
Enable external SSH with CISCO ASA 5505

sspagnamantova
Level 1

Hi all,

I have to enable SSH and HTTPS on a CISCO ASA 5505. SSH and HTTPS must accept requests only from certain addresses on the WAN.

How can I do it?

Thanks in advance,

Simone Spagna

6 Replies

srue
Level 7

You can't. If you have some sort of filtering device in front of the ASA, you can do it there, otherwise no.

The complete situation is: My ASA is on a private network, say 10.10.10.0/24. Through the ASA IP (say 10.10.10.10) is routed a public network (say 89.100.100.64/28).

The internal network is natted as 192.168.0.0/24.

I'm able to static nat some public ip to some internal machine/port, to access it from the Internet.

I would be able to access my ASA console (SSH and HTTPS) as, say, 89.100.100.69 and access it through the Internet.

Is there any way to obtain this?

Thank you

Simone

I am just guessing here and do not have the equipment to try this out.

Just to access the ASDM or command line, entering http or ssh IP address /32 should get you access.

However to access the Management Console, provided you have set up contexts and the Management IP has a Public NAT, with the right rules, you should be able to access that IP as well.

Mike

I didn't set up contexts and I prefer not to, if it's not strictly required (by the way, I tried to list contexts, but I got an error - command not found - is ASA 5505 capable of managing contexts?).

The problem with your answer is knowing what the right rules are. I tried a lot but none worked.

Simone

I am not sure if I understand but why don't you just allow SSH and HTTPS access to the outside interface of the ASA? Your outside interface can be accessed from the Internet so...

If you specify which hosts can access the ASA wouldn't this do what you want?

For example:

http outside

ssh outside

I apologize if I am not understanding your problem correctly.

Hope it helps.
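As an added example (not part of the original thread), this is the general form of the `ssh` and `http` management-access commands the reply above refers to, restricted to a single source host. The address 203.0.113.10, the `admin` username and the `<password>` value are placeholders, not values from the thread.

```cisco
! Constructed sample values: 203.0.113.10 is a placeholder admin host,
! "admin" and <password> are placeholders.

! Local account and RSA key pair used by SSH
username admin password <password> privilege 15
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

! Remove catch-all management entries if they exist
no ssh 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 outside

! SSH: accept only the listed source host on the outside interface
ssh 203.0.113.10 255.255.255.255 outside
ssh version 2
ssh timeout 10

! HTTPS (ASDM): same source restriction
http server enable
http 203.0.113.10 255.255.255.255 outside

! Verify which sources are allowed
show running-config ssh
show running-config http
```

The ASA answers SSH and HTTPS only on the interface where the connection arrives, so the interface name in each line must be the one the permitted host's traffic enters on.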

The address of the ASA is on a private network (I wrote 10.10.10.10), so it is not reachable from the Internet.

On the private address is routed by the provider a public subnet (I wrote 89.100.100.64/28).

If I configure the ASA, I can route the subnet on an interface and (if the access rules are correct) connect machines on the public network on that interface, access them from the Internet and access the Internet from those machines.

Also, the ASA is assigned a public address on that interface but, as the packets arrive from internal routing and not from the interface, I can't access SSH and HTTPS from the Internet (I could only from the machines connected to the interface).
