miregistrocisco Tue, 12/02/2008 - 01:11
User Badges:

Very helpful link, but I still have a question: I tried to manage the firewall succesfully from hosts located in the inside and outside subnets, but I couldn't archieve managing the firewall from a remote host in the other side of the router, in spite of having followed carefully the steps in the link you posted. Any suggestion? (specially about how to use the ssh command in this case or how to do natting in the router). Thanks in advance!

mdreelan Tue, 12/02/2008 - 08:18
User Badges:

There may be an ACL on the router in front of the ASA, have you checked that?

miregistrocisco Wed, 12/03/2008 - 03:13
User Badges:

Actually I can manage the firewall but in a very peculiar way: I start a VNC connection from a remote host to a server behind the firewall, and later I start again an SSH connection from the server to the firewall. To allow the VNC connection I do static natting in order to traduce the server address (located in the inside subnet) to a static one in the outside subnet, create an ACL (in the firewall) that permits the VNC traffic and finally configure the router to nat the incoming VNC queries to the statically traduced IP address. To allow SSH connections from the server to the firewall I follow all the steps in the link, entering the command "ssh DMZ", where is the server source address and DMZ is the name of the inside interface.

What do I have to do so as to manage the firewall directly?

mdreelan Wed, 12/03/2008 - 07:27
User Badges:

Determine if you are able to see your external IP address hitting the firewall.

example: say your outside ip arrives as

run debug icmp trace 1, ping your ASA (is it an asa?) and check the logs or run term mon on the ASA to make sure you see your pings arrive.

then add ssh outside

test ssh connection and check logs for errors. post logs here (change real asa ip address for your own security).

miregistrocisco Tue, 12/09/2008 - 02:55
User Badges:

I can't see any ping reaching the firewall. I entered the "debug icmp trace 1" command and ping from an external computer but nothing happened. I suppose there's something wrong with the router config but I'm not able to determine what. It's a Zyxel 660HW. Any idea?

mdreelan Tue, 12/09/2008 - 07:18
User Badges:

If you are not seeing ping to the ASA (when you type "debug icmp trace 1" on the ASA, and you are logged into the ASA to see the terminal loggs, and debugs, then your ping is not hitting the ASA. If you have access to the router, you need to open up ssh (and ping if you like) to manage from the outside. OK? (Please rate my posts if you find this info. helpful).

solpandor Wed, 12/10/2008 - 02:26
User Badges:


is there a router in front of the ASA? If no then try this

1) conf t

2) ssh (ip of the network or host allowed to access) (mask) outside

e.g ssh outside


miregistrocisco Wed, 12/10/2008 - 04:39
User Badges:

solpandor, there's a router in front of the ASA, that's the problem, to reach the firewall through the router from the outside.

miregistrocisco Wed, 12/10/2008 - 04:37
User Badges:

So the problem is in the router config. I have access to it but don't know how to congigure it correctly :'( I'm afraid I will have to ask in other forums

miregistrocisco Thu, 12/11/2008 - 03:34
User Badges:

To mdreelan, solpandor or anyone,

Finally I succeeded passing through the router and the firewall console notifies the arriving pings, but still can't stablish an ssh connection. I have tried mapping the incoming ssh queries global IP address to a local IP address in the subnet between the firewall and the router (e.g., and then adding "ssh WAN"; I've also tried mapping the incoming packets to the outside firewall interface address ( and entering "ssh WAN", and in both cases it didn't work. What's wrong??

mdreelan Thu, 12/11/2008 - 10:45
User Badges:

you need to generate the rsa keys

on the asa type

"crypto key generate rsa general-keys modulus 1024"


ssh outside

(using your source ip that you see in the debug icmp trace


PS: Dont be a hater, be a rater!

mdreelan Thu, 12/11/2008 - 10:47
User Badges:

should be ssh outside

so if I was coming from and wanted only that host I would type:

ssh outside


This Discussion