ASA5510 remotly managed.

Unanswered Question
Nov 3rd, 2008

Hi!

I have installed an ASA5510 in another town and I wish to manage it remotly using an SSH connection. Is it possible? What commands do I need to enter? Thanks in advance!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (2 ratings)
Loading.
miregistrocisco Tue, 12/02/2008 - 01:11

Very helpful link, but I still have a question: I tried to manage the firewall succesfully from hosts located in the inside and outside subnets, but I couldn't archieve managing the firewall from a remote host in the other side of the router, in spite of having followed carefully the steps in the link you posted. Any suggestion? (specially about how to use the ssh command in this case or how to do natting in the router). Thanks in advance!

mdreelan Tue, 12/02/2008 - 08:18

There may be an ACL on the router in front of the ASA, have you checked that?

miregistrocisco Wed, 12/03/2008 - 03:13

Actually I can manage the firewall but in a very peculiar way: I start a VNC connection from a remote host to a server behind the firewall, and later I start again an SSH connection from the server to the firewall. To allow the VNC connection I do static natting in order to traduce the server address (located in the inside subnet) to a static one in the outside subnet, create an ACL (in the firewall) that permits the VNC traffic and finally configure the router to nat the incoming VNC queries to the statically traduced IP address. To allow SSH connections from the server to the firewall I follow all the steps in the link, entering the command "ssh 172.16.0.10 255.255.255.255 DMZ", where 172.16.0.10 is the server source address and DMZ is the name of the inside interface.

What do I have to do so as to manage the firewall directly?

mdreelan Wed, 12/03/2008 - 07:27

Determine if you are able to see your external IP address hitting the firewall.

example: say your outside ip arrives as 55.1.1.1

run debug icmp trace 1, ping your ASA (is it an asa?) and check the logs or run term mon on the ASA to make sure you see your pings arrive.

then add ssh 55.1.1.1 255.255.255.255 outside

test ssh connection and check logs for errors. post logs here (change real asa ip address for your own security).

miregistrocisco Tue, 12/09/2008 - 02:55

I can't see any ping reaching the firewall. I entered the "debug icmp trace 1" command and ping from an external computer but nothing happened. I suppose there's something wrong with the router config but I'm not able to determine what. It's a Zyxel 660HW. Any idea?

mdreelan Tue, 12/09/2008 - 07:18

If you are not seeing ping to the ASA (when you type "debug icmp trace 1" on the ASA, and you are logged into the ASA to see the terminal loggs, and debugs, then your ping is not hitting the ASA. If you have access to the router, you need to open up ssh (and ping if you like) to manage from the outside. OK? (Please rate my posts if you find this info. helpful).

solpandor Wed, 12/10/2008 - 02:26

hi

is there a router in front of the ASA? If no then try this

1) conf t

2) ssh (ip of the network or host allowed to access) (mask) outside

e.g ssh 10.10.10.5 255.255.255.255 outside

HTH

miregistrocisco Wed, 12/10/2008 - 04:39

solpandor, there's a router in front of the ASA, that's the problem, to reach the firewall through the router from the outside.

miregistrocisco Wed, 12/10/2008 - 04:37

So the problem is in the router config. I have access to it but don't know how to congigure it correctly :'( I'm afraid I will have to ask in other forums

miregistrocisco Thu, 12/11/2008 - 03:34

To mdreelan, solpandor or anyone,

Finally I succeeded passing through the router and the firewall console notifies the arriving pings, but still can't stablish an ssh connection. I have tried mapping the incoming ssh queries global IP address to a local IP address in the subnet between the firewall and the router (e.g. 192.168.0.55), and then adding "ssh 192.168.0.55 255.255.255.255 WAN"; I've also tried mapping the incoming packets to the outside firewall interface address (192.168.0.2) and entering "ssh 192.168.0.2 255.255.255.255 WAN", and in both cases it didn't work. What's wrong??

mdreelan Thu, 12/11/2008 - 10:45

you need to generate the rsa keys

on the asa type

"crypto key generate rsa general-keys modulus 1024"

and

ssh outside 1.1.1.1 255.255.255.255

(using your source ip that you see in the debug icmp trace

OK

PS: Dont be a hater, be a rater!

mdreelan Thu, 12/11/2008 - 10:47

should be ssh 1.1.1.1 255.255.255.255 outside

so if I was coming from 45.56.57.80 and wanted only that host I would type:

ssh 45.56.57.80 255.255.255.255 outside

Actions

This Discussion