Possible with ASA appliance

Unanswered Question
Feb 2nd, 2009

Looking at the diagram, is it possible to

ssh from the WinXP machine to both Eth0 (

IP address 192.168.2.2) and Eth1 (IP

address 192.168.3.2)? If it is possible,

how do I go about doing it?

Thanks.

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Mon, 02/02/2009 - 18:13

David, my opinion ..

You can ssh to E0 provided you have allow ssh to WinXP. One cannot ssh to E1 from WinXP unless you have an Ipsec tunnel , and management-access statement in ASA firewall.

{edit}

Actually... let me re-look at the diagram again.

I read to quick, you shoudl be able to SSH to both hosts 192.168.2.2 and 192.168.3.2 through alc permittng ssh through outside interface.

cisco24x7 Mon, 02/02/2009 - 18:32

WinXP can ssh to 192.168.2.2 without any

issues. That's easy.

When WinXP ssh to host 192.168.3.2, this

is where you run into asymetric route.

In other words, traffics will Enter E0,

leave E2 and comeback into E1.

How does ASA handle it?

JORGE RODRIGUEZ Mon, 02/02/2009 - 18:44

Is centOS 192.168.3.2 gateway 192.168.3.1? and what message is showing in asdm log for the traffic back.

cisco24x7 Mon, 02/02/2009 - 18:47

CentOS gateway has two NICs: 192.168.2.2 (eth1) and 192.168.3.2 (eth2). CentOS' default gateway is 192.168.2.1

JORGE RODRIGUEZ Mon, 02/02/2009 - 18:54

If Im understanding this right, I see the asymetric routing but I believe the centOS 192.168.3.2 does not know to get backout on E2 as it supose to but using centOS only default gateway 192.168.2.1, if centOS NIC2 192.168.3.2 had a default gateway of 3.1 it should get backout on E2.. unless Im missing something.

cisco24x7 Mon, 02/02/2009 - 19:01

Here is the flow sequence:

WinXP makes an SSH connection to 192.168.3.2.

Traffics will hit ASA E0, go out of E2

interface. It will then hit Eth2

interface of CentOS.

On the return path, traffics will leave

Eth1 of CentOS because the default gateway for CentOS is 192.168.2.1. Now,

you got asymetric route.

JORGE RODRIGUEZ Mon, 02/02/2009 - 19:17

This is a good one and to be honest I would have to lab this out, anyone can provide some thoughts , E1 should not be taking that traffic E2 back out E0 , I wander if ip verify reverse-path would prevent this.

Actions

This Discussion