JORGE RODRIGUEZ Mon, 02/02/2009 - 18:13

David, my opinion...

You can ssh to E0 provided you have allowed SSH to WinXP. One cannot ssh to E1 from WinXP unless you have an IPsec tunnel and a management-access statement in the ASA firewall.


Actually... let me re-look at the diagram again.

I read too quickly; you should be able to SSH to both hosts through an ACL permitting SSH through the outside interface.

cisco24x7 Mon, 02/02/2009 - 18:32

WinXP can ssh to without any issues. That's easy.

When WinXP ssh to host, this is where you run into an asymmetric route.

In other words, traffic will enter E0, leave E2 and come back into E1.

How does ASA handle it?

JORGE RODRIGUEZ Mon, 02/02/2009 - 18:44

Is CentOS gateway and what message is showing in the ASDM log for the traffic back?

cisco24x7 Mon, 02/02/2009 - 18:47

CentOS gateway has two NICs: (eth1) and (eth2). CentOS' default gateway is

JORGE RODRIGUEZ Mon, 02/02/2009 - 18:54

If I'm understanding this right, I see the asymmetric routing, but I believe CentOS does not know to get back out on E2 as it's supposed to, but is using CentOS's only default gateway; if CentOS NIC2 had a default gateway of 3.1 it should get back out on E2... unless I'm missing something.

cisco24x7 Mon, 02/02/2009 - 19:01

Here is the flow sequence:

WinXP makes an SSH connection to

Traffic will hit ASA E0 and go out of the E2 interface. It will then hit the Eth2 interface of CentOS.

On the return path, traffic will leave Eth1 of CentOS because the default gateway for CentOS is Now, you've got an asymmetric route.

JORGE RODRIGUEZ Mon, 02/02/2009 - 19:17

This is a good one and to be honest I would have to lab this out. Can anyone provide some thoughts? E1 should not be taking that traffic; E2 should go back out E0. I wonder if ip verify reverse-path would prevent this.
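To make the flow in this thread concrete, here is an added simulation (editor's example, not Cisco or CentOS code, and not from any poster). It models a stateful firewall with three interfaces in a simplified way: a TCP connection is built on the interface pair it first crosses, and a later packet is only accepted on an interface that belongs to that connection. The dual-homed host is modelled with a single default route (as described for CentOS) and, optionally, with source-based policy routing so replies leave the NIC they arrived on. An optional reverse-path check stands in for the `ip verify reverse-path` idea raised above. All addresses, port numbers and interface names on the host side are constructed placeholders, since the thread's real values are not on the page; the ASA behaviour is a simplified model, not a statement of exact ASA semantics.

```python
"""Simplified model of the asymmetric-route scenario from the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (placeholder addresses, not the thread's):
#   WinXP 10.0.0.10      -- E0 (10.0.0.1)
#   CentOS eth1 192.168.1.10 -- E1 (192.168.1.1)   <- CentOS's only default route points here
#   CentOS eth2 192.168.2.10 -- E2 (192.168.2.1)   <- WinXP's SSH traffic arrives here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # first packet of a new TCP connection


class StatefulFirewall:
    """Three-interface stateful firewall. A packet with no matching connection
    on its ingress interface is dropped (simplified ASA-like behaviour)."""

    def __init__(self, routes, urpf=False):
        # routes: iterable of (network, interface); longest prefix wins
        self.routes = sorted(((ip_network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.conns = {}   # (src, dst, sport, dport) -> (ingress_if, egress_if)
        self.urpf = urpf
        self.log = []

    def route(self, dst):
        addr = ip_address(dst)
        return next((iface for net, iface in self.routes if addr in net), None)

    def forward(self, pkt, ingress):
        # Reverse-path check: the source must be reachable back out the ingress interface.
        if self.urpf and self.route(pkt.src) != ingress:
            self.log.append(f"DROP rpf-failure src={pkt.src} on {ingress}")
            return None
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.syn:
            egress = self.route(pkt.dst)
            self.conns[key] = (ingress, egress)
            self.log.append(f"BUILD {key} {ingress}->{egress}")
            return egress
        if key in self.conns and self.conns[key][0] == ingress:
            return self.conns[key][1]
        # Reply direction: must arrive on the interface the connection went out of.
        if reverse in self.conns and self.conns[reverse][1] == ingress:
            return self.conns[reverse][0]
        self.log.append(f"DROP no-connection {key} on {ingress}")
        return None


class DualHomedHost:
    """CentOS-like host with eth1/eth2. Without policy routing every reply
    follows the single default route out eth1; with policy routing a reply
    leaves the NIC that owns its source address (the usual 'ip rule ... from
    <addr> table <n>' arrangement, modelled rather than executed)."""

    def __init__(self, policy_routing=False):
        self.nics = {"eth1": "192.168.1.10", "eth2": "192.168.2.10"}
        self.policy_routing = policy_routing

    def reply(self, pkt):
        rep = Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)
        if self.policy_routing:
            nic = next(n for n, a in self.nics.items() if a == rep.src)
        else:
            nic = "eth1"  # single default gateway
        return rep, nic


NIC_TO_ASA_IF = {"eth1": "E1", "eth2": "E2"}


def run_scenario(policy_routing=False, urpf=False):
    """Return (interface the reply is forwarded to, or None if dropped; firewall log)."""
    fw = StatefulFirewall([("10.0.0.0/24", "E0"), ("192.168.1.0/24", "E1"),
                           ("192.168.2.0/24", "E2")], urpf=urpf)
    host = DualHomedHost(policy_routing)
    syn = Packet("10.0.0.10", "192.168.2.10", 40000, 22, syn=True)
    assert fw.forward(syn, "E0") == "E2"          # WinXP -> E0 -> E2 -> eth2
    rep, nic = host.reply(syn)
    return fw.forward(rep, NIC_TO_ASA_IF[nic]), fw.log


if __name__ == "__main__":
    for pr, rpf in ((False, False), (False, True), (True, False)):
        out, log = run_scenario(pr, rpf)
        print(f"policy_routing={pr} urpf={rpf}: reply -> {out}; last log: {log[-1]}")
```

In the model the reply that leaves eth1 and arrives on E1 is dropped because the connection was built across E0 and E2; turning on the reverse-path check only changes which reason is logged, since the route back to 192.168.2.10 does not point out E1 either. Only when the host sends its reply out the NIC it received the request on (policy routing) does the return packet match the connection and get forwarded back to E0.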

