SSH Remote administration

Apr 15th, 2009

Hi,

I was just wondering about best practices when it comes to remote administration of the ASA.

It appears that SSH is the best option, but the one thing that bugs me is that I would have to allow SSH access on the outside interface for all IPs since I don't ever know from where I may need access to it.

Any suggestions on how this is normally done? I am not comfortable with the above solution since technically I am allowing somebody to use brute force attacks for as long as they want (unless there are options which can be configured to prevent this).

Any help will be appreciated.

Thanks

JORGE RODRIGUEZ Wed, 04/15/2009 - 14:17

You can use webvpn; from within webvpn you can RDP to an internal system and use SSH or ASDM or even telnet sessions. Webvpn is SSL based and it is secure, and you do not have to do any any for SSH on the outside interface.

regards

mdombek_biz Fri, 04/17/2009 - 06:14

If you only want to manage your ASA, try to configure a RA VPN and allow connection to your Inside interface using

management-access Inside

You can now connect via VPN and directly SSH to your Inside IP address.

HTH Michael
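
The setup Michael describes, written out as an ASA configuration next to the open outside rule from the original question. This is an added example, not part of the thread; the VPN pool 192.168.50.0/24, the admin account name and the placeholder password are constructed, and it assumes the remote-access VPN already exists and that the interface nameif is Inside.

```cisco
! Constructed example. Assumes a working remote-access VPN whose
! clients get addresses from 192.168.50.0/24 (assumed pool).

! What the question describes: SSH reachable from any address on the outside.
! ssh 0.0.0.0 0.0.0.0 outside

! Restricted alternative: no ssh rule on the outside interface.
! Let VPN clients reach the Inside interface address through the tunnel.
management-access Inside

! Accept SSH on Inside only from the VPN pool.
ssh 192.168.50.0 255.255.255.0 Inside

! Idle SSH sessions are dropped after 5 minutes.
ssh timeout 5

! Authenticate SSH against the local user database.
username admin password <PLACEHOLDER-PASSWORD> privilege 15
aaa authentication ssh console LOCAL

! SSH needs an RSA key pair on the ASA.
crypto key generate rsa modulus 2048
```

`show running-config ssh` lists the source networks permitted per interface, which confirms that no rule for the outside interface remains.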

ronin2307 Fri, 04/17/2009 - 06:19

Well, this is the thing: I already do all these things, but every once in a while my end users (mostly C-level) call me and tell me they can't log in through VPN or webVPN. Something goes haywire and then obviously I can't log on using these methods as well.

So I thought maybe I could use SSH and try to reach the ASA that way from outside. I am not sure if the 5510 supports any kind of out-of-band access methods. I am pretty sure that ours doesn't since we have a very basic setup.

thanks
