Problem accessing a server with SSH on the ASA DMZ interface

Answered Question
May 7th, 2010
Need some help on ASA5520. It's the first time configuring it and all servers are reachable and work, but there's one specific server to which I need SSH access. I made the custom configuration but no joy.


The following is the information from "sh run" about the SSH config:


object-group service SSH tcp
description ACESSO_SSH
port-object eq ssh


ssh 10.6.84.45 255.255.255.255 inside
ssh 10.6.84.70 255.255.255.255 inside
ssh 10.6.84.44 255.255.255.255 inside
ssh 10.6.84.49 255.255.255.255 inside
ssh VLAN84_DADM-3040 255.255.255.0 inside
ssh 10.6.84.18 255.255.255.255 inside


ssh timeout 60
ssh version 1


Thaaanks !

Overall Rating: 5 (2 ratings)
Federico Coto F... Fri, 05/07/2010 - 10:42

Amanda


The configuration that you posted is the list of IPs allowed to establish an SSH connection to the ASA.

Do you need to be able to SSH to a server or to the ASA itself?

What's the IP of that server?


Federico.

anunes1987 Fri, 05/07/2010 - 11:04

I need to establish the SSH connection from my LAN to the server. Before we had a PIX we didn't have any problem, but after the migration I'm unable to do so.


The IP of my server is 172.16.0.3 and it is on the DMZ interface.


Amanda.

Correct Answer
Federico Coto F... Fri, 05/07/2010 - 11:12

Amanda,


If you need to establish an SSH session from the inside interface to the DMZ, you need NAT (if you have nat-control enabled).


i.e.

nat (inside) 1 0  0

global (DMZ) 1 interface


With the above configuration you should be able to SSH to the DMZ server from the inside LAN (assuming the names of the interfaces are inside and DMZ respectively).


Federico.
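
The distinction drawn in the answers above, as an added example that is not part of the original thread: the `ssh` lines control management access to the ASA itself, while SSH through the ASA to 172.16.0.3 depends on a translation rule and can be checked with packet-tracer. It assumes the pre-8.3 NAT syntax used in the thread, that packet-tracer is available (ASA 7.2 and later), that inside has a higher security level than DMZ with no access-group on inside blocking the traffic, and 10.6.84.45 as a sample inside client.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Interface names (inside, DMZ) and addresses are taken from the posts.

! 1) Management plane: who may open an SSH session TO the ASA itself.
!    These lines have no effect on SSH sessions passing THROUGH the ASA.
!    The posted "ssh version 1" also applies only to these management
!    sessions; SSHv2 is selected with "ssh version 2".
ssh 10.6.84.45 255.255.255.255 inside

! 2) Data plane: check whether nat-control is on. If it is, inside -> DMZ
!    traffic without a matching translation rule is dropped.
show running-config nat-control

! Translation rule from the accepted answer: PAT every inside source to
! the DMZ interface address.
nat (inside) 1 0 0
global (DMZ) 1 interface

! Narrower alternative (assumption: only the 10.6.84.0/24 LAN seen in the
! posted config needs to reach the DMZ). Use instead of "nat (inside) 1 0 0":
! nat (inside) 1 10.6.84.0 255.255.255.0

! 3) Verify: simulate the SSH flow and read the NAT and ACCESS-LIST phases
!    of the output; the final "Action:" line should be "allow".
packet-tracer input inside tcp 10.6.84.45 1025 172.16.0.3 22

! After a real connection attempt, confirm the translation and the session.
show xlate
show conn | include 172.16.0.3
```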
