SSH into router over a VPN through an ASA5510?

Unanswered Question
Jul 8th, 2014

I have an ASA5510 that I can VPN into. I want to be able to administer the router that I have directly connected to the ASA through VPN with SSH. Is that possible?

Marvin Rhoads Tue, 07/08/2014 - 16:24
User Badges: Super Silver (17500 points or more), Hall of Fame, Cisco Designated VIP 2017 (Firewalling, Network Management, VPN)

Sure. You just need to work through the routing and NAT handling and potentially adjust your configuration accordingly.

Where is the router with respect to the ASA interfaces - "inside" or "outside"?

Bryan Harb Tue, 07/08/2014 - 16:30
So I have the cable modem on e0/0 of the ASA, then on port e0/1 of the ASA is the router, so inside.
Marvin Rhoads Tue, 07/08/2014 - 16:39

So typically a remote access VPN connection is assigned an address from a pool. The ASA is told not to NAT traffic to/from the pool even though those connections are coming from outside. Most inside devices, such as your router, should be reachable assuming the ASA has a connected interface or route to them.

One thing that needs to be taken into account is the route from that device back to the address pool. If the ASA is not the default gateway (or in the default routing path) for those inside devices, then you may need to add a static route on them making it so.

Bryan Harb Tue, 07/08/2014 - 17:01
So I think I screwed up then, because I have a set range for my VPN, 192.168.3.0, then I have a different range for inside devices, 192.168.4.0. Shouldn't there be a NAT for the 192.168.3.0 network to talk to inside devices on the 192.168.4.0 network?
Marvin Rhoads Tue, 07/08/2014 - 18:49

Having a separate range is fine; in fact it's generally the use case presented in most Cisco documents. Whatever the range, there's typically a NAT exemption for the VPN pool. That's all pretty straightforward and covered by the basic config guides out there (and accommodated by the Wizard in ASDM if you use that).

Most of the examples assume the ASA is your default gateway off the network. That makes any outbound routing considerations moot as the ASA will see all outbound traffic and know how to handle the VPN pool (nat exempt, encapsulate in VPN, forward via outgoing default route to remote peer for decapsulation).

When the ASA is not the default gateway you need to inform the interior router(s) how to get to the pool. If it's just a single L3 switch, a simple static route to the ASA inside interface generally suffices. Anything bigger and we may need to redistribute the static route into whatever IGP you use (e.g. EIGRP or OSPF in most cases) or even run the IGP on the ASA so it can advertise the subnet used by the pool.
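The pieces described in the two replies above (NAT exemption for the pool, a return route from the inside router, and the management access itself), pulled together as an added configuration example that is not from the original thread. The subnets 192.168.3.0/24 (VPN pool) and 192.168.4.0/24 (inside) come from the thread; ASA 8.3+ NAT syntax, the interface names, the group-policy name, the router's address 192.168.4.1 and the ASA inside address 192.168.4.254 are assumptions. The vpn-filter at the end goes a step beyond the thread: it limits VPN users to SSH on the router only, which is the least-privilege version of "administer the router over the VPN".

```cisco
! ===== ASA (8.3+ NAT syntax; addressing assumed except the two /24s from the thread) =====
! Pool the remote-access clients are assigned from (192.168.3.0/24 per the thread)
ip local pool VPN-POOL 192.168.3.1-192.168.3.254 mask 255.255.255.0

object network INSIDE-NET
 subnet 192.168.4.0 255.255.255.0
object network VPN-CLIENTS
 subnet 192.168.3.0 255.255.255.0

! NAT exemption ("identity" twice NAT): inside <-> pool keeps its real addresses.
! no-proxy-arp and route-lookup avoid the ASA answering ARP for the pool on inside
! and make it route decrypted traffic by the routing table rather than the NAT rule.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-CLIENTS VPN-CLIENTS no-proxy-arp route-lookup

! Least-privilege filter (assumption, beyond the thread): VPN users may only SSH to the
! router. vpn-filter ACLs are written with the VPN client as the source; the ASA also
! applies the mirror of the rule to return traffic, so one line is enough.
access-list VPN-TO-ROUTER extended permit tcp 192.168.3.0 255.255.255.0 host 192.168.4.1 eq 22
access-list VPN-TO-ROUTER extended deny ip any any
group-policy REMOTE-GP attributes
 address-pools value VPN-POOL
 vpn-filter value VPN-TO-ROUTER

! ===== Inside router (IOS; address and interface are assumptions) =====
interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
! Return path for the pool. The OP's default route via the ASA already covers this;
! the specific route is what you add when the ASA is NOT the default gateway.
ip route 192.168.3.0 255.255.255.0 192.168.4.254

! SSH-only management, reachable only from the VPN pool
ip domain-name example.net
ip ssh version 2
ip access-list standard MGMT-FROM-VPN
 permit 192.168.3.0 0.0.0.255
username admin privilege 15 secret CHANGE-ME-to-a-strong-password
line vty 0 4
 transport input ssh
 access-class MGMT-FROM-VPN in
 login local
```

On the router the RSA key pair still has to exist before SSH will start (`crypto key generate rsa modulus 2048` at the exec prompt). To check the ASA side after a client connects, `show nat detail` should show untranslate_hits on the exemption rule climbing as the client traffic arrives, and `show route` should show the client's pool address as a /32 pointing out the outside interface; if the router is the one not answering, check that `show ip route 192.168.3.0` on it resolves to the ASA inside address.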

Bryan Harb Tue, 07/08/2014 - 21:14
I set the default route on my router to the inside interface IP of the ASA. And I will connect the router to a switch for the servers. So I will make sure then the NAT exception is on the VPN pool. I believe I used the ASDM wizard to set it up with mostly defaults.
