07-08-2014 11:47 AM
I have an ASA5510 that I can VPN into. I want to be able to administer the router that I have directly connected to the ASA through VPN with SSH. Is that possible?
07-08-2014 04:24 PM
Sure. You just need to work through the routing and NAT handling and potentially adjust your configuration accordingly.
Where is the router with respect to the ASA interfaces - "inside" or "outside"?
07-08-2014 04:30 PM
07-08-2014 04:39 PM
So typically a remote access VPN connection is assigned an address from a pool. The ASA is told not to NAT traffic to/from the pool even though those connections are coming from outside. Most inside devices, such as your router, should be reachable assuming the ASA has a connected interface or route to them.
One thing that needs to be taken into account is the route from that device back to the address pool. If the ASA is not the default gateway (or in the default routing path) for those inside devices, then you may need to add a static route on them making it so.
07-08-2014 05:01 PM
07-08-2014 06:49 PM
Having a separate range is fine, in fact it's generally the use case presented in most Cisco documents. Whatever the range, there's typically NAT exemption for the VPN pool. That's all pretty straightforward and covered with the basic config guides out there (and accommodated by the Wizard in ASDM if you use that).
Most of the examples assume the ASA is your default gateway off the network. That makes any outbound routing considerations moot as the ASA will see all outbound traffic and know how to handle the VPN pool (nat exempt, encapsulate in VPN, forward via outgoing default route to remote peer for decapsulation).
When the ASA is not the default gateway you need to inform the interior router(s) how to get to the pool. If it's just a single L3 switch, a simple static route to the ASA inside interface generally suffices. Anything bigger and we may need to redistribute the static route into whatever IGP you use (i.e. EIGRP or OSPF in most cases) or even run the IGP on the ASA so it can advertise the subnet used by the pool.
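As an added illustration of the two pieces described above (not configuration from the original poster or from the replies), the ASA NAT exemption for the VPN pool and the return route on an inside router that does not use the ASA as its default gateway. All addresses, object names and interface names are constructed placeholders.

```cisco
! ---- ASA (8.3+ NAT syntax), constructed example ----
! Address pool handed out to remote-access VPN clients (assumed range)
ip local pool VPN-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL-NET
 subnet 10.10.10.0 255.255.255.0
!
! NAT exemption: traffic between the inside LAN and the VPN pool keeps
! its real addresses in both directions, so the router sees the client's
! pool address and the ASA can match the return traffic to the tunnel.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
!
! ---- Inside IOS router, constructed example ----
! The ASA inside interface is assumed to be 192.168.1.1 and the router's
! default route points elsewhere, so the pool needs an explicit return route
! or SSH replies to VPN clients leave via the wrong path.
ip route 10.10.10.0 255.255.255.0 192.168.1.1
!
! If more routers sit behind this one and an IGP is in use, the static
! route can be redistributed instead of being repeated on every device:
router ospf 1
 redistribute static subnets
```

Verify from a connected VPN client that the router's inside address answers SSH; if it does not, check the router's routing table for the pool prefix before revisiting the ASA NAT rules.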
07-08-2014 09:14 PM