SSH into router over a VPN through an ASA5510?

bryanrobh (Level 1)

I have an ASA5510 that I can VPN into. I want to be able to administer the router that I have directly connected to the ASA through the VPN with SSH. Is that possible?

6 Replies

Marvin Rhoads (Hall of Fame)

Sure. You just need to work through the routing and NAT handling and potentially adjust your configuration accordingly.

Where is the router with respect to the ASA interfaces - "inside" or "outside"?

bryanrobh (Level 1)

So I have the cable modem on e0/0 of the ASA, then on port e0/1 of the ASA is the router, so inside.

Marvin Rhoads (Hall of Fame)

So typically a remote access VPN connection is assigned an address from a pool. The ASA is told not to NAT traffic to/from the pool even though those connections are coming from outside. Most inside devices, such as your router, should be reachable assuming the ASA has a connected interface or route to them.

One thing that needs to be taken into account is the route from that device back to the address pool. If the ASA is not the default gateway (or in the default routing path) for those inside devices, then you may need to add a static route on them making it so.

bryanrobh (Level 1)

So I think I screwed up then, because I have a set range for my VPN, 192.168.3.0, and then I have a different range for inside devices, 192.168.4.0. Shouldn't there be a NAT for the 192.168.3.0 network to talk to inside devices on the 192.168.4.0 network?

Marvin Rhoads (Hall of Fame)

Having a separate range is fine; in fact it's generally the use case presented in most Cisco documents. Whatever the range, there's typically a NAT exemption for the VPN pool. That's all pretty straightforward and covered by the basic config guides out there (and accommodated by the Wizard in ASDM if you use that).

Most of the examples assume the ASA is your default gateway off the network. That makes any outbound routing considerations moot as the ASA will see all outbound traffic and know how to handle the VPN pool (nat exempt, encapsulate in VPN, forward via outgoing default route to remote peer for decapsulation).

When the ASA is not the default gateway you need to inform the interior router(s) how to get to the pool. If it's just a single L3 switch, a simple static route to the ASA inside interface generally suffices. Anything bigger and we may need to redistribute the static route into whatever IGP you use (e.g. EIGRP or OSPF in most cases) or even run the IGP on the ASA so it can advertise the subnet used by the pool.
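The three pieces discussed above (the VPN pool, the NAT exemption so pool-to-inside traffic is not translated, and the return route from the inside router back to the pool) as an added configuration example. This is not configuration from the thread or from Cisco; it is built from the addresses the poster gave (pool 192.168.3.0/24, inside LAN 192.168.4.0/24, outside on e0/0, inside on e0/1) plus assumed values that the thread never states: the ASA inside address 192.168.4.1, the router address 192.168.4.2, the object names, the pool range, and ASA software 8.3 or later (the older `nat (inside) 0 access-list` form is noted at the end). The last lines restrict the router's SSH listener to the pool, which the thread does not ask for but a practitioner exposing management over a VPN would want.

```cisco
! ===== ASA5510 (assumed 8.3+ NAT syntax) =====
! Assumed: e0/0 = outside, e0/1 = inside with 192.168.4.1/24
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
! Remote-access pool from the thread (range is an assumption)
ip local pool VPN-POOL 192.168.3.1-192.168.3.254 mask 255.255.255.0
!
! Objects for the inside LAN and the pool (names are assumptions)
object network INSIDE-LAN
 subnet 192.168.4.0 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.3.0 255.255.255.0
!
! NAT exemption: identity-translate inside LAN <-> VPN pool so the
! pool addresses reach 192.168.4.0/24 untouched. Put it before any
! dynamic PAT rule for outbound Internet traffic so it is matched first.
nat (inside,outside) 1 source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
!
! Typical outbound PAT for the LAN; ordered after the exemption
object network INSIDE-LAN
 nat (inside,outside) dynamic interface
!
! Checks to run on the ASA after applying the above:
!   show nat detail
!   packet-tracer input outside tcp 192.168.3.10 50000 192.168.4.2 22
! The packet-tracer output should show the identity NAT rule and an ALLOW
! result; a DROP in the NAT phase means the exemption is missing or ordered
! after the PAT rule. Note that "sysopt connection permit-vpn" is on by
! default, so decrypted VPN traffic bypasses the outside interface ACL;
! if you want to limit what VPN users can reach, use a vpn-filter.
!
! ===== Pre-8.3 equivalent of the exemption (only if the ASA is older) =====
!   access-list NONAT extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
!   nat (inside) 0 access-list NONAT
!
! ===== Inside IOS router (assumed 192.168.4.2) =====
! Return path to the pool. A default route via the ASA (what the poster
! set) covers it; the more specific static route is enough on its own if
! the router's default gateway is something other than the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.4.1
ip route 192.168.3.0 255.255.255.0 192.168.4.1
!
! SSH hardening: SSHv2 only, and only from the VPN pool (assumed ACL name)
ip ssh version 2
ip access-list standard MGMT-FROM-VPN
 permit 192.168.3.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-FROM-VPN in
```

With the VPN up, `ssh admin@192.168.4.2` from a client holding a 192.168.3.x address should connect; if it does not, the packet-tracer command above tells you whether the ASA is dropping the flow, and `show ip route 192.168.3.0` on the router confirms the return path points at the ASA inside address rather than at some other gateway.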

bryanrobh (Level 1)

I set the default route on my router to the inside interface IP of the ASA, and I will connect the router to a switch for the servers. So I will make sure then that the NAT exception is on the VPN pool. I believe I used the ASDM wizard to set it up with mostly defaults.