New Member

ASA 5510: Allow Pings and ssh 'putty' connection to directly connected 2800 router

Hi All

I have an ASA 5510 with a DMZ interface that has a Cisco 2800 router directly connected to it.  I am having two issues:

1. I want to use WhatsUpGold on the inside LAN to ping the router to monitor up status (at least the e0 interface directly connected to the ASA).

2. I want to connect to the router from the inside LAN using PuTTY on port 22 (I believe I have configured the router properly to handle SSH connections on the vty lines). Right now I get a PuTTY fatal error: Network error: Connection refused

The issue is, on the ASA we have an ACL bound to the inside interface with a Deny IP any any statement at the end so it is adding a layer of difficulty.

Do I need an ACE to the inside ACL allowing access from Inside to DMZ interface eq ssh?  Same with ICMP Pings?

Thanks

4 REPLIES
Cisco Employee

Re: ASA 5510: Allow Pings and ssh 'putty' connection to directly

Yes.

You are initiating connections from the inside towards the DMZ, so you will need to open the ACL if there is an ACL applied on the inside interface. Make sure it is above the "deny any any" if there is an explicit "deny any any".

Then you will need translations and routes.

I hope it helps.

PK

Cisco Employee

Re: ASA 5510: Allow Pings and ssh 'putty' connection to directly

You need this

static (inside,dmz) whatup_gold_ip whatup_gold_ip netmask 255.255.255.255

I believe whatup_gold will know (from its GW) to get to the firewall in order to reach the router on the DMZ.

If you don't have an ACL on the higher security interface, then just that static should make it work; otherwise, add permission on the ACL applied on the inside interface:

access-list blah permit tcp host whatsup_gold_ip host 2800_dmz_ip eq 22

-KS

New Member

Re: ASA 5510: Allow Pings and ssh 'putty' connection to directly

Thanks for the info.

I do have an ACL on the higher security inside interface, so it seems I need to create ACEs on the inside to out ACL that permits traffic to DMZ on port 22 and for icmp?

I want to allow the entire inside subnet 192.168.101.0/24 to send traffic to 192.168.201.1 (DMZ router address) on port 22.

I want the same for pings from any host on the inside subnet to 192.168.101.1

1. Should my ACL for ssh specify the DMZ interface or the router's e0 address?

2. I have tried and failed to create an ACL to handle icmp, any ideas?

Thanks again!

Cisco Employee

Re: ASA 5510: Allow Pings and ssh 'putty' connection to directly

I do have an ACL on the higher security inside interface, so it seems I need to create ACEs on the inside to out ACL that permits traffic to DMZ on port 22 and for icmp?

I want to allow the entire inside subnet 192.168.101.0/24 to send traffic to 192.168.201.1 (DMZ router address) on port 22.

I want the same for pings from any host on the inside subnet to 192.168.101.1

1. Should my ACL for ssh specify the DMZ interface or the router's e0 address?

2. I have tried and failed to create an ACL to handle icmp, any ideas?

You need:

access-list blah permit tcp 192.168.101.0 255.255.255.0 host 192.168.201.1 eq 22

access-list blah permit icmp 192.168.101.0 255.255.255.0 host 192.168.201.1

-KS
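Pulling the pieces from this thread together, the following is an added example configuration (not posted by anyone in the thread, and not taken from Cisco documentation). It uses the pre-8.3 ASA syntax that matches the "static (inside,dmz)" form above, and assumes the inside ACL is named INSIDE_IN, the inside subnet is 192.168.101.0/24, the 2800's DMZ address is 192.168.201.1, and the ASA interfaces are named "inside" and "dmz". The last block shows how to check the result with show access-list and packet-tracer rather than by guessing.

```text
! Added example; assumed names: INSIDE_IN, inside/dmz interface names,
! 192.168.101.0/24 inside subnet, 192.168.201.1 router on the DMZ.
!
! 1. Identity NAT so the inside hosts reach the DMZ with their own addresses
static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
!
! 2. Permit ACEs go above the explicit deny; ASA ACLs are first-match,
!    so anything placed after "deny ip any any" is never evaluated.
!    Only echo is permitted, not the whole ICMP type range.
access-list INSIDE_IN line 1 extended permit tcp 192.168.101.0 255.255.255.0 host 192.168.201.1 eq 22
access-list INSIDE_IN line 2 extended permit icmp 192.168.101.0 255.255.255.0 host 192.168.201.1 echo
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! 3. Without ICMP inspection the ASA does not treat echo/echo-reply as one
!    connection, so the router's reply coming from the lower-security dmz
!    interface is dropped. Enabling inspect icmp in the default global policy
!    lets the reply back without opening the dmz interface ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 4. Verify: hit counts per ACE, then simulate the two flows from the thread
show access-list INSIDE_IN
packet-tracer input inside tcp 192.168.101.10 40000 192.168.201.1 22
packet-tracer input inside icmp 192.168.101.10 8 0 192.168.201.1
```

If packet-tracer shows the SSH flow allowed through the ASA but PuTTY still reports "Connection refused", the refusal is coming from the router itself (no SSH server listening on the 2800), which is a router-side issue rather than a firewall one.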
