Here's an odd one... SSH to ASA when outside is private. (5585-40/8.4)
Okay, this is an interesting case.
Hardware: 5585-40 in active/active. One context per customer.
Setup: Inbound connections come in via a couple of ASRs, then on to a couple of 7K VDCs that handle the "outside" zone. Each customer gets a private network using HSRP/SVI and gets trunked over to the outside subinterface of the ASAs. Public IP space gets routed to the private address on the outside primary ASA interface, and customers route and/or NAT through as needed just fine.
This works great in achieving two goals:
1. Easy way to keep customers from terminating VPN tunnels on the ASAs (for performance/multi-tenancy reasons).
2. Keeps the customer-specific configuration on our equipment down to a redistributed static route, which is easy to provision and scales well.
Issue: Most clients are built with dedicated WAN connections that terminate on the "inside" zone of their firewall context (where they access their context) so this hasn't come up yet. However, I now have a need to allow a customer to SSH into their firewall from "outside". I've tried various static NAT schemes and ACLs, but I'm running out of ideas.
Does anybody have any ideas on how to crack this nut?
So access the outside IP for SSH from inside? Nope, not possible. By design (and moreover for security reasons), the ASA won't allow you to access the far-end IP address of any interface other than the one that you connect to. One solution would be VPN and use the management-access outside command, but you are in multiple context so that ship has sailed.