New Member

Here's an odd one... SSH to ASA when outside is private. (5585-40/8.4)

Okay, this is an interesting case.

Hardware: 5585-40 in active/active.  One context per customer.

Software: 8.4(2)

Setup: Inbound connections come in via a couple of ASRs, then on to a couple of 7K VDCs that handle the "outside" zone.  Each customer gets a private network using HSRP/SVI and gets trunked over to the outside subinterface of the ASAs.  Public IP space gets routed to the private address on the outside primary ASA interface, and customers route and/or NAT through as needed just fine.

This works great in achieving two goals:

1. Easy way to keep customers from terminating VPN tunnels on the ASAs (for performance/multi-tenancy reasons).

2. Keeps the customer specific configuration on our equipment down to a redistributed static route which is easy to provision and scales well.

Issue:  Most clients are built with dedicated WAN connections that terminate on the "inside" zone of their firewall context (where they access their context) so this hasn't come up yet.  However, I now have a need to allow a customer to SSH into their firewall from "outside".  I've tried various static NAT schemes and ACLs, but I'm running out of ideas.

Does anybody have any ideas on how to crack this nut?

Thanks,

-Daniel

1 REPLY
Cisco Employee

Daniel,

So access the outside IP for SSH from inside? Nope, not possible. By design (and moreover for security reasons) the ASA won't allow you to access the far-end IP address of any interface other than the one that you connect to. One solution would be VPN and use the management-access outside command, but you are in multiple context, so that ship has sailed.

BTW, NAT to an identity address doesn't work.

Cheers,

Mike.
