Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.


Possible with ASA appliance

Looking at the diagram, is it possible to

ssh from the WinXP machine to both Eth0 (

IP address and Eth1 (IP

address If it is possible,

how do I go about doing it?



Re: Possible with ASA appliance

David, my opinion ..

You can ssh to E0 provided you have allow ssh to WinXP. One cannot ssh to E1 from WinXP unless you have an Ipsec tunnel , and management-access statement in ASA firewall.


Actually... let me re-look at the diagram again.

I read to quick, you shoudl be able to SSH to both hosts and through alc permittng ssh through outside interface.


Re: Possible with ASA appliance

WinXP can ssh to without any

issues. That's easy.

When WinXP ssh to host, this

is where you run into asymetric route.

In other words, traffics will Enter E0,

leave E2 and comeback into E1.

How does ASA handle it?

Re: Possible with ASA appliance

Is centOS gateway and what message is showing in asdm log for the traffic back.


Re: Possible with ASA appliance

CentOS gateway has two NICs: (eth1) and (eth2). CentOS' default gateway is

Re: Possible with ASA appliance

If Im understanding this right, I see the asymetric routing but I believe the centOS does not know to get backout on E2 as it supose to but using centOS only default gateway, if centOS NIC2 had a default gateway of 3.1 it should get backout on E2.. unless Im missing something.


Re: Possible with ASA appliance

Here is the flow sequence:

WinXP makes an SSH connection to

Traffics will hit ASA E0, go out of E2

interface. It will then hit Eth2

interface of CentOS.

On the return path, traffics will leave

Eth1 of CentOS because the default gateway for CentOS is Now,

you got asymetric route.

Re: Possible with ASA appliance

This is a good one and to be honest I would have to lab this out, anyone can provide some thoughts , E1 should not be taking that traffic E2 back out E0 , I wander if ip verify reverse-path would prevent this.


Re: Possible with ASA appliance

Anyone know if this is possible with ASA

appliance? Thanks