Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Silver

Possible with ASA appliance

Looking at the diagram, is it possible to

ssh from the WinXP machine to both Eth0 (

IP address 192.168.2.2) and Eth1 (IP

address 192.168.3.2)? If it is possible,

how do I go about doing it?

Thanks.

8 REPLIES

Re: Possible with ASA appliance

David, my opinion ..

You can ssh to E0 provided you have allow ssh to WinXP. One cannot ssh to E1 from WinXP unless you have an Ipsec tunnel , and management-access statement in ASA firewall.

{edit}

Actually... let me re-look at the diagram again.

I read to quick, you shoudl be able to SSH to both hosts 192.168.2.2 and 192.168.3.2 through alc permittng ssh through outside interface.

Silver

Re: Possible with ASA appliance

WinXP can ssh to 192.168.2.2 without any

issues. That's easy.

When WinXP ssh to host 192.168.3.2, this

is where you run into asymetric route.

In other words, traffics will Enter E0,

leave E2 and comeback into E1.

How does ASA handle it?

Re: Possible with ASA appliance

Is centOS 192.168.3.2 gateway 192.168.3.1? and what message is showing in asdm log for the traffic back.

Silver

Re: Possible with ASA appliance

CentOS gateway has two NICs: 192.168.2.2 (eth1) and 192.168.3.2 (eth2). CentOS' default gateway is 192.168.2.1

Re: Possible with ASA appliance

If Im understanding this right, I see the asymetric routing but I believe the centOS 192.168.3.2 does not know to get backout on E2 as it supose to but using centOS only default gateway 192.168.2.1, if centOS NIC2 192.168.3.2 had a default gateway of 3.1 it should get backout on E2.. unless Im missing something.

Silver

Re: Possible with ASA appliance

Here is the flow sequence:

WinXP makes an SSH connection to 192.168.3.2.

Traffics will hit ASA E0, go out of E2

interface. It will then hit Eth2

interface of CentOS.

On the return path, traffics will leave

Eth1 of CentOS because the default gateway for CentOS is 192.168.2.1. Now,

you got asymetric route.

Re: Possible with ASA appliance

This is a good one and to be honest I would have to lab this out, anyone can provide some thoughts , E1 should not be taking that traffic E2 back out E0 , I wander if ip verify reverse-path would prevent this.

Silver

Re: Possible with ASA appliance

Anyone know if this is possible with ASA

appliance? Thanks

122
Views
0
Helpful
8
Replies