I was just wondering about best practices when it comes to remote administration of the ASA.
It appears that SSH is the best option, but the one thing that bugs me is that I would have to allow SSH access on the outside interface for all IPs, since I never know from where I may need access to it.
Any suggestions on how this is normally done? I am not comfortable with the above solution since technically I am allowing somebody to use brute-force attacks for as long as they want (unless there are options which can be configured to prevent this).
You can use WebVPN; from within WebVPN you can RDP to an internal system and use SSH or ASDM or even Telnet sessions. WebVPN is SSL based and it is secure, and you do not have to allow any/any for SSH on the outside interface.
Well, this is the thing: I already do all these things, but every once in a while my end users (mostly C-level) call me and tell me they can't log in through VPN or WebVPN. Something goes haywire and then obviously I can't log on using these methods either.
So I thought maybe I could use SSH and try to reach the ASA that way from outside. I am not sure if the 5510 supports any kind of out-of-band access method. I am pretty sure that ours doesn't since we have a very basic setup.
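For anyone who ends up needing the SSH fallback the original poster describes, here is an added ASA configuration example (not from this thread or from Cisco's documentation) showing how to expose SSH on the outside interface while limiting the brute-force exposure the question raises: SSH version 2 only, local authentication with a lockout after repeated failures, a short idle timeout, and syslog of every login attempt to an internal collector. The management host range 203.0.113.0/24, the syslog server 192.0.2.10, and the user name are constructed placeholders; replace them with your own values, and prefer the narrowest source range you can live with over 0.0.0.0/0.

```cisco
! Added example configuration; addresses and user names are constructed placeholders.
! Generate a 2048-bit RSA key pair for the SSH server if one does not exist yet.
crypto key generate rsa modulus 2048

! Accept only SSH protocol version 2 (version 1 is weak and should not be enabled).
ssh version 2

! Idle sessions are dropped after 5 minutes so an abandoned session cannot be reused.
ssh timeout 5

! Preferred: permit SSH only from a known management range (constructed 203.0.113.0/24).
ssh 203.0.113.0 255.255.255.0 outside
! Fallback when the source really is unknown: open to the world, but only together with the
! lockout and logging below. Use one of the two "ssh ... outside" lines, not both.
! ssh 0.0.0.0 0.0.0.0 outside

! Administrative access also from the inside network (constructed 10.0.0.0/8).
ssh 10.0.0.0 255.0.0.0 inside

! Authenticate SSH logins against the local user database.
aaa authentication ssh console LOCAL

! Lock a local account after 5 consecutive failed attempts; unlock with
! "clear aaa local user lockout username <name>" from a working session.
aaa local authentication attempts max-fail 5

! A dedicated administrative account with a strong password (placeholder shown).
username netadmin password REPLACE-WITH-STRONG-PASSWORD privilege 15

! Send login events to an internal syslog host so failed attempts are visible.
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10
```

With this in place every SSH attempt produces an ASA syslog message (login permitted or login denied, with the source address), which gives the detection side of the picture: a stream of denied logins from one source on the outside interface is the brute-force activity the question worries about, and the account lockout limits how many guesses it can make before an administrator has to clear it from the inside or a working VPN session.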