SSH to DMZ on ASA 5505

Here is my dilemma...I have a rack of Cisco equipment that I have been studying with, on my lunch breaks, but our IT department has cut access to Telnet. I completely understand why they did it, but the only reason I used it for so long was because the rack was placed in a DMZ, without any access to the internal network at home.

Well, when they dropped Telnet, it caused an issue with my ability to study.

I have the ASA 5505 configured with three zones, INSIDE, OUTSIDE, AND DMZ. I can successfully SSH from the outside into the ASA to configure, as well as access the ASDM GUI. On the inside, I can SSH to the ASA, as well as Telnet to the Cisco Access Server in the DMZ.

I have tried configuring Clientless SSL and SSL w/ AnyConnect VPNs, and they do not work at work, mainly because I do not have admin rights to install any kind of client or to change browser settings. AnyConnect wants to create a special VPN network adapter, but I am unable to do that either, with the restrictions put in place.

Long story short, I need a good way to allow me to SSH into the Rack remotely. I have tossed around the idea of using one of the 1721 Routers I have with a VPN card built in. I could stick the 1721 in front of the ASA, with a static route between the two devices. And maybe use an ACL for security.

I am open to any and all suggestions on how I can make this work.

Thanks in advance!

Chris
 
Can't you use putty on your work PC? Putty doesn't install anything, just download and run it.
 
So can you SSH to any of the equipment in the DMZ? Just port forward a port so that device can be accessed via SSH. From any switch you should be able to just type telnet x.x.x.x at the terminal prompt and get into anything else in the DMZ (connect into one device and use that device to connect to the others). I would just tell you to SSH into the ASA and do that, but it doesn't sound like you can type telnet x.x.x.x from a firewall appliance. (You should be able to SSH, though.)
 
> Can't you use putty on your work PC? Putty doesn't install anything, just download and run it.

I use a portable version of Putty from a jump drive to SSH into the ASA without any issue.



> So can you SSH to any of the equipment in the DMZ? Just port forward a port so that device can be accessed via SSH. From any switch you should be able to just type telnet x.x.x.x at the terminal prompt and get into anything else in the DMZ (connect into one device and use that device to connect to the others). I would just tell you to SSH into the ASA and do that, but it doesn't sound like you can type telnet x.x.x.x from a firewall appliance. (You should be able to SSH, though.)

I am unable to SSH to the equipment in the DMZ. The routers are mostly 2500 series, with (2) 2950 switches, (1) 3550 switch, and (2) 1721 routers with the internal VPN cards built in. So most of them, with the exception of the 3550 and the 1721 routers, do not support SSH directly. However, I have a 2509 Access Server that I use to access all devices. Ideally, I would like to SSH into the Access Server.

Currently, when I SSH into the ASA, I have a domain mapped to the 192.168.1.1 address on the ASA. This allows me into the device to configure it remotely if I don't want to use the ASDM interface. The DMZ interface on the ASA is 172.16.0.1 and the Access Server is 172.16.0.2. Since the Access Server, on its own, will not support SSH, should I open a port to 172.16.0.1, and then connect from there?
 

You can already get into your ASA from the outside IP, so you wouldn't need to worry about having SSH access to the DMZ interface on it. (Having SSH to the ASA DMZ interface won't make telnet work for the access server.) The main issue is that you need to be on a device that supports SSH so you can open another connection with telnet. You could set up a port forward from outside to SSH on the 3550 in the DMZ, then once you are logged into the switch, make your telnet connections to everything else in the DMZ. You could also just put your 1721 in the DMZ and port forward VPN access through the ASA to it so you can tunnel traffic.
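As an added example (not from any post in this thread), here is what that port forward looks like on the ASA in pre-8.3 `static` syntax, with the exposure limited to one admin source address rather than the whole internet. The 3550's DMZ address 172.16.0.3, the outside port 2222 and the admin source 203.0.113.10 are assumed placeholders; the DMZ interface 172.16.0.1 comes from the thread, and ASA 8.3+ expresses the same NAT with `object network` instead of `static`.

```cisco
! ----- ASA (8.2 and earlier syntax) -----
! 1. Translate TCP/2222 on the outside interface address to the 3550's SSH port.
!    172.16.0.3 is an assumed address for the 3550; the DMZ interface itself
!    stays 172.16.0.1 and is not the forwarding target.
static (dmz,outside) tcp interface 2222 172.16.0.3 22 netmask 255.255.255.255
!
! 2. Only the admin host (203.0.113.10, assumed) may reach the forwarded port.
!    The implicit deny at the end of the list drops everyone else, so the
!    switch is never reachable from arbitrary internet addresses.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 interface outside eq 2222
access-group OUTSIDE_IN in interface outside
!
! 3. Log denied attempts against the forwarded port so scans show up in syslog.
logging enable
logging trap warnings
!
! ----- 3550 switch (the SSH hop; not the ASA) -----
! Generate a host key and accept SSH only on the vty lines, so the one device
! exposed through the firewall does not also answer telnet from the internet.
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <strong-password-here>
line vty 0 4
 transport input ssh
 login local
! From the switch's exec prompt, "telnet 172.16.0.2" reaches the 2509 access
! server, and from there the 2500-series routers that have no SSH of their own.
```

The switch still reaches the rest of the DMZ over plain telnet, which is acceptable only because that traffic never leaves the DMZ segment; the SSH hop is the only leg that crosses the firewall.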
 
I was able to create a smart tunnel and allow all TCP traffic from putty.exe into the tunnel. It's flawless now!

The only other issue I am having is the fact that while I am at work, I am unable to browse to another website, while connected to the VPN and Tunnel.

I know there is a feature called "split-tunneling", but from what I've read, that only applies to a client-based VPN. Since I am using a clientless VPN, will it work in my case?
 