Bedrock1977
Here is a generic diagram of my home and Cisco Lab environments. The Lab is located in the DMZ and should be accessible from the Internet, as well as from the inside. I can ping the DMZ from the inside, ping from the DMZ to the outside, and telnet directly to the Cisco Access Server 172.16.0.253 from the inside. I can also SSH into the ASA from the outside. Maybe there is something that I am missing here.
Once I am able to fully access the lab from the outside, I want to start considering options to access the lab remotely, but in some way other than telnet. The Cisco equipment I have does not support VPN/SSH. Is it possible to SSH directly to the ASA, then open a telnet session to the lab's access server?
Code:
ASA Version 9.1(5)
!
hostname ASA1
enable password XXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
speed 100
duplex full
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPoE
ip address pppoe setroute
!
interface Vlan3
description LINK TO CISCO RACK
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network power_switch_static
host 192.168.1.110
object network cisco_lab_static
host 172.16.0.253
object network dmz_to_outside
subnet 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp any host 172.16.0.253 eq telnet
access-list outside_in extended permit tcp any host 192.168.1.110 eq 5000
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network cisco_lab_static
nat (dmz,outside) static interface service tcp telnet telnet
object network dmz_to_outside
nat (dmz,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
no ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 inside
ssh XXXXX 255.255.255.255 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PPPoE request dialout pppoe
vpdn group PPPoE localname XXXXX
vpdn group PPPoE ppp authentication pap
vpdn username XXXXX password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 216.146.35.35 216.146.36.36 interface inside
dhcpd enable inside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.113.32.5 source outside
username XXXXX password XXXXX encrypted privilege 15
username XXXXX attributes
service-type nas-prompt
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
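Editor's note with an added example (this is not code from the post or from Cisco). The posted configuration defines the access-list outside_in but never applies it with an access-group line, so the outside interface is still under the default policy, which denies new connections from a lower-security interface (outside, level 0) to a higher one (dmz, level 50). That is consistent with the symptoms: replies to pings started from the DMZ come back through the stateful connection table, while connections started from the Internet to the published telnet port have no permit to match. The script below runs that check, plus two others a practitioner would want, over a constructed, abridged copy of the posted config (the masked management address is replaced by the documentation placeholder 203.0.113.10). It assumes ASA 8.3+ semantics: ACLs match real, pre-NAT addresses, NAT lives under `object network`, and an ACL is inert until bound by `access-group`. The remediation lines it emits are standard ASA CLI; `dh-group14-sha1` is available on the 9.1 train shown.

```python
"""Static check of an ASA running-config for common remote-access mistakes.

Added example (not code from the forum post or from Cisco). Assumes ASA 8.3+
syntax: ACLs match real (pre-NAT) addresses, NAT is configured under
'object network', and an access-list does nothing until an 'access-group'
binds it to an interface.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the kind of config in the post. The
# 203.0.113.10 address is a documentation-range stand-in for the masked one.
SAMPLE_CONFIG = """\
ASA Version 9.1(5)
hostname ASA1
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50
object network power_switch_static
 host 192.168.1.110
object network cisco_lab_static
 host 172.16.0.253
access-list outside_in extended permit tcp any host 172.16.0.253 eq telnet
access-list outside_in extended permit tcp any host 192.168.1.110 eq 5000
object network cisco_lab_static
 nat (dmz,outside) static interface service tcp telnet telnet
nat (inside,outside) after-auto source dynamic any interface
ssh 192.168.0.0 255.255.0.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh key-exchange group dh-group1-sha1
"""

WEAK_KEX = {"dh-group1-sha1"}  # 1024-bit MODP group; dh-group14-sha1 exists on 9.1


@dataclass
class Findings:
    unbound_acls: list = field(default_factory=list)         # defined, never applied
    unpublished_targets: list = field(default_factory=list)  # (acl, real host) with no static NAT
    weak_kex: list = field(default_factory=list)             # weak SSH key-exchange groups
    ssh_from_any: list = field(default_factory=list)         # interfaces allowing SSH from 0/0
    remediation: list = field(default_factory=list)          # suggested CLI lines


def _published_hosts(lines):
    """Return {real host IP: mapped interface} for every object static NAT."""
    hosts, published, current = {}, {}, None
    for line in lines:
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)   # same object may appear twice (host, then nat)
            continue
        m = re.match(r"\s+host (\S+)$", line)
        if m and current:
            hosts[current] = m.group(1)
            continue
        m = re.match(r"\s+nat \((\S+),(\S+)\) static ", line)
        if m and current in hosts:
            published[hosts[current]] = m.group(2)  # mapped-side interface
    return published


def lint_asa_config(text: str) -> Findings:
    lines = text.splitlines()
    f = Findings()
    published = _published_hosts(lines)

    # ACL entries whose destination is a single real host (the usual
    # "publish one server" shape). Greedy '.*' picks the last 'host', i.e.
    # the destination even when the source is also a host.
    acl_targets = {}
    for line in lines:
        m = re.match(r"access-list (\S+) extended permit \S+ .*host (\S+)", line)
        if m:
            acl_targets.setdefault(m.group(1), []).append(m.group(2))

    bound = {m.group(1) for m in re.finditer(
        r"^access-group (\S+) (?:in|out) interface \S+", text, re.M)}
    for acl, targets in acl_targets.items():
        if acl not in bound:
            f.unbound_acls.append(acl)
            # Bind it on the interface where the permitted hosts are published.
            for iface in sorted({published[t] for t in targets if t in published}):
                f.remediation.append(f"access-group {acl} in interface {iface}")
        for t in targets:
            if t not in published:
                f.unpublished_targets.append((acl, t))

    for m in re.finditer(r"^ssh key-exchange group (\S+)", text, re.M):
        if m.group(1) in WEAK_KEX:
            f.weak_kex.append(m.group(1))
            f.remediation += ["ssh version 2", "ssh key-exchange group dh-group14-sha1"]

    for m in re.finditer(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)", text, re.M):
        f.ssh_from_any.append(m.group(1))
    return f


if __name__ == "__main__":
    result = lint_asa_config(SAMPLE_CONFIG)
    for acl in result.unbound_acls:
        print(f"access-list {acl} is defined but never applied with access-group")
    for acl, host in result.unpublished_targets:
        print(f"{acl} permits traffic to {host}, but no static NAT publishes that host")
    for kex in result.weak_kex:
        print(f"weak SSH key exchange configured: {kex}")
    print("suggested fixes:", *result.remediation, sep="\n  ")
```

On the sample this reports outside_in as unbound and suggests `access-group outside_in in interface outside`; it also notes that the second ACL entry (192.168.1.110 port 5000) has no static NAT behind it, so it cannot be reached from outside even once the ACL is bound, and that the SSH key exchange is the 1024-bit dh-group1-sha1. On the second question in the post: the ASA CLI does not offer an outbound telnet client to hop from, so the usual route is a remote-access VPN terminating on the ASA (which the ASA does support even when the lab gear does not) and telnet to the access server across the tunnel, with the telnet permit on outside_in removed once that works.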