Enabling Router SSH through ASAv ASDM over the WAN
This lab enables remote administration of the router, R1, from the WAN. The two building blocks are a one-to-one static NAT on the ASAv that maps a public address to the router, and SSH enabled on the router itself.
To recap, here is the summary of the lab configuration so far:
- Cloud1 represents the WAN.
- ASAv has an outside interface of 192.168.14.130 (pretending this is our public IP).
- ASAv has an inside interface of 10.1.0.250
- ASDM is successfully built with reachability using the outside interface 192.168.14.130
- The network behind the ASAv is designed with 10.0.0.0/24
- The router is configured to route traffic with a default gateway to the ASAv
- The virtual PC is configured with the router as the default gateway
- The virtual PC can successfully reach the ASAv's inside IP 10.1.0.250.
- The virtual PC is configured with 8.8.8.8 DNS Server
- The ASAv is configured with dynamic PAT so that internal IP addresses are translated to a public IP for outbound communication.
Step 1 - Enable Static NAT
Static NAT assigns a fixed public IP address to an internal address, giving external users a stable mapping through which they can reach an internal service. The ASAv is the gateway between the external network and the internal network the router belongs to, so the ASAv is where the static NAT that maps a public IP address to the router's internal IP is configured.
Enabling Static NAT begins with creating two network objects.
The first is R1. Navigate to Configuration to Firewall to Objects to Network Objects/Groups. Then from the Add drop down select Add Network Object. Fill the object out as presented below:
Name: R1
Type: Host
IP Version: IPv4
IP Address: 10.1.0.1
Description: Router
Click OK.
The second object to be added will be Global-R1:
Name: Global-R1
Type: Host
IP Version: IPv4
IP Address: 192.168.14.131
Description: Public IP
Click OK.
Step 2 - Configuring the NAT Rule
The NAT rule tells the ASAv how traffic reaches its destination: it translates the known (public) IP to the hidden (internal) IP. In this case we'll associate the global IP address (192.168.14.131; I know this is a private IP in our scenario, but in production it would be a public one) with the internal router IP address (10.1.0.1).
To configure NAT rules, navigate to Configuration to Firewall to NAT Rules. Then from the Add drop down select Add NAT Rule.
We'll configure it as below:
Source Interface: outside
Destination Interface: inside
Source Address: any
Destination Address: Global-R1 (You need to click the 3 dots and select the object Global-R1 which was previously created)
Service: Any
Source NAT Type: Static
Source Address: Original
Destination Address: R1 (You need to click the 3 dots and select the object R1 which was previously created)
Enable Rule is checked
Click OK
Step 3 - Permitting the ACL for SSH traffic
While the NAT rule tells the traffic which path to take, the ACL decides whether the traffic is allowed to take that path. We'll add an access rule that permits only SSH traffic to the router for management.
From Configuration to Firewall to Access Rule, select the Add Access Rule from the Add drop down.
Fill out the form as shown below:
Interface: outside
Action: Permit
Source: any
Destination: R1
Service: tcp/ssh
Click OK
Step 4 - Applying and Saving ASDM Configuration
Once we've configured ASDM as shown above, we'll go ahead and click Apply and then Save, as shown in the screenshot.
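For readers who prefer the CLI, or who want to confirm what ASDM actually pushed to the firewall, here is the running configuration that Steps 1 through 4 above produce. This is an added example written for this page, not configuration taken from the original post; the access-list name outside_access_in is an assumption (it is the name ASDM generates by default for rules on the outside interface, but your unit may use a different one).

```cisco
! Step 1: network objects for the router's real and public-facing addresses
object network R1
 host 10.1.0.1
 description Router
object network Global-R1
 host 192.168.14.131
 description Public IP
!
! Step 2: manual (twice) NAT from outside to inside. The source is left
! untranslated (static any any); the destination Global-R1 is rewritten to R1.
nat (outside,inside) source static any any destination static Global-R1 R1
!
! Step 3: access rule on the outside interface. On ASA 8.3 and later, access
! rules match the real (untranslated) address, so the rule references R1,
! not Global-R1, and permits only tcp/22.
access-list outside_access_in extended permit tcp any object R1 eq ssh
access-group outside_access_in in interface outside
!
! Step 4: Apply in ASDM is the equivalent of entering the lines above;
! Save writes them to startup-config.
write memory
```

To verify the rule before touching the router, use the ASA's built-in packet tracer with a constructed outside source (203.0.113.5 is a documentation address, not a real host): packet-tracer input outside tcp 203.0.113.5 1025 192.168.14.131 22. The output walks through the NAT and ACL phases and ends in ALLOW if both are correct; show nat and show xlate confirm the translation once real traffic flows. In production, replace the source of any in the access rule with the network object for your management hosts so that tcp/22 on the router is not exposed to the whole WAN.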
Step 5 - Configuring Router for SSH
The ASAv is now configured so that the NAT rule knows where to send the traffic and the ACL permits SSH to pass. If a user tried to SSH now, though, they still would not get in, because the router isn't configured for SSH yet. Our next step takes care of this.
From the router:
configure terminal
! a hostname and domain name must be set before the RSA key can be generated
hostname R1
ip domain-name ecorp.com
! the lab uses a 1024-bit key; 2048 bits or larger is the current recommendation
crypto key generate rsa modulus 1024
! local account referenced by "login local" on the vty lines (lab credentials)
username admin privilege 15 secret toor
line vty 0 4
login local
! the lab leaves telnet enabled alongside ssh; "transport input ssh" would
! restrict remote management to SSH only
transport input telnet ssh
end
! save the running configuration to startup-config
write
Step 6 - Testing SSH Connection through the WAN
PuTTY or any SSH terminal can be used for this next step. If you don't have PuTTY installed, go ahead and do so now; it's a self-explanatory and simple process. Once PuTTY is up, configure the Host Name with 192.168.14.131 and click Open. Make sure you're on a personal network. You don't want to be on someone else's network where a machine with the same IP address could be reachable.
A Security Alert pops up for me. I clicked okay; you should be fine if you're on a personal network.
The command line will request credentials. Enter admin and toor as the username and password respectively, and voila!
show ssh
who
ASDM will also show the SSH connection.
Navigate to Monitoring to Properties to Connections.