I am upgrading a new remote office using an ASA5525X as our gateway with (3) 2960Xs behind that for the LAN-call it Site A
With the understanding that I cannot SSH to the ASA and then SSH from the ASA to the switches underneath it, I am working on trying to find a way to access these switches remotely.
We currently have an IPSEC VPN Tunnel to this office that allows Site A's internal subnet (192.168.5.0/24) to talk to the HQ subnet of 192.168.10.0/24.
I have the switches set up as 192.168.5.5, 192.168.5.6 and 192.168.5.7 with the default gateway pointing to the ASA as 192.168.5.1.
-----
I have been doing some digging and seen something in regards to NATing these internal switches IPs OUT to a specific port and using the external IP of the ASA with that port to access them. Below is a config I am implementing on the ASA.
Has anyone used this method or believe it will work?
object network SW1
 host 192.168.5.5
object network SW2
 host 192.168.5.6
object network SW3
 host 192.168.5.7
!
object-group network SSH_Switches
 network-object object SW1
 network-object object SW2
 network-object object SW3
!
! Static PAT: outside-interface IP, one unique outside port per switch, translated to tcp/22 on the real host.
! (22111-22113 are not the ports I am using, just an example.)
object network SW1
 nat (inside,outside) static interface service tcp ssh 22111
!
object network SW2
 nat (inside,outside) static interface service tcp ssh 22112
!
object network SW3
 nat (inside,outside) static interface service tcp ssh 22113
!
! 192.168.10.0/24 is the HQ office subnet. On ASA 8.3+ the interface ACL is matched against the
! real (untranslated) destination, so it permits the switches' real IPs on port 22, not the mapped ports.
access-list Outside extended permit tcp 192.168.10.0 255.255.255.0 object-group SSH_Switches eq 22
access-group Outside in interface outside
!
Any help/confirmation much appreciated.
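As an added example (not part of the original post and not a Cisco tool), the script below parses a config in the shape shown above and audits the static PAT exposure the way a reviewer would before committing it: every mapped outside port must belong to exactly one host, each translated host must be covered by an ACL entry that matches the real (untranslated) IP and real port, as ASA 8.3+ evaluates interface ACLs, and that ACL must actually be applied inbound on the outside interface. The config text, object names and ports embedded in it are constructed from the post; the `PORT_NAMES` table is a small assumed subset of the ASA port keywords.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the poster's config with the remarks moved out of the command
# lines and the ACL bound to the outside interface. Ports are the poster's example values.
SAMPLE_CONFIG = """
object network SW1
 host 192.168.5.5
object network SW2
 host 192.168.5.6
object network SW3
 host 192.168.5.7
!
object-group network SSH_Switches
 network-object object SW1
 network-object object SW2
 network-object object SW3
!
object network SW1
 nat (inside,outside) static interface service tcp ssh 22111
object network SW2
 nat (inside,outside) static interface service tcp ssh 22112
object network SW3
 nat (inside,outside) static interface service tcp ssh 22113
!
access-list Outside extended permit tcp 192.168.10.0 255.255.255.0 object-group SSH_Switches eq 22
access-group Outside in interface outside
"""

# Assumed subset of ASA port keywords; numeric ports are passed through.
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def port_number(token):
    """Resolve an ASA port keyword or a numeric port string to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Collect host objects, object-groups, static PATs, ACL entries and access-group bindings."""
    hosts, groups, pats, acls, bound = {}, {}, [], [], set()
    obj = grp = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and ASA comments
        if m := re.match(r"object network (\S+)$", line):
            obj, grp = m.group(1), None
        elif m := re.match(r"object-group network (\S+)$", line):
            grp, obj = m.group(1), None
            groups[grp] = []
        elif m := re.match(r"host (\S+)$", line):
            hosts[obj] = m.group(1)
        elif m := re.match(r"network-object object (\S+)$", line):
            groups[grp].append(m.group(1))
        elif m := re.match(r"nat \((\S+),(\S+)\) static interface service tcp (\S+) (\S+)$", line):
            pats.append({"object": obj, "outside": m.group(2),
                         "real_port": port_number(m.group(3)),
                         "mapped_port": port_number(m.group(4))})
        elif m := re.match(r"access-list (\S+) extended permit tcp (\S+) (\S+) object-group (\S+) eq (\S+)$", line):
            acls.append({"name": m.group(1),
                         "src": ip_network(f"{m.group(2)}/{m.group(3)}"),
                         "dst_group": m.group(4), "port": port_number(m.group(5))})
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bound.add((m.group(1), m.group(2)))
    return hosts, groups, pats, acls, bound


def audit(text):
    """Return a list of findings; an empty list means the static PAT exposure is consistent."""
    hosts, groups, pats, acls, bound = parse_config(text)
    findings, seen = [], {}
    for p in pats:
        label = f"{p['object']} ({hosts.get(p['object'])}) on {p['outside']}:{p['mapped_port']}"
        # Two hosts behind the same outside port would make the second translation unreachable.
        if p["mapped_port"] in seen:
            findings.append(f"{label}: mapped port already used by {seen[p['mapped_port']]}")
        seen[p["mapped_port"]] = p["object"]
        # ASA 8.3+ matches the interface ACL against the real IP and real port (22 here),
        # not against the outside address and the mapped port.
        entries = [a for a in acls
                   if p["object"] in groups.get(a["dst_group"], []) and a["port"] == p["real_port"]]
        applied = [a for a in entries if (a["name"], p["outside"]) in bound]
        if not entries:
            findings.append(f"{label}: no ACL entry permits real port {p['real_port']} to {p['object']}")
        elif not applied:
            findings.append(f"{label}: access-list {entries[0]['name']} is not applied inbound on {p['outside']}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run against the sample it reports nothing; delete the `access-group` line and it flags all three switches as exposed without an applied ACL, and giving two switches the same outside port flags the collision.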