Friday, December 16, 2016

Allow Remote Access from Internet to a Device of Inside Zone through Firewall

This post shows a secure way to remotely manage (SSH into) a device (Coperate-Router) that sits in the inside/higher-security zone of a firewall from the outside/lower-security zone. That outside zone can even be the public Internet. Here I am allowing it through a Cisco ASA Firewall.

After the basic IP addressing and routing are configured, the lab starts in ASDM.

Here we have to solve only two problems:
1. Set up a public IP address to reach the Coperate-Router from the Internet
2. Let traffic pass through the firewall from the lower-security zone to the higher-security zone

We will use NAT and an ACL to solve these.

Create two objects for Coperate-Router with its public and internal IPs

Go to Configuration > Firewall > Objects > Network Objects/Groups and create two objects: one with the public IP address, and another that represents the actual Coperate-Router (its internal IP) in the NAT process.

You can create the public object with any public IP you have; which one doesn't matter.

Static NAT rule between the created objects

Go to Configuration > Firewall > NAT Rules and add a NAT rule with the following settings:

The Original Packet interfaces must be source interface outside, destination interface inside.
The source address is irrelevant because the connection can come from anywhere on the Internet.
If you want only one PC to be able to connect to Coperate-Router, you can give it as the source address of the original packet. You can also restrict the source in the ACL instead, because this is just a NAT rule, which the packet hits before the ACL.
The destination address of the original packet should be the Public-CoRouter object.

ACL from outside to the internal IP of Coperate-Router

Go to Configuration > Firewall > Access Rules and add an ACL with the following settings:

The ACL is applied to the outside interface, and the destination must be the CoRouter object we created (the internal IP, because ASA access rules match the real, untranslated address).
You can restrict the service to SSH only, so no other port on the router is exposed.

Configure Routes

For this setup to work, three routes must exist:

1. A default route on Coperate-Router to the ASA
2. A default route on the ASA to INT-RTR
3. A static route on INT-RTR to the ASA

If the routes above are configured correctly, Internet-PC will be able to open an SSH session to Coperate-Router.
If you encounter problems with the SSH configuration on Coperate-Router, please read this
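For readers who prefer the CLI, the same three steps (objects, the twice-NAT rule, the inbound ACL) and the three routes, as an added example that is not the author's lab configuration or screenshots. It assumes ASA 8.3+ NAT syntax and constructed lab addressing (RFC 5737 ranges): Coperate-Router 10.1.1.1 behind ASA inside 10.1.1.254, ASA outside 203.0.113.2 linked to INT-RTR 203.0.113.1, public address 198.51.100.10, Internet-PC 192.0.2.5. The ACL name OUTSIDE_IN is also an assumption; only the object names CoRouter and Public-CoRouter come from the post. A packet-tracer check is included so the policy can be confirmed before the device is reachable from the Internet.

```cisco
! --- Cisco ASA (8.3+ NAT syntax assumed; addresses are constructed lab values) ---
! Network objects: the real (internal) address and the public (mapped) address.
object network CoRouter
 host 10.1.1.1
object network Public-CoRouter
 host 198.51.100.10
!
! Twice (manual) NAT matching the ASDM rule: original packet enters on outside
! destined for inside, any source, destination Public-CoRouter translated to
! CoRouter. To pin access to one management PC, replace "any any" with a
! host object for that PC (or restrict the source in the ACL below).
nat (outside,inside) source static any any destination static Public-CoRouter CoRouter
!
! Inbound ACL on outside. ASA access rules match the real (untranslated)
! destination, so the rule references CoRouter, not the public object.
! Limiting the service to SSH keeps every other port on the router closed.
access-list OUTSIDE_IN extended permit tcp any object CoRouter eq ssh
access-group OUTSIDE_IN in interface outside
!
! Route 2: default route on the ASA toward INT-RTR (next hop assumed).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Verification: simulate the inbound SSH packet from Internet-PC through NAT
! and the ACL. The trace should end with "Action: allow" and show the
! destination translated to 10.1.1.1; "show nat detail" and "show conn"
! confirm the translation counters and the live SSH session afterwards.
packet-tracer input outside tcp 192.0.2.5 40000 198.51.100.10 22

! --- Coperate-Router (IOS), route 1: default route toward the ASA inside ---
ip route 0.0.0.0 0.0.0.0 10.1.1.254

! --- INT-RTR (IOS), route 3: reach the public address via the ASA outside ---
ip route 198.51.100.10 255.255.255.255 203.0.113.2
```

The public address is deliberately placed outside the INT-RTR/ASA link subnet so that route 3 is clearly required; if the public IP were taken from that link subnet, the ASA's proxy ARP for the mapped address would answer on INT-RTR's behalf and no static route would be needed.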
