Cisco ASA 8.2 to 9.x :: migrando :: parte 4

Seguimos migrando….

Ahora toca añadir ssh para acceder a la config desde el exterior… los pasos:


asa(config)#username pix password password privilege 15
asa(config)#aaa authentication ssh console LOCAL
asa(config)#crypto key generate rsa
WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
asa(config)#ssh 1.1.1.0 255.255.255.0 outside

Y ahora ordenamos los nats….. en las configs anteriores no estaba del todo claro:

suponemos que tenemos los servers siguientes:

server11, server12 y server13 y hemos de abrir varios puertos con cada uno de ellos:


object network srv-192.168.0.13_3389
host 192.168.0.13
description server13_3389
object network srv-192.168.0.12_21
host 192.168.0.12
description server12_21
object network srv-192.168.0.12_20
host 192.168.0.12
description server12_20
object network srv-192.168.0.12_20_udp
host 192.168.0.12
description server12_20
object network srv-192.168.0.11_80
host 192.168.0.11
description server11_80
object network srv-192.168.0.11_443
host 192.168.0.11
description server11_443
object network srv-192.168.0.11_110
host 192.168.0.11
description server11_110
object network srv-192.168.0.11_143
host 192.168.0.11
description server11_143
object network srv-192.168.0.11_587
host 192.168.0.11
description server11_587

access-list outside_in extended permit tcp any object server13 eq 444
access-list outside_in extended permit tcp any object server13 eq 3389
access-list outside_in extended permit tcp any object server12 eq ftp
access-list outside_in extended permit tcp any object server12 eq ftp-data
access-list outside_in extended permit udp any object server12 eq 20
access-list outside_in extended permit tcp any object server11 eq www
access-list outside_in extended permit tcp any object server11 eq https
access-list outside_in extended permit tcp any object server11 eq pop3
access-list outside_in extended permit tcp any object server11 eq imap4
access-list outside_in extended permit tcp any object server11 eq 587

object network srv-192.168.0.13_444
nat (inside,outside) static interface service tcp 444 444
object network srv-192.168.0.13_3389
nat (inside,outside) static interface service tcp 3389 3389
object network srv-192.168.0.12_21
nat (inside,outside) static interface service tcp ftp ftp
object network srv-192.168.0.12_20
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network srv-192.168.0.12_20_udp
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network srv-192.168.0.11_80
nat (inside,outside) static interface service tcp www www
object network srv-192.168.0.11_443
nat (inside,outside) static interface service tcp https https
object network srv-192.168.0.11_110
nat (inside,outside) static interface service tcp pop3 pop3
object network srv-192.168.0.11_143
nat (inside,outside) static interface service tcp imap4 imap4
access-group outside_in in interface outside

Es bastante más engorroso, pero supongo que tendrá una explicación 😉