SSH Access Via Meraki MX to Aruba switch

Solved
AYEN
Getting noticed


Hi, 

 

    I have a question and would like a recommendation on how to configure and access SSH on an Aruba switch that is connected to an MX95, from an outside network. The configuration I have done is port forwarding in the firewall rules of the Meraki MX. But unfortunately I can't access SSH from outside. Topology:

 

   Internet ---> Meraki MX95 -----> Aruba Switch

  Do I need to use another public IP for NAT 1:1, or is port forwarding enough? What public port do I use for SSH?

Thanks 

1 Accepted Solution
AidanKamp
Meraki Employee

If using port forwarding, the only way you can affect this is by only allowing certain IP addresses.

 

The Aruba Switch likely has systems for authentication/authorisation (e.g. local users, RADIUS etc.) and it would need to be implemented there.

 

If you were accessing the Switch via VPN through the MX instead, you could use group policies to lock down SSH access via user. Port forwarding does not have any sort of functionality for user-based policy.

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!


12 Replies
AidanKamp
Meraki Employee

If I can propose a different solution that might be more secure for your needs:


Does your MX95 have Client VPN or AnyConnect enabled? It might be better to VPN to this MX instead, and as long as your firewall rules and VPN routing configuration allows for it, you can then SSH directly to the switch instead of needing a port forwarding rule.

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
AYEN
Getting noticed

Hi @AidanKamp ,

 

      I already proposed that, but the problem with that is you have to configure each device to connect to Client VPN to access the network, whereas with port forwarding you only need an internet connection to access SSH.

AidanKamp
Meraki Employee

Port forwarding should work fine then in that case. The public port can be anything you choose (as long as you change your SSH command to use that port), and the local port will need to match the port used by the Aruba switch (likely TCP 22):

 

[screenshot]

 

If this is still not working, you can perform a packet capture on the internet interface to make sure the MX is seeing the incoming TCP traffic from your host. If that is seen, a packet capture on the LAN interface will help you check if the MX is forwarding that traffic internally.

If you're still having trouble, give support a call and we'll be happy to help!

 

https://meraki.cisco.com/meraki-support/overview/

 

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
PhilipDAth
Kind of a big deal

If you go to the Uplink tab on the MX - does it show that the WAN interface has a public IP address?

 

[screenshot]

 

AYEN
Getting noticed

Yes, I saw it, but our client wants to use the other public IP to access SSH; that's why I use NAT 1:1. Is there any problem with that?

AYEN
Getting noticed

Hi @AidanKamp 

 

     I have already done it and can SSH successfully, but I did it with NAT 1:1. Is that OK? And I want the remote SSH access to be for a particular user. How can I do that?

AidanKamp
Meraki Employee

No problem with 1:1 NAT as long as it works for what you have the resources for.

Could you clarify your ask about a particular user and what your goal is?

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
AYEN
Getting noticed

Our goal is to access the Aruba switch from outside the network, and only a particular user can access the switch. Is that feasible?

AidanKamp
Meraki Employee

If using port forwarding, the only way you can affect this is by only allowing certain IP addresses.

 

The Aruba Switch likely has systems for authentication/authorisation (e.g. local users, RADIUS etc.) and it would need to be implemented there.

 

If you were accessing the Switch via VPN through the MX instead, you could use group policies to lock down SSH access via user. Port forwarding does not have any sort of functionality for user-based policy.

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
AYEN
Getting noticed

It works when I put the public IP in the remote IPs to access SSH on the Aruba. I want to know if it is best practice and secure to do. But so far, it works for me.

AidanKamp
Meraki Employee

If using port forwarding, yes - I would ensure you restrict the 'Allowed remote IPs' to the IP addresses of you and your team that will be accessing it. This limits the ability of malicious actors to brute force the SSH login of your devices from anywhere in the world.

Whilst I am a Meraki employee, some of what I post may be opinion (especially architecture!). Others may have better or more efficient ways of doing things, so please learn from everyone!
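As an added illustration of the advice above (not code from the thread or from Meraki), the following audit flags MX port forwarding rules that reach TCP 22 from "any" or from a wide prefix, and shows the same rule re-written with the admin hosts' addresses. It assumes the rule dicts use the field names of the Meraki Dashboard API port forwarding rules (name, lanIp, publicPort, localPort, protocol, allowedIps) and uses constructed sample rules with documentation addresses.

```python
# Constructed example (not from the thread). Rule field names follow the Meraki
# Dashboard API port forwarding rules as I understand them (name, lanIp,
# publicPort, localPort, protocol, allowedIps): treat them as an assumption.
import ipaddress

MAX_PREFIX_WIDTH = 24  # constructed threshold: wider than /24 counts as broad

def port_matches(spec: str, port: int) -> bool:
    """Meraki ports are strings, either "22" or a range like "22-22"."""
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_broad(entry: str) -> bool:
    """'any', an unparsable entry, or an IPv4 prefix wider than /24 is broad."""
    if entry.strip().lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return True  # fail closed: flag what we cannot parse
    return net.version == 4 and net.prefixlen < MAX_PREFIX_WIDTH

def audit_ssh_rules(rules: list) -> list:
    """One finding per TCP rule that reaches local port 22 from a broad source."""
    findings = []
    for rule in rules:
        if rule.get("protocol", "tcp").lower() != "tcp":
            continue
        if not port_matches(rule.get("localPort", "0"), 22):
            continue
        broad = [ip for ip in rule.get("allowedIps", ["any"]) if is_broad(ip)]
        if broad:
            findings.append({"name": rule.get("name"), "lanIp": rule.get("lanIp"),
                             "publicPort": rule.get("publicPort"), "broad": broad})
    return findings

def restrict_rule(rule: dict, admin_ips: list) -> dict:
    """Copy of the rule with allowedIps replaced by the admin hosts (as prefixes)."""
    fixed = dict(rule)
    fixed["allowedIps"] = [str(ipaddress.ip_network(ip, strict=False)) for ip in admin_ips]
    return fixed

# Constructed sample rules: one open to the world, one already restricted.
SAMPLE_RULES = [
    {"name": "aruba-ssh", "lanIp": "192.0.2.10", "publicPort": "2222",
     "localPort": "22", "protocol": "tcp", "allowedIps": ["any"]},
    {"name": "aruba-ssh-admin", "lanIp": "192.0.2.10", "publicPort": "2223",
     "localPort": "22", "protocol": "tcp", "allowedIps": ["198.51.100.7/32"]},
]
```

Run `audit_ssh_rules` over the rules you pull from the Dashboard; a non-empty result is a rule to tighten with `restrict_rule` before pushing it back.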
AYEN
Getting noticed

I'll try it and check the port forwarding, but for now thank you for your advice. Cheers!!!

 
