topic Re: unable to ssh or ASDM from inside subnet to FW management IP in Network Security

unable to ssh or ASDM from inside subnet to FW management IP

network1215 — Sat, 07 Mar 2020 19:13:49 GMT

Hi All,

I am trying to ssh and launch ASDM for management IP of ASA.

I have ASA with SFR Module. (SFR Module is using mgmt0/0 port for communication, no ip assigned physically on interface and port is connected to management vlan as access , works fine)

interface Port-channel1.999
description MGMT_NW
vlan 999
nameif MGMT_NW_NW
security-level 100
ip address 10.10.10.1 255.255.255.128

interface Port-channel1.15
description USER
vlan 15
nameif USER
security-level 100
ip address 10.10.15.1 255.255.255.0

So when I try to ping or ssh or ASDM or HTTPS to ASA IP 10.10.10.1, it doesn't work (connection fails). From user VLAN 10.10.15.12 (on my laptop)

I don't see arp entry for 10.10.10.1 in arp table of ASA. However I do see entries for 10.10.10.8 which is switch management IP and I am able to access it.

can someone help how do I resolve it

Re: unable to ssh or ASDM from inside subnet to FW management IP

Sheraz.Salim — Sat, 07 Mar 2020 19:44:03 GMT

make sure interface Port-channel1.999 connected to switch port-channel is configured as trunk.

username admin password cisco123 privilege 15

crypto key generate rsa modulus 2048

aaa authentication ssh console LOCAL

ssh x.x.x.x 255.255.255.0 MGMT_NW_NW

ssh xx.xx.xx.xx 255.255.255.0 USER

ssh timeout 60
ssh version 1 2
ssh key-exchange group dh-group1-sha1

http server enable

https x.xx.x.x 255.255.255.0 MGMT_NW_NW

https xx.xx.xx.xx 255.255.255.0 USER

same-security-traffic permit inter-interface

share the ouput of show arp | i 10.10.15.12 and why you except to see arp 10.10.10.1 it as firewall interface ip address.

test and confirm what you see the output.

Re: unable to ssh or ASDM from inside subnet to FW management IP

network1215 — Sat, 07 Mar 2020 19:27:47 GMT

I didn't get this part.

ssh 192.168.100.0 255.255.255.0 INSDIE/MANGMET

what should i replace it with from my config ? and I have some similar routes configured

Re: unable to ssh or ASDM from inside subnet to FW management IP

network1215 — Sat, 07 Mar 2020 19:32:49 GMT

make sure interface Port-channel1.999 connected to switch port-channel is configured as trunk.

yes it is trunk. and all vlans allowed

I already have following ssh commands configured but still didn't work.

ssh 10.10.10.0 255.255.255.128 MGMT_NW (works)
ssh 10.10.15.0 255.255.255.0 USER (doesn't work)

Re: unable to ssh or ASDM from inside subnet to FW management IP

Sheraz.Salim — Sat, 07 Mar 2020 20:30:02 GMT

can you ping from ASA USER ip address 10.10.15.1 to switch svi or at your laptop if its connected to in subnet 10.10.15.0 ?

Re: unable to ssh or ASDM from inside subnet to FW management IP

network1215 — Sat, 07 Mar 2020 20:36:57 GMT

yes I can ping it. no problem.

Re: unable to ssh or ASDM from inside subnet to FW management IP

Sheraz.Salim — Sat, 07 Mar 2020 21:15:54 GMT

your laptop address 10.10.15.12 and you trying to do ssh on 10.10.10.1 and ASDM 10.10.10.1 is this correct. if so this is not going to work due to No route to host. in order for you to reach SSH/ASDM if your laptop in subnet 10.10.10.x than you have to ssh/asdm to 10.10.10.1.