topic Re: where is my mask mismatch? in Network Security

cannot ssh despite of having management access and nat configured

sawasa — Thu, 28 Jan 2021 11:31:24 GMT

Hello there,

I got an ASA 5508 which I recently configured to connect to AWS cloud via BGP (through the AWS direct connect).
Now I simply need to ssh my inside interface from an IP in cloud but in the ASA I can see the message:

Failed to locate egress interface for TCP from directConnect:10.15.1.1/34514 to 10.50.1.1/22

I double checked that my NAT configuration is in place, and that I got management-access configured for my if-inside.
Also there is a rule to permit ssh from the given IP 10.15.1.1
It happens that my Radius server is in that very same IP but I don't think I got auth problems given the message above.

!
interface GigabitEthernet1/3.2
description "direct connect to AWS"
vlan 2
nameif directConnect
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/5
nameif if-inside
security-level 100
ip address 10.50.1.1 255.255.255.0
!
nat (any,any) source static inside-net inside-net destination static AWS15 AWS15
!

aaa-server RA-Server protocol radius
aaa-server RA-Server (if-inside) host 10.15.1.1
key *****
authentication-port 1812
aaa authentication ssh console RA-Server LOCAL
!
ssh 10.15.1.1 255.255.255.255 if-inside
ssh timeout 10
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access if-inside

If someone can give me a hand with this, I would be very grateful! thanks!!

Re: where is my mask mismatch?

Heino Human — Thu, 28 Jan 2021 03:21:05 GMT

That is not a subnet, its a port number, in your case SSH

Re: where is my mask mismatch?

Rob Ingram — Thu, 28 Jan 2021 08:15:24 GMT

@sawasa

Add "route-lookup" to the end of your NAT rule.

Also try to use the specific interface names instead of "any" in the NAT rules.

Re: where is my mask mismatch?

sawasa — Thu, 28 Jan 2021 10:03:42 GMT

thanks you are totally right

Re: where is my mask mismatch?

sawasa — Thu, 28 Jan 2021 11:23:04 GMT

Hi Rob,

Thanks, I have added route-lookup and change the any for my interface names.
Still no luck and I keep having the same error message.
This is how my nat looks now:

nat (if-inside,directConnect) source static inside-net inside-net destination static AWS15 AWS15 route-lookup
nat (directConnect,if-inside) source static AWS15 AWS15 destination static inside-net inside-net route-lookup

Re: cannot ssh despite of having management access and nat configured

Rob Ingram — Thu, 28 Jan 2021 13:22:59 GMT

You don't need 2 NAT rules, the rules are bi-directional. You can remove the 2nd rule

Run packet-tracer from the CLI to simulate traffic and provide the output for review.

Can you provide your routing configuration please

Re: cannot ssh despite of having management access and nat configured

Marius Gunnerud — Thu, 28 Jan 2021 14:50:48 GMT

Is the VPN setup as split-tunnel? if so is the subnet that the if-inside interface is configured with included as interesting traffic?

If you are used vpn-filter, make sure that the ASA IPs are also allowed there.

Re: cannot ssh despite of having management access and nat configured

Panos Bouras — Thu, 28 Jan 2021 17:53:35 GMT

Hi @sawasa

Can you try to add the following

ssh 10.15.1.1 255.255.255.255 directConnect

Also change your NAT to

nat (if-inside,directConnect) source static inside-net inside-net destination static AWS15 AWS15

Re: cannot ssh despite of having management access and nat configured

sawasa — Thu, 28 Jan 2021 20:13:56 GMT

Thanks again Rob.
When I modified the NAT I left is as only one rule I got the same result, and I keep reading in other posts about "double NAT rule" so I added it just in case. I will remove it again.

Running the packet tracert results on:
"no route to host"
this is confusing since the 10.50.1.1 is my if-inside.

Do you think it might be because the directConnect is on VLAN 2? it is a virtual interface created for the AWS direct connect.

interface GigabitEthernet1/3.2
description "direct connect to AWS"
vlan 2
nameif directConnect

About the routing configuration, I actually only have BGP here configured for AWS and that is. The traffic from the 10.15.1.0/22 to the 10.50.1.0/24 works with no problem.

Re: cannot ssh despite of having management access and nat configured

sawasa — Thu, 28 Jan 2021 20:08:22 GMT

Hi Marius, thanks for your reply.
There is no VPN actually, it is a direct connection through a cross connect in the datacenter and AWS.

Re: cannot ssh despite of having management access and nat configured

sawasa — Thu, 28 Jan 2021 21:40:39 GMT

Hi Panos,
I mis read you before, will try the ssh statement

Re: cannot ssh despite of having management access and nat configured

Marius Gunnerud — Thu, 28 Jan 2021 20:55:23 GMT

If this is not a VPN then you are going about connecting to the ASA wrong. the management-access <interface> command is only for admin connection to the ASA over a VPN. So this will have no effect in your setup. You will need to access the ASA through the directConnect interface meaning you will need to change or add an ssh statement for the directConnect interface, or setup an AnyConnect VPN or site2site VPN and access the ASA through the if-inside interface.

Re: cannot ssh despite of having management access and nat configured

sawasa — Thu, 28 Jan 2021 22:18:29 GMT

thanks, I needed this explanation, I used to have VPN and I didn't realized about this when I changed to a direct connection

adding the ssh statement to the directConnect interface did the trick as you and Panos suggested.

I'm super glad to have this working!!
Thanks a lot!