topic from my remote PIX I see in in Network Security

SSH management not working

Jon Moots — Tue, 12 Mar 2019 05:36:53 GMT

I have a question on an old 8.0(3) ASA. I inherited these from a previous developer and am having trouble getting into them through SSH from a remote location.

Here is a rough setup for them:

- I am in a remote office with 10.10.10.0 IP Subnet setup.

- I have a VPN tunnel going to a Data Center from the remote office with the IP subnet for the DC as 20.20.0.0

- On the 20.20.0.0. subnet I have an ASA with the inside address of 20.20.0.1/24, and 3 server with the IP address of 20.20.0.2-4/24.

GIVEN: I can remote into the servers via SSH from the office 10.10.0.0.network with no problems.

I can also use SSH from the servers to the ASA and get into the ASA.

Where I have a problem is trying to get to the ASA with SSH from the remote office location. I have SSH turned on for the inside interface for 0.0.0.0 0.0.0.0

I have AAA authentication via LOCAL database, all of that is there, I just cant get to the ASA from the remote site and not sure what to look for with it being an older version of the ASA software.

It does have an access list for no-nat:

access-list nonat extended permit ip 20.20.0.0 255.255.0.0 office 255.255.255.0 ****(Where office is defined as 10.10.0.0.)****

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

Am I looking in the right direction or way off here? Any help would be appreciated.

-Jon

Is the VPN terminating on the

Marius Gunnerud — Mon, 09 Mar 2015 18:13:25 GMT

Is the VPN terminating on the ASA you are trying to manage?

If so do you have the command management-access inside (where inside is the name of the interface) configured?

If adding that command doesn't work, try generating a new RSA key to use for the SSH session

crypto key generate rsa modulus 1024

Please remember to select a correct answer and rate helpful posts

Thank you Marius, The

Jon Moots — Mon, 09 Mar 2015 18:31:39 GMT

Thank you Marius,

The management-access interface command worked. There was nothing in there at all for that. Did not know it needed one.

Thanks again.

One last question for you.

Jon Moots — Mon, 09 Mar 2015 18:39:17 GMT

One last question for you. Once I am in, I am trying to copy via tftp back to the server on the remote office network. The ASA will not connect to it or ping it. Do I have to add something into it to get it to see the office network?

How are you copying and what

Marius Gunnerud — Mon, 09 Mar 2015 20:28:06 GMT

How are you copying and what are you copying to the server?

Since VPN terminates on the ASA, you may need to add the commands:

tftp-sever inside <server IP> disk0:/

replace disk0 with the location where the file you want to copy is.

then issue the command copy disk0: tftp: and fill in the require information.

Please remember to select a correct answer and rate helpful posts

Hi Jon, For your reference

Tushar Bangia — Tue, 10 Mar 2015 03:45:43 GMT

Hi Jon,

For your reference "management-access interface" can be used to source the traffic from the same interface for site to site vpn, incase we don't have access to any internal host machine.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s4.html

Hope the information is helpful!!

Regards,

Tushar Bangia

Note : Please do rate the post if you find it helpful!!

I am trying to do a Copy

Jon Moots — Tue, 10 Mar 2015 12:22:59 GMT

I am trying to do a Copy running-config tftp command to get the running configs backed up to an offsite location.

So the command above, do I replace the disk0:/ with running-config? Disk0: will give me all of the files but nothing for configurations.

-Jon

Thank you Tushar, I will look

Jon Moots — Tue, 10 Mar 2015 12:23:37 GMT

Thank you Tushar, I will look into this as well.

-Jon

disk0 was just an example as

Marius Gunnerud — Tue, 10 Mar 2015 12:36:58 GMT

disk0 was just an example as that is where my config file is located on my ASA.

yes, you would just need to replace disk0 with running-config.

Please remember to select a correct answer and rate helpful posts

OK, I got the command down,

Jon Moots — Tue, 10 Mar 2015 12:46:36 GMT

OK, I got the command down, now I am getting a time-out error when trying to connect. I cannot ping from the ASA interface to the remote office interface or the workstation.

That does not sound right since I can remote from the workstation to the ASA and its fine.

AM I missing something?

You will not be able to ping

Marius Gunnerud — Tue, 10 Mar 2015 12:55:40 GMT

You will not be able to ping from the ASA to the workstation over the VPN, to test connectivity you would need to ping from a workstation on the inside interface. So this is expected behavior.

try changing the command to tftp-server outside and test

Please remember to select a correct answer and rate helpful posts

Still time-out. Could it be

Jon Moots — Tue, 10 Mar 2015 14:51:00 GMT

Still time-out. Could it be something on the remote PIX that is stopping it from coming back in to the tftp workstation?

That would be the next thing

Marius Gunnerud — Tue, 10 Mar 2015 14:52:35 GMT

That would be the next thing to check. It is very likely that there is something stopping it on the PIX.

Please remember to select a correct answer and rate helpful posts

from my remote PIX I see in

Jon Moots — Tue, 10 Mar 2015 17:13:11 GMT

from my remote PIX I see in the logs:

710003: UDP access denied by ACL from 10.10.0.109/xxxx to inside:10.10.0.1/snmp

where xxxx are random numners, 10.10.0.109 is my TFTP server and 10.10.0.1 is my inside interface on the PIX.

I do not see any ACL listed in the PIX that should be blocking anything, I have several of these messages in the logs could this be what is stopping the tftp transfer?

The log you posted is for

Marius Gunnerud — Wed, 11 Mar 2015 08:33:39 GMT

The log you posted is for SNMP, if you filter the logs, do you see one for TFTP? Or if you monitor the logs when trying to copy the config do you see the TFTP being denied?

Please remember to select a correct answer and rate helpful posts