topic Re: Cisco ASA SSH Over IPSec VPN Tunnel in Network Security

Cisco ASA SSH Over IPSec VPN Tunnel

Neji Jihed — Fri, 21 Feb 2020 15:28:37 GMT

Hello,

We have a cisco asa 5510 Firewall running the latest version 9.1(7)23 connected to our Office through an IPSec VPN Tunnel, and we are trying to configure a new management machine to connect remotly to the management ip address of the firewall, the traffic is reaching the management ip and so en domain encryption is working fine, and traffic is being tunnelled through IPSec, but when SSH traffic is hitting the firewall is being dropped and we have below logs :

fw01# show logging | include 10.49.3
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:42: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
fw01#

Ip address of the remote management machine 10.49.3.27

Management ip address of the firewall 10.215.80.62
We have alrady tried to remove and reconfigure

management-access inside

But SSH is still failling. Thank you

Re: Cisco ASA SSH Over IPSec VPN Tunnel

M Mohammed — Tue, 06 Mar 2018 10:40:14 GMT

hi @Neji Jihed

try adding

ssh 10.49.3.0 255.255.255.0 inside

Please mark it as answered, if your querry is resolved. Appreciate your time!

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Neji Jihed — Tue, 06 Mar 2018 12:26:11 GMT

Did already but SSH is still failing, forgot to mention that in the topic,

Thank you

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Bogdan Nita — Tue, 06 Mar 2018 14:03:42 GMT

You need to have a NAT policy with route-lookup option in place.

Identity NAT example:

nat (INSIDE,OUTSIDE) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp route-lookup

HTH

Bogdan

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Neji Jihed — Tue, 06 Mar 2018 14:06:52 GMT

Already there as well.

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Bogdan Nita — Tue, 06 Mar 2018 14:18:33 GMT

That is weird, the logs you posted are indicating that the packets are not being sent to the correct interface.

Are you sure the ips specified in the nat rule include 10.49.3.27 and 10.215.80.62 ?

Are there other nat rules above that could disturb the route lookup rule? If so you can move the route lookup nat rule to the first position.

Are you able to ping ? You may need to inspect icmp and allow icmp to the management interface.

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Neji Jihed — Tue, 06 Mar 2018 14:52:12 GMT

Here is the NAT rule :

nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp route-lookup

object network obj-10.215.80.0
 subnet 10.215.80.0 255.255.255.192

object network obj-10.49.3.0
 subnet 10.49.3.0 255.255.255.0

There two NAT rules before this one which are doing same thing (management with route-lookup in plac) and they are working fine.

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Bogdan Nita — Tue, 06 Mar 2018 15:27:06 GMT

NAT seems ok.

I had a better look at the logs and it seems that ssh session is blocked, but the ssh command should allow access.

There is a bug that you may be hitting: CSCta05045

Can you try:

no management-access inside
management-access inside

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Neji Jihed — Tue, 06 Mar 2018 15:32:00 GMT

I am aware about the Bug, i have also tried the management-console trick but it did not work.

I even updated the firewall to the latest version,

i am out of thoughts.

Thank you;

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Jesse Shumaker — Thu, 09 Jan 2020 05:37:12 GMT

I've run into this same issue and tried what the prior user is attempting and can't get ssh access to the inside interface over the vpn. any updates on this?

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Reynaldo.Lopez.A — Mon, 15 Apr 2024 21:23:16 GMT

This one resolved my issue today. I'm on version ASA 9.12(4)62.