We have a cisco asa 5510 Firewall running the latest version 9.1(7)23 connected to our Office through an IPSec VPN Tunnel, and we are trying to configure a new management machine to connect remotly to the management ip address of the firewall, the traffic is reaching the management ip and so en domain encryption is working fine, and traffic is being tunnelled through IPSec, but when SSH traffic is hitting the firewall is being dropped and we have below logs :
fw01# show logging | include 10.49.3
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:42: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
Ip address of the remote management machine 10.49.3.27
Management ip address of the firewall 10.215.80.62
We have alrady tried to remove and reconfigure
But SSH is still failling.
hi @Neji Jihed
ssh 10.49.3.0 255.255.255.0 inside
Please mark it as answered, if your querry is resolved. Appreciate your time!
You need to have a NAT policy with route-lookup option in place.
Identity NAT example:
nat (INSIDE,OUTSIDE) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp route-lookup
That is weird, the logs you posted are indicating that the packets are not being sent to the correct interface.
Are you sure the ips specified in the nat rule include 10.49.3.27 and 10.215.80.62 ?
Are there other nat rules above that could disturb the route lookup rule? If so you can move the route lookup nat rule to the first position.
Are you able to ping ? You may need to inspect icmp and allow icmp to the management interface.
Here is the NAT rule :
nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp route-lookup
object network obj-10.215.80.0
subnet 10.215.80.0 255.255.255.192
object network obj-10.49.3.0
subnet 10.49.3.0 255.255.255.0
There two NAT rules before this one which are doing same thing (management with route-lookup in plac
) and they are working fine.
NAT seems ok.
I had a better look at the logs and it seems that ssh session is blocked, but the ssh command should allow access.
There is a bug that you may be hitting: CSCta05045
Can you try:
no management-access inside
I am aware about the Bug, i have also tried the management-console trick but it did not work.
I even updated the firewall to the latest version,
i am out of thoughts.