1224 Views, 0 Helpful, 8 Replies
Beginner

Cisco ASA SSH Over IPSec VPN Tunnel

Hello,

We have a Cisco ASA 5510 firewall running the latest version, 9.1(7)23, connected to our office through an IPsec VPN tunnel, and we are trying to configure a new management machine to connect remotely to the management IP address of the firewall. The traffic is reaching the management IP, so the encryption domain is working fine and the traffic is being tunnelled through IPsec, but when SSH traffic hits the firewall it is being dropped, and we have the logs below:

fw01# show logging | include 10.49.3
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:42: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
fw01#

IP address of the remote management machine: 10.49.3.27

Management IP address of the firewall: 10.215.80.62

We have already tried to remove and reconfigure

management-access inside

but SSH is still failing.

Thank you
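One way to read the log excerpt above programmatically, as an added example that is not part of the original post: it correlates the 302013 build and 302014 teardown lines for to-the-box connections on the SSH port, separates flows that died at 0 bytes under TCP Intercept from flows that actually carried data, and picks out the 106015 line in which the firewall's own SYN/ACK was evaluated as a new packet with no matching connection. The sample log is constructed from the lines quoted above plus one successful session added for contrast; the function names and result layout are this example's own.

```python
import re

# Constructed sample modelled on the log lines quoted in the post above, plus a
# successful session (connection 929720) added for contrast; not real device output.
SAMPLE_LOG = """\
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
Feb 08 2018 19:35:10: %ASA-6-302013: Built inbound TCP connection 929720 for outside:10.49.3.27/41470 (10.49.3.27/41470) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:35:40: %ASA-6-302014: Teardown TCP connection 929720 for outside:10.49.3.27/41470 to identity:10.215.80.62/22 duration 0:00:30 bytes 4120 TCP FINs
"""

# ASA syslog IDs: 302013 = TCP connection built, 302014 = torn down,
# 106015 = packet denied because no connection exists for it.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>[\w-]+)"
)


def analyze(log_text, mgmt_port=22):
    """Correlate build/teardown pairs for TCP flows to mgmt_port and classify them."""
    conns = {}     # connection id -> details, in order of appearance
    synacks = []   # firewall replies (sport == mgmt_port) dropped as 'no connection'
    for line in log_text.splitlines():
        if m := BUILT_RE.search(line):
            if int(m["dport"]) == mgmt_port:
                conns[m["conn"]] = {
                    "conn": m["conn"], "src_if": m["src_if"], "src": m["src"],
                    "dst_if": m["dst_if"], "dst": m["dst"],
                    "bytes": None, "duration": None, "reason": None,
                }
        elif m := TEARDOWN_RE.search(line):
            if (c := conns.get(m["conn"])) is not None:
                c.update(bytes=int(m["bytes"]), duration=m["duration"], reason=m["reason"])
        elif m := DENY_RE.search(line):
            if int(m["sport"]) == mgmt_port and "SYN" in m["flags"] and "ACK" in m["flags"]:
                synacks.append({"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                                "dport": int(m["dport"]), "iface": m["iface"]})
    # A flow torn down after 0 bytes by TCP Intercept never completed the handshake.
    intercepted = [c for c in conns.values()
                   if c["bytes"] == 0 and c["reason"] and "TCP Intercept" in c["reason"]]
    healthy = [c for c in conns.values() if c["bytes"]]
    return {"connections": list(conns.values()), "intercepted": intercepted,
            "healthy": healthy, "orphan_synacks": synacks}


def verdict(result):
    """One-line reading of what the classified flows show."""
    if result["intercepted"] and result["orphan_synacks"]:
        d = result["orphan_synacks"][0]
        return (f"{len(result['intercepted'])} SSH flow(s) to the box torn down at 0 bytes; "
                f"the firewall's own SYN/ACK from {d['src']}/{d['sport']} was logged on "
                f"interface {d['iface']} with no matching connection")
    if result["intercepted"]:
        return "SSH flows to the box torn down at 0 bytes by TCP Intercept; no orphan SYN/ACK logged"
    return "no zero-byte SSH teardowns found"


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for c in r["connections"]:
        print(c["conn"], c["src"], "->", f"{c['dst_if']}:{c['dst']}", c["bytes"], c["reason"])
    print(verdict(r))
```

The two facts worth pulling out of a capture like this are the zero-byte, zero-duration teardown on a to-the-box (identity) flow, and the firewall's reply SYN/ACK being evaluated as a through-the-box packet with no state. The contrast session shows what a completed handshake looks like in the same log format.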




8 Replies
Beginner

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Hi @Neji Jihed,

Try adding

ssh 10.49.3.0 255.255.255.0 inside

Please mark it as answered if your query is resolved. Appreciate your time!

Beginner

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Already did, but SSH is still failing; I forgot to mention that in the topic.

Thank you

VIP Rising star

Re: Cisco ASA SSH Over IPSec VPN Tunnel

You need to have a NAT policy with route-lookup option in place.

Identity NAT example:

nat (INSIDE,OUTSIDE) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp route-lookup

HTH

Bogdan

Beginner

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Already there as well.

VIP Rising star

Re: Cisco ASA SSH Over IPSec VPN Tunnel

That is weird; the logs you posted indicate that the packets are not being sent to the correct interface.

Are you sure the IPs specified in the NAT rule include 10.49.3.27 and 10.215.80.62?

Are there other NAT rules above that could disturb the route-lookup rule? If so, you can move the route-lookup NAT rule to the first position.

Are you able to ping? You may need to inspect ICMP and allow ICMP to the management interface.

Beginner

Re: Cisco ASA SSH Over IPSec VPN Tunnel

Here is the NAT rule:

nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp route-lookup
object network obj-10.215.80.0
 subnet 10.215.80.0 255.255.255.192
object network obj-10.49.3.0
 subnet 10.49.3.0 255.255.255.0

There are two NAT rules before this one which are doing the same thing (management with route-lookup in place), and they are working fine.
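An added example, not from the thread or from Cisco, that checks the three prerequisites discussed in the replies against a configuration excerpt: an ssh line on the management interface that admits the admin host, management-access on that interface, and a twice-NAT identity rule with route-lookup whose real objects contain both the firewall's management address and the admin host. NAT rules are evaluated top-down, so the checker reports on the first rule that matches the pair, which makes a shadowing rule above it visible. The config text is assembled from the lines quoted in this thread; the object parser, function names and finding strings are the example's own.

```python
import ipaddress
import re

# Constructed ASA config excerpt assembled from the ssh, management-access and NAT
# lines quoted in this thread; not a dump of the poster's firewall.
SAMPLE_CONFIG = """\
object network obj-10.215.80.0
 subnet 10.215.80.0 255.255.255.192
object network obj-10.49.3.0
 subnet 10.49.3.0 255.255.255.0
nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp route-lookup
management-access inside
ssh 10.49.3.0 255.255.255.0 inside
"""

# Same config with a constructed identity rule lacking route-lookup placed above the good one.
SHADOWED_CONFIG = SAMPLE_CONFIG.replace(
    "nat (inside,any)",
    "nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 "
    "destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp\nnat (inside,any)",
    1,
)

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(
    r"^nat \((?P<in>[\w-]+),(?P<out>[\w-]+)\) source static (?P<src_real>\S+) (?P<src_map>\S+)"
    r" destination static (?P<dst_real>\S+) (?P<dst_map>\S+)(?P<opts>.*)$"
)
SSH_RE = re.compile(r"^ssh (?P<addr>[\d.]+) (?P<mask>[\d.]+) (?P<iface>[\w-]+)$")
MGMT_RE = re.compile(r"^management-access (?P<iface>[\w-]+)$")


def parse_objects(cfg):
    """Map 'object network' names to the subnet or host they define."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif current and (m := SUBNET_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current and (m := HOST_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif not line.startswith(" "):
            current = None  # left the object block
    return objects


def parse_nat_rules(cfg):
    """Parse twice-NAT 'source static ... destination static ...' rules in config order."""
    rules = []
    for line in cfg.splitlines():
        if m := NAT_RE.match(line):
            opts = m["opts"].split()
            rules.append({
                "in_if": m["in"], "out_if": m["out"],
                "src_real": m["src_real"], "dst_real": m["dst_real"],
                "identity": m["src_real"] == m["src_map"] and m["dst_real"] == m["dst_map"],
                "route_lookup": "route-lookup" in opts,
                "no_proxy_arp": "no-proxy-arp" in opts,
                "line": line,
            })
    return rules


def check_mgmt_over_vpn(cfg, mgmt_ip, admin_ip, mgmt_iface):
    """Return a list of findings; an empty list means every prerequisite is present."""
    mgmt, admin = ipaddress.ip_address(mgmt_ip), ipaddress.ip_address(admin_ip)
    objects = parse_objects(cfg)
    lines = cfg.splitlines()
    findings = []

    # 1. an 'ssh <net> <mask> <iface>' line must admit the admin host on the management interface
    if not any(m["iface"] == mgmt_iface
               and admin in ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
               for m in map(SSH_RE.match, lines) if m):
        findings.append(f"no 'ssh <net> <mask> {mgmt_iface}' line covers {admin_ip}")

    # 2. management-access must name the interface whose address is reached through the tunnel
    if not any(m and m["iface"] == mgmt_iface for m in map(MGMT_RE.match, lines)):
        findings.append(f"'management-access {mgmt_iface}' is missing")

    # 3. the first rule matching this src/dst pair must be an identity rule with route-lookup
    def covers(rule):
        return (mgmt in objects.get(rule["src_real"], ())
                and admin in objects.get(rule["dst_real"], ()))

    matching = [r for r in parse_nat_rules(cfg) if r["in_if"] == mgmt_iface and covers(r)]
    if not matching:
        findings.append(f"no NAT rule on ({mgmt_iface},...) covers {mgmt_ip} -> {admin_ip}")
    else:
        first = matching[0]  # manual NAT is evaluated top-down; the first match wins
        if not first["identity"]:
            findings.append(f"first matching NAT rule translates instead of identity: {first['line']}")
        if not first["route_lookup"]:
            findings.append(f"first matching NAT rule lacks route-lookup: {first['line']}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(name, check_mgmt_over_vpn(cfg, "10.215.80.62", "10.49.3.27", "inside") or "OK")
```

Run against the rule and objects quoted above, the checker confirms that 10.215.80.62 falls inside 10.215.80.0/26 and 10.49.3.27 inside 10.49.3.0/24, which answers the question asked earlier about whether the objects actually contain both hosts. The shadowed variant shows why rule order matters: an earlier identity rule without route-lookup wins the lookup and the correct rule underneath it is never consulted.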

VIP Rising star

Re: Cisco ASA SSH Over IPSec VPN Tunnel

NAT seems ok.

I had a better look at the logs, and it seems that the SSH session is blocked, but the ssh command should allow access.

There is a bug that you may be hitting: CSCta05045

Can you try:

no management-access inside
management-access inside

Beginner

Re: Cisco ASA SSH Over IPSec VPN Tunnel

I am aware of the bug; I have also tried the management-console trick, but it did not work.

I even updated the firewall to the latest version.

I am out of ideas.

Thank you.