Cisco ASA SSH Over IPSec VPN Tunnel

Neji Jihed
Level 1

Hello,

We have a Cisco ASA 5510 firewall running the latest version, 9.1(7)23, connected to our office through an IPsec VPN tunnel, and we are trying to configure a new management machine to connect remotely to the management IP address of the firewall. The traffic is reaching the management IP, so the encryption domain is working fine and traffic is being tunnelled through IPsec, but when the SSH traffic hits the firewall it is being dropped and we see the logs below:

fw01# show logging | include 10.49.3
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:42: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
fw01#


IP address of the remote management machine: 10.49.3.27

Management IP address of the firewall: 10.215.80.62

We have already tried to remove and reconfigure

management-access inside

But SSH is still failing.
Thank you




10 Replies

M Mohammed
Level 1

Hi @Neji Jihed


Try adding

ssh 10.49.3.0 255.255.255.0 inside


Please mark it as answered if your query is resolved. Appreciate your time!

Already did, but SSH is still failing; I forgot to mention that in the topic.

Thank you

You need to have a NAT policy with route-lookup option in place.

Identity NAT example:

nat (INSIDE,OUTSIDE) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp route-lookup


HTH

Bogdan

Already there as well.

That is weird; the logs you posted indicate that the packets are not being sent to the correct interface.

Are you sure the IPs specified in the NAT rule include 10.49.3.27 and 10.215.80.62?

Are there other NAT rules above that could disturb the route-lookup rule? If so, you can move the route-lookup NAT rule to the first position.

Are you able to ping? You may need to inspect ICMP and allow ICMP to the management interface.
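The symptom in the log output earlier in the thread has a recognisable shape: a 302013 build of an inbound flow to the identity interface on port 22, a 302014 teardown of the same connection ID with 0 bytes and "Flow terminated by TCP Intercept", and then a 106015 "no connection" deny of the firewall's own SYN ACK on the outside interface, which is the "wrong interface" observation above. The script below is an added example written for this page, not a Cisco tool or anything posted in the thread; it pairs build and teardown messages by connection ID and flags exactly those two signatures. It assumes the 302013/302014/106015 message layouts as they appear in the original post and uses those nine log lines as its sample input; the management port list is an assumption of the example.

```python
import re

# Sample input: the "show logging | include 10.49.3" lines from the original post.
SAMPLE_LOG = """\
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:42: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
"""

# Message layouts as they appear in the thread (assumed stable for this example).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .*? "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)


def parse_events(log_text):
    """Index 302013/302014 messages by connection ID and collect 106015 denies."""
    built, torn, denied = {}, {}, []
    for line in log_text.splitlines():
        if m := BUILT_RE.search(line):
            built[m["id"]] = m.groupdict()
        elif m := TEARDOWN_RE.search(line):
            torn[m["id"]] = m.groupdict()
        elif m := DENY_RE.search(line):
            denied.append(m.groupdict())
    return built, torn, denied


def find_failed_mgmt_flows(log_text, mgmt_ports=(22, 443)):
    """Flag management-plane flows to the identity interface that never carried data.

    Two signatures are reported:
      * a build to the identity interface on a management port whose teardown
        reports 0 bytes (the box accepted the SYN and then dropped the flow);
      * a 'no connection' deny of a SYN ACK sourced from a management port,
        i.e. the firewall's own reply left on an interface where no flow matched it.
    """
    built, torn, denied = parse_events(log_text)
    findings = []
    for cid, b in built.items():
        if b["dst_if"] != "identity" or int(b["dport"]) not in mgmt_ports:
            continue
        t = torn.get(cid)
        if t is not None and int(t["bytes"]) == 0:
            findings.append({
                "kind": "zero_byte_mgmt_flow",
                "conn_id": cid,
                "peer": b["src"],
                "ingress_if": b["src_if"],
                "port": int(b["dport"]),
                "reason": t["reason"] or "",
            })
    for d in denied:
        flags = set(d["flags"].split())
        if int(d["sport"]) in mgmt_ports and {"SYN", "ACK"} <= flags:
            findings.append({
                "kind": "reply_denied_no_connection",
                "peer": d["dst"],
                "iface": d["iface"],
                "port": int(d["sport"]),
            })
    return findings


def affected_peers(findings):
    """Count flagged events per remote management host."""
    counts = {}
    for f in findings:
        counts[f["peer"]] = counts.get(f["peer"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_failed_mgmt_flows(SAMPLE_LOG)
    for f in results:
        print(f)
    print(affected_peers(results))
```

Run against the thread's lines it reports both zero-byte SSH flows from 10.49.3.27 and the denied SYN ACK on outside; a working management-access setup over the tunnel would instead show the 302014 teardown with a non-zero byte count and no 106015 line for the reply. Feeding it a longer `show logging` capture is a quick way to confirm whether a change such as re-applying management-access or moving the route-lookup NAT rule actually altered the flow's fate rather than just the client's error message.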

Here is the NAT rule:

nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp route-lookup
object network obj-10.215.80.0
 subnet 10.215.80.0 255.255.255.192
object network obj-10.49.3.0
 subnet 10.49.3.0 255.255.255.0

There are two NAT rules before this one which do the same thing (management with route-lookup in place) and they are working fine.

NAT seems ok.

I had a better look at the logs and it seems that the SSH session is blocked, but the ssh command should allow access.

There is a bug that you may be hitting: CSCta05045

Can you try:

no management-access inside
management-access inside

I am aware of the bug; I have also tried the management-console trick but it did not work.

I even updated the firewall to the latest version.

I am out of thoughts.

Thank you.

I've run into this same issue and tried what the prior user is attempting, and can't get SSH access to the inside interface over the VPN. Any updates on this?

This one resolved my issue today. I'm on version ASA 9.12(4)62.
