09-03-2008 02:27 PM - edited 03-11-2019 06:39 AM
I have an ASA 5510 running ver 7.0.7. I have an L2L tunnel connecting to it. I am trying to manage the ASA via ssh or telnet to the inside interface from the L2L remote end and not able to.
I have the command management-access inside configured as well as allowing telnet and ssh to the inside from any where:
telnet 0 0 inside
ssh 0 0 inside
I am still not able to get to it via ssh or telnet. Http and icmp work fine.
When looking at the encrypts and decrypts for the ipsec sa:
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64
indicating my telnet or ssh packets are decrypted but not encrypted. The show asp table vpn-context details shows corresponding data:
CBS-ASA-5510# sh asp table vpn-context d
VPN Ctx = 0067441000 [0x04051168]
Peer IP = 2.0.2.105
State = UP
Flags = DECR+ESP
SA = 0x15855031
SPI = 0x875427A6
Group = 0
Pkts = 64
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 1
Rekey Call = 1
VPN Ctx = 0064172784 [0x03D332F0]
Peer IP = 2.0.2.105
State = UP
Flags = ENCR+ESP
SA = 0x1586F4A9
SPI = 0x7989DFA2
Group = 0
Pkts = 26
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 1
Rekey Call = 1
However in the asp crypto classifier, I do not see my packets:
out id=0x34f4f80, priority=70, domain=encrypt, deny=false
hits=26, user_data=0x3d332f0, cs_id=0x38a1908, reverse, flags=0x0, protocol=0
src ip=192.168.77.0, mask=255.255.255.0, port=0
dst ip=2.0.2.105, mask=255.255.255.255, port=0
in id=0x3d36ac0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=26, user_data=0x4051168, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=2.0.2.105, mask=255.255.255.255, port=0
dst ip=192.168.77.0, mask=255.255.255.0, port=0
Is this an existing bug or am I missing something?
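Added example (not from this thread or from Cisco): a small Python helper that parses the two counter sets quoted above, the `#pkts encaps/decaps` lines and the ENCR/DECR vpn-context entries, checks that they agree, and flags the one-sided pattern described in the post, where packets from the peer are decrypted but the replies are never encrypted back into the tunnel. The sample output is constructed from the values in the post, not captured from a live device.

```python
import re
# Constructed sample output modelled on the counters quoted in the post, not a live capture.
SAMPLE_IPSEC_SA = """\
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
    #pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64
"""
SAMPLE_VPN_CTX = """\
VPN Ctx = 0067441000 [0x04051168]
Flags = DECR+ESP
Pkts = 64
Bad Pkts = 0
VPN Ctx = 0064172784 [0x03D332F0]
Flags = ENCR+ESP
Pkts = 26
Bad Pkts = 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
# Match a context's ENCR/DECR flag and its own "Pkts =" line (not the "Bad Pkts =" line).
VPN_CTX_RE = re.compile(r"Flags\s*=\s*(ENCR|DECR)\+ESP.*?^\s*Pkts\s*=\s*(\d+)", re.S | re.M)

def parse_ipsec_counters(text):
    """Return {counter: value} from 'show crypto ipsec sa' output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}

def parse_vpn_context(text):
    """Return {'ENCR': pkts, 'DECR': pkts} from 'show asp table vpn-context detail' output."""
    return {flag: int(pkts) for flag, pkts in VPN_CTX_RE.findall(text)}

def classify_direction(counters, ratio=2.0):
    """Describe which direction of the SA carries traffic: decaps counts packets
    decrypted from the peer, encaps counts replies classified into the tunnel;
    a decaps count that climbs while encaps lags is the symptom in the post."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == dec == 0:
        return "no traffic on this SA"
    if enc == 0:
        return "inbound only: nothing is being encrypted back to the peer"
    if dec == 0:
        return "outbound only: nothing is being decrypted from the peer"
    if dec / enc >= ratio:
        return "asymmetric: decaps much higher than encaps"
    return "roughly symmetric"

def counters_match_contexts(counters, contexts):
    """True when the per-SA counters agree with the ASP ENCR/DECR context packet counts."""
    return (counters.get("encaps") == contexts.get("ENCR")
            and counters.get("decaps") == contexts.get("DECR"))
```

Feed it the real `show crypto ipsec sa` and `show asp table vpn-context detail` output for one peer; a match between the two views plus an asymmetric verdict points at classification of the return traffic rather than at the crypto itself.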
09-03-2008 04:02 PM
Make sure you have this statement in the fw:
management-access
i.e. for interface name inside:
fw(config)#management-access inside
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1578189
Rgds
Jorge
09-03-2008 05:06 PM
it is there:
management-access inside
https access to the inside interface works.
09-03-2008 06:01 PM
Sorry, I read your post too fast. I have to say it could be a bug described here: even though you can ping fine, telnet and ssh are affected by this bug, which is an open caveat in 7.0.7.
bug details CSCej04099
open in 7.0.7
http://www.cisco.com/en/US/customer/docs/security/asa/asa70/release/notes/rn707.html#wp339364
09-03-2008 06:38 PM
Thank you for the response. I was looking into the bug and I am not sure if it applies, as there is no static that includes the inside interface address and it is included in the nat 0. Upon further searching into the bug kit, I actually found the bug that must be a match:
CSCsj53102
SSH/Telnet access through VPN tunnel to management interface not working
Thank you very much for the input.