09-22-2011 09:52 PM - edited 03-11-2019 02:29 PM
Hi, I have a 5585 with version 8.4.2
I have issues accessing the asa using ssh or asdm via remote access vpn. The configuration details are the following:
10.8.251.30 -- address assigned from the pool
10.8.251.4 -- inside interface address in the ASA
1. The VPN establishes without problems and I can reach any inside resource, also I can ping the firewall.
group-policy pol1 attributes
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pol1_splitTunnelAcl
ip local pool Temp-pool 10.8.251.16-10.8.251.31 mask 255.255.255.240
access-list pol1_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
2. The configuration of the ssh, http and management features is the following:
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.8.251.16 255.255.255.240 outside
ssh timeout 60
ssh version 2
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.8.251.16 255.255.255.240 outside
management-access inside
This configuration works with another device that has the 8.2.3 version.
I can ping the interface address but telnet, ssh and asdm do not work. The following is the output of the logs.
!!! PING OK!!!
%ASA-6-302020: Built inbound ICMP connection for faddr 10.8.251.30/62218(LOCAL\xxxx) gaddr 10.8.251.4/0 laddr 10.8.251.4/0 (xxxx)
%ASA-6-302021: Teardown ICMP connection for faddr 10.8.251.30/62218(LOCAL\xxxx) gaddr 10.8.251.4/0 laddr 10.8.251.4/0 (xxxx)
!!! SSH CONNECTION FAILS!!!
%ASA-6-302013: Built inbound TCP connection 6573714 for outside:10.8.251.30/58550 (10.8.251.30/58550)(LOCAL\xxx) to identity:10.8.251.4/22 (10.8.251.4/22) (xxxx)
%ASA-7-710005: TCP request discarded from 10.8.251.30/58548 to outside:10.8.251.4/22
%ASA-6-106015: Deny TCP (no connection) from 10.8.251.30/58548 to 10.8.251.4/22 flags FIN ACK on interface outside
%ASA-7-710005: TCP request discarded from 10.8.251.30/58548 to outside:10.8.251.4/22
If I allow the direct http/ssh connection to the outside/inside interface, it works perfectly.
Any idea what am I doing wrong? Thank you in advance for your comments and help.
Jaime
09-22-2011 10:08 PM
An update: the ssh connection seems to establish, but for some reason after the initial connection the firewall does not allow the traffic flow and the connection screen just does not show anything. This behavior is evidenced in the log.
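Added example, not from this thread or from Cisco: a small Python checker that groups the ASA syslog lines quoted above by (source, destination, port) and flags management-port connections to the ASA's own address that were built and then discarded, which is the "connects, then shows nothing" behaviour the update describes. The regexes assume the message formats exactly as they appear in the quoted lines, and the sample log is a constructed copy of those lines.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the syslog lines quoted in the thread (not a live feed).
SAMPLE_LOGS = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 10.8.251.30/62218(LOCAL\\xxxx) gaddr 10.8.251.4/0 laddr 10.8.251.4/0 (xxxx)
%ASA-6-302013: Built inbound TCP connection 6573714 for outside:10.8.251.30/58550 (10.8.251.30/58550)(LOCAL\\xxx) to identity:10.8.251.4/22 (10.8.251.4/22) (xxxx)
%ASA-7-710005: TCP request discarded from 10.8.251.30/58548 to outside:10.8.251.4/22
%ASA-6-106015: Deny TCP (no connection) from 10.8.251.30/58548 to 10.8.251.4/22 flags FIN ACK on interface outside
%ASA-7-710005: TCP request discarded from 10.8.251.30/58548 to outside:10.8.251.4/22
"""

# IDs seen in the thread: 302013 = TCP connection built, 710005 = to-the-box request discarded,
# 106015 = packet with no matching connection denied. Field layouts assumed from the quoted lines.
MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
BUILT = re.compile(r"for (\w+):([\d.]+)/\d+ .*? to (\w+):([\d.]+)/(\d+)")
DISCARD = re.compile(r"from ([\d.]+)/\d+ to (\w+):([\d.]+)/(\d+)")
DENY = re.compile(r"from ([\d.]+)/\d+ to ([\d.]+)/(\d+) flags .*? on interface (\w+)")

MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https/asdm"}

def analyze(log_text):
    """Return management-port flows to the ASA itself that were built and then rejected."""
    flows = defaultdict(lambda: {"built": 0, "discarded": 0, "denied": 0, "iface": None})
    for line in log_text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg == "302013" and (g := BUILT.search(line)):
            src_if, src, dst_if, dst, port = g.groups()
            if dst_if != "identity":        # only traffic addressed to the ASA itself matters here
                continue
            key, iface, field = (src, dst, int(port)), src_if, "built"
        elif msg == "710005" and (g := DISCARD.search(line)):
            src, iface, dst, port = g.groups()
            key, field = (src, dst, int(port)), "discarded"
        elif msg == "106015" and (g := DENY.search(line)):
            src, dst, port, iface = g.groups()
            key, field = (src, dst, int(port)), "denied"
        else:
            continue
        flows[key][field] += 1
        flows[key]["iface"] = iface
    findings = []
    for (src, dst, port), c in flows.items():
        # A built management connection followed by discards is the symptom to investigate:
        # check the ssh/http ACL for the VPN pool, management-access and the NAT route-lookup.
        if port in MGMT_PORTS and c["built"] and (c["discarded"] or c["denied"]):
            findings.append({"src": src, "dst": dst, "port": port, "service": MGMT_PORTS[port], **c})
    return findings
```

Run `analyze(SAMPLE_LOGS)` on the quoted lines and it reports the single ssh flow from the pool address 10.8.251.30 to 10.8.251.4 as built once and discarded/denied afterwards, while the ICMP lines produce no finding.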
09-22-2011 11:17 PM
Hi,
You might also be affected by this bug:
You can try the workaround mentioned.
Let me know if this helps.
Thanks,
Varun
09-28-2011 11:31 AM
Hi Varun,
Thank you for your answer. I tried it, but the result was the same
nat (inside,outside) source static Inside_Network Inside_Network destination static temp-pool temp-pool route-lookup
management-access inside
Any other ideas?
Jaime
09-22-2011 11:21 PM
Hi Jaime,
Does the same happen when you connect from one of your internal users?
Did you generate the hashed key for ssh? If not, the command will be:
"crypto key generate rsa modulus 1024"
Be sure to have applied this command too:
aaa authentication ssh console LOCAL
This should be your last resource (I don't believe you will need it; you can go back if it doesn't work):
no ssh 10.8.251.16 255.255.255.240 outside
ssh 0 0 outside
Hope it helps!
-Jorell
09-28-2011 11:27 AM
Hi Jorell,
Thank you for your answer. SSH works seamlessly if the connection comes from the inside, even to the outside interface.
Jaime
11-03-2012 12:58 PM
I have the same issue: the ASA inside is not accessed from the VPN, even though it was working in 8.2, with management-access inside in the CLI.
11-03-2012 01:28 PM
Hello Yaou,
What version are you running?
Can you add the keyword route-lookup to the NAT 0 setup?
Regards