ASA 8.4(2) asdm-ssh access issues from vpn

jaime.pedraza
Level 1

Hi, I have a 5585 with version 8.4.2

I have issues accessing the asa using ssh or asdm via remote access vpn. The configuration details are the following:

10.8.251.30 -- address assigned from the pool

10.8.251.4 -- inside interface address in the ASA

1. The VPN establishes without problems and I can reach any inside resource; I can also ping the firewall.

group-policy pol1 attributes

vpn-tunnel-protocol ikev1 ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value pol1_splitTunnelAcl

ip local pool Temp-pool 10.8.251.16-10.8.251.31 mask 255.255.255.240

access-list pol1_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

2. The configuration of ssh, http and management features are the following:

ssh 0.0.0.0 0.0.0.0 inside

ssh 10.8.251.16 255.255.255.240 outside

ssh timeout 60

ssh version 2

http server enable

http 0.0.0.0 0.0.0.0 inside

http 10.8.251.16 255.255.255.240 outside

management-access inside

This configuration works with another device that has the 8.2.3 version.

I can ping the interface address, but telnet, ssh and asdm do not work. The following is the output of the logs.

!!! PING OK!!!

%ASA-6-302020: Built inbound ICMP connection for faddr 10.8.251.30/62218(LOCAL\xxxx) gaddr 10.8.251.4/0 laddr 10.8.251.4/0 (xxxx)

%ASA-6-302021: Teardown ICMP connection for faddr 10.8.251.30/62218(LOCAL\xxxx) gaddr 10.8.251.4/0 laddr 10.8.251.4/0 (xxxx)

!!! SSH CONNECTION FAILS!!!

%ASA-6-302013: Built inbound TCP connection 6573714 for outside:10.8.251.30/58550 (10.8.251.30/58550)(LOCAL\xxx) to identity:10.8.251.4/22 (10.8.251.4/22) (xxxx)

%ASA-7-710005: TCP request discarded from 10.8.251.30/58548 to outside:10.8.251.4/22

%ASA-6-106015: Deny TCP (no connection) from 10.8.251.30/58548 to 10.8.251.4/22 flags FIN ACK  on interface outside

%ASA-7-710005: TCP request discarded from 10.8.251.30/58548 to outside:10.8.251.4/22

If I allow the direct http/ssh connection to the outside/inside interface, it works perfectly.

Any idea what am I doing wrong? Thank you in advance for your comments and help.

Jaime

7 Replies

jaime.pedraza
Level 1

An update: the ssh connection seems to establish, but for some reason after the initial connection the firewall does not allow the traffic to flow and the connection screen just does not show anything. This behavior is evidenced in the log.

Hi,

You might also be affected by this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

You can try the workaround mentioned.

Let me know if this helps.

Thanks,

Varun


Hi Varun,

Thank you for your answer. I tried it, but the result was the same:

nat (inside,outside) source static Inside_Network Inside_Network destination static temp-pool temp-pool route-lookup

management-access inside

Any other ideas?

Jaime
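For reference, the full 8.4-style form of the NAT exemption and management-access configuration that the replies above are debating, written out with the addresses from the question, followed by the CLI checks a practitioner would run to see where the SSH flow is being dropped. This is an added example, not configuration posted by anyone in the thread, and it is not presented as the fix for this case (the poster reports that route-lookup alone did not help). The object name Inside_Network is assumed to already exist and cover the inside subnets; VPN_Pool is an assumed name matching the ip local pool above.

```text
! Added example (not from the original thread). Inside_Network is assumed to
! exist already; VPN_Pool is an assumed object name for the 10.8.251.16/28 pool.
object network VPN_Pool
 subnet 10.8.251.16 255.255.255.240

! NAT exemption for inside <-> VPN pool traffic. route-lookup (8.4(2)+) makes
! the ASA choose the egress interface from the routing table instead of the
! NAT statement; no-proxy-arp stops the ASA answering ARP for the pool.
nat (inside,outside) source static Inside_Network Inside_Network destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup

! Allow VPN users to manage the ASA via the inside interface address (10.8.251.4)
management-access inside

! Scope management access to the pool rather than 0.0.0.0 0.0.0.0
ssh 10.8.251.16 255.255.255.240 inside
http 10.8.251.16 255.255.255.240 inside

! Checks: confirm the exemption is hit, inspect the half-open SSH flow, and
! watch the ASP drop counters while reproducing the %ASA-7-710005 discards.
show nat detail
show conn address 10.8.251.30
show asp drop
packet-tracer input outside tcp 10.8.251.30 58550 10.8.251.4 22 detailed
```

Run `show asp drop` twice, once before and once after reproducing the failed SSH attempt, and compare the counters; a counter that increments in step with the 710005 messages names the drop reason and tells you whether the problem is the NAT/route decision or the to-the-box management path. Narrowing the ssh and http statements to the pool is a least-privilege change independent of the troubleshooting and does not affect the symptom.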

Hi Jaime,

Does it happen the same when you connect from one of your internal users?

Did you generate the hashed key for ssh? If not, the command will be:

"crypto key generate rsa modulus 1024"

Be sure to have applied this command too:

aaa authentication ssh console LOCAL

This should be your last resort (I don't believe you will need it; you can go back if it doesn't work):

no ssh 10.8.251.16 255.255.255.240 outside

ssh 0 0 outside

Hope it helps!

-Jorell

Hi Jorell,

Thank you for your answer. SSH works seamlessly if the connection comes from the inside, even to the outside interface.

Jaime

I have the same issue: the ASA inside is not accessible from the VPN, even though it was working in 8.2 with the management-access inside CLI.

Hello Yaou,

What version are you running?

Can you add the keyword route-lookup to the NAT 0 setup?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC