04-26-2012 01:59 AM - edited 03-11-2019 03:58 PM
Dear CSC,
I just stumbled upon a strange ASA / SSH problem.
First of all some specs:
ASA 5520 - Active/Standby Multi Context mode running 8.4.3
I’ve configured SSH login with local authentication and it works fine if I permit access from anywhere.
I wanted to tighten management access to the MGMT interface and MGMT network and applied the following SSH access restriction:
ssh 10.0.0.0 255.255.255.240 MGMT
The MGMT interface IP address is 10.0.0.1 (2) and the SSH client was 10.0.0.4.
Surprisingly, I could not connect to the ASA anymore. I then changed the configuration to
ssh 10.0.0.0 255.255.255.0 MGMT - it was still not working.
So I opened the access to
ssh 10.0.0.0 255.0.0.0 MGMT and it worked!
Does anyone have an explanation for this? Did I miss anything?
Thanks in advance
Michael
04-26-2012 02:18 AM
Well, the only explanation I can think of at this moment is that the subnet from where you were doing SSH is not the same as the one defined on the ASA. Can you check the IP from where you are accessing it?
Thanks,
Varun
04-26-2012 02:30 AM
Hey Varun,
Just checked it again.
That was my first thought, but as mentioned the ASA is using 10.0.0.1 (2)/28 and the client was using 10.0.0.4/28. In fact, I could see the following log entry:
302013 - Build inbound TCP connection 564479 for MGMT:10.0.0.4/56858 (10.0.0.4/56858) to identity 10.0.0.1/22 (10.0.0.1/22)
So basically my SSH connection reached the ASA but never got processed until I changed the allowed SSH IPs.
I'll check tonight in my lab if this issue comes up on other devices.
Cheers, Michael
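As an added example that is not part of the thread: a small Python checker that parses `ssh <network> <mask> <interface>` lines and the 302013 syslog entry quoted above, and reports whether the observed client should have matched a rule. It confirms mechanically that 10.0.0.4 falls inside 10.0.0.0/255.255.255.240 on MGMT, so the mask itself is not the reason the session was refused. The second `ssh` line (192.0.2.0 on `inside`) and the log sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the "ssh" access line from the thread plus a
# hypothetical entry on another interface, to show interface matching.
SSH_ACCESS_LINES = """
ssh 10.0.0.0 255.255.255.240 MGMT
ssh 192.0.2.0 255.255.255.0 inside
"""

# Constructed sample input modelled on the %ASA-6-302013 line quoted above.
SAMPLE_LOG = (
    "302013 - Build inbound TCP connection 564479 for MGMT:10.0.0.4/56858 "
    "(10.0.0.4/56858) to identity 10.0.0.1/22 (10.0.0.1/22)"
)

SSH_RE = re.compile(r"^\s*ssh\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LOG_RE = re.compile(
    r"Build inbound TCP connection \d+ for (?P<ifc>[^:\s]+):"
    r"(?P<src>\d+(?:\.\d+){3})/\d+ \([^)]*\) to identity "
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<port>\d+)"
)


def parse_ssh_access(config):
    """Return [(interface, network)] from 'ssh <net> <mask> <ifc>' lines."""
    rules = []
    for line in config.splitlines():
        m = SSH_RE.match(line)
        if m:
            net, mask, ifc = m.groups()
            # ipaddress accepts dotted netmasks, as used by the ASA CLI.
            rules.append((ifc, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return rules


def parse_identity_connection(log_line):
    """Extract interface, source IP and destination port from a 302013 line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    return {"ifc": m["ifc"], "src": ipaddress.ip_address(m["src"]),
            "port": int(m["port"])}


def ssh_permitted(rules, ifc, src):
    """True if some rule is bound to this interface and contains the client."""
    return any(r_ifc == ifc and src in net for r_ifc, net in rules)


def check_log_line(config, log_line):
    """Return True/False for an SSH (port 22) identity connection, else None."""
    conn = parse_identity_connection(log_line)
    if conn is None or conn["port"] != 22:
        return None
    return ssh_permitted(parse_ssh_access(config), conn["ifc"], conn["src"])
```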