Cannot ssh or ping ASA 5510 from the inside interface.

kywbcisco
Level 1

The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration, but after a lot of hours I'm about at the end of my patience with it. Here are what I believe to be the relevant parts of the config. Any assistance will be greatly appreciated.

ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
name xxx.125.144.0 myLAN
!
interface Ethernet0/0
nameif Outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
nameif management
security-level 100
ip address xxx.125.145.173 255.255.255.0
management-only
!
dns server-group DefaultDNS
domain-name myLAN.circ6.dcn
object-group protocol TCPUDP
protocol-object tcp
access-list inside_access_in_2 extended permit ip any any
access-list Outside_access_in_1 extended permit ip myLAN 255.255.254.0 any
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip address xxx.125.145.175 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit host xxx.125.145.175 inside
asdm history enable
access-group Outside_access_in_1 in interface Outside
access-group inside_access_in_2 in interface inside control-plane
route inside myLAN 255.255.254.0 xxx.125.144.240 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxx.125.144.0 255.255.254.0 management
http myLAN 255.255.254.0 inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
ssh xxx.125.144.14 255.255.255.255 inside
ssh xxx.125.145.174 255.255.255.255 management
ssh timeout 60
console timeout 0
!
Cryptochecksum:f1c9377arda5b6aef83928h0b0058f9

4 Replies

Jouni Forss
VIP Alumni

Hi,

I have never actually configured a transparent ASA firewall so I am just guessing.

What I am wondering is, if you have a transparent firewall acting as an L2 device in the network, shouldn't you just have a default route pointing to the network's only L3 interface's IP address?

Have you tried giving the management interface a totally different IP address? Something like 10.10.10.1/24 so it doesn't have anything to do with the actual network you have your ASA connected to?

Can you ping the IP address mentioned in the global configuration line "ip address" from your computer connected to the L2 network?

kywbcisco
Level 1

Thanks for the reply.

I had an error in a netmask. After fixing that I can ping and connect with ASDM from the inside to the global IP address. I still cannot SSH from the inside but I should be able to figure that out.

Thanks for the help. Although your suggestion wasn't exactly the solution, it did prompt me to review all of my network settings and find the immediate problem.

Thanks again.

Hey,

When you say that you have been able to manage the ASA directly from Management interface, does that mean also with SSH?

I was just wondering if you've issued the "crypto key generate rsa modulus 1024" from the console CLI? Or the same from the ASDM Tools -> Command Line Interface (or something similar)

At least that's the most common mistake I sometimes make when starting configurations with ASA on console (forget to create the keys)

- Jouni

From the management interface I can use SSH and ASDM.

I had already done the "crypto..." command.

After tweaking another netmask I can now do SSH and ASDM from the inside interface. So my immediate problems are all resolved.

Thanks again,
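The thread's two fixes were both netmask mistakes in the lines that gate management access (ssh, http, icmp permit). As an added example that is not part of the thread, the script below parses exactly those line forms from an ASA config and reports whether a given inside host is permitted per service, so a mask typo shows up before anyone spends hours on it. The sample config is constructed in the shape of the post's (the post masked its addresses as "xxx", so RFC 5737 documentation addresses stand in); it also models the ASA rule that an interface with no icmp control entries permits ICMP, while one with any entry denies everything unmatched.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's config. The post masked
# its addresses as "xxx", so RFC 5737 documentation space stands in here.
SAMPLE_CONFIG = """
icmp permit host 192.0.2.175 inside
http 192.0.2.0 255.255.254.0 management
http 192.0.2.0 255.255.254.0 inside
ssh 192.0.2.14 255.255.255.255 inside
ssh 192.0.2.174 255.255.255.255 management
"""

# Accepted forms: "<svc> any <if>", "<svc> host A <if>", "<svc> A MASK <if>"
LINE_RE = re.compile(
    r"^(?P<svc>ssh|http|icmp permit)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))\s+"
    r"(?P<iface>\S+)\s*$"
)

def parse_management_rules(config):
    """Map (service, interface) -> list of permitted source networks."""
    rules = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("any"):
            net = ipaddress.ip_network("0.0.0.0/0")
        elif m.group("host"):
            net = ipaddress.ip_network(m.group("host"))
        else:
            # strict=False tolerates host bits set under the mask, so a
            # mistyped mask still parses and is visible in the report
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        rules.setdefault((m.group("svc"), m.group("iface")), []).append(net)
    return rules

def allowed(rules, service, iface, client):
    """True if `client` may reach `service` on `iface` under these rules."""
    nets = rules.get((service, iface), [])
    if service == "icmp permit" and not nets:
        # No icmp control entries on the interface: ICMP to it is permitted.
        # Once any entry exists, anything that does not match is denied.
        return True
    addr = ipaddress.ip_address(client)
    return any(addr in n for n in nets)

def management_report(config, iface, client):
    """Per-service verdict for one management host on one interface."""
    rules = parse_management_rules(config)
    return {svc: allowed(rules, svc, iface, client) for svc in ("ssh", "http", "icmp permit")}

if __name__ == "__main__":
    print(management_report(SAMPLE_CONFIG, "inside", "192.0.2.14"))
```

Run against the sample, the report shows ssh and http permitted for the inside host but ICMP denied, because the only icmp permit entry on inside is the firewall's own address rather than the LAN.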
