07-18-2018 08:32 AM - edited 02-21-2020 08:00 AM
Hi All,
I have an ASA 5506-X that I am trying to SSH from another site over a LAN-to-LAN MPLS.
Site PC @ 192.168.33.26---------MPLS----------Inside Interface of ASA @ 192.168.172.1
There is no internet or outside interfacing in play here.
The ASA is subinterfaced on the LAN side because the MPLS provider needed the IP info on vlan 11. Before they requested that, the IP info was on the physical interface of the ASA (gi1/2) and I could SSH it from 33.26 no problem.
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.11
vlan 11
nameif inside
security-level 100
ip address 192.168.172.1 255.255.255.0
When I try to SSH to the ASA from my PC at 192.168.33.26 after the subinterface change, now I get a timeout, but I see the end to end traffic in wireshark which shows the ASA responding to my SSH request, which I've attached. Packet-tracer also shows it is allowed.
What am I missing?
07-18-2018 01:34 PM - edited 07-18-2018 01:35 PM
This is resolved. Had to add a host route on my server to point the next hop for the subnet of the ASA I'm trying to SSH to to the local MPLS router and not the site firewall. Don't quite understand it since my site firewall is routing for that subnet, so it should have known what to do with it but it is resolved in any case.
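Two checks from this thread worked in code, as an added example (not from the original post or from Cisco): parsing the `ssh <addr> <mask> <iface>` lines of `show run | inc ssh` to confirm 192.168.33.26 is permitted on `inside`, and a longest-prefix-match routing lookup showing why the /32 host route changes the PC's next hop. The gateway addresses and the `ssh` excerpt are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed excerpt in the format of the 'show run | inc ssh' output quoted above.
ASA_SSH_LINES = """\
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.192.0 255.255.255.0 inside
ssh 192.168.33.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
"""

def parse_ssh_permits(config_text):
    """Return (network, interface) tuples from 'ssh <addr> <mask> <ifname>' lines,
    skipping other four-token 'ssh ...' settings such as key-exchange."""
    permits = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh":
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue  # not an address/mask pair (e.g. 'ssh key-exchange group ...')
            permits.append((net, parts[3]))
    return permits

def ssh_allowed(config_text, client_ip, ingress_iface):
    """True if the ASA management-access list admits client_ip on ingress_iface."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and iface == ingress_iface
               for net, iface in parse_ssh_permits(config_text))

def next_hop(routes, dest_ip):
    """Longest-prefix match over (prefix, gateway) pairs, as a host routing table does."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [(net, gw) for net, gw in routes if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed host routing table; both gateways are placeholders, not from the thread.
SITE_FW = "192.168.33.1"    # placeholder: site firewall, the PC's default gateway
MPLS_RTR = "192.168.33.2"   # placeholder: local MPLS router
ROUTES_BEFORE = [(ipaddress.ip_network("0.0.0.0/0"), SITE_FW)]
# The fix from the thread: a /32 host route for the ASA pointing at the MPLS router.
ROUTES_AFTER = ROUTES_BEFORE + [(ipaddress.ip_network("192.168.172.1/32"), MPLS_RTR)]
```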
07-18-2018 12:56 PM - edited 07-18-2018 12:58 PM
Hi,
can you show output from:
- sh run | include ssh
- sh run | include aaa
Best regards,
07-18-2018 01:12 PM
FWCoreSANOC-SC5506(config)# show run | inc ssh
aaa authentication ssh console LOCAL
ssh stricthostkeycheck
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.192.0 255.255.255.0 inside
ssh 192.168.193.0 255.255.255.0 inside
ssh 192.168.16.0 255.255.255.0 inside
ssh 192.168.158.0 255.255.255.0 inside
ssh 192.168.165.0 255.255.255.0 inside
ssh 192.168.168.0 255.255.255.0 inside
ssh 192.168.177.0 255.255.255.0 inside
ssh 192.168.178.0 255.255.255.0 inside
ssh 192.168.33.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
privilege show level 3 mode exec command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh
FWCoreSANOC-SC5506# show run | inc aaa
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode configure command aaa-server