Cannot SSH to subinterface IP on 5506-X from the Inside

Dean Romanelli
Level 4

Hi All,

I have an ASA 5506-X that I am trying to SSH from another site over a LAN-to-LAN MPLS.

Site PC @ 192.168.33.26---------MPLS----------Inside Interface of ASA @ 192.168.172.1

There is no internet or outside interfacing in play here.

The ASA is subinterfaced on the LAN side because the MPLS provider needed the IP info on vlan 11. Before they requested that, the IP info was on the physical interface of the ASA (gi1/2) and I could SSH it from 33.26 no problem.

interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.11
vlan 11
nameif inside
security-level 100
ip address 192.168.172.1 255.255.255.0

When I try to SSH to the ASA from my PC at 192.168.33.26 after the subinterface change, now I get a timeout, but I see the end to end traffic in wireshark which shows the ASA responding to my SSH request, which I've attached. Packet-tracer also shows it is allowed.

What am I missing? 

Accepted Solution

This is resolved.  Had to add a host route on my server to point the next hop for the subnet of the ASA I'm trying to SSH to to the local MPLS router and not the site firewall.  Don't quite understand it since my site firewall is routing for that subnet, so it should have known what to do with it but it is resolved in any case. 


3 Replies

Hi,

Can you show output from:

- sh run | include ssh

- sh run | include aaa

Best regards,

FWCoreSANOC-SC5506(config)# show run | inc ssh
aaa authentication ssh console LOCAL
ssh stricthostkeycheck
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.255 outside
ssh <scrubbed> 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.192.0 255.255.255.0 inside
ssh 192.168.193.0 255.255.255.0 inside
ssh 192.168.16.0 255.255.255.0 inside
ssh 192.168.158.0 255.255.255.0 inside
ssh 192.168.165.0 255.255.255.0 inside
ssh 192.168.168.0 255.255.255.0 inside
ssh 192.168.177.0 255.255.255.0 inside
ssh 192.168.178.0 255.255.255.0 inside
ssh 192.168.33.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
privilege show level 3 mode exec command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh


FWCoreSANOC-SC5506# show run | inc aaa
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode configure command aaa-server
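As an added example (not from this thread or Cisco), a small Python check that parses the `ssh <address> <mask> <interface>` allow-list lines out of this kind of `show run | inc ssh` output and reports whether a given source on a given interface is permitted to open an SSH session. The sample config is constructed from a subset of the lines posted above; `<scrubbed>` entries are redacted and are skipped.

```python
import ipaddress

# Constructed sample modelled on the "show run | inc ssh" output above.
# The "<scrubbed>" entry stands for an address the poster redacted.
SAMPLE_SSH_CONFIG = """\
aaa authentication ssh console LOCAL
ssh stricthostkeycheck
ssh <scrubbed> 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.33.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
privilege show level 3 mode exec command ssh
"""


def parse_ssh_allow_list(config):
    """Return (network, interface) tuples from 'ssh <addr> <mask> <iface>' lines.

    Keyword lines such as 'ssh timeout 5', 'ssh stricthostkeycheck' and
    'ssh key-exchange ...' are not address entries and are skipped, as are
    redacted '<scrubbed>' entries, which cannot be evaluated.
    """
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue
        addr, mask, iface = parts[1:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:  # '<scrubbed>' or a keyword line that happens to have 4 tokens
            continue
        entries.append((net, iface))
    return entries


def ssh_permitted(config, src_ip, iface):
    """True if src_ip arriving on iface matches an ssh allow entry for that interface."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and entry_iface == iface
               for net, entry_iface in parse_ssh_allow_list(config))


if __name__ == "__main__":
    # The poster's PC on the inside interface: permitted by the 192.168.33.0/24 line.
    print(ssh_permitted(SAMPLE_SSH_CONFIG, "192.168.33.26", "inside"))
```

If the source is permitted here and packet-tracer also allows it, yet the client still times out while the capture shows the ASA replying, the remaining suspect is the return path, which is what the host route in the accepted solution changed.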

