03-06-2018 12:39 AM - edited 02-21-2020 07:28 AM
Hello,
We have a Cisco ASA 5510 firewall running the latest version 9.1(7)23 connected to our office through an IPSec VPN tunnel, and we are trying to configure a new management machine to connect remotely to the management IP address of the firewall. The traffic is reaching the management IP, so the encryption domain is working fine and traffic is being tunnelled through IPSec, but when SSH traffic hits the firewall it is being dropped and we get the logs below:
fw01# show logging | include 10.49.3
Feb 08 2018 19:34:42: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:42: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-7-609001: Built local-host outside:10.49.3.27
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-7-609002: Teardown local-host outside:10.49.3.27 duration 0:00:00
Feb 08 2018 19:34:43: %ASA-6-106015: Deny TCP (no connection) from 10.215.80.62/22 to 10.49.3.27/41466 flags SYN ACK on interface outside
fw01#
IP address of the remote management machine: 10.49.3.27
Management IP address of the firewall: 10.215.80.62
We have already tried to remove and reconfigure
management-access inside
But SSH is still failing.
Thank you
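As an added example (not part of this thread or any poster's configuration), a small Python parser that correlates the ASA 302013/302014 pairs shown above by connection id and flags flows to the firewall's own "identity" interface that TCP Intercept tore down before any bytes flowed. The sample log is constructed from the lines quoted above, and the list of management ports is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ASA lines quoted above: two SSH attempts killed by TCP Intercept, plus one normal session.
SAMPLE_LOG = """\
Feb 08 2018 19:34:42: %ASA-6-302013: Built inbound TCP connection 929708 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:42: %ASA-6-302014: Teardown TCP connection 929708 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:34:43: %ASA-6-302013: Built inbound TCP connection 929712 for outside:10.49.3.27/41466 (10.49.3.27/41466) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:34:43: %ASA-6-302014: Teardown TCP connection 929712 for outside:10.49.3.27/41466 to identity:10.215.80.62/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 08 2018 19:35:10: %ASA-6-302013: Built inbound TCP connection 929720 for outside:10.49.3.27/41470 (10.49.3.27/41470) to identity:10.215.80.62/22 (10.215.80.62/22)
Feb 08 2018 19:35:40: %ASA-6-302014: Teardown TCP connection 929720 for outside:10.49.3.27/41470 to identity:10.215.80.62/22 duration 0:00:30 bytes 4120 TCP FINs
"""

# 302013 = connection built: direction, id, source and destination endpoints.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
# 302014 = connection torn down: the trailing free text is the teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .+? duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")

def parse_connections(log_text):
    """Correlate build/teardown lines by connection id into one record per flow."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {k: m[k] for k in ("dir", "sif", "sip", "sport", "dif", "dip", "dport")}
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]].update(reason=m["reason"].strip(), bytes=int(m["bytes"]), duration=m["dur"])
    return conns

def intercepted_mgmt_flows(conns, mgmt_ports=("22", "443")):
    """Ids of flows to the ASA itself ('identity' interface) on an assumed management port that TCP Intercept tore down."""
    return sorted(cid for cid, c in conns.items()
                  if c["dif"] == "identity" and c["dport"] in mgmt_ports
                  and "TCP Intercept" in c.get("reason", ""))

def drops_by_source(conns, flow_ids):
    """Drop count per (source ip, ingress interface) for quick triage."""
    return Counter((conns[i]["sip"], conns[i]["sif"]) for i in flow_ids)

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for (sip, sif), n in drops_by_source(conns, intercepted_mgmt_flows(conns)).items():
        print(f"{n} management connection(s) from {sip} via {sif} dropped by TCP Intercept")
```

Pointing the script at the output of `show logging` separates connections the firewall itself refused (zero bytes, TCP Intercept) from sessions that completed and closed normally, which is the distinction the thread is chasing.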
03-06-2018 02:40 AM
Hi @Neji Jihed
try adding
ssh 10.49.3.0 255.255.255.0 inside
Please mark it as answered if your query is resolved. Appreciate your time!
03-06-2018 04:26 AM
Did that already, but SSH is still failing; I forgot to mention that in the topic.
Thank you
03-06-2018 06:03 AM
You need to have a NAT policy with route-lookup option in place.
Identity NAT example:
nat (INSIDE,OUTSIDE) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp route-lookup
HTH
Bogdan
03-06-2018 06:06 AM
Already there as well.
03-06-2018 06:18 AM
That is weird; the logs you posted indicate that the packets are not being sent to the correct interface.
Are you sure the IPs specified in the NAT rule include 10.49.3.27 and 10.215.80.62?
Are there other nat rules above that could disturb the route lookup rule? If so you can move the route lookup nat rule to the first position.
Are you able to ping? You may need to inspect ICMP and allow ICMP to the management interface.
03-06-2018 06:52 AM
Here is the NAT rule:
nat (inside,any) source static obj-10.215.80.0 obj-10.215.80.0 destination static obj-10.49.3.0 obj-10.49.3.0 no-proxy-arp route-lookup
object network obj-10.215.80.0
subnet 10.215.80.0 255.255.255.192
object network obj-10.49.3.0
subnet 10.49.3.0 255.255.255.0
There are two NAT rules before this one which are doing the same thing (management with route-lookup in place) and they are working fine.
03-06-2018 07:27 AM
NAT seems ok.
I had a better look at the logs and it seems that the SSH session is blocked, but the ssh command should allow access.
There is a bug that you may be hitting: CSCta05045
Can you try:
no management-access inside
management-access inside
03-06-2018 07:32 AM
I am aware of the bug; I have also tried the management-console trick, but it did not work.
I even updated the firewall to the latest version.
I am out of thoughts.
Thank you.
01-08-2020 09:37 PM
I've run into this same issue and tried what the prior user is attempting, and can't get SSH access to the inside interface over the VPN. Any updates on this?
04-15-2024 02:23 PM
This one resolved my issue today. I'm on version ASA 9.12(4)62.