cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1533
Views
5
Helpful
6
Replies

Need assistance with configuration to ssh into inside private host in AWS over VPN

JMJr
Level 1
Level 1

Trying to configure the FW to allow ssh from a remote vpn user to an inside private host over Mgt interface and allow traffic out Outside interface

VPN is working correctly, ssh is not working to internal host in private subnet

(traffic from the VPN subnet is allowed in sg for host 10.0.6.129: 192.168.10.0/24

 

VPN POOL subnet - 192.168.10.0

Mgmt Public IP - 96.127.51.x

Inside subnet - 10.0.3.0

Outside Public IP - 160.1.68.x

Object host IP - 10.0.6.129

 

Config as follows:

 

ip local pool Network-10 192.168.10.2-192.168.10.252 mask 255.255.255.0

 

interface GigabitEthernet0/0

description AWS Eth1 Inside interface

nameif Inside

security-level 100

ip address 10.0.3.33 255.255.255.0

!

interface GigabitEthernet0/1

description AWS Eth2 Outside interface

nameif Outside

security-level 0

ip address 15.200.26.219 255.255.255.240

!

interface Management0/0

description AWS Eth0 Management

nameif management

security-level 100

ip address dhcp setroute

 

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network AWS-Inside_01

subnet 10.0.1.0 255.255.255.0

object network AWS-Inside_03

subnet 10.0.3.0 255.255.255.0

object service Linux_ssh

service tcp source eq ssh destination eq ssh

object service Windows_rdp

service tcp source eq 3389 destination eq 3389

object network NLB-6.14

host 10.0.6.14

object network Linux-ssh-6.129

host 10.0.6.129

object-group network AWS-Internal

description AWS Internal networks

network-object 10.0.1.0 255.255.255.0

network-object 10.0.3.0 255.255.255.0

network-object 10.0.5.0 255.255.255.0

network-object 10.0.6.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list SplitTunnel standard permit 10.0.4.0 255.255.255.0

access-list SplitTunnel standard permit 10.0.6.0 255.255.255.0

access-list vpn-acl extended permit ip any any log

access-list vpn-acl extended deny ip any any log

access-list management_access_in remark Allow remote VPN users access to the internal AWS network over the Network-10 subnet

access-list managament_access_in extended permit ip object-group AWS-Internal object NETWORK_OBJ_192.168.10.0_24 log

access-list PrivateHost-Inside extended permit tcp any host 96.127.51.193 eq ssh log

access-list PrivateHost-Inside extended permit icmp any4 any4

 

nat (Inside,management) source static AWS-Internal AWS-Internal destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

!

object network NLB-6.14

nat (Inside,management) static 96.127.51.193

!

object network Linux-ssh-6.129

nat (Inside,management) static 96.127.51.193

!

nat (Inside,management) after-auto source dynamic any interface

access-group PrivateHost-Inside in interface management

route Inside 10.0.4.0 255.255.255.0 10.0.3.1 1

route Inside 10.0.6.0 255.255.255.0 10.0.3.1 1

 

0.0.0.0 0.0.0.0 [1/0] via 10.0.1.1, management

C        10.0.1.0 255.255.255.0 is directly connected, management

L        10.0.1.24 255.255.255.255 is directly connected, management

C        10.0.3.0 255.255.255.0 is directly connected, Inside

L        10.0.3.33 255.255.255.255 is directly connected, Inside

S        10.0.4.0 255.255.255.0 [1/0] via 10.0.3.1, Inside

S        10.0.6.0 255.255.255.0 [1/0] via 10.0.3.1, Inside

V        192.168.10.2 255.255.255.255

           connected by VPN (advertised), management

 

ASAv-p1(config)#   sh asp table socket

 

 

Protocol   Socket    State      Local Address                                Foreign Address

SSL        186a8938  LISTEN     10.0.1.24:443                                0.0.0.0:*                                    

DTLS      186b7ea8  LISTEN     10.0.1.24:443                                0.0.0.0:*                                    

TCP        186babe8  LISTEN     10.0.1.24:22                                 0.0.0.0:*                                    

SVC        2de68238  ESTAB      10.0.1.24:443                                10.0.1.223:13607                             

TCP        660a1e58  ESTAB      10.0.1.24:22                                 10.0.1.216:48524    

 

Thanks.....

 

 

 

 

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni
VIP Alumni
Hi

I do see an acl SplitTunnel which i believe is given to your vpn clients but it's missing subnet 10.0.3.0.

Also you need to make sure devices in aws have the route in the rtb to join back client vpn pool.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

6 Replies 6

Francesco Molino
VIP Alumni
VIP Alumni
Hi

I do see an acl SplitTunnel which i believe is given to your vpn clients but it's missing subnet 10.0.3.0.

Also you need to make sure devices in aws have the route in the rtb to join back client vpn pool.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

 

Thanks for that observation, I'll make that change.

 

You mentioned the devices in AWS should have the route in the rtb to join back client vpn pool, can you explain this as all Outgoing traffic is allowed back out the IGW. Would that need to be the VPN Pool subnet or something else?

 

Is there any other config changes I need to make on the ASA to allow the connectivity to return back to the remote users through the tunnel ?

 

Thank you

I looked at the config quickly over my phone and didn't see any other thing missing.
If it still didn't work, can you give the output of packet tracer command. If you don't know how packet-tracer works, let me know and I'll give you the command.
For aws, machines on 10.0.3.0 subnet had csr ip as default gateway? If so no need to configure anything on the rtb.
Can you give maybe a drawing of how everything is interconnected to make sure?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for responding.

 

I have included an attachment of the arch setup.

 

For the packet tracer command, let me know if this is correct:

If so, the results are below.

 

-packet-tracer input management tcp 192.168.10.3 2022 96.127.x.x 22

(192.168.10.3 is IP of machine obtained from VPN pool)

(96.127.x.x is the management public IP)

 

ASAv-p1# packet-tracer input management tcp 192.168.10.3 2022 96.127.x.x 22

 

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

 

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

 

Phase: 3

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.0.1.1 using egress ifc  management

              

Phase: 4      

Type: ACCESS-LIST

Subtype:      

Result: DROP 

Config:       

Implicit Rule

Additional Information:

              

Result:       

input-interface: management

input-status: up

input-line-status: up

output-interface: management

output-status: up

output-line-status: up

Action: drop 

Drop-reason: (acl-drop) Flow is denied by configured rule

 

Thank you...

This issue has been resolved.
The route table for the private instance in AWS needed to have a route back to the ASA inside network interface.
Thank you Francesco.

It would help to see a diagram of how this connection is happening.  To me it looks like you have the VPN terminating on the management interface.  You also have several NAT statement translating the inside to the managment interface, one of these statements is the after-auto dynamic NAT statement.  Are there any NAT statement for the outside interface also?  For VPN traffic entering the MGMT interface and also leaving the MGMT interface be sure you have the command same-security-traffic permit intra-interface configured globally.  

For traffic leaving the outside interface be sure to have a dynamic NAT statment configured with source MGMT interface, destination outside translating the VPN address range to the outside interface.

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card