01-14-2007 10:46 PM - edited 03-11-2019 02:19 AM
All the commands are in the new 7.2(2) config:
Management-access inside
SSH xxx.xxx.xxx.xxx inside
I also generated the RSA key
We try to go through our L2L tunnel and get nothing. Putty just times out. This worked fine as a 6.3(3) box.
We're also able to ping through the L2L tunnel, but can't ping the inside interface anymore either.
I basically pasted all the 6.3 config commands into the 7.2 config. It almost appears that the return traffic is not getting dumped in the IPSEC tunnel. I'm scratching my head with this one. Who'd have thought 6.3 would be less painful??? Any suggestions people???
01-15-2007 10:17 AM
ASA does not allow ping to any of its interfaces. To allow ping you need:
1- icmp permit any outside
2- As for the SSH you need to allow it on the outside interface if you are coming from a Site-To-Site VPN tunnel
SSH "L2L source Subnet" outside
Please let me know if this helps,
Regards,
01-16-2007 11:49 AM
I'm not sure I understand. The icmp and ssh traffic are coming through the L2L IPSEC tunnel. The access would be controlled by the remote 6.3(3) PIX through its inside int ACL. The traffic would then come out on the inside int at the 7.2(2) side, so if I can ping an IP on the inside of the PIX I should be able to ping it as well. As far as the SSH traffic goes, on 6.3(3) you just configure SSH "source subnet that needs SSH access" inside, because that's what you set up earlier via the Management-access inside command. Am I missing something? I know there are big differences in the code, but I thought they basically still ran the same way.
01-16-2007 02:59 PM
Hello,
If you can ping an IP address on the Inside behind the ASA this does not mean you should be able to ping the ASA inside interface IP address. This is how the ASA works. You need to explicitly allow ICMP to the inside interface of the ASA from the subnet you want.
As for SSH, what you said is correct. However, you still need to add this command
"management-access inside" to allow management from VPN to the inside interface of the PIX.
Please let me know if this solves problems,
Regards,
01-17-2007 09:49 PM
On a PIX 535 with the 6.3(3) code you do not need to allow echos in the outside interface. I can go through a L2L IPSEC tunnel and ping the inside interface of my remote PIX just fine. The sysopt permit IPSEC command bypasses the outside ACL.
As far as the SSH traffic goes...I have the management-access inside command in my config. I have an SSH xx.xx.xx.xx inside statement as well. I added a fqdn to the config and deleted the original RSA key pair I originally generated. I then regenerated a new key pair. It just seems like my new PIX with the 7.2(2) code is not dumping the return SSH or icmp traffic back into the IPSEC tunnel. When I try to SSH the session just times out. There's no response from the remote PIX saying session closed by remote peer, just nothing....
01-16-2007 06:33 AM
Did you specify a domain-name for your engine? Without a bind-like domain-name, you can't generate any RSA key.
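The replies above (icmp permit and ssh on the interface the traffic arrives on, management-access inside, and a domain-name before the RSA key pair) add up to the following 7.2(2)-side configuration. This is an added example written for this thread, not configuration posted by any participant; the hostname, domain name and the 192.168.10.0/24 remote-LAN address are constructed placeholders, and the 2048-bit modulus is simply a chosen value.

```cisco
! Added example, not from the thread. Placeholder values: the remote site's LAN
! behind the 6.3(3) PIX is assumed to be 192.168.10.0/24 (constructed).
hostname asa-site-b
domain-name example.local
! The domain-name must be set before the key pair exists; regenerate after setting it.
crypto key generate rsa modulus 2048
! Let management sessions that arrive through the VPN terminate on the inside interface.
management-access inside
! SSH and ICMP echo are filtered per interface; the remote LAN must be permitted
! on the interface whose address it is talking to.
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
icmp permit 192.168.10.0 255.255.255.0 inside
! Checks: confirm the statements took effect and that the tunnel's SA counters
! increase in both directions while a session is attempted.
show run management-access
show run ssh
show run icmp
show crypto ipsec sa
```

One check worth doing when the symptom is exactly the one described (requests arrive, nothing comes back): management-access inside only lets the ASA answer on that interface, it does not by itself make the replies interesting traffic. The crypto map's match ACL on both peers, and any NAT exemption, must cover the inside interface's own address, otherwise the return packets are routed out in the clear instead of into the tunnel, and the SSH client sees only a timeout.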
01-17-2007 09:43 PM
I didn't originally. I entered a fqdn and then deleted the rsa key and regenerated a new one. Still can't SSH to inside int, nor ping it even though I have proper icmp statements, SSH statements, and management-access inside statement. Almost like return traffic is NOT being dumped back into the L2L tunnel....strange