08-12-2010 11:26 AM - edited 03-11-2019 11:24 AM
We have a functioning tunnel set up between two ASA5510s. Traffic passes normally between the two. Both ASAs are configured for aaa, ssh, and http access. I can ping the outside ASA address of either ASA from the other's ASA, but neither ssh nor ASDM access works from either network to the other ASA. What do I need to look for in the configuration? I did not set these up originally and the configurations are rather large. Thanx!
08-12-2010 03:29 PM
Hello,
Are you trying to access the outside interface of the firewalls or the inside interface? If you are accessing the inside interface, can you please ensure that you have the following line on both devices:
management-access inside
Once you have this line, you will be able to access the inside interface from the other network.
Hope this helps.
Regards,
NT
08-12-2010 03:31 PM
If you are trying to SSH/HTTPS to the ASA from the LAN-to-LAN VPN tunnel, you would need to SSH/HTTPS to the inside interface of the ASA as I assume that would already be included as part of the interesting traffic (crypto ACL) between the 2 sites.
You would also need to make sure that the remote network subnet where you are trying to SSH/HTTPS from has been configured, ie:
ssh
http
Plus you would also need "management-access inside" on the ASA that you are trying to SSH/HTTPS to.
Hope that helps.
08-13-2010 06:18 AM
I verified that all of these configurations are in place at both ends of the tunnel. This is the reason I reached out to this community. I don't understand what's missing. Thank you!
08-13-2010 09:15 AM
Hello,
Can you please post corresponding configurations from both devices?
Regards,
NT
08-13-2010 09:18 AM
Certainly and I appreciate your time! But, I will have to clean them both up considerably to maintain confidentiality. I'll try to work on them today. Thank you!
08-13-2010 12:06 PM
08-13-2010 12:25 PM
Hello,
The command "http 10.10.30.0 255.255.255.0 inside" is missing in the remote firewall configuration.
I also did not find any crypto map match rule in the local firewall (you might have removed it for sanitizing the config).
Can you please check these two things?
Regards,
NT
08-13-2010 12:28 PM
Hello,
Also, on the remote firewall, the nonat rule seems to be incorrect:
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96 255.255.255.224
The rule for 10.2.1.0/24 to 10.10.30.0/24 is missing.
Regards,
NT
08-13-2010 12:56 PM
08-13-2010 01:02 PM
Hello,
Have you tried to SSH/HTTPS from the remote network to your local ASA? On the remote ASA, I still did not find the http configurations for your local network:
http server enable
http 10.2.1.0 255.255.255.0 IN_Corp
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 Out_IAXS
ssh 10.2.1.0 255.255.255.0 IN_Corp
Can you please try adding:
http 0.0.0.0 0.0.0.0 IN_Corp
ssh 0.0.0.0 0.0.0.0 IN_Corp
on the remote ASA and see if that helps.
Regards,
NT
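The replies above keep coming back to the same three things on the ASA being managed: a "management-access" line for the interface you connect to, "ssh"/"http" entries that cover the peer site's subnet on that same interface, and a nonat (identity NAT) ACL entry for the two LANs. The script below is an added example, not configuration or code from this thread or from Cisco: it parses a constructed ASA config fragment (modelled on the sanitized values quoted above, with the interface simply named "inside" instead of IN_Corp) and reports which of those lines are missing for a given peer subnet. The function names, the sample config and the subnet arguments are all assumptions for the illustration.

```python
import ipaddress

# Constructed sample of the remote ASA's config, not the thread's real config.
# ssh from the peer LAN is allowed, but the http line and the nonat entry
# for 10.10.30.0/24 are missing, mirroring the gaps discussed above.
REMOTE_ASA_CONFIG = """\
management-access inside
http server enable
http 10.2.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.2.1.0 255.255.255.0 inside
ssh 10.10.30.0 255.255.255.0 inside
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96 255.255.255.224
"""

# The same sample with the two missing lines added (constructed).
FIXED_ASA_CONFIG = REMOTE_ASA_CONFIG + """\
http 10.10.30.0 255.255.255.0 inside
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.30.0 255.255.255.0
"""


def parse_config(text):
    """Pull out only the lines relevant to management access over the tunnel."""
    cfg = {"management_access": set(), "ssh": [], "http": [], "nonat": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[0] == "management-access" and len(parts) == 2:
            cfg["management_access"].add(parts[1])
        elif parts[0] in ("ssh", "http") and len(parts) == 4:
            # "http server enable" has 3 tokens and is skipped here on purpose.
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue
            cfg[parts[0]].append((net, parts[3]))
        elif parts[:5] == ["access-list", "nonat", "extended", "permit", "ip"] and len(parts) >= 9:
            src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
            dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
            cfg["nonat"].append((src, dst))
    return cfg


def check_remote_access(cfg, mgmt_iface, peer_subnet, own_subnets):
    """Return (severity, suggested line) for each prerequisite that is absent.

    mgmt_iface  - interface the peer site will SSH/HTTPS to (e.g. "inside")
    peer_subnet - LAN at the other end of the tunnel
    own_subnets - this ASA's LANs that the nonat ACL must pair with the peer
    """
    peer = ipaddress.ip_network(peer_subnet)
    findings = []
    if mgmt_iface not in cfg["management_access"]:
        findings.append(("MISSING", f"management-access {mgmt_iface}"))
    for proto in ("ssh", "http"):
        covered = any(iface == mgmt_iface and peer.subnet_of(net)
                      for net, iface in cfg[proto])
        if not covered:
            findings.append(("MISSING",
                             f"{proto} {peer.network_address} {peer.netmask} {mgmt_iface}"))
    for own in own_subnets:
        own = ipaddress.ip_network(own)
        exempt = any(own.subnet_of(s) and peer.subnet_of(d) for s, d in cfg["nonat"])
        if not exempt:
            findings.append(("MISSING",
                             "access-list nonat extended permit ip "
                             f"{own.network_address} {own.netmask} "
                             f"{peer.network_address} {peer.netmask}"))
    return findings


if __name__ == "__main__":
    for label, text in (("remote (as posted)", REMOTE_ASA_CONFIG),
                        ("remote (fixed)", FIXED_ASA_CONFIG)):
        cfg = parse_config(text)
        result = check_remote_access(cfg, "inside", "10.10.30.0/24", ["10.2.1.0/24"])
        print(label, "->", result or "all prerequisites present")
```

Run it against a sanitized "show running-config" from each ASA in turn, swapping the peer and own subnets for the other side, and it lists the exact lines to add. It only checks the management-plane prerequisites the replies name; a wrong crypto ACL or a missing "nat (inside) 0 access-list nonat" statement would still have to be checked by hand.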
08-13-2010 01:35 PM
I have confirmed the http commands on the local ASA. I must have accidentally erased them. I have also ensured that the recommended ssh commands have been added to the remote ASA. That's what I find so frustrating. I still can't ssh from either end nor http from the local network. I don't have a way to http from the remote end. It appears that everything is correct for ssh/http access from both sides, but it still won't work. I've worked with Cisco IOS and CatOS for nearly 20 years, but these ASAs are a bit trickier. Unfortunately, I never had one, or a PIX to work with before, as all we ever used were Nokias and Junipers. Best regards, Wolf
08-13-2010 01:45 PM
Hello,
Let us try configuring packet capture and see if we can figure out something:
On the local firewall:
access-list cap permit tcp 10.2.1.0 255.255.255.0 interface inside eq ssh
access-list cap permit tcp interface inside eq ssh 10.2.1.0 255.255.255.0
capture capin access-list cap interface inside
On the remote firewall:
access-list cap permit tcp 10.10.30.0 255.255.255.0 interface inside eq ssh
access-list cap permit tcp interface inside eq ssh 10.10.30.0 255.255.255.0
capture capin access-list cap interface inside
Also, let us try the packet-tracer:
on the local firewall:
packet-tracer input inside tcp 10.10.30.101 1024 10.2.1.211 22 detailed
On the remote firewall:
packet-tracer input inside tcp 10.2.1.101 1024 10.10.30.1 22 detailed
Also, can you please post the output of "show version" from both devices?
Regards,
NT
08-13-2010 02:17 PM
08-15-2010 07:29 AM
Hi Guys,
Not sure, but maybe the following statement will hint at something.
@Local ASA#
"asdm location 10.2.1.0 255.255.255.0 Out_SPWL"