cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14172
Views
8
Helpful
17
Replies

SSH and HTTPS over VPN

pootboy69
Level 1
Level 1

We have a functioning tunnel set up between two ASA5510s.  Traffic passes normally between the two.  Both ASAs are configured for aaa, ssh, and http access.  I can ping the outside ASA address of either ASA from the other's ASA, but neither ssh, nor ASDM access works from either network to the other ASA..  What do I need to look for in the configuration?  I did not set these up originally and the configurations are rather large.  Thanx!

17 Replies 17

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Are you trying to access the outside interface of the firewalls or inside

interface? If you are accessing the inside interface, can you please ensure

that you have the following lines on both devices:

management-access inside

Once you have these lines, you will be able to access the inside interface

from the other network.

Hope this helps.

Regards,

NT

Jennifer Halim
Cisco Employee
Cisco Employee

If you are trying to SSH/HTTPS to the ASA from the LAN-to-LAN VPN tunnel, you would need to SSH/HTTPS to the inside interface of the ASA as I assume that would already be included as part of the interesting traffic (crypto ACL) between the 2 sites.

You would also need to make sure that the remote network subnet where you are trying to SSH/HTTPS from has been configured, ie:

ssh inside

http inside

Plus you would also need "management-access inside" on the ASA that you are trying to SSH/HTTPS to.

Hope that helps.

I verified that allof these configurations are in place at both ends of the tunnel.  This is the reason I reached out to this community.  I don't understand what's missing.  Thank you!

Hello,

Can you please post corresponding configurations from both devices?

Regards,

NT

Certainly and I appreciate your time!  But, I will have to clean them both up considerably to maintain confidentiality.  I'll try to work on them today.  Thank you!

Here are tha pared down configurations.  I made every effort to retain all settings pertinent to our tunnel and ssh/http access.  Thanks so much for your kind consideration!

Hello,

The commands:

"http 10.10.30.0 255.255.255.0 inside" command is missing in the Remote

firewall configuration.

I also did not find any crypto man match rule in the local firewall (you

might have removed it for sanitizing the config).

Can you please check these two things?

Regards,

NT

Hello,

Also, on the remote firewall, the nonat rule seems to be incorrect:

access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0

255.255.255.0

access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96

255.255.255.224

The rule for 10.2.1.0/24 to 10.10.30.0/24 is missing.

Regards,

NT

You're right!  Overzealous editing of the config files.  I believe the corrected configs have provided the data you mentioned.  Thanx!

Hello,

Have you tried to SSH/HTTPS from the remote network to your local ASA? On

the remote ASA, I still did not find the http configurations for your local

network:

http server enable

http 10.2.1.0 255.255.255.0 IN_Corp

http 192.168.1.0 255.255.255.0 management

http 192.168.3.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 Out_IAXS

ssh 10.2.1.0 255.255.255.0 IN_Corp

Can you please try adding:

http 0.0.0.0 0.0.0.0 IN_Corp

ssh 0.0.0.0 0.0.0.0 IN_Corp

on the remote ASA and see if that helps.

Regards,

NT

I have confirmed the http commands on the local ASA.  I must have accidentally erased them.  I have also ensured that the recommended ssh commands have been added to the remote ASA.  That's what I find so frustrating.  I still can't ssh from either end nor http from the local network.  I don't have a way to http from the remote end.  It appears that everything is correct for ssh/http access from both sides, but it still won't work.  I've worked with Cisco IOS and CatOS for nearly 20 years, but these ASAs are a bit trickier.  Unfortumately, I never had one, or a PIX to work with before as all we ever used were Nokias and Junipers.  Best regards, Wolf

Hello,

Let us try configuring packet capture and see if we can figure out

something:

On the local firewall:

access-list cap permit tcp 10.2.1.0 255.255.255.0 interface inside eq ssh

access-list cap permit tcp interface inside eq ssh 10.2.1.0 255.255.255.0

capture capin access-list cap interface inside

On the remote firewall:

access-list cap permit tcp 10.10.30.0 255.255.255.0 interface inside eq ssh

access-list cap permit tcp interface inside eq ssh 10.10.30.0 255.255.255.0

capture capin access-list cap interface inside

Also, let us try the packet-tracer:

on the local firewall:

packet-tracer input inside tcp 10.10.30.101 1024 10.2.1.211 22 detailed

On the remote firewall:

packet-tracer input inside tcp 10.2.1.101 1024 10.10.30.1 22 detailed

Also, can you please post the output of "show version" from both devices?

Regards,

NT

I shall do that, but, unfortunately, it will have to be put off until Monday.  I must tend to the network at the moment.  In the mean time, here are the show version outputs of both.  Thank you!

Regards,

Wolf

Hi Guys,

     Not sure but may be following statement will hint something.

@Local ASA#

"asdm location 10.2.1.0 255.255.255.0 Out_SPWL"

Review Cisco Networking for a $25 gift card