Solved: Changing the Radius to the

BrianEschen · ‎10-01-2014

I cant get SSH access working for the inside interface on the other end of the L2L tunnel. I also cant SSH into any of my Switches. I cant ping either interface but I can ping the phones on the other end. I am not even close to sure what I am missing for this to work..

RandomHostName# sho run
: Saved
:
ASA Version 9.1(2)8
!
hostname RandomHostname
domain-name random.domain.name
enable password blahblahblahblah12345 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd blahblahblahblah12345 encrypted
names
!
interface Ethernet0/0
switchport access vlan 999
!
interface Ethernet0/1
switchport access vlan 582
!
interface Ethernet0/2
switchport access vlan 311
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 321
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan582
nameif OUTSIDE
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Vlan999
description LAN Failover Interface
!
interface Vlan321
nameif INSIDE-Phones
security-level 100
ip address 10.129.0.1 255.255.255.0 standby 10.129.0.2
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
object network InsidePhones
subnet 10.129.0.0 255.255.255.0
access-list tunnel_all extended permit ip 10.129.0.0 255.255.255.0 any4
pager lines 24
logging enable
logging buffer-size 8182
logging buffered debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE-Phones 1500
failover
failover lan unit primary
failover lan interface failover-int Vlan999
failover interface ip failover-int 10.129.20.1 255.255.255.0 standby 10.129.20.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server admin protocol radius
aaa-server admin (OUTSIDE) host 192.168.50.1
key *****
authentication-port 1812
accounting-port 1813
aaa-server admin (OUTSIDE) host 192.168.50.2
key *****
authentication-port 1812
accounting-port 1813
aaa-server vpn protocol radius
aaa-server vpn (OUTSIDE) host 192.168.50.1
key *****
aaa-server vpn (OUTSIDE) host 192.168.50.2
key *****
aaa-server RADIUS protocol radius
aaa-server RADIUS (OUTSIDE) host 192.168.50.1
key *****
authentication-port 1812
accounting-port 1813
aaa-server RADIUS (OUTSIDE) host 192.168.50.2
key *****
authentication-port 1812
accounting-port 1813
user-identity default-domain LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa accounting enable console RADIUS
aaa accounting ssh console RADIUS
aaa authorization exec authentication-server
http server enable
http 10.129.30.0 255.255.255.0 OUTSIDE
http 10.129.10.0 255.255.255.0 OUTSIDE
http 192.168.50.1 255.255.255.0 OUTSIDE
http 10.129.10.0 255.255.255.0 INSIDE-Phones
http 10.129.1.0 255.255.255.0 INSIDE-Phones
http redirect OUTSIDE 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address tunnel_all
crypto map outside_map 1 set peer 192.168.50.1
crypto map outside_map 1 set ikev2 ipsec-proposal ESP-AES-256-SHA
crypto map outside_map interface OUTSIDE
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE
telnet timeout 5
ssh 10.129.10.0 255.255.255.0 OUTSIDE
ssh 192.168.50.1 255.255.255.0 OUTSIDE
ssh 10.129.1.0 255.255.255.0 OUTSIDE
ssh 10.129.1.0 255.255.255.0 INSIDE-Phones
ssh 192.168.50.1 255.255.255.0 INSIDE-Phones
ssh 10.129.10.0 255.255.255.0 INSIDE-Phones
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.50.1 192.168.50.2
dhcpd domain contoso.net
dhcpd option 150 ip 10.129.100.12 10.129.70.50
dhcpd option 3 ip 10.129.1.1
!
dhcpd address 10.129.1.10-10.129.1.254 INSIDE-Phones
dhcpd enable INSIDE-Phones
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.50.1
ntp server 192.168.50.1 prefer
username LukeSkywalker password pBoKSJVICSq encrypted privilege 15
tunnel-group 192.168.50.1 type ipsec-l2l
tunnel-group 192.168.50.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:23239ba79ec5f2de8c11d850e7087c57
: end

Marius Gunnerud · ‎10-02-2014

Run the following command

test aaa authentication RADIUS host 192.168.50.1

username: xxxxx

password: xxxxx

do you see any hits on the radius server?

Also run some debugs while trying to authenticate.

debug radius

debug aaa authen

I suggest changing the radius configuration so it points to the inside interface. This way authentication requests are sent with a source IP of the inside interface instead of the outside interface.

it will help to see a network diagram so we have an idea of how your network is set up.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

BrianEschen · ‎10-01-2014

I figured out the SSH by doing management access but my radius stuff still isnt working.

Marius Gunnerud · ‎10-02-2014