SSH management not working

Jon Moots
Level 1

I have a question on an old 8.0(3) ASA. I inherited these from a previous developer and am having trouble getting into them through SSH from a remote location.

Here is a rough setup for them:

  - I am in a remote office with a 10.10.10.0 IP subnet.

  - I have a VPN tunnel going to a Data Center from the remote office, with the IP subnet for the DC as 20.20.0.0.

  - On the 20.20.0.0 subnet I have an ASA with the inside address of 20.20.0.1/24, and 3 servers with the IP addresses 20.20.0.2-4/24.

GIVEN: I can remote into the servers via SSH from the office 10.10.0.0 network with no problems. I can also use SSH from the servers to the ASA and get into the ASA.

Where I have a problem is trying to get to the ASA with SSH from the remote office location. I have SSH turned on for the inside interface for 0.0.0.0 0.0.0.0

I have AAA authentication via the LOCAL database; all of that is there. I just can't get to the ASA from the remote site, and I am not sure what to look for with it being an older version of the ASA software.

 

It does have an access list for no-nat:

access-list nonat extended permit ip 20.20.0.0 255.255.0.0 office 255.255.255.0         (where office is defined as 10.10.0.0)

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

 

 

Am I looking in the right direction or way off here?  Any help would be appreciated.

-Jon

 

Accepted Solution

Is the VPN terminating on the ASA you are trying to manage?

If so, do you have the command management-access inside (where inside is the name of the interface) configured?

If adding that command doesn't work, try generating a new RSA key to use for the SSH session:

crypto key generate rsa modulus 1024

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

14 Replies 14

Is the VPN terminating on the ASA you are trying to manage?

If so do you have the command management-access inside (where inside is the name of the interface) configured?

If adding that command doesn't work, try generating a new RSA key to use for the SSH session

crypto key generate rsa modulus 1024

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Thank you Marius,

 The management-access interface command worked. There was nothing in there at all for that. Did not know it needed one.

 

Thanks again.

 

Hi Jon,

 

For your reference, the "management-access interface" command can be used to source traffic from the same interface for a site-to-site VPN, in case we don't have access to any internal host machine.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s4.html

 

Hope the information is helpful!!

 

Regards,

 

Tushar Bangia

 

Note: Please do rate the post if you find it helpful!!
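As an added check (not code from this thread or from Cisco), the script below scans an ASA 8.0-style running-config for the things this thread turned on or should tighten: the management-access line for the VPN-side interface, the SSH source scope (the poster allows 0.0.0.0 0.0.0.0), and the nat 0 exemption. The config text is constructed to mirror the poster's setup; the interface name Vlan1 and the ACL name are assumptions.

```python
import re

# Constructed ASA 8.0-style running-config fragment (not from the thread). It mirrors
# the poster's setup: SSH open to any source, nonat exemption present, and no
# management-access line for the interface the VPN-side hosts sit behind.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 20.20.0.1 255.255.255.0
access-list nonat extended permit ip 20.20.0.0 255.255.0.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
"""

SSH_RULE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
NAT_EXEMPT = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def audit_mgmt_access(config, mgmt_if="inside", mgmt_subnets=()):
    """Findings for managing an ASA over a site-to-site VPN via SSH/TFTP.
    mgmt_if: nameif of the interface the VPN-reachable management hosts use;
    mgmt_subnets: (network, mask) pairs that should be the only SSH sources."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # 1. The thread's accepted fix: without it the ASA does not treat traffic to
    #    its inside address arriving over the VPN as management traffic.
    if f"management-access {mgmt_if}" not in lines:
        findings.append(f"missing 'management-access {mgmt_if}'")
    # 2. Least privilege on SSH sources: flag any-source entries and confirm each
    #    expected management subnet is actually permitted.
    ssh_rules = [m.groups() for m in map(SSH_RULE.match, lines) if m]
    for net, mask, intf in ssh_rules:
        if net == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"ssh from any source on {intf}; restrict to management subnets")
    for net, mask in mgmt_subnets:
        if not any(n == net and m == mask for n, m, _ in ssh_rules):
            findings.append(f"no ssh entry for management subnet {net} {mask}")
    # 3. NAT exemption: VPN-bound traffic must not be translated, and the ACL
    #    named by the 'nat 0' line has to exist.
    exempt = [m.group(2) for m in map(NAT_EXEMPT.match, lines) if m]
    if not exempt:
        findings.append("no 'nat (if) 0 access-list' exemption for VPN traffic")
    for acl in exempt:
        if not any(l.startswith(f"access-list {acl} ") for l in lines):
            findings.append(f"nat 0 references undefined access-list {acl}")
    return findings
```

Run it against `show running-config` output saved to a file; an empty list means the three conditions above are all satisfied.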

Thank you Tushar, I will look into this as well.

-Jon

One last question for you. Once I am in, I am trying to copy via tftp back to the server on the remote office network. The ASA will not connect to it or ping it. Do I have to add something into it to get it to see the office network?

 

How are you copying and what are you copying to the server?

Since VPN terminates on the ASA, you may need to add the commands:

tftp-server inside <server IP> disk0:/

Replace disk0 with the location where the file you want to copy is.

Then issue the command copy disk0: tftp: and fill in the required information.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

I am trying to do a Copy running-config tftp command to get the running configs backed up to an offsite location.

So the command above, do I replace the disk0:/ with running-config? Disk0: will give me all of the files but nothing for configurations.

-Jon

 

disk0 was just an example as that is where my config file is located on my ASA.

yes, you would just need to replace disk0 with running-config.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

OK, I got the command down, now I am getting a time-out error when trying to connect. I cannot ping from the ASA interface to the remote office interface or the workstation.

That does not sound right since I can remote from the workstation to the ASA and it's fine.

Am I missing something?

 

You will not be able to ping from the ASA to the workstation over the VPN; to test connectivity you would need to ping from a workstation on the inside interface. So this is expected behavior.

Try changing the command to tftp-server outside and test.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Still time-out. Could it be something on the remote PIX that is stopping it from coming back in to the tftp workstation?

That would be the next thing to check.  It is very likely that there is something stopping it on the PIX.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

From my remote PIX I see in the logs:

  710003: UDP access denied by ACL from 10.10.0.109/xxxx to inside:10.10.0.1/snmp

 

where xxxx are random numbers, 10.10.0.109 is my TFTP server and 10.10.0.1 is my inside interface on the PIX.

I do not see any ACL listed in the PIX that should be blocking anything. I have several of these messages in the logs; could this be what is stopping the tftp transfer?

 

The log you posted is for SNMP, if you filter the logs, do you see one for TFTP?  Or if you monitor the logs when trying to copy the config do you see the TFTP being denied?

--

Please remember to select a correct answer and rate helpful posts
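To do what the last reply suggests concretely, filter the PIX syslog for denials that match the TFTP flow rather than the SNMP noise. This is an added example, not code from the thread or from Cisco; the log lines are constructed (only the 710003 format comes from the post above, the 106023 and 302015 formats are assumed from memory), 10.10.0.109 is the poster's TFTP server and 20.20.0.1 the ASA's inside address.

```python
import re

# Constructed syslog sample (not the thread's actual logs): the thread's 710003
# SNMP line with a made-up source port, plus an assumed-format 106023 line for a
# TFTP attempt from the ASA's inside address being denied, and one being built.
SAMPLE_LOG = """\
710003: UDP access denied by ACL from 10.10.0.109/1025 to inside:10.10.0.1/snmp
710003: UDP access denied by ACL from 10.10.0.109/1026 to inside:10.10.0.1/snmp
106023: Deny udp src outside:20.20.0.1/1061 dst inside:10.10.0.109/69 by access-group "outside_in"
302015: Built inbound UDP connection 42 for outside:20.20.0.1/1062 (20.20.0.1/1062) to inside:10.10.0.109/69 (10.10.0.109/69)
"""

# 710003 = packet addressed to the PIX/ASA itself was denied (to-the-box).
# 106023 = packet passing through the box was denied by an interface ACL.
TO_BOX_DENY = re.compile(
    r"710003: (\w+) access denied by ACL from (\S+)/(\S+) to (\S+):(\S+)/(\S+)")
THROUGH_DENY = re.compile(
    r"106023: Deny (\w+) src (\S+):(\S+)/(\S+) dst (\S+):(\S+)/(\S+)")

def is_tftp(port):
    """TFTP control traffic: port 69, logged either numerically or as a service name."""
    return port.lower() == "tftp" or port == "69"

def parse_denials(log_text):
    """Yield one dict per ACL denial (to-the-box or through-the-box) in the log."""
    for line in log_text.splitlines():
        m = TO_BOX_DENY.search(line)
        if m:
            proto, src, sport, dif, dst, dport = m.groups()
            yield {"id": "710003", "proto": proto.lower(), "src": src, "sport": sport,
                   "dst_if": dif, "dst": dst, "dport": dport}
            continue
        m = THROUGH_DENY.search(line)
        if m:
            proto, sif, src, sport, dif, dst, dport = m.groups()
            yield {"id": "106023", "proto": proto.lower(), "src": src, "sport": sport,
                   "dst_if": dif, "dst": dst, "dport": dport}

def tftp_denials(log_text, tftp_server):
    """Only the denials that would stop a 'copy running-config tftp:' to tftp_server."""
    return [d for d in parse_denials(log_text)
            if d["proto"] == "udp" and d["dst"] == tftp_server and is_tftp(d["dport"])]
```

Against the sample, the two SNMP lines are parsed but dropped, and only the through-the-box deny toward 10.10.0.109/69 is reported, which is the line to look for in the PIX logs while the copy is running.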

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card