Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1724
Views
5
Helpful
6
Replies

unable to ssh or ASDM from inside subnet to FW management IP

network1215
Level 1
Level 1

‎03-07-2020 11:13 AM

Hi All,

 

I am trying to ssh and launch ASDM for management IP of ASA. 

 

I have ASA with SFR Module. (SFR Module is using mgmt0/0 port for communication, no ip assigned physically on interface and port is connected to management vlan as access , works fine) 

 

interface Port-channel1.999
description MGMT_NW
vlan 999
nameif MGMT_NW_NW
security-level 100
ip address 10.10.10.1 255.255.255.128

!

interface Port-channel1.15
description USER
vlan 15
nameif USER
security-level 100
ip address 10.10.15.1 255.255.255.0

 

So when I try to ping or ssh or ASDM or HTTPS to ASA IP 10.10.10.1, it doesn't work (connection fails). From user VLAN 10.10.15.12 (on my laptop)

I don't see arp entry for 10.10.10.1 in arp table of ASA. However  I do see entries for 10.10.10.8 which is switch management IP and I am able to access it. 

 

can someone help how do I resolve it 

 

0 Helpful
6 Replies 6

Sheraz.Salim
VIP
VIP

‎03-07-2020 11:22 AM - edited ‎03-07-2020 11:44 AM

make sure interface Port-channel1.999 connected to switch port-channel is configured as trunk.

!

username admin password cisco123 privilege 15

!

crypto key generate rsa modulus 2048

!

aaa authentication ssh console LOCAL

!

ssh x.x.x.x 255.255.255.0 MGMT_NW_NW

ssh xx.xx.xx.xx 255.255.255.0 USER

!

ssh timeout 60
ssh version 1 2
ssh key-exchange group dh-group1-sha1

!

http server enable

https x.xx.x.x 255.255.255.0 MGMT_NW_NW

https xx.xx.xx.xx 255.255.255.0 USER

!

same-security-traffic permit inter-interface

!

share the ouput of show arp | i 10.10.15.12  and why you except to see  arp  10.10.10.1 it as firewall interface ip address.

test and confirm what you see the output.

please do not forget to rate.
0 Helpful

network1215
Level 1
Level 1
In response to Sheraz.Salim

‎03-07-2020 11:27 AM

I didn't get this part. 

 

ssh 192.168.100.0 255.255.255.0 INSDIE/MANGMET 

 

what should i replace it with from my config ? and I have some similar routes configured

0 Helpful

network1215
Level 1
Level 1
In response to Sheraz.Salim

‎03-07-2020 11:32 AM

make sure interface Port-channel1.999 connected to switch port-channel is configured as trunk. 

 

yes it is trunk. and all vlans allowed 

 

I already have following ssh commands configured but still didn't work. 


ssh 10.10.10.0 255.255.255.128 MGMT_NW (works)
ssh 10.10.15.0 255.255.255.0 USER (doesn't work)

0 Helpful

Sheraz.Salim
VIP
VIP
In response to network1215

‎03-07-2020 12:30 PM

can you ping from ASA USER ip address 10.10.15.1 to switch svi or at your laptop if its connected to in subnet 10.10.15.0 ?

please do not forget to rate.
0 Helpful

network1215
Level 1
Level 1
In response to Sheraz.Salim

‎03-07-2020 12:36 PM

yes I can ping it. no problem. 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to network1215

‎03-07-2020 12:51 PM - edited ‎03-07-2020 01:15 PM


your laptop address 10.10.15.12 and you trying to do ssh on 10.10.10.1 and ASDM 10.10.10.1 is this correct. if so this is not going to work due to No route to host. in order for you to reach SSH/ASDM if your laptop in subnet 10.10.10.x than you have to ssh/asdm to 10.10.10.1.

please do not forget to rate.
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card