03-07-2020 11:13 AM
Hi All,
I am trying to SSH to and launch ASDM on the management IP of the ASA.
I have an ASA with an SFR module. (The SFR module is using the mgmt0/0 port for communication; no IP is assigned physically on the interface and the port is connected to the management VLAN as access. Works fine.)
interface Port-channel1.999
 description MGMT_NW
 vlan 999
 nameif MGMT_NW_NW
 security-level 100
 ip address 10.10.10.1 255.255.255.128
!
interface Port-channel1.15
 description USER
 vlan 15
 nameif USER
 security-level 100
 ip address 10.10.15.1 255.255.255.0
When I try to ping, SSH, ASDM or HTTPS to the ASA IP 10.10.10.1 from user VLAN 10.10.15.12 (on my laptop), it doesn't work (connection fails).
I don't see an ARP entry for 10.10.10.1 in the ARP table of the ASA. However, I do see entries for 10.10.10.8, which is the switch management IP, and I am able to access it.
Can someone help me resolve it?
03-07-2020 11:22 AM - edited 03-07-2020 11:44 AM
make sure interface Port-channel1.999 connected to switch port-channel is configured as trunk.
!
username admin password cisco123 privilege 15
!
crypto key generate rsa modulus 2048
!
aaa authentication ssh console LOCAL
!
ssh x.x.x.x 255.255.255.0 MGMT_NW_NW
ssh xx.xx.xx.xx 255.255.255.0 USER
!
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
!
http server enable
http x.xx.x.x 255.255.255.0 MGMT_NW_NW
http xx.xx.xx.xx 255.255.255.0 USER
!
same-security-traffic permit inter-interface
!
Share the output of show arp | i 10.10.15.12. Why do you expect to see ARP for 10.10.10.1? It is the firewall interface IP address.
Test and confirm what you see in the output.
03-07-2020 11:27 AM
I didn't get this part.
ssh 192.168.100.0 255.255.255.0 INSDIE/MANGMET
What should I replace it with from my config? I have some similar routes configured.
03-07-2020 11:32 AM
make sure interface Port-channel1.999 connected to switch port-channel is configured as trunk.
Yes, it is a trunk, and all VLANs are allowed.
I already have the following ssh commands configured, but it still didn't work.
ssh 10.10.10.0 255.255.255.128 MGMT_NW (works)
ssh 10.10.15.0 255.255.255.0 USER (doesn't work)
03-07-2020 12:30 PM
Can you ping from the ASA USER IP address 10.10.15.1 to the switch SVI, or to your laptop if it's connected in subnet 10.10.15.0?
03-07-2020 12:36 PM
Yes, I can ping it. No problem.
03-07-2020 12:51 PM - edited 03-07-2020 01:15 PM
Your laptop address is 10.10.15.12 and you are trying to SSH to 10.10.10.1 and ASDM to 10.10.10.1, is this correct? If so, this is not going to work due to No route to host. To reach SSH/ASDM, if your laptop is in subnet 10.10.10.x then you have to SSH/ASDM to 10.10.10.1.
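The behaviour behind the last reply, as an added example that is not part of the thread: an ASA accepts SSH/ASDM sessions only on the address of the interface the traffic enters, and only from sources permitted by an ssh or http rule on that interface. The Python code below models that check with the addresses from this thread; the function names, the directly connected client and the single nameif spelling MGMT_NW are assumptions.

```python
"""Model of ASA to-the-box management access checks (added example)."""
from ipaddress import ip_address, ip_interface, ip_network

# Values from the thread. The thread spells the nameif both MGMT_NW_NW and
# MGMT_NW; MGMT_NW is used for both here (assumption).
INTERFACES = {
    "MGMT_NW": ip_interface("10.10.10.1/25"),
    "USER": ip_interface("10.10.15.1/24"),
}
# The "ssh <network> <mask> <nameif>" lines quoted in the thread.
SSH_RULES = [
    (ip_network("10.10.10.0/255.255.255.128"), "MGMT_NW"),
    (ip_network("10.10.15.0/255.255.255.0"), "USER"),
]


def ingress_interface(src):
    """Assume a directly connected client: ingress is the subnet holding src."""
    for name, iface in INTERFACES.items():
        if src in iface.network:
            return name
    return None


def check_mgmt_access(src, dst):
    """Return (allowed, reason) for a management session from src to dst."""
    src, dst = ip_address(src), ip_address(dst)
    ingress = ingress_interface(src)
    if ingress is None:
        return False, "source is not on a connected subnet (outside this model)"
    target = next((n for n, i in INTERFACES.items() if i.ip == dst), None)
    if target is None:
        return False, "destination is not an ASA interface address"
    if target != ingress:
        return False, f"enters on {ingress} but targets {target}: far-side interface"
    if not any(src in net and name == ingress for net, name in SSH_RULES):
        return False, f"no ssh rule permits {src} on {ingress}"
    return True, f"permitted on {ingress}"


if __name__ == "__main__":
    # Laptop to MGMT address, laptop to USER address, switch to MGMT address.
    for src, dst in [("10.10.15.12", "10.10.10.1"),
                     ("10.10.15.12", "10.10.15.1"),
                     ("10.10.10.8", "10.10.10.1")]:
        print(src, "->", dst, check_mgmt_access(src, dst))
```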