Unable to ssh switch from PC

mahesh18
Level 6

Hi,

I am trying to SSH from the PC to the switch.

PC IP 192.168.2.5

Switch IP 10.31.2.34

The log shows:

Aug 28 2015 21:10:41: %ASA-6-302013: Built outbound TCP connection 673 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:41: %ASA-6-302014: Teardown TCP connection 673 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I
Aug 28 2015 21:10:44: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.5/1556 to 10.31.2.34/22 flags RST  on interface VISITOR
Aug 28 2015 21:10:44: %ASA-6-302013: Built outbound TCP connection 675 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:44: %ASA-6-302014: Teardown TCP connection 675 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I
Aug 28 2015 21:10:47: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.5/1556 to 10.31.2.34/22 flags RST  on interface VISITOR
Aug 28 2015 21:10:50: %ASA-6-302013: Built outbound TCP connection 677 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:50: %ASA-6-302014: Teardown TCP connection 677 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I

 

Config:

interface Ethernet0/0
 nameif MGMT
 security-level 10
 ip address 10.31.2.33 255.255.255.0
!


!
interface Ethernet0/3
 nameif VISITOR
 security-level 50
 ip address 192.168.2.1 255.255.255.0

 

The ACL is there to allow SSH to 10.31.2.34, but I see no hit counts.

Packet tracer shows that SSH is allowed.

Also, from the PC I can ping the IP 10.31.2.34, but SSH does not work. Is this due to design?

Regards

Mahesh

14 Replies

Mahesh,

You say a switch, but it is actually an ASA firewall. Can you share more of the ASA configuration and a show access-list command?

Thanks

Richard.

 

 

It's not the ASA; it is a switch directly connected to the ASA.

ASA config:

access-list MGMT_access_in extended permit ip any any
access-list VISITOR_access_in extended permit udp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 eq domain
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list VISITOR_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 eq ssh

 

Regards

Mahesh

The Reset-I in your logs indicates that the reset is coming from the VISITOR interface. Are you sure that the switch is correctly configured for SSH access?

Also, could you post all your NAT configuration? I have also seen this issue being caused by incorrectly configured NAT statements.

--

Please remember to select a correct answer and rate helpful posts
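A small correlator for the three message types in Mahesh's log (302013 build, 302014 teardown, 106015 deny), added here as an example and not part of the thread: it pairs each build with its teardown by connection id and reports flows whose every attempt died as a zero-byte reset, alongside the stray RSTs the ASA then denies. The sample lines are copied from the first post; the function names and the flow key are the example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the first post (the first two of the three attempts shown there)
SAMPLE_LOG = """\
Aug 28 2015 21:10:41: %ASA-6-302013: Built outbound TCP connection 673 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:41: %ASA-6-302014: Teardown TCP connection 673 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I
Aug 28 2015 21:10:44: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.5/1556 to 10.31.2.34/22 flags RST  on interface VISITOR
Aug 28 2015 21:10:44: %ASA-6-302013: Built outbound TCP connection 675 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:44: %ASA-6-302014: Teardown TCP connection 675 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I
"""

HEADER = re.compile(r"^\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}: %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
                   r"(?P<lo_if>\w+):(?P<lo_ip>[\d.]+)/(?P<lo_port>\d+) \([^)]*\) to "
                   r"(?P<hi_if>\w+):(?P<hi_ip>[\d.]+)/(?P<hi_port>\d+) \([^)]*\)")
TEARDOWN = re.compile(r"Teardown TCP connection (?P<conn>\d+) for .* duration "
                      r"(?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY_RST = re.compile(r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
                      r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<intf>\w+)")

def analyze(log_text):
    # per-flow counters keyed by (client ip, server ip, server port)
    flows = defaultdict(lambda: {"built": 0, "zero_byte_resets": 0, "reasons": set(), "stray_rst": 0})
    open_conns = {}  # ASA connection id -> flow key, taken from the 302013 line
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        msgid, body = m.group("msgid"), m.group("body")
        if msgid == "302013":
            b = BUILT.match(body)
            if b:
                # outbound build: the destination (server) is listed first, the source (PC) second
                key = (b["hi_ip"], b["lo_ip"], int(b["lo_port"]))
                open_conns[b["conn"]] = key
                flows[key]["built"] += 1
        elif msgid == "302014":
            t = TEARDOWN.match(body)
            if t and t["conn"] in open_conns:
                key = open_conns.pop(t["conn"])
                # the symptom in the thread: torn down at once, nothing exchanged, reason is a TCP reset
                if t["dur"] == "0:00:00" and t["bytes"] == "0" and "Reset" in t["reason"]:
                    flows[key]["zero_byte_resets"] += 1
                    flows[key]["reasons"].add(t["reason"])
        elif msgid == "106015":
            d = DENY_RST.match(body)
            if d and "RST" in d["flags"]:  # a late RST that no longer matches a conn entry
                flows[(d["src"], d["dst"], int(d["dport"]))]["stray_rst"] += 1
    return dict(flows)

def suspicious_flows(log_text):
    # flows where every build was immediately reset with zero bytes: no SSH banner ever crossed the ASA
    return {k: v for k, v in analyze(log_text).items() if v["built"] and v["built"] == v["zero_byte_resets"]}
```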

Hi Marius,

The switch is allowing SSH.

Here is all the NAT config:

global (outside) 1 interface
nat (MGMT) 1 0.0.0.0 0.0.0.0
nat (VISITOR) 1 0.0.0.0 0.0.0.0
static (WLC_ASA_5505,MGMT) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (VISITOR,MGMT) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VISITOR,WLC_ASA_5505) 192.168.2.0 192.168.2.0 netmask 255.255.255.0


Regards

Mahesh

What are you trying to accomplish with this NAT statement:

static (VISITOR,MGMT) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

I believe your issues are coming from incorrect NAT usage. The above NAT statement translates a destination address of 192.168.2.0 to itself. This is an incorrect usage of NAT for the version you are running. This should be a NAT 0 statement.

access-list NAT0 extended permit ip <VISITOR subnet> <MGMT subnet>

nat (VISITOR) 0 access-list NAT0

You could probably solve this issue by using the no nat-control command and removing your current static nat entries.  Though then you would need to be more specific with your nat (MGMT) and nat (VISITOR) subnets and not have them as 0.0.0.0 0.0.0.0.

--

Please remember to select a correct answer and rate helpful posts

 


Here is the setup:

 

WLC------switch-----------ASA

 

WLC Management IP 10.31.2.35

Switch Management IP 10.31.2.34

Switch has default gateway to the ASA IP--10.31.2.33

With that NAT I am trying to reach the 10.31.2.0 subnet from user IP 192.168.2.0.

 

Now I have removed that NAT, but I am still able to ping and SSH to the WLC IP 10.31.2.35?

Can you please tell me how this is happening without any NAT from the Visitor to the Management interface of the ASA?

I put the no nat as you said:

nat (VISITOR) 0 access-list NAT0

Still the same issue:

Aug 30 2015 05:51:56: %ASA-6-302013: Built outbound TCP connection 40004 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:51:56: %ASA-6-302014: Teardown TCP connection 40004 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:51:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST  on interface VISITOR
Aug 30 2015 05:51:59: %ASA-6-302013: Built outbound TCP connection 40007 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:51:59: %ASA-6-302014: Teardown TCP connection 40007 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:52:02: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST  on interface VISITOR
Aug 30 2015 05:52:05: %ASA-6-302013: Built outbound TCP connection 40009 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:52:05: %ASA-6-302014: Teardown TCP connection 40009 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:52:10: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST  on interface VISITOR

Also, if I do no nat-control, then how would the visitor subnet access the internet?

Regards

Mahesh

 

Did you define the NAT0 access list?

"Also if I do no nat control then how would visitor subnet access the internet?"

nat-control only tells the ASA that it REQUIRES an ACL to allow traffic between interfaces.  Removing it does not prevent NAT.  As long as you have a dynamic NAT for internet traffic you are fine for internet access.

Could you please provide your full running config for your ASA.  Remove any public IPs and passwords.

--

Please remember to select a correct answer and rate helpful posts


Yes, I defined nat 0.

Here is the full config:


ASA5520# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA5520

names
!
interface Ethernet0/0
 nameif MGMT
 security-level 10
 ip address 10.31.2.33 255.255.255.0
!
interface Ethernet0/1
 description Connection to ISP SHAW
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/2
 nameif WLC_ASA_5505
 security-level 67
 ip address 10.255.255.2 255.255.255.252

interface Ethernet0/3
 nameif VISITOR
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MST recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 64.59.144.19
object-group network DM_INLINE_NETWORK_1
 network-object host 4.2.2.2
 network-object host 64.59.144.19
object-group network DM_INLINE_NETWORK_2
 network-object host 10.31.2.34
 network-object host 10.31.2.35
 network-object host 10.31.2.37
 network-object host 10.255.255.1
access-list MGMT_access_in extended permit ip any any
access-list VISITOR_access_in extended permit udp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 eq domain
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list VISITOR_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 eq ssh
access-list NAT0 extended permit ip 192.168.2.0 255.255.255.0 10.31.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 567890
logging buffered informational
logging history informational
logging asdm informational
mtu MGMT 1500
mtu outside 1500
mtu WLC_ASA_5505 1500
mtu VISITOR 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (MGMT) 1 0.0.0.0 0.0.0.0
nat (VISITOR) 0 access-list NAT0
nat (VISITOR) 1 0.0.0.0 0.0.0.0
static (WLC_ASA_5505,MGMT) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (VISITOR,WLC_ASA_5505) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group MGMT_access_in in interface MGMT
access-group VISITOR_access_in in interface VISITOR
route WLC_ASA_5505 10.0.0.0 255.255.255.0 10.255.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 WLC_ASA_5505
http 192.168.2.0 255.255.255.0 VISITOR
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5
ssh 10.0.0.0 255.255.255.0 WLC_ASA_5505
ssh 192.168.2.0 255.255.255.0 VISITOR
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.4-192.168.2.61 VISITOR
dhcpd dns 64.59.144.19 interface VISITOR
dhcpd enable VISITOR
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 136.159.2.254 source outside
ntp server 128.100.56.135 source outside prefer

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:03ff1b71e63cf283ab4d7a146dfc367c
: end

 

The strange thing is that I can SSH to 10.31.2.35, which is the WLC IP, but not to the switch.

Regards

Mahesh

If you can ssh to 10.31.2.35 but not 10.31.2.34, I suggest you take a look at the SSH and VTY configuration on the switch.  Also check if there are restrictions that have been added to the control-plane.

--

Please remember to select a correct answer and rate helpful posts

 


I can SSH to the switch IP 192.168.2.2 but not to 10.31.2.34, so that tells me that the SSH config on the switch is correct.

There are no restrictions on the switch. It is a layer 2 switch with the default gateway pointing to the ASA 10.31.2.33.

Below is the config of the switch:

!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
interface FastEthernet1/0/1
 description Connection to ASA 5510 Eth0/0
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/2
 description Connection to ASA 5510 Eth0/3
 switchport access vlan 361
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
 description Connection_to_WAP
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/1
 description WLC_P1
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description WLC_P2
 switchport access vlan 361
 switchport mode access
 spanning-tree portfast
!
interface Vlan1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Vlan2
 ip address 10.31.2.34 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Vlan361
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
ip default-gateway 10.31.2.33
ip classless
ip http server
ip http secure-server
!
!
!
!
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
 transport output ssh
line vty 5 15
 login local
 transport input telnet ssh
 transport output ssh
!
ntp clock-period 36029625
ntp server 128.100.56.135 prefer

 

Regards

Mahesh

What model switch is it? Most L2 switches only support 1 active management VLAN interface. I think that might be the problem you are facing. What is the output of show ip int bri showing you for interface vlan2?

Besides, if this was a L3 switch, traffic would never go through the ASA but would be routed directly by the switch.

--

Please remember to select a correct answer and rate helpful posts


 

Here is the info:

Switch#sh inventory
NAME: "1", DESCR: "WS-C3750-24TS"
PID: WS-C3750-24TS-E   , VID: F0   , SN: CAT0832X1GX

NAME: "GigabitEthernet1/0/1", DESCR: "1000BaseSX SFP"
PID: Unspecified       , VID:      , SN: FNS111725W2

NAME: "GigabitEthernet1/0/2", DESCR: "1000BaseSX SFP"
PID: Unspecified       , VID:      , SN: FNS0928H4EY


Switch#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan2                  10.31.2.34      YES NVRAM  up                    up
Vlan361                192.168.2.2     YES NVRAM  up                    up
FastEthernet1/0/1      unassigned      YES unset  up                    up
FastEthernet1/0/2      unassigned      YES unset  up                    up
FastEthernet1/0/3      unassigned      YES unset  down                  down
FastEthernet1/0/4      unassigned      YES unset  down                  down
FastEthernet1/0/5      unassigned      YES unset  down                  down
FastEthernet1/0/6      unassigned      YES unset  down                  down
FastEthernet1/0/7      unassigned      YES unset  down                  down
FastEthernet1/0/8      unassigned      YES unset  down                  down
FastEthernet1/0/9      unassigned      YES unset  down                  down
FastEthernet1/0/10     unassigned      YES unset  down                  down
FastEthernet1/0/11     unassigned      YES unset  down                  down
FastEthernet1/0/12     unassigned      YES unset  down                  down
FastEthernet1/0/13     unassigned      YES unset  down                  down
FastEthernet1/0/14     unassigned      YES unset  down                  down
FastEthernet1/0/15     unassigned      YES unset  down                  down
FastEthernet1/0/16     unassigned      YES unset  down                  down
FastEthernet1/0/17     unassigned      YES unset  down                  down
FastEthernet1/0/18     unassigned      YES unset  down                  down
FastEthernet1/0/19     unassigned      YES unset  down                  down
FastEthernet1/0/20     unassigned      YES unset  down                  down
FastEthernet1/0/21     unassigned      YES unset  down                  down
FastEthernet1/0/22     unassigned      YES unset  down                  down
FastEthernet1/0/23     unassigned      YES unset  down                  down
FastEthernet1/0/24     unassigned      YES unset  up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  up                    up
Switch#

 

 

Regards

Mahesh

If you change the IP on the PC to be in the 10.31.2.0/24 subnet, and configure another port to be in that VLAN, are you able to ping 10.31.2.34?

--

Please remember to select a correct answer and rate helpful posts


Ping is not the issue; I can ping the switch IP 10.31.2.34 from the PC in the 192.168.2.x subnet.

But I will test as per your suggestion later today.

Regards

Mahesh

 
