Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2269
Views
0
Helpful
6
Replies

Unable to ssh to the inside interface of ASA over site-to-site VPN

Go to solution
shaun barrs
Level 1
Level 1

‎05-09-2016 01:52 AM - edited ‎03-12-2019 12:43 AM

Hi All,

I am having a problem accessing a couple of newly setup ASA's via the inside interface over a site-to-site VPN.  I can SSH etc to nodes either side of the ASA no problem and from the ASA to the Monitoring Server at the other end of the tunnel that I want to model the ASA's on but for the life of me I can't seem to be able to manage them from the inside interface.

Snippet of relevant config below.  VPN is all up and working correctly so have left that part of the config out for now.

no ssh stricthostkeycheck
ssh ***.***.***.*** 255.255.255.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh 10.0.0.0 255.0.0.0 MGT
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside

Any help would be much appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-09-2016 01:56 AM

Hi,

Are you able to ping the inside IP ?

If you are using a NAT statement for the VPN traffic please add route-lookup keyword to it and then check.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-09-2016 01:56 AM

Hi,

Are you able to ping the inside IP ?

If you are using a NAT statement for the VPN traffic please add route-lookup keyword to it and then check.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
shaun barrs
Level 1
Level 1
In response to Aditya Ganjoo

‎05-09-2016 02:32 AM

Thanks Aditya - I believed with the NAT statement we had in place we did not need the Route-lookup keyword at the end.  However after adding the route lookup I can now access the inside interface so we must have been wrong.

Thanks for your help, much appreciated :)

Shaun

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to shaun barrs

‎05-09-2016 02:33 AM

Hi Shaun,

Glad to assist. :)

Regards,

Aditya

0 Helpful

Go to solution
ramakrishnan.bj1
Level 1
Level 1
In response to shaun barrs

‎04-13-2020 12:32 AM

Hi,

 

Im also facing same issue. unable to access inside interface IP over S2S VPN. after configuring route lookup in NAT , able to ssh inside IP (primary FW).  im unable to access secondary FW of HA pair. Please help.

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to ramakrishnan.bj1

‎04-13-2020 01:18 AM - edited ‎04-13-2020 01:20 AM

Unfortunately this is not supported:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCte84561/?rfs=iqvred

0 Helpful

Go to solution
ramakrishnan.bj1
Level 1
Level 1
In response to Aditya Ganjoo

‎04-13-2020 01:58 AM

Thanks for your quick response.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card