cannot ssh despite having management access and NAT configured

sawasa
Level 1

Hello there,

I got an ASA 5508 which I recently configured to connect to AWS cloud via BGP (through the AWS direct connect). 
Now I simply need to ssh to my inside interface from an IP in the cloud, but in the ASA I can see the message:

Failed to locate egress interface for TCP from directConnect:10.15.1.1/34514 to 10.50.1.1/22


I double checked that my NAT configuration is in place, and that I have management-access configured for my if-inside.
Also there is a rule to permit ssh from the given IP 10.15.1.1.
It happens that my RADIUS server is on that very same IP, but I don't think I have auth problems given the message above.

!
interface GigabitEthernet1/3.2
description "direct connect to AWS"
vlan 2
nameif directConnect
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/5
nameif if-inside
security-level 100
ip address 10.50.1.1 255.255.255.0
!
nat (any,any) source static inside-net inside-net destination static AWS15 AWS15
!

aaa-server RA-Server protocol radius
aaa-server RA-Server (if-inside) host 10.15.1.1
key *****
authentication-port 1812
aaa authentication ssh console RA-Server LOCAL
!
ssh 10.15.1.1 255.255.255.255 if-inside
ssh timeout 10
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access if-inside


If someone can give me a hand with this, I would be very grateful! Thanks!!

2 Accepted Solutions

Panos Bouras
Level 1

Hi @sawasa 

Can you try to add the following

ssh 10.15.1.1 255.255.255.255 directConnect

Also change your NAT to

nat (if-inside,directConnect) source static inside-net inside-net destination static AWS15 AWS15

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies


If this is not a VPN then you are going about connecting to the ASA wrong. The management-access <interface> command is only for admin connection to the ASA over a VPN, so this will have no effect in your setup. You will need to access the ASA through the directConnect interface, meaning you will need to change or add an ssh statement for the directConnect interface, or set up an AnyConnect VPN or site-to-site VPN and access the ASA through the if-inside interface.

--
Please remember to select a correct answer and rate helpful posts

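Added example (not from this thread and not Cisco's code): a small Python check that models the admission rule Marius describes, so the original and the corrected ssh configuration can be compared side by side. The two config snippets are constructed from the thread, and the model is a simplification (it only looks at ssh and management-access lines, assuming the session reaches the ASA on a named interface).

```python
import ipaddress

# Constructed from the thread: the configuration before the fix ...
ORIGINAL_CFG = """
ssh 10.15.1.1 255.255.255.255 if-inside
management-access if-inside
"""
# ... and after adding the ssh statement for the ingress interface.
FIXED_CFG = """
ssh 10.15.1.1 255.255.255.255 if-inside
ssh 10.15.1.1 255.255.255.255 directConnect
management-access if-inside
"""


def parse_ssh_policy(cfg):
    """Return ({interface: [allowed networks]}, management-access interface)."""
    allowed, mgmt = {}, None
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh":
            # 'ssh <host-or-net> <mask> <nameif>'; netmask form is accepted by ipaddress
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            allowed.setdefault(parts[3], []).append(net)
        elif len(parts) == 2 and parts[0] == "management-access":
            mgmt = parts[1]
    return allowed, mgmt


def ssh_permitted(cfg, src_ip, ingress_iface, target_iface, over_vpn=False):
    """Simplified model of the rule: the 'ssh ... <nameif>' entry must name the
    interface the session arrives on. Reaching a *different* interface's address
    only works when the session comes in over a VPN and 'management-access'
    names that target interface (the poster's old setup), not over Direct Connect."""
    allowed, mgmt = parse_ssh_policy(cfg)
    src = ipaddress.ip_address(src_ip)
    if ingress_iface != target_iface:
        if not (over_vpn and mgmt == target_iface):
            return False  # the thread's failure: no VPN, so management-access is irrelevant
        check_iface = target_iface
    else:
        check_iface = ingress_iface
    return any(src in net for net in allowed.get(check_iface, []))


if __name__ == "__main__":
    print(ssh_permitted(ORIGINAL_CFG, "10.15.1.1", "directConnect", "if-inside"))  # False
    print(ssh_permitted(FIXED_CFG, "10.15.1.1", "directConnect", "directConnect"))  # True
```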

12 Replies

Heino Human
Level 1

That is not a subnet, it's a port number, in your case SSH.

Thanks, you are totally right.

@sawasa 

Add "route-lookup" to the end of your NAT rule.

Also try to use the specific interface names instead of "any" in the NAT rules.

Hi Rob,

Thanks, I have added route-lookup and changed the "any" to my interface names.
Still no luck and I keep having the same error message. 
This is how my nat looks now:


nat (if-inside,directConnect) source static inside-net inside-net destination static AWS15 AWS15 route-lookup
nat (directConnect,if-inside) source static AWS15 AWS15 destination static inside-net inside-net route-lookup


You don't need 2 NAT rules, the rules are bi-directional. You can remove the 2nd rule.

Run packet-tracer from the CLI to simulate traffic and provide the output for review.

Can you provide your routing configuration please

Thanks again Rob.
When I modified the NAT I left it as only one rule and got the same result, and I keep reading in other posts about a "double NAT rule", so I added it just in case. I will remove it again.

Running packet-tracer results in:
"no route to host"
This is confusing since 10.50.1.1 is my if-inside.

Do you think it might be because the directConnect is on VLAN 2? it is a virtual interface created for the AWS direct connect. 

interface GigabitEthernet1/3.2
description "direct connect to AWS"
vlan 2
nameif directConnect


About the routing configuration, I actually only have BGP configured here for AWS and that is it. The traffic from 10.15.1.0/22 to 10.50.1.0/24 works with no problem.

Is the VPN set up as split-tunnel? If so, is the subnet that the if-inside interface is configured with included as interesting traffic?

If you are using vpn-filter, make sure that the ASA IPs are also allowed there.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, thanks for your reply.
There is no VPN actually, it is a direct connection through a cross connect in the datacenter and AWS. 


Thanks, I needed this explanation. I used to have a VPN and I didn't realize this when I changed to a direct connection.

Adding the ssh statement to the directConnect interface did the trick, as you and Panos suggested.

I'm super glad to have this working!! 
Thanks a lot!


Hi Panos,
I misread you before, will try the ssh statement.
