Site to site VPN - Unable to reach ASA on the other side

diwakar977
Level 1

Hi

I recently replaced a Juniper firewall with a Cisco ASA 5505 at a branch office. This branch office has a site to site VPN to another head office. Firewall at head office is a Juniper and managed by third party. I configured the ASA and replaced Juniper. Everything at branch office is working and can reach all subnets and servers. As far as user is concerned, there is no issue.

But from head office I am unable to reach this ASA on the data or management interface. See the image: I am unable to ping or reach the 192.168.10.0 and 10.15.8.0 networks from 192.168.200.0 or any other subnet in head office. However, I can ping desktops at the branch office which are in the same subnet as the data interface.

Could you guys help me with what I need to do to be able to reach the branch office ASA from head office? I have allowed all networks on both sides on the inside and outside interfaces. I have also created a NAT as below. Have I misconfigured NAT?

nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static HO_Subnets HO_Subnets no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic obj_any interface


14 Replies

Richard Burts
Hall of Fame

I am confused. At one place you say that you are not able to access the 192.168.10.0 network and then you say that you are able to ping the desktops, which sounds like you are able to access that network. Can you clarify?

It would be easier for us to find what is the problem if you would post the config of the 5505 after disguising any public IP or other sensitive information.

HTH

Rick

Hi Rick,

Thanks for replying. Yes I can ping desktops (e.g. 192.168.10.1) which gets dhcp lease from ASA but not able to ping or connect to ASA which has ip 192.168.10.254 and is gateway for desktops. I know it sounds strange. Also ASA has management interface 10.15.8.254 which again I am not able to reach from HO.

I have attached config from ASA. I have removed vpn related config.

Regards,

Diwa

Diwa

So the issue is not that you can not access the networks but is that you can not access the ASA that is on those networks. You have provided a partial config but you have removed much more than just the VPN part. What I was looking for, in particular, is what addresses you have configured to permit SSH and/or telnet access to the ASA. But that is not in the config that you posted.

HTH

Rick

Hi Rick,

Sorry for that.

dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
aaa-server NPS (Management) host 192.168.200.5
key *****
radius-common-pw *****
aaa-server NPS (Management) host 192.168.201.5
key *****
radius-common-pw *****
user-identity default-domain LOCAL

aaa authentication enable console NPS LOCAL
aaa authentication ssh console NPS LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 Management
http 192.168.201.0 255.255.0.0 inside
http 192.168.10.0 255.255.255.0 Management
http 192.168.101.1 255.255.255.224 Management
http 192.168.101.1 255.255.255.224 inside
http 192.168.101.1 255.255.255.224 outside

Diwa

We are getting closer. What I was looking for was for statements permitting SSH access and permitting telnet access. What you have posted is permitting HTTP access.

As I think about it I realize that I am assuming that when you talk about accessing the 5505 that you mean access via SSH or via telnet. But perhaps you have some different access in mind. So perhaps we should start by clarifying what kind of access you are attempting. Once we know that we can figure out why it is not working.

I will offer the comment that I note that you give one subnet at the head office HTTP access via management and another subnet at the head office HTTP access via the inside. Is there a reason for that? I would probably suggest giving both subnets access via both interfaces unless there is some specific reason not to.

HTH

Rick

Thanks for your patience. Below is what I have.

telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 Management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

Diwa

Thanks for the additional information. According to this output you are not permitting any telnet access from the head office. And you are permitting SSH access only from one subnet at the head office. Is this intentional?

Can you confirm that you are attempting to access the 5505 via SSH from a device at the head office that is in subnet 192.168.200.0?

And can you confirm that SSH to the ASA does work successfully from a device in the branch office? (checking to be sure that SSH is correctly enabled)

HTH

Rick

Yes, it wasn't intentionally done. But the IP I am trying to connect from is on that subnet. It is 192.168.200.33.

Yes I can connect from branch office by ssh and ASDM both.

Diwa

This information is helpful. Are you attempting to SSH to the address of inside or of management? May I suggest that we focus for now on access to inside? After we get that working we can look at access via management.

It does not show up in what you have posted but I am not sure whether it might be something that you removed before posting. Have you configured management-access? If not may I suggest that you add management-access inside to the config.

HTH

Rick
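The checks Rick walks through above (which subnets the ssh/telnet/http lines actually permit on which interface, and whether management-access is set) can be automated. The following is an added example and is not code from this thread or from Cisco: a small Python checker that parses those access lines from a running config, answers whether a given source address is permitted on a given interface, and flags lines whose address has host bits set under its mask (for instance the 192.168.201.0 255.255.0.0 line posted earlier). It assumes each access line is matched as address-and-netmask, and SAMPLE_CONFIG is constructed from the lines posted in the thread with management-access deliberately absent, matching the config before the fix.

```python
"""Added example (not from the thread): parse ASA ssh/telnet/http access lines
and management-access, and report what a source address may reach."""
import ipaddress
import re

# Constructed sample built from the access lines posted in the thread.
# `management-access` is deliberately absent, matching the config before the fix.
SAMPLE_CONFIG = """\
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 Management
http 192.168.201.0 255.255.0.0 inside
http 192.168.101.1 255.255.255.224 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 Management
ssh timeout 5
"""

# Matches "<proto> <address> <netmask> <interface>"; timeout/server lines do not match.
ACCESS_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
MGMT_RE = re.compile(r"^management-access\s+(\S+)$")


def parse_access_rules(config):
    """Return [(proto, network, interface)] for every access line in config."""
    rules = []
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if m:
            proto, addr, mask, iface = m.groups()
            # strict=False applies the mask even when host bits are set, so the
            # line still parses; masks_with_host_bits() reports such lines.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((proto, net, iface))
    return rules


def management_access_interface(config):
    """Interface named by `management-access`, or None if the line is absent."""
    for raw in config.splitlines():
        m = MGMT_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def is_permitted(config, proto, source_ip, iface):
    """True if some access line for proto on iface covers source_ip."""
    src = ipaddress.ip_address(source_ip)
    return any(
        p == proto and i == iface and src in net
        for p, net, i in parse_access_rules(config)
    )


def masks_with_host_bits(config):
    """Access lines whose address has host bits set under the given mask.

    Such lines usually mean a typo: after masking, the effective range differs
    from what the address suggests (here, often a wider one).
    """
    findings = []
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ipaddress.ip_address(addr) != net.network_address:
            findings.append((proto, addr, mask, iface, str(net)))
    return findings


def audit(config, source_ip, iface):
    """Summarise what a source address may do against the ASA on one interface."""
    return {
        "ssh": is_permitted(config, "ssh", source_ip, iface),
        "telnet": is_permitted(config, "telnet", source_ip, iface),
        "http": is_permitted(config, "http", source_ip, iface),
        # Reaching the interface address from the far end of a VPN needs this.
        "management_access": management_access_interface(config) == iface,
    }


if __name__ == "__main__":
    # The head-office host from the thread against the branch ASA's inside interface.
    print(audit(SAMPLE_CONFIG, "192.168.200.33", "inside"))
    print(audit(SAMPLE_CONFIG + "management-access inside\n", "192.168.200.33", "inside"))
    for finding in masks_with_host_bits(SAMPLE_CONFIG):
        print("host bits set:", finding)
```

Run against the sample, the audit for 192.168.200.33 on inside shows SSH permitted, telnet not permitted and management-access missing, which is the combination Rick narrowed the problem down to. It also shows HTTP permitted on inside only because the 255.255.0.0 mask on the 192.168.201.0 line masks to 192.168.0.0/16; that is the kind of unintended widening the host-bits check is there to surface.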

Hi Rick,

I am trying on both. If I can access it on inside only, that would be sufficient. At the moment I have to find a desktop that is free and RDP onto it to connect to the ASA.

I am unable to see management-access on my config. I can add it but would have to wait until tomorrow to check with guys at the site to find a free desktop for me. I am finishing for the day. I will try that and will come back to you.

Thanks for your help.

Diwa

Understood. We will wait till tomorrow when you would be able to add that to the config.

HTH

Rick

Hi Rick,

That command worked like magic. Thanks a lot. I can access it on inside interface via ASDM. Is this command required only when accessing over VPN tunnel? I am still unable to connect via SSH but that is also the case from internal network. It was my mistake, I told you yesterday it is accessible on SSH on internal network. I can access on telnet. I think this is because of SSH key.

I get the following error when trying to access it on SSH ("Fail to establish SSH session because RSA host key retrieval failed.")

I think I will have to create an SSH key pair using the command "crypto key generate rsa modulus 2048", but I am thinking of doing it after hours, just being extra careful not to lose connection for users at the branch office. Do you think this command will do the job?

Thanks again.

Diwakar

Diwakar

I am glad that my suggestion did solve part of your problem. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.

Yes it does sound like you need to generate an RSA key. You certainly could wait till after hours to generate the key if you are concerned about it. In my experience generating the RSA key has not been disruptive to the network.

HTH

Rick

Dear Richards,

I have one issue to access the firewall in the branch connected through ISP.

When I checked inside the branch office, all networks are reachable and the firewall is also accessible. Routes are also there and SSH is configured properly, but I don't know why it is not accessible from HQ.

Please help
