08-02-2016 06:25 AM - edited 03-05-2019 04:25 AM
Hi
I recently replaced a Juniper firewall with a Cisco ASA 5505 at a branch office. This branch office has a site to site VPN to another head office. Firewall at head office is a Juniper and managed by third party. I configured the ASA and replaced Juniper. Everything at branch office is working and can reach all subnets and servers. As far as user is concerned, there is no issue.
But from head office I am unable to reach this ASA on data or management interface. See the image, I am unable to ping or reach 192.168.10.0 and 10.15.8.0 network from 192.168.200.0 or any other subnet in head office. However I can ping desktops at branch office which are in the same subnet as data interface.
Could you guys help me with what I need to do to be able to reach branch office ASA from head office. I have allowed all networks on both sides on inside and outside interface. I have also created a NAT as below. Have I misconfigured the NAT?
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static HO_Subnets HO_Subnets no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic obj_any interface
08-02-2016 07:17 AM
I am confused. At one place you say that you are not able to access the 192.168.10.0 network and then you say that you are able to ping the desktops, which sounds like you are able to access that network. Can you clarify?
It would be easier for us to find what is the problem if you would post the config of the 5505 after disguising any public IP or other sensitive information.
HTH
Rick
08-02-2016 07:40 AM
Hi Rick,
Thanks for replying. Yes I can ping desktops (e.g. 192.168.10.1) which gets dhcp lease from ASA but not able to ping or connect to ASA which has ip 192.168.10.254 and is gateway for desktops. I know it sounds strange. Also ASA has management interface 10.15.8.254 which again I am not able to reach from HO.
I have attached config from ASA. I have removed vpn related config.
Regards,
Diwa
08-02-2016 08:00 AM
Diwa
So the issue is not that you can not access the networks but is that you can not access the ASA that is on those networks. You have provided a partial config but you have removed much more than just the VPN part. What I was looking for, in particular, is what addresses you have configured to permit SSH and/or telnet access to the ASA. But that is not in the config that you posted.
HTH
Rick
08-02-2016 08:06 AM
Hi Rick,
Sorry for that.
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
aaa-server NPS (Management) host 192.168.200.5
key *****
radius-common-pw *****
aaa-server NPS (Management) host 192.168.201.5
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication enable console NPS LOCAL
aaa authentication ssh console NPS LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 Management
http 192.168.201.0 255.255.0.0 inside
http 192.168.10.0 255.255.255.0 Management
http 192.168.101.1 255.255.255.224 Management
http 192.168.101.1 255.255.255.224 inside
http 192.168.101.1 255.255.255.224 outside
08-02-2016 08:33 AM
Diwa
We are getting closer. What I was looking for was for statements permitting SSH access and permitting telnet access. What you have posted is permitting HTTP access.
As I think about it I realize that I am assuming that when you talk about accessing the 5505 that you mean access via SSH or via telnet. But perhaps you have some different access in mind. So perhaps we should start by clarifying what kind of access you are attempting. Once we know that we can figure out why it is not working.
I will offer the comment that I note that you give one subnet at the head office HTTP access via management and another subnet at the head office HTTP access via the inside. Is there a reason for that? I would probably suggest giving both subnets access via both interfaces unless there is some specific reason not to.
HTH
Rick
08-02-2016 08:44 AM
Thanks for your patience. Below is what I have.
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 Management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
08-02-2016 08:58 AM
Diwa
Thanks for the additional information. According to this output you are not permitting any telnet access from the head office. And you are permitting SSH access only from one subnet at the head office. Is this intentional?
Can you confirm that you are attempting to access the 5505 via SSH from a device at the head office that is in subnet 192.168.200.0?
And can you confirm that SSH to the ASA does work successfully from a device in the branch office? (checking to be sure that SSH is correctly enabled)
HTH
Rick
08-02-2016 09:01 AM
Yes, it wasn't intentionally done. But the IP I am trying to connect from is on that subnet. It is 192.168.200.33.
Yes I can connect from branch office by ssh and ASDM both.
08-02-2016 09:17 AM
Diwa
This information is helpful. Are you attempting to SSH to the address of inside or of management? May I suggest that we focus for now on access to inside? After we get that working we can look at access via management.
It does not show up in what you have posted but I am not sure whether it might be something that you removed before posting. Have you configured management-access? If not may I suggest that you add management-access inside to the config.
HTH
Rick
08-02-2016 09:23 AM
Hi Rick,
I am trying on both. If I can access on inside only, that would be sufficient. At the moment I will have to find a desktop that is free and RDP onto it to connect to ASA.
I am unable to see management-access on my config. I can add it but would have to wait until tomorrow to check with guys at the site to find a free desktop for me. I am finishing for the day. I will try that and will come back to you.
Thanks for your help.
08-02-2016 09:28 AM
Diwa
Understood. We will wait till tomorrow when you would be able to add that to the config.
HTH
Rick
08-03-2016 03:20 AM
Hi Rick,
That command worked like magic. Thanks a lot. I can access it on inside interface via ASDM. Is this command required only when accessing over VPN tunnel? I am still unable to connect via SSH but that is also the case from internal network. It was my mistake, I told you yesterday it is accessible on SSH on internal network. I can access on telnet. I think this is because of SSH key.
I get the following error when trying to access on SSH ("Fail to establish SSH session because RSA host key retrieval failed.")
I think I will have to create an SSH key pair using the command: "crypto key generate rsa modulus 2048" but I am thinking of doing it after hours, just being extra careful not to lose connection for users at branch office. Do you think this command will do the job?
Thanks again.
Diwakar
08-03-2016 09:48 AM
Diwakar
I am glad that my suggestion did solve part of your problem. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.
Yes it does sound like you need to generate an RSA key. You certainly could wait till after hours to generate the key if you are concerned about it. In my experience generating the RSA key has not been disruptive to the network.
HTH
Rick
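As an added example that is not part of this thread, the following ASA configuration fragment consolidates the points discussed above: the management-access command Rick suggested (needed because traffic arriving through the site-to-site VPN on the outside interface is addressed to the inside interface IP), SSH permitted from both head-office subnets on inside rather than only one, the RSA host key generation Diwa asked about, and a stronger SSH key-exchange group than the dh-group1-sha1 shown in the posted config. The /24 mask on 192.168.201.0 and the ssh version 2 / dh-group14-sha1 commands are assumptions: they follow ASA 9.x syntax but are not taken from the posted config.

```cisco
! Generate the RSA host key that SSH needs. The "RSA host key retrieval
! failed" error in the thread means no key pair exists yet. This only
! affects management sessions, not user traffic through the firewall.
crypto key generate rsa modulus 2048
!
! Allow the inside interface IP to be reached by traffic that arrives
! through the VPN on outside (ASDM, SSH and ping from head office).
management-access inside
!
! Permit SSH from the local LAN and from both head-office subnets on
! inside. The posted config permitted only 192.168.200.0/24 on inside;
! 192.168.201.0/24 is assumed to be a /24 like the others.
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 192.168.201.0 255.255.255.0 inside
ssh timeout 5
!
! Restrict SSH to version 2 and use a stronger key-exchange group
! than dh-group1-sha1 (assumed available on this software release).
ssh version 2
ssh key-exchange group dh-group14-sha1
!
! Telnet is cleartext; remove it from inside once SSH is confirmed working.
no telnet 192.168.10.0 255.255.255.0 inside
```

After applying this, verify with "show ssh" and "show crypto key mypubkey rsa" that the permitted hosts and the host key are present before closing the telnet session you used to make the change.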
02-12-2023 12:18 PM
Dear Richards,
I have one issue to access the firewall in the branch connected through ISP.
When I checked inside the branch office, all networks are reachable and the firewall is also accessible. Routes are also there and SSH is configured properly, but I don't know why it is not accessible from HQ.
Please help