
ASA 5506-x | SSH failed | Site to site VPN tunnel

Antony.xavier
Level 1

Hi Team,

 

I have built a site-to-site VPN tunnel with the peer IP 1.1.1.1. The VPN tunnel is up and everything is working fine as expected. However, when I try to open an SSH session from the outside interface to the inside interface of the ASA, it fails, and I get the same error for any of the network devices located inside the network, like the access switches and core switch. When the VPN tunnel is disconnected, I am able to access the inside network through SSH. I assume that the ISP is blocking the SSH service. Could you please suggest the steps to check the logs so that I can share them with my ISP?

 

Regards,

Antony Xavier

2 Replies

balaji.bandi
Hall of Fame

As per my understanding of your issue, some steps are not clear here:

1. Without the VPN it works, from outside to inside? That means you have NAT outside to inside?

2. The tunnel is not working outside to inside (that means you need to exempt NAT inside the tunnel for the source and destination to work)?

If you can successfully access SSH without the tunnel, I do not see the ISP blocking here. The same traffic coming from inside the tunnel is encrypted; the ISP is not aware of that traffic.

 

 

BB


Hello,

 

Hard to say without seeing the configs. Make sure you have a NAT exemption configured for your VPN pool and the inside IPs. It should look something like this:

 

nat (outside,any) source static VPN_POOL_NET VPN_POOL_NET destination static INSIDE_NET INSIDE_NET no-proxy-arp
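
An added example, not part of either reply or of the poster's configuration: the NAT exemption from the reply above with its objects defined, followed by ASA commands that show whether SSH traffic matches the exemption and enters the tunnel, and that collect logs for the flow. The subnets, host addresses and the capture name SSHCAP are constructed placeholders (assumptions); 1.1.1.1 is the peer from the question.

```cisco
! --- Configuration mode ---
! Constructed placeholder subnets; replace with the real local and remote networks.
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
object network VPN_POOL_NET
 subnet 192.168.20.0 255.255.255.0

! NAT exemption as written in the reply above.
nat (outside,any) source static VPN_POOL_NET VPN_POOL_NET destination static INSIDE_NET INSIDE_NET no-proxy-arp

! Keep a local log buffer so the failed SSH attempt is recorded.
logging enable
logging buffered informational

! --- Privileged EXEC mode: verification ---
! 1. Is the exemption present, and does its hit count rise during an SSH attempt?
show nat detail

! 2. Simulate a flow between the two networks. In the output, the NAT phase
!    should name the exemption rule and a VPN phase should show encryption.
packet-tracer input inside tcp 192.168.10.10 50000 192.168.20.10 22 detailed

! 3. Is traffic passing through the tunnel to the peer?
!    Watch the encaps/decaps counters while retrying SSH.
show crypto ipsec sa peer 1.1.1.1

! 4. Capture SSH between the two networks on the inside interface.
capture SSHCAP interface inside match tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 22
show capture SSHCAP
no capture SSHCAP

! 5. Drop counters and buffered syslog for the remote network.
show asp drop
show logging | include 192.168.20.
```

If the packet-tracer result shows a drop in the NAT or VPN phase, or the decaps counter rises while the capture on the inside interface stays empty, the cause is on the ASA rather than in the ISP path.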
