cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1125
Views
0
Helpful
4
Replies
Beginner

SSH/SNMP access to ASA through VTI tunnel

Hi,

my setup is pretty simple:

(LAN1)ASA1 <-IPsec tunnel -> ASA2(LAN2)

Previously, I have IPsec tunnel with Crypto Map and I could connect to ASA2's inside interface with ssh from LAN1.

Now it's ipsec with VTI, nothing else was changed, so all access-rules, nat exemptions, routing, IP addressing stays the same, but I can't access ASA2 inside interface anymore, but LAN2 is accessible without any problem.

May be someone also faced this issue and can share any solution, what needs to be added to config in that situation? Is there any solution at all?

 

4 REPLIES 4
Beginner

Re: SSH/SNMP access to ASA through VTI tunnel

From logs I can see:

%ASA-3-710003: TCP access denied by ACL from <LAN1_IP>/51797 to <VTI_NAME>:<ASA2_IP>/22

 

It's not interface ACL. That's from Cisco docs:

Error Message %PIX|ASA-3-710003: {TCP|UDP} access denied by ACL from
source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance denies 
an attempt to connect to the interface service. 
Recommended Action Use the show http, show ssh, or show telnet 
command to verify that the security appliance is configured to permit 
the service access from the host or network. If this message appears 
frequently, it can indicate an attack.

 

asa# show ssh

Hosts allowed to ssh into the system:
<LAN1>inside

 

The problem is that ASA think that I'm connecting not to LAN interface, but to VTI interface! Don't care that I'm specifying LAN2-IP!

command ssh <LAN1> <interface> doesn't allow to put there VTI interface, only physical ones.

 

Any thoughts what to do?

Zip Beginner
Beginner

Re: SSH/SNMP access to ASA through VTI tunnel

Update to 9.9(1).

Beginner

Re: SSH/SNMP access to ASA through VTI tunnel

Is this confirmed?  I didn't see it on the list of fixed bugs in 9.9(1).

Highlighted
Beginner

Re: SSH/SNMP access to ASA through VTI tunnel

NOTE:  I went to 9.9.2-18 ( and some testing with 9.9.2-25)

 

I'm seeing spotty effects with SNMP THROUGH VTI-BGP.

 

Desgin:     two separate EIGRP Pools internal :   VTI_BGP on firewalls (5506 & 5545) between them.

BGP and EIGRP redistribute.

 

Effect #1 :    SNMP to the MDF switch (direct connected by copper) :   The SNMP works RIGHT UP until the BGP session flaps.

WAN flap happens, the BGP session goes down and comes back up (only down 1 minute from ISP latency or such) ....When BGP comes back EIGRP shows the route timer reset to 00:00 .....SNMP DOES NOT WORK NOW:

WORK AROUND :  change the IP address(es) we send SNMP toward a DIFFERENT ip address on the same switch:  ie.  if you have two loop back you just move to the OTHER loopb and the SNMP starts reporting again.   HAPPENS again,  change back to the Other Loopb and it comes right back.

I've Always seen SNMP as "session-Less" traffic because it is UDP 161 traffic so why would it be affected by a flap.

BUT I'm open to learning more : IS SNMP actually sessionful and it's just initiated with sessionless udp 161 ? 

 

 

Effect 2:   SNMP fails on firewall's Inside IP :   Take out "management-interface inside" and then put it back right away....SNMP starts working again:  this one bothers me less....but still a quirk.