Solved: Cannot get SSH or TFTP to travel accross VPN Tunnel

Jon Moots · ‎03-24-2015

OK, I am at my wit's end here. I have read that other people have had this issue at some point in time, but their fix never seems to work for me.

I have a tunnel between 2 locations. The tunnel works fine, as I can ping devices from both ends of the tunnel. But I cannot get SSH or TFTP traffic to travel across the tunnel, nor can I ping from the inside port (gig0/1) to anything on the other end of the tunnel. I have attached my configs (sanitized as much as I can) and separated the areas that I think are important. Can someone look at it and see what I am missing please! I do not want to trouble shoot this in production so I would like to get it up and running now why I have the ability to.

The two devices are attached via the outside (gig0/0) port to one another by the way to simulate ISP connections. Don't know if that would mean anything or not. The code below is only from one end, both ASA's are mirror image of each other with the exception of the local and remote network objects and the port IP's.

Thank you

-Jon

--------------------- CODE ---------------------------------------

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.03.24 07:59:17 =~=~=~=~=~=~=~=~=~=~=~=

SHO run

: Saved

:

ASA Version 9.1(2)

!

hostname COL-PrivateASA

domain-name XXXXXXXXXXXXXXXXXXX.com

enable password XXXXXXXXXXXXXXXX encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 20.20.217.20 255.255.0.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.2.0.1 255.255.0.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name XXXXXXXXXXXXXXXXXXXX.com

object network net-local

subnet 10.2.0.0 255.255.0.0

object network net-remote-DAY

subnet 10.1.0.0 255.255.0.0

access-list outside_DAY_cryptomap extended permit ip object net-local object net-remote-DAY

log notifications

access-list outside_DAY_cryptomap extended permit udp any any

access-list outside_DAY_cryptomap extended permit tcp any any eq ssh

access-list outside_DAY_cryptomap extended permit udp any any eq tftp

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static net-local net-local

destination static net-remote-DAY net-remote-DAY

route outside 0.0.0.0 0.0.0.0 20.20.214.14 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 3 match address outside_DAY_cryptomap

crypto map outside_map 3 set pfs group1

crypto map outside_map 3 set peer 20.30.214.20

crypto map outside_map 3 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 10

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username jmoots password Q3X06C6r/HDZcoWk encrypted privilege 15

tunnel-group 20.30.214.20 type ipsec-l2l

tunnel-group 20.30.214.20 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0ac82d88d6aac4cb9a4e0fc9bb308553

: end

COL-PrivateASA# Sho run crypto

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 3 match address outside_DAY_cryptomap

crypto map outside_map 3 set pfs group1

crypto map outside_map 3 set peer 20.30.214.20

crypto map outside_map 3 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

COL-PrivateASA# sho access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_DAY_cryptomap; 4 elements; name hash: 0xa630e5b0

access-list outside_DAY_cryptomap line 1 extended permit ip object net-local object net-remote-DAY log notifications interval 300 (hitcnt=0) 0xe11775c5

access-list outside_DAY_cryptomap line 1 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log notifications interval 300 (hitcnt=0) 0xe11775c5

access-list outside_DAY_cryptomap line 2 extended permit udp any any (hitcnt=0) 0x3fe5f981

access-list outside_DAY_cryptomap line 3 extended permit tcp any any eq ssh (hitcnt=0) 0x9720f0ce

access-list outside_DAY_cryptomap line 4 extended permit udp any any eq tftp (hitcnt=0) 0x88058956

COL-PrivateASA# sho tunnel

COL-PrivateASA# sho run tunnel-group

tunnel-group 20.30.214.20 type ipsec-l2l

tunnel-group 20.30.214.20 ipsec-attributes

ikev1 pre-shared-key *****

COL-PrivateASA#

COL-PrivateASA# sho nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static net-local net-local destination static net-remote-DAY net-remote-DAY

translate_hits = 0, untranslate_hits = 0

Adeolu Owokade · ‎03-24-2015

Ah you are right. I forgot about the Identity NAT configuration you have there.

You need to add the route-lookup option behind your Identity NAT configuration so it looks something like:

nat (inside,outside) source static net-local net-local destination static net-remote-DAY net-remote-DAY route-lookup

Again you can find the explanation here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1286039

View solution in original post

Adeolu Owokade · ‎03-24-2015

Hi Jon,

Where are you trying to SSH/TFTP/Ping from (source) and to (destination)?

Jon Moots · ‎03-24-2015

Adeolu,

I cannot ping or ssh/tftp from either side.

The VPN tunnel portion works fine for all equipment on both side (I can ping from laptop in 10.2.0.0 subnet to laptop in 10.1.0.0 subnet just fine, and vice-versa). Where I have my problem is if I want to ssh from laptop in subnet 10.2.0.0 subnet across the tunnel to control ASA on interface 10.1.0.1. or TFTP that ASA's configuration. This does not work in either direction.

I read in one post from a few years back to check that the tftp/ssh traffic is being routed across the tunnel, I assume that the tunnel traffic of 10.2.0.0 is all being routed due to the access-list statement so that ssh/tftp should be as well. I have tried all types of access list both on the crypto access list and a separate access-list placed on the inside and the outside interface to no success.

If needed, I Can diagram this out and attach if it would help to visualize it.

-Jon

Adeolu Owokade · ‎03-24-2015

I just wanted to confirm that you were trying to manage the ASA.

You need to use the management-access command to manage the ASA on another interface other than the one you accessed it through. In your case, you should configure management-access inside. Here's the Cisco guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.html#wp1485100

Jon Moots · ‎03-24-2015

I added the statement manage-access inside to both ASA's. No luck again. It gives the error time-out attempting to connect.

This is the error I have been getting from the start on tftp.

ssh just will not connect at all from a putty session.

Adeolu Owokade · ‎03-24-2015

Ah you are right. I forgot about the Identity NAT configuration you have there.

You need to add the route-lookup option behind your Identity NAT configuration so it looks something like:

nat (inside,outside) source static net-local net-local destination static net-remote-DAY net-remote-DAY route-lookup

Again you can find the explanation here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1286039

Jon Moots · ‎03-25-2015

Thank you Adeolu,

I had tried that line before and it did not work, but for some reason I put it in again on both ends and it is now working for SSH. Not sure why but I will take it.

Now just have to get TFTP working, it still want s to time out when crossing the tunnel even though I can ping from the ASA to the tftp server on the other side.

-Jon

Adeolu Owokade · ‎03-25-2015

Hi Jon,

I found the solution to this here: https://supportforums.cisco.com/discussion/10650026/how-copy-tftp-remote-site-through-vpn

In your case, just enter the command tftp-server inside <TFTP_SERVER_IP_ADDR> <path or filename>

For example: tftp-server inside 10.2.0.10 ASAconfig.txt

Jon Moots · ‎03-26-2015

This is the command that I normally use and its still not working. Time's out every time. I guess I was wrong when I said yesterday that I had connection between the ASA and the tftp server. I still do not have any connection between the two and cannot ping either from the ASA->TFTP or from the TFTP->ASA.