04-19-2023 03:30 PM
Hey,
I have set up multiple tunnels between a few ASAs + an AnyConnect VPN gateway on the 'main' ASA with a public IP (let's say 150.1.0.1).
I can communicate between the remote locations, connect to the VPN via my laptop, and communicate with all locations.
I would like to access the management (ASDM\SSH) via my laptop when connected to the VPN.
I have set the static IP in the ACL of the GroupPolicy and created a rule for SSH+HTTPS connections via the pool IP set in the VPN (let's say 10.22.0.0/24).
I can confirm the VPN is routing the static IP address, but no success when trying to login via SSH\HTTPS.
I tried to ping the static IP from my laptop, and I can see in the syslog that the ICMP is coming from my ISP IP address and not the VPN address.
Any suggestion what else I could have missed?
*I can log in to SSH+HTTPS via one of my remote locations (via the tunnel).
Thank you
04-29-2023 10:32 AM
That will be too open, to allow SSH from all IPs.
Is there another solution I can use to allow SSH access via the VPN for the users which are connected to the VPN?
Thanks
04-29-2023 10:36 AM
Instead of ssh 0.0.0.0 use
ssh <vpn pool>
Check this.
Also you can add a vpn-filter to permit/deny a specific IP to access the mgmt IP.
04-29-2023 10:41 AM
It's what I did, but somehow when I set it like that, I can't connect; only if I keep it on 0.0.0.0.
How can I add the VPN-filter?
04-29-2023 11:11 AM
04-30-2023 11:55 AM
I have tried adding the filter, but still I get no access when trying to access via the anyconnect VPN.
I guess as @Rob Ingram mentioned, I am trying to achieve something that is not possible?
There is maybe another way to do that?
Maybe set another interface and allow the access via this interface via the VPN?
04-30-2023 12:31 PM - edited 04-30-2023 12:46 PM
You mentioned before you can access with ssh 0.0.0.0??
https://howdoesinternetwork.com/2016/asa-packet-processing
04-30-2023 01:40 PM
@MHM Cisco World He is able to access with SSH 0.0.0.0; that's because in both cases, with or without VPN, the traffic is going via the PC's local internet only and not through AnyConnect.
04-30-2023 01:46 PM
He SSHes using the public IP; the traffic hits outside and is dropped, so he uses AnyConnect VPN. That's why he can bypass the outside low security level to access the high security level.
The VPN can bypass the "allow all traffic".
So surely he uses the VPN to SSH to the ASA.
04-30-2023 01:54 PM
I bet SSH traffic is not going via AnyConnect in any case. Otherwise it would have worked when the CLI is SSH 10.22.0.0 255.255.255.0 outside.
At first he has to add the Outside IP in the SPLIT ACL so that it appears in "Secure Routes" of AnyConnect for it to send it via the tunnel (I am assuming he has). Even with that, the route on the PC for the ASA outside IP will have the next hop as the Local Gateway and not the AnyConnect Gateway IP, which is due to the Outside IP address being the terminating IP for AnyConnect.
04-30-2023 02:03 PM
SORRY, maybe I am not clear.
What I MEAN by ssh 0.0.0.0 is
ssh 0.0.0.0 0.0.0.0 (mgmt or IN)
@gal.avichid please confirm that you do not use OUT as the interface for SSH.
04-30-2023 02:05 PM
It should work via AnyConnect with SSH 0.0.0.0 (any interface but not OUT).
04-30-2023 01:37 PM
Hi @gal.avichid,
Management/SSH access to the Outside interface via RA-VPN will not work if the RA-VPN terminating interface is the same as the management one. I suggest setting another interface for the same. It is expected to work when the CLI is "SSH 0.0.0.0 0.0.0.0 outside".
Please feel free to ask if you still have any query on the same.
Kindly mark my response as Helpful if it helps your issue!
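The following ASA configuration fragment puts the thread's advice together (an added example, not from any post above): management is scoped to the AnyConnect pool on a non-terminating interface, the management address is pushed as a secure route, and a vpn-filter restricts what VPN users may reach. The pool 10.22.0.0/24 is from the original question; the inside address 192.168.1.1, the inside network 192.168.0.0/16 and the ACL/group-policy names are assumed placeholders.

```text
! Assumed addressing (placeholders, not from the thread):
!   inside interface  192.168.1.1/24  (the interface to be managed)
!   outside interface 150.1.0.1       (AnyConnect terminates here)
!   AnyConnect pool   10.22.0.0/24    (from the original question)

! 1. Limit SSH/ASDM to the VPN pool on the inside interface instead of
!    "ssh 0.0.0.0 0.0.0.0 <if>", which accepts sessions from any source.
ssh 10.22.0.0 255.255.255.0 inside
http server enable
http 10.22.0.0 255.255.255.0 inside

! 2. Let the inside interface address be managed through a tunnel that
!    terminates on outside (management over the terminating interface's
!    own address does not work, as noted above).
management-access inside

! 3. Push the management address (and inside networks) as secure routes,
!    so the client sends that traffic into the tunnel rather than out its
!    ISP link (the behaviour seen in the syslog in the question).
access-list SPLIT_TUNNEL standard permit host 192.168.1.1
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0

! 4. vpn-filter: written from the remote client's point of view
!    (source = VPN client). Only SSH and HTTPS may reach the management
!    address; everything else towards it is denied before the general
!    permit for inside networks.
access-list VPN_FILTER extended permit tcp 10.22.0.0 255.255.255.0 host 192.168.1.1 eq 22
access-list VPN_FILTER extended permit tcp 10.22.0.0 255.255.255.0 host 192.168.1.1 eq 443
access-list VPN_FILTER extended deny ip any host 192.168.1.1
access-list VPN_FILTER extended permit ip 10.22.0.0 255.255.255.0 192.168.0.0 255.255.0.0

group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER
```

After connecting, "route print" (Windows) or "netstat -rn" on the client should show 192.168.1.1 via the AnyConnect adapter, and "show logging" on the ASA should show the SSH/ASDM sessions sourced from a 10.22.0.x pool address rather than the ISP address.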
05-17-2023 01:11 PM
Hi @Salman Mahajan,
I am not sure what you meant? The idea is to set another interface and allow SSH via this interface?
Where this ASA is connected there is only an internet connection, no computer\network or any devices besides the ASA.