I'm having a heck of a time trying to enable my spoke 5506 ASA to allow remote management over a DMVPN tunnel from the hub side of the network. Finally got to a point where I can now ping the inside interface across the tunnel, but when I try to ssh, I get the following error (Network error: Software caused connection abort).
I know that this is probably something stupid that I'm missing but I have gone over all the usual suspect commands and at this point could really use a second set of eyes to do a sanity check.
Config is attached.
I’m specifically trying to ssh from the 192.168.20.X/24 subnet, although I’m of the belief that I should be able to ssh from any of the subnets in the object-group dm_inline_network_1.
Am I missing something that would allow ssh?
Your remote networks are:
object-group network DM_INLINE_NETWORK_1
network-object object NETWORK_OBJ_192.168.20.0_24
network-object object NETWORK_OBJ_192.168.250.0_24
network-object object NETWORK_OBJ_192.168.23.0_24
network-object object NETWORK_OBJ_10.250.0.0_16
Can you put this config in place and try it out?
ssh 192.168.20.0 255.255.255.0 inside
ssh 192.168.250.0 255.255.255.0 inside
ssh 192.168.23.0 255.255.255.0 inside
ssh 10.250.0.0 255.255.0.0 inside
I've added those ssh commands. Unfortunately it didn't work and I suspected that it wouldn't due to the previously configured command of (ssh 0.0.0.0 0.0.0.0 inside_2) not working either. See below for updated output of show run ssh.
ASA(config)# show run ssh
ssh scopy enable
ssh 192.168.0.0 255.255.0.0 OUTSIDE
ssh 192.168.70.0 255.255.255.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 192.168.102.0 255.255.255.0 inside_2
ssh 0.0.0.0 0.0.0.0 inside_2
ssh 10.250.0.0 255.255.0.0 inside_2
ssh 192.168.23.0 255.255.255.0 inside_2
ssh 192.168.250.0 255.255.255.0 inside_2
ssh 192.168.20.0 255.255.255.0 inside_2
ssh 192.168.102.0 255.255.255.0 inside_3
ssh 192.168.102.0 255.255.255.0 inside_4
ssh 192.168.102.0 255.255.255.0 inside_5
ssh 192.168.102.0 255.255.255.0 inside_6
ssh 192.168.102.0 255.255.255.0 inside_7
ssh 192.168.102.0 255.255.255.0 inside_8
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
Also worth mentioning is that when I do a packet trace using port 22 from the hub ASA, it appears to pass all ACLs configured.
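Added example, not part of the original posts: a short Python check that parses the show run ssh output posted above and lists which ssh allow entries match a given source address on a given interface, plus which interfaces accept ssh from any source. The host 192.168.20.10 is a constructed sample address in the 192.168.20.X/24 subnet, and the function names are hypothetical.

```python
import ipaddress

# "show run ssh" output exactly as posted in the thread above
SHOW_RUN_SSH = """\
ssh scopy enable
ssh 192.168.0.0 255.255.0.0 OUTSIDE
ssh 192.168.70.0 255.255.255.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 192.168.102.0 255.255.255.0 inside_2
ssh 0.0.0.0 0.0.0.0 inside_2
ssh 10.250.0.0 255.255.0.0 inside_2
ssh 192.168.23.0 255.255.255.0 inside_2
ssh 192.168.250.0 255.255.255.0 inside_2
ssh 192.168.20.0 255.255.255.0 inside_2
ssh 192.168.102.0 255.255.255.0 inside_3
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
"""  # inside_4 .. inside_8 lines omitted; they repeat the inside_3 entry

def parse_ssh_allow(text):
    """Return (network, interface) for each 'ssh <addr> <mask> <ifname>' line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue  # skips 'ssh timeout 15', 'ssh version 2', ...
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # four-word option lines such as 'ssh key-exchange ...'
        rules.append((net, parts[3]))
    return rules

def matching_rules(rules, src, ifname):
    """Allow entries on ifname (exact name match) that cover source address src."""
    ip = ipaddress.ip_address(src)
    return [str(net) for net, ifn in rules if ifn == ifname and ip in net]

def any_source_interfaces(rules):
    """Interfaces carrying a 0.0.0.0 0.0.0.0 (any source) ssh entry."""
    return sorted({ifn for net, ifn in rules if net.prefixlen == 0})

if __name__ == "__main__":
    rules = parse_ssh_allow(SHOW_RUN_SSH)
    # 192.168.20.10 is a constructed sample host
    print("inside_2:", matching_rules(rules, "192.168.20.10", "inside_2"))
    print("inside:  ", matching_rules(rules, "192.168.20.10", "inside"))
    print("any-source ssh on:", any_source_interfaces(rules))
```

For the posted output, a source in 192.168.20.0/24 is matched on inside_2 by both the 0.0.0.0 0.0.0.0 entry and the newly added /24 entry, and there is no entry for an interface named inside. The any-source entries sit on OUTSIDE and inside_2.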