Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
594
Views
5
Helpful
5
Replies

Manage ASA 5512 with SSH over VPN

Go to solution
opticomDA
Level 1
Level 1

‎03-21-2016 02:05 AM

Hi,

we are facing some problems with ssh access on our ASA5512 over a VPN Site-2-Site tunnel.

SSH seems to be set up correctly, because we can initiate the session from inside and from outside on both Interfaces.

But when we try to connect the ASA from remote site with SSH Putty reports a time out.

We setup up a lot of these configurations with ASA5510 and ASA Image 8.x without any problems, so I guess it must have something to do with the new ASA version.

The default-rsa-key was generated successfully.

VPN is ok and the log viewer shows: 

6 Mar 21 2016 10:21:44 302013 192.168.0.100 51682 192.168.1.1 22

Built inbound TCP connection 597903 for outside:192.168.0.100/51682 (192.168.0.100/51682) to inside:192.168.1.1/22 (192.168.1.1/22)

That's how we setup the configuration:

aaa authentication ssh console LOCAL

ssh 192.168.0.0 255.255.255.0 inside (192.168.0.0 is the remote VPN network)

management-access inside

username USER password PASSWORT privilege 15

Did we missed anything?

Thanks

Best regards

Dennis

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-21-2016 02:35 AM

Hi Dennis,

The config looks fine.

Are you able to ping the inside interface through the tunnel.

If not can you check the nat for the traffic and add route-lookup keyword to it.

If you are not using any certificates on the ASA you can use the command to zeroize the rsa keys on the ASA:

crypto key zeroize rsa or try to be specific: crypto key zeroize rsa  label <>

Try to remove the SSH config and reapply it.

Let me know if it works or not.If not then take debug ssh 255 and share.

Regards,

Aditya

Please rate helpful posts.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-21-2016 02:35 AM

Hi Dennis,

The config looks fine.

Are you able to ping the inside interface through the tunnel.

If not can you check the nat for the traffic and add route-lookup keyword to it.

If you are not using any certificates on the ASA you can use the command to zeroize the rsa keys on the ASA:

crypto key zeroize rsa or try to be specific: crypto key zeroize rsa  label <>

Try to remove the SSH config and reapply it.

Let me know if it works or not.If not then take debug ssh 255 and share.

Regards,

Aditya

Please rate helpful posts.

0 Helpful

Go to solution
opticomDA
Level 1
Level 1
In response to Aditya Ganjoo

‎03-21-2016 03:17 AM

Hi Aditya,

That's it :-)

I added the route-lookup keyword and it worked immediately.

Thank you!

Could you please give me a hint, why I need this and why it worked on old ASAs without this keyword?

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to opticomDA

‎03-21-2016 03:18 AM

Hi Dennis,

Happy to help :)

Regards,

Aditya

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to opticomDA

‎03-21-2016 05:21 PM

Hello,

There have been a lot of changes with how NAT works on a particular ASA OS version.
This document will give insight regarding how natting works on ASA.

In the older codes, there were few lesser checks with how natting and routing were leveraged together to determine the egress interface. With newer code, it has been a bit stricter so as to confirm the nat and routing configuration points to same egress interface and then only the packet is sent out.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Go to solution
opticomDA
Level 1
Level 1
In response to Dinesh Moudgil

‎03-22-2016 01:02 AM

Thank you, Dinesh

0 Helpful
Customers Also Viewed These Support Documents