08-03-2010 02:05 PM
We have a pair of ASA5510s with a VPN tunnel that connects the local networks at each location. Tunnel traffic passes fine, but I cannot ssh or http from my location to the other. Http and ssh access is configured correctly as I can browse to it from a "real" outside IP address. I CAN ssh to hosts inside the remote network. I have no way to open an http session from the remote end back here, so I can't test that. Thanx!
08-03-2010 03:41 PM
If you are referring to managing each end firewall using ssh/https through the IPsec tunnel you need two statements for that; if I have misunderstood please correct me.
management-access mgmt_if
and allow ssh/https for the host that will access the security appliance
ssh
Generally for devices like the asa5505 that do not have a specific management interface like the 5510's, you would have something as:
Assuming Site1-asa local LAN 172.16.1.0/24 and Site2-asa local LAN 192.168.1.0/24, and both nets are allowed in your encryption domain:
Site1-asa
management-access inside
ssh 192.168.1.0 255.255.255.0 inside (This is remote end network )
http 192.168.1.0 255.255.255.0 inside ( same as above for ssh)
Site2-asa
management-access inside
ssh 172.16.1.0 255.255.255.0 inside (This is remote end network )
http 172.16.1.0 255.255.255.0 inside ( same as above for ssh, and interface definition should be inside )
As for the ASA5510, if you have management0/0 defined as your management interface, use the example above, replacing the interface name in the management-access statement with your management interface.
If this is not your issue please let us know
Some guidelines
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
Regards
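As an added illustration of the statements in the reply above (not the poster's configuration, and not taken from either ASA on this thread), here is what the complete management section of Site1-asa could look like in ASA 8.2 syntax, including the `http server enable`, RSA key, AAA and NAT-exemption lines that the reply does not show. The interface address 172.16.1.1, the ACL name NONAT, the username and the timeout values are assumptions; the tunnel's crypto ACL is assumed to already cover 172.16.1.0/24 <-> 192.168.1.0/24.

```cisco
! Added example, Site1-asa (ASA 8.2 syntax). Assumed: inside = 172.16.1.1/24,
! peer LAN = 192.168.1.0/24, LAN-to-LAN tunnel already built and passing traffic.

! 1. Let the inside interface accept management sessions that arrive through the tunnel.
management-access inside

! 2. SSH needs an RSA key and a login method; LOCAL keeps it off the enable password.
crypto key generate rsa modulus 2048
username admin-placeholder password CHANGE-ME privilege 15
aaa authentication ssh console LOCAL
ssh version 2
ssh timeout 10

! 3. Scope SSH and ASDM/HTTPS to the two LANs only, never 0.0.0.0 0.0.0.0.
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside

! 4. Keep LAN-to-LAN traffic out of NAT so the remote LAN sees the real inside address.
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Verification from exec mode:
!   show running-config management-access
!   show running-config ssh
!   show running-config http
!   show crypto ipsec sa      (encaps/decaps counters should climb during an SSH attempt)
```

Site2-asa mirrors this with the subnets swapped. If the counters in `show crypto ipsec sa` do not move while you attempt the SSH session, the management traffic is not entering the tunnel at all, which points at the crypto ACL or NAT exemption rather than at the ssh/http statements.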
08-04-2010 07:17 AM
Thanx! Implementing these commands allowed me http access to the remote site, but, when I browse to it and load the Java applet, the window opens and hangs at "Please wait . . . main window is coming up" and the progress bar sits at 100% and seems to flicker. I have added the site as a trusted site and installed the certificate. Any clues? Thanx!
08-04-2010 07:54 AM
What version of Java are you using in the PC, and what version of ASDM does the ASA you are connecting to have?
Is your ssh now ok?
Regards
08-04-2010 08:22 AM
I have ASDM-507 on the remote 5510. Ssh still does not work to that machine. It times out. I'm running Windows 7 with Java version 6, update 20. When I https to the machine and try to download ASDM instead of running the Java app, it appears to download ok. When I try to start it, it appears to load and then disappears, leaving a task running in my system. I CAN run ASDM to either of the ASAs on the local network just fine.
08-04-2010 03:40 PM
Hi Wolfgang, I think I am misunderstanding your post, apologies for that .. perhaps we should clarify!
In your original post..
"Tunnel traffic passes fine, but I cannot ssh or http from my location to the other, Http and ssh access is configured correctly as I can browse to it from a "real" outside IP address."
To what host are you trying to connect? Are you trying to https/ssh to the far end firewall for management through the tunnel? Or is it that you are trying to ssh/https to a host server/PC?
Could you clarify the above?
08-05-2010 05:55 AM
To the contrary, you are not misunderstanding it at all and I sincerely appreciate your help! I am trying to ssh and ASDM from our inside network to the inside address of a remote ASA5510 in our network, to which we have a fully operational tunnel. An ssh connection simply times out. When I open up an ASDM session to the remote ASA, it appears to load and then, simply vanishes. A process remains in Windows, but does nothing. If I try to connect via https and select the Java applet, it seems to load, but then hangs with "Please wait . . . main window is coming up" and the blue bar shows 100%. It stays there without ever bringing up the ASDM screen. I have applied all the changes suggested by you previously, to both ASAs. Thank you for your continued assistance!
08-05-2010 06:04 AM
Hello,
To verify that the connectivity is there, can you try to ping the IP and then try to telnet instead of ssh (you need to enable telnet)? If that part works, then we know for sure that the management traffic is flowing across the tunnel.
Hope this helps.
Regards,
NT
08-05-2010 06:20 AM
I am able to ping the inside address of the remote ASA, but, after configuring the remote ASA to allow telnet access, I cannot telnet to the inside interface, which has been designated the management interface. The attempt times out.
08-05-2010 04:50 PM
Hello,
Do you have "telnet 0.0.0.0 0.0.0.0 inside" in the configuration?
Regards,
NT
08-06-2010 06:01 AM
Hi,
Yes, I did enter that when I created the telnet test configuration. Here's some more information:
1. I can ping the remote ASA and an inside host from my host.
2. I cannot ping my host, nor the inside address of my ASA from the remote inside host.
3. I can ping the outside address of my ASA from the remote inside host.
4. I cannot SSH or http to the inside address of my ASA from the remote inside host.
5. I cannot ssh or http to either the inside or the outside address of the remote ASA.
6. The tunnel works just fine for all other traffic.
Hope this information helps lead to something. I'm drawing a blank.. I have examined the access rules on both ends and everything looks to allow all ip traffic from either network to the other network.
Thanks for your help!
Regards, Wolf