Re: SSH on Management 0/0 ? - ASA 5510 8.0(4)

technerd207 · ‎05-26-2010

Greetings,

I have been struggling to get SSH up on management-only interface (M0/0) on an ASA 5510. It has SSH working on an outside interface, but not in M0/0.

After setting up the interface, I can ping it (only after I declare it a management interface from ASDM oddly), but SSH is closed.

My question at this point, is this even possible?

Here are the relevant parts of my config; let me know if there is any other details needed to figure out this issue, if in fact SSH "is" possible on a management interface:

firewall1#sh run all int management 0/0
!
interface Management0/0
speed auto
duplex full
nameif management
security-level 0
ip address X.X.X.X 255.255.255.252
ospf cost 10
delay 10

firewall1# show run | inc ssh
aaa authentication ssh console LOCAL
aaa authentication ssh console LOCAL
ssh ME 255.255.255.252 Outside
ssh ME 255.255.255.252 management
ssh timeout 60
ssh version

firewall1# sh int m0/0
Interface Management0/0 "management", is up, line protocol is up
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 001e.f760.XXXX, MTU 1500
IP address X.X.X.X, subnet mask 255.255.255.252
5540 packets input, 430250 bytes, 0 no buffer
Received 116 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
5085 packets output, 325440 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/20)
output queue (curr/max packets): hardware (0/20) software (0/1)
Traffic Statistics for "management":
5536 packets input, 352374 bytes
5085 packets output, 203100 bytes
5353 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 1 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 2 through-the-device packets

If anyone can point me in the right direction, I would greatly appreciate it.

Thanks in advance!

Todd Pula · ‎05-26-2010

What happens if you add the management-access management command to your configuration? Where is the connecting client PC located in the topology? If not connected to the management VLAN, make sure that routing is in place to keep the traffic flow symmetrical. SSH debugs should tell you more.

technerd207 · ‎05-26-2010

The connecting client is connecting from our office (shown as "ME" in the configuration) and the ASA is at a data center outside of the office.

A bit of background into this, we were given a second ethernet drop at the data center, with a /30 IP range that we want to use exclusively for managing the ASA remotely; we have another external IP range setup on another interface and we are currently using that for SSH access as well.

Regarding the route, I actually do not see one set for the management interface - all I see is the one set for the outside interface. If this is, in fact an issue, what what I need to set it as?

firewall1# sh run all | inc route
route Outside 0.0.0.0 0.0.0.0 X.X.X.X 1

(nothing for "management")

management-access management had already been added:

fireall1# sh run all | inc management
nameif management
management-only
access-list management_access_in extended permit ip host OFFICE any log debugging
access-list management_access_in extended permit ip ME 255.255.255.248 any
mtu management 1500
no monitor-interface management
access-group management_access_in in interface management
http ME 255.255.255.248 management
fragment size 200 management
fragment chain 24 management
fragment timeout 5 management
no fragment reassembly full management
no sysopt noproxyarp management
crypto ipsec fragmentation before-encryption management
crypto ipsec df-bit copy-df management
ssh ME 255.255.255.248 management
ssh OFFICE 255.255.255.255 management
management-access management
enable management
no password-management
no password-management
no password-management
authentication-server-group (management) LOCAL
authorization-server-group (management) LOCAL
no password-management

TIA!

Jennifer Halim · ‎05-26-2010

From the posted configuration, your management 0/0 subnet is a /30, that means only 2 usable ip addresses in that subnet. Since you have assigned 1 to your management interface, you have one other ip address to use in that subnet. You would need to be directly connected to that interface to SSH to the management interface. Alternatively, you can VPN into the ASA, and SSH to the management ip address if you have the following configured:

ssh management

And another thing to check is if you have split tunnel configured for your VPN client, you would need to make sure that you include the management interface subnet in the split tunnel ACL.

So rule of thumb for SSH to ASA:

1) You need to be directly connected to the interface that you are trying to manage, ie: if you try to manage the ASA by connecting to the management interface, you would need to be connected through the management interface.

OR/

2) If you are not directly connected, you would need to VPN in, and you can manage the opposite interface where the session is sourced from. In VPN scenario, you would VPN to the outside interface, and you can manage the ASA through SSH on the management interface.

Hope that helps.

technerd207 · ‎05-26-2010

halijenn,

Thank you for responding.

So in essence, there isn't a way to directly attach two seperate physical ethernet WAN connections to a 5510 - and being able to remotely SSH to both interfaces on both IP addresses?

If that is the case, then I have a dilemna. This second ethernet line was setup so that we would have a secondary means (a 2nd ISP on a seperate ethernet line) to manage the ASA at the data center location. Is this just not possible? Must we use the outside interface to SSH in no matter what?

Thanks in advance!

Jennifer Halim · ‎05-27-2010

Not too sure how you are going to connect the 2nd ISP line to your ASA because you can not have 2 default gateway configured on the ASA on 2 different interfaces. Unless you only route specific traffic towards the 2nd ISP, you wouldn't even be able to have both ISP routing at the same time on 2 ASA interfaces using default gateway.

From your description, it seems like you would like to manage the ASA from both connections, hence I assume that you are under the impression that ASA can have 2 default gateways through 2 different interfaces which is not a supported config. Please let me know if it's otherwise.

To answer your question, you can only SSH to a different interface then the interface you are connecting to if you VPN to the ASA. Otherwise, if the session is coming inbound from outside interface, you can only SSH to the outside interface, not any other interfaces.

technerd207 · ‎05-27-2010

That's quite disappointing , but thank you for enlightening me.

Ok, back to the drawing board. The goal is to have a secondary connection for access to our production ASA. Can you tell me if there is a possiblity in this situation:

We also have a 2nd ASA 5510 sitting on the rack right next to the other one! (it's not currently being used); we also have a 3560 switch with about 13 free ports.

The 1st ASA has these two free interfaces: M0/0 and E0/3.

Would there be a way to do some network wizardy make this work, to overcome the issue of not being able to have >1 deault routes on the production ASA?

TIA

technerd207 · ‎05-27-2010

halijenn wrote:
Not too sure how you are going to connect the 2nd ISP line to your ASA because you can not have 2 default gateway configured on the ASA on 2 different interfaces. Unless you only route specific traffic towards the 2nd ISP, you wouldn't even be able to have both ISP routing at the same time on 2 ASA interfaces using default gateway.

From your description, it seems like you would like to manage the ASA from both connections, hence I assume that you are under the impression that ASA can have 2 default gateways through 2 different interfaces which is not a supported config. Please let me know if it's otherwise.
To answer your question, you can only SSH to a different interface then the interface you are connecting to if you VPN to the ASA. Otherwise, if the session is coming inbound from outside interface, you can only SSH to the outside interface, not any other interfaces.

Ha, I solved ths by adding this route:

route management

The only drawback to this is, any machines behind the ASA cannot route traffic to the , (which is fine since it is a spare on our /28), but I get symmetry when connecting to the ASA remotely now.

Cheers

Jennifer Halim · ‎05-28-2010

Perfect, thanks for the update.

dflick · ‎07-06-2010

You can use the dual ISPs by using IP SLA to check the primary and when/if it fails, switch to the backup.

This example uses 2 outside interfaces called "outside" and "outside2"

sla monitor 10
type echo protocol ipIcmpEcho interface outside
num-packets 3
frequency 15
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

route outside 0.0.0.0 0.0.0.0 1 track 1
route outside2 0.0.0.0 0.0.0.0 100

If you need an extra interface, you can convert the management port to a useable interface like this:

interface management0/0

 no management-only

Cisco does not recomment this however.