09-01-2016 07:10 AM
Hi,
I am facing some issues in accessing the ASA interface using SSH from the remote LAN.
A site-to-site tunnel is created on the VPN device. The local subnet is 192.168.208/21 and the remote subnet is 192.168.144.0/24.
From the local LAN I am able to access the inside interface of the ASA using SSH.
From the remote LAN (192.168.144.110) I can't access the inside or outside interface using SSH.
Please find the information below.
#show run interfaces
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.215.17 255.255.255.240 standby 192.168.215.18
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 192.168.215.33 255.255.255.240 standby 192.168.215.34
#sh run access-list
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.33
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.34
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.17
ssh stricthostkeycheck
ssh 192.168.144.124 255.255.255.255 OUTSIDE
ssh 192.168.144.110 255.255.255.255 OUTSIDE
ssh 192.168.210.240 255.255.255.255 INSIDE
ssh 192.168.210.33 255.255.255.255 INSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 192.168.144.110 255.255.255.255 INSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.33
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.34
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.17
Any help will be appreciated.
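A small lint over the `ssh` allow lines quoted above, added here as an example and not part of the original post: it parses each `ssh <ip> <mask> <nameif>` statement, reports which interfaces admit a given source, and flags the wide-open `ssh 0.0.0.0 0.0.0.0 INSIDE` entry. It models only the SSH allow list, not the tunnel's interesting-traffic ACL or NAT exemption, which are separate conditions.

```python
import ipaddress
import re

# Copy of the 'ssh' lines from the post above (constructed input for this example).
SSH_CONFIG = """
ssh stricthostkeycheck
ssh 192.168.144.124 255.255.255.255 OUTSIDE
ssh 192.168.144.110 255.255.255.255 OUTSIDE
ssh 192.168.210.240 255.255.255.255 INSIDE
ssh 192.168.210.33 255.255.255.255 INSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 192.168.144.110 255.255.255.255 INSIDE
ssh timeout 60
ssh version 2
"""

# Matches only the 'ssh <ip> <mask> <nameif>' form; other 'ssh ...' settings are ignored.
SSH_LINE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_ssh_rules(config):
    """Return (network, interface) pairs for every SSH allow statement in the config."""
    rules = []
    for line in config.splitlines():
        m = SSH_LINE.match(line.strip())
        if m:
            # ipaddress accepts the ASA's dotted-netmask form, e.g. 0.0.0.0/0.0.0.0 -> 0.0.0.0/0
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return rules


def allowed_interfaces(config, source_ip):
    """Interfaces on which the given source address is permitted to open an SSH session."""
    src = ipaddress.ip_address(source_ip)
    return sorted({ifname for net, ifname in parse_ssh_rules(config) if src in net})


def broad_rules(config, max_prefixlen=24):
    """Rules wider than max_prefixlen; 0.0.0.0/0 admits any source that can reach the interface."""
    return [(str(net), ifname) for net, ifname in parse_ssh_rules(config)
            if net.prefixlen < max_prefixlen]


if __name__ == "__main__":
    print("192.168.144.110 may SSH to:", allowed_interfaces(SSH_CONFIG, "192.168.144.110"))
    print("overly broad rules:", broad_rules(SSH_CONFIG))
```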
09-01-2016 09:25 AM
If the sites are connected by a site to site VPN can you tell us what traffic is selected to go through the tunnel, and can you verify that this SSH traffic to the ASA interface is included in the tunnel traffic? Also can you check to be sure that this traffic is exempted from address translation?
HTH
Rick
09-09-2016 05:14 AM
Hi sharathpk0912,
I see that you don't have the g0/1 (inside) interface as a management interface. As a security rule, the firewall will not allow control plane traffic coming from outside to the inside interface, but for VPN it is much needed. So whatever interface you have defined as a management interface would be accessible from the remote end. For more information on the management interface please refer to the document below.
The KB article below might be helpful for you.
Thanks
Shakti