642 Views, 0 Helpful, 2 Replies

Unable to access ASA interface using SSH from remote LAN

sharathpk0912
Level 1

Hi,

I am facing some issues accessing the ASA interface using SSH from a remote LAN.
A site-to-site tunnel is created on the VPN device. The local subnet is 192.168.208/21 and the remote subnet is 192.168.144.0/24.

From the local LAN I am able to access the inside interface of the ASA using SSH.
From the remote LAN (192.168.144.110) I can't access the inside or outside interface using SSH.

Please find the information below.
#show run interfaces
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.215.17 255.255.255.240 standby 192.168.215.18


interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 192.168.215.33 255.255.255.240 standby 192.168.215.34

#sh run access-list
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.33
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.34
access-list out_in extended permit ip host 192.168.144.110 host 192.168.215.17


ssh stricthostkeycheck
ssh 192.168.144.124 255.255.255.255 OUTSIDE
ssh 192.168.144.110 255.255.255.255 OUTSIDE
ssh 192.168.210.240 255.255.255.255 INSIDE
ssh 192.168.210.33 255.255.255.255 INSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 192.168.144.110 255.255.255.255 INSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE

Any help will be appreciated.

2 Replies

Richard Burts
Hall of Fame

If the sites are connected by a site-to-site VPN, can you tell us what traffic is selected to go through the tunnel, and can you verify that this SSH traffic to the ASA interface is included in the tunnel traffic? Also, can you check to be sure that this traffic is exempted from address translation?

HTH

Rick

Shakti Kumar
Cisco Employee

Hi sharathpk0912,

I see that you don't have the g0/1 (inside) interface as a management interface; as a security rule, the firewall will not allow control plane traffic coming from outside to the inside interface. But for VPN it is much needed. So whatever interface you have defined as the management interface would be accessible from the remote end. For more information on the management interface, please refer to the document below.

The KB article below might be helpful for you:

Management access over VPN

Thanks

Shakti
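As an added example (not part of the thread), the Python below replays a simplified model of the two ASA SSH admission checks, the `ssh <host> <mask> <interface>` permits and `management-access`, against the lines the question pasted; the config string is constructed from the post, and tunnel selection and NAT exemption, which the post does not show, are deliberately outside the model.

```python
"""Replay the ASA SSH admission rules against the config quoted in the question."""
import ipaddress
import re

# Constructed from the ssh / management-access lines pasted in the question.
ASA_CONFIG = """
ssh 192.168.144.124 255.255.255.255 OUTSIDE
ssh 192.168.144.110 255.255.255.255 OUTSIDE
ssh 192.168.210.240 255.255.255.255 INSIDE
ssh 192.168.210.33 255.255.255.255 INSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 192.168.144.110 255.255.255.255 INSIDE
management-access INSIDE
"""

SSH_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
MGMT_RE = re.compile(r"^management-access (\S+)$")

def parse(cfg):
    """Return ([(permitted_network, interface), ...], management_access_interface)."""
    permits, mgmt = [], None
    for line in cfg.splitlines():
        line = line.strip()
        if m := SSH_RE.match(line):
            # ASA writes host/netmask; ipaddress accepts the dotted-mask form.
            permits.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif m := MGMT_RE.match(line):
            mgmt = m[1]
    return permits, mgmt

def ssh_admitted(cfg, src, target_if, ingress_if):
    """Simplified model of the two ASA checks for an SSH session to target_if.
    1. An 'ssh <host> <mask> <target_if>' entry must match the source address.
    2. The session must arrive on target_if itself, or target_if must be the
       management-access interface (the VPN case both replies point at).
    Crypto-map selection and NAT exemption are not in the post, so they are
    not modelled: a True here means the blocker must be one of those.
    """
    permits, mgmt = parse(cfg)
    host = ipaddress.ip_address(src)
    permitted = any(host in net and ifn == target_if for net, ifn in permits)
    reachable = ingress_if == target_if or target_if == mgmt
    return permitted and reachable

def report(cfg, src="192.168.144.110", ingress_if="OUTSIDE"):
    return {ifn: ssh_admitted(cfg, src, ifn, ingress_if) for ifn in ("INSIDE", "OUTSIDE")}

if __name__ == "__main__":
    print(report(ASA_CONFIG))  # {'INSIDE': True, 'OUTSIDE': True}
```

Both interfaces come back admitted for 192.168.144.110, so the pasted `ssh` and `management-access` lines are not what blocks the session; that leaves the tunnel's traffic selection and the NAT exemption that Rick asked about.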