04-30-2010 10:56 AM
I am not able to SSH to the outside interface of the ASA when I log in to the VPN client. I belong to the tech support group. Can you help me? Please let me know if you need additional information. Attached is the config file. Thanks.
04-30-2010 11:43 AM
Try SSH to the inside interface instead.
04-30-2010 11:46 AM
Your 'ssh x.x.x.0 255.255.255.0 Outside' doesn't match your ip local pool vpnpool 192.168.101.1-192.168.101.250 mask 255.255.255.0, and since you are VPN'd in you must be getting an IP from that pool?
04-30-2010 01:32 PM
Thanks, both of you. I added "ssh 192.168.101.0 255.255.255.0 Inside". I was able to SSH to the inside interface when I log in to the VPN client.
May I ask you another question? Since I allow the VPN pool to SSH to the ASA, it means all VPN users can SSH to the ASA. Will it create a security issue for the ASA? Would you set it up this way? I want to be able to do administration when I log in to the VPN client. Thanks.
04-30-2010 04:10 PM
Yes, you are correct, this could be considered insecure.
Since you are defining the users locally, why not assign your username a static IP (192.168.1.250) from the IP pool, and be sure to edit the pool to end at .249.
Use the 'vpn-framed-ip-address' command:
"Enter the IP address and the net mask to be assigned to the client"
CiscoASA#1(config-username)# vpn-framed-ip-address ?
username mode commands/options:
A.B.C.D The IP address to be assigned to the client
After taking care of that, change your ssh/http (ASDM) permissions to only allow the single host instead of the range.
Good luck.
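
An added example, not part of the original thread or the poster's attached config: a Python check that flags ssh/http management rules on an ASA that admit addresses from a shared VPN pool, run over two constructed configs modelled on the change suggested above. The username admin1 and the reserved address 192.168.101.250 (the last address of the vpnpool range quoted in the thread) are assumptions.

```python
import ipaddress
import re

# Constructed sample configs (not the poster's attachment). "admin1" is a
# hypothetical username; 192.168.101.250 is assumed to be the reserved address.
BEFORE = """\
ip local pool vpnpool 192.168.101.1-192.168.101.250 mask 255.255.255.0
ssh 192.168.101.0 255.255.255.0 Inside
"""
AFTER = """\
ip local pool vpnpool 192.168.101.1-192.168.101.249 mask 255.255.255.0
username admin1 attributes
 vpn-framed-ip-address 192.168.101.250 255.255.255.0
ssh 192.168.101.250 255.255.255.255 Inside
http 192.168.101.250 255.255.255.255 Inside
"""

# "ip local pool <name> <first>-<last> ..." and "ssh|http <addr> <mask> <if>".
# Requiring a leading digit skips lines such as "ssh timeout 5".
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
MGMT_RE = re.compile(r"^(ssh|http) (\d\S+) (\d\S+) (\S+)", re.M)


def audit(config):
    """Return findings for ssh/http rules that admit shared VPN pool addresses."""
    pools = [(name, ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for name, lo, hi in POOL_RE.findall(config)]
    findings = []
    for proto, addr, mask, iface in MGMT_RE.findall(config):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for name, lo, hi in pools:
            # Pool addresses the rule admits: overlap of [lo, hi] with the rule.
            first = max(lo, net.network_address)
            last = min(hi, net.broadcast_address)
            if first <= last:
                count = int(last) - int(first) + 1
                findings.append(f"{proto} {net} on {iface} admits {count} "
                                f"address(es) from pool {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "no pool address can reach ssh/http")
```

The rule for the reserved address produces no finding only because the pool now ends at .249; leaving the pool at .250 would let any VPN user be handed the administrator's address.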