cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
659
Views
0
Helpful
7
Replies

Unable to SSH

dianewalker
Beginner
Beginner

I am unable to SSH to the inside interface of the ASA when I login to Cisco VPN client.  When I tried to SSH, nothing is displayed on the screen.  There was no error message.  Do you have any suggestions?

ip local pool vpnpool 10.10.0.1-10.10.7.240 mask 255.255.248.0


username diane password iikdieiieikdieikdk privilege 15
username diane attributes
vpn-framed-ip-address 10.10.7.241 255.255.255.255


ssh 10.10.7.241 255.255.255.255 Inside
ssh timeout 5
ssh version 2

Thanks.

Diane

3 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to add the following:

management-access inside

ssh 10.10.0.0 255.255.248.0 inside

View solution in original post

1. No, there is no way to limit the number of SSH connection unfortunately.

2. What is your split tunnel ACL, and has it included the subnet or the IP address of the ASA inside interface?

View solution in original post

You can't restrict only user "Dianne" to SSH to the ASA when you VPN in as it is not based on username. It's based on the ip address.

You can assign a vpn ip address statically to user "Dianne", and only configure that ip address in the SSH command. That would restrict only the vpn ip address assigned to user "Dianne" to SSH while on VPN.

View solution in original post

7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to add the following:

management-access inside

ssh 10.10.0.0 255.255.248.0 inside

Thanks Jennifer for your prompt response.  Your suggestions worked!!!

1.  Is there a way to limit for one person to SSH when logging in to Cisco VPN client?

2.  Also, I can only SSH to the ASA when I am in full tunnel.  If I am in Split tunnel, I cannot SSH to the inside interface of the ASA.  Is it normal or is it something that I need to add in Split tunnel?

I setup a user account "diane" and I was able to SSH to the inside interface of the ASA when I login to Cisco VPN client.  Here is the user account config

username diane password iikdieiieikdieikdk privilege 15
username diane attributes
vpn-group-policy fulltunnel
vpn-tunnel-protocol IPSec
service-type admin

However if I setup another account with Split-tunnel, I am NOT able to SSH to the inside interface of the ASA when I login to Cisco VPN client.  Here is the user account config

username jane password eikdieideiid privilege 15
username jane attributes
vpn-group-policy split
vpn-tunnel-protocol IPSec
service-type admin

Please let me know if you need additional info.

Thanks.

Diane

1. No, there is no way to limit the number of SSH connection unfortunately.

2. What is your split tunnel ACL, and has it included the subnet or the IP address of the ASA inside interface?

Jennifer,

I will add the IP address of the inside interface of the ASA to the split tunnel ACLs and get back to you later.

Thanks.

You can't restrict only user "Dianne" to SSH to the ASA when you VPN in as it is not based on username. It's based on the ip address.

You can assign a vpn ip address statically to user "Dianne", and only configure that ip address in the SSH command. That would restrict only the vpn ip address assigned to user "Dianne" to SSH while on VPN.

Thanks Jennifer.  You are a genius!!!  Your suggestions work!!!

Diane

You are welcome, thanks for the update and ratings.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: