Unable to SSH

dianewalker
Level 1

I am unable to SSH to the inside interface of the ASA when I log in with the Cisco VPN client. When I tried to SSH, nothing was displayed on the screen. There was no error message. Do you have any suggestions?

ip local pool vpnpool 10.10.0.1-10.10.7.240 mask 255.255.248.0


username diane password iikdieiieikdieikdk privilege 15
username diane attributes
vpn-framed-ip-address 10.10.7.241 255.255.255.255


ssh 10.10.7.241 255.255.255.255 Inside
ssh timeout 5
ssh version 2

Thanks.

Diane

7 Replies

Jennifer Halim
Cisco Employee

You would need to add the following:

management-access inside

ssh 10.10.0.0 255.255.248.0 inside

Thanks, Jennifer, for your prompt response. Your suggestions worked!!!

1. Is there a way to limit SSH to one person when logging in with the Cisco VPN client?

2. Also, I can only SSH to the ASA when I am in full tunnel. If I am in split tunnel, I cannot SSH to the inside interface of the ASA. Is this normal, or is it something that I need to add to the split tunnel?

I set up a user account "diane" and I was able to SSH to the inside interface of the ASA when I logged in with the Cisco VPN client. Here is the user account config:

username diane password iikdieiieikdieikdk privilege 15
username diane attributes
vpn-group-policy fulltunnel
vpn-tunnel-protocol IPSec
service-type admin

However, if I set up another account with split tunnel, I am NOT able to SSH to the inside interface of the ASA when I log in with the Cisco VPN client. Here is the user account config:

username jane password eikdieideiid privilege 15
username jane attributes
vpn-group-policy split
vpn-tunnel-protocol IPSec
service-type admin

Please let me know if you need additional info.

Thanks.

Diane

1. No, there is no way to limit the number of SSH connections, unfortunately.

2. What is your split tunnel ACL, and does it include the subnet or the IP address of the ASA inside interface?

Jennifer,

I will add the IP address of the inside interface of the ASA to the split tunnel ACLs and get back to you later.

Thanks.

You can't restrict only user "Diane" to SSH to the ASA when you VPN in, as it is not based on username. It's based on the IP address.

You can assign a VPN IP address statically to user "Diane", and only configure that IP address in the SSH command. That would restrict only the VPN IP address assigned to user "Diane" to SSH while on VPN.
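The two answers above (the split-tunnel ACL needing to cover the ASA inside address, and restricting SSH per user by handing that user a static VPN address and listing only that address in the `ssh` command) can be checked mechanically. The following Python script is an added example and not code from this thread or from Cisco: it reads an ASA-style config and reports whether `management-access` is on the inside interface, whether the user's `vpn-framed-ip-address` is outside the pool and is the address permitted by the `ssh` line, and whether the split-tunnel standard ACL includes the inside address. `SAMPLE_CONFIG` is constructed from the commands quoted in the thread; the inside address `192.0.2.1`, the interface `GigabitEthernet0/1`, the group-policy lines and the ACL name `split` are assumed placeholders.

```python
"""Check an ASA-style config for the VPN-to-inside SSH case from this thread.

Added example. SAMPLE_CONFIG is constructed from the commands quoted in the
thread plus placeholders: the inside address 192.0.2.1, the interface name
GigabitEthernet0/1 and the standard ACL "split" are assumptions, not values
from the thread or a real device.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.0.2.1 255.255.255.0
ip local pool vpnpool 10.10.0.1-10.10.7.240 mask 255.255.248.0
access-list split standard permit 192.0.2.0 255.255.255.0
group-policy split attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username diane attributes
 vpn-framed-ip-address 10.10.7.241 255.255.255.255
management-access inside
ssh 10.10.7.241 255.255.255.255 inside
ssh timeout 5
ssh version 2
"""

_DOTTED = r"(\d{1,3}(?:\.\d{1,3}){3})"


def _net(addr, mask):
    # ASA uses dotted netmasks; strict=False tolerates host bits in the address.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ssh_permits(config):
    """[(network, nameif)] for each 'ssh A.B.C.D M.M.M.M nameif' line.
    'ssh timeout' / 'ssh version' lines do not match the dotted pattern."""
    pat = re.compile(rf"^ssh {_DOTTED} {_DOTTED} (\S+)\s*$", re.M)
    return [(_net(a, m), name.lower()) for a, m, name in pat.findall(config)]


def ssh_allowed(config, client_ip, nameif):
    """True if client_ip arriving on nameif is covered by an ssh permit line.
    Interface names are compared case-insensitively here (an assumption)."""
    ip = ipaddress.ip_address(str(client_ip))
    return any(ip in net and name == nameif.lower() for net, name in ssh_permits(config))


def has_management_access(config, nameif):
    """'management-access <nameif>' lets VPN clients reach that interface's own address."""
    return re.search(rf"^management-access {re.escape(nameif)}\s*$", config, re.M | re.I) is not None


def framed_ip(config, user):
    """Static VPN address set by 'vpn-framed-ip-address' under 'username X attributes'."""
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level command ends any attributes block
            in_block = line.strip() == f"username {user} attributes"
            continue
        if in_block and line.strip().startswith("vpn-framed-ip-address "):
            return ipaddress.ip_address(line.split()[1])
    return None


def pool_contains(config, ip):
    """True if ip falls inside any 'ip local pool NAME lo-hi' range."""
    ip = ipaddress.ip_address(str(ip))
    for lo, hi in re.findall(rf"^ip local pool \S+ {_DOTTED}-{_DOTTED}", config, re.M):
        if ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi):
            return True
    return False


def split_tunnel_networks(config, acl_name):
    """Networks permitted by a standard ACL used as the split-tunnel list."""
    nets = []
    pat = re.compile(rf"^access-list {re.escape(acl_name)} standard permit (.+?)\s*$", re.M)
    for rest in pat.findall(config):
        parts = rest.split()
        if parts[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif parts[0] == "host":
            nets.append(ipaddress.ip_network(f"{parts[1]}/32"))
        else:
            nets.append(_net(parts[0], parts[1]))
    return nets


def inside_in_split_tunnel(config, acl_name, inside_ip):
    """Does the split-tunnel ACL send traffic for the ASA inside address through the tunnel?"""
    ip = ipaddress.ip_address(str(inside_ip))
    return any(ip in n for n in split_tunnel_networks(config, acl_name))


def audit(config, user, inside_nameif, inside_ip, split_acl):
    """Bundle the checks the thread walks through into one pass/fail report."""
    vpn_ip = framed_ip(config, user)
    return {
        "management_access": has_management_access(config, inside_nameif),
        "static_ip_assigned": vpn_ip is not None,
        # a static address inside the pool could also be handed out to another client
        "static_ip_outside_pool": vpn_ip is not None and not pool_contains(config, vpn_ip),
        "ssh_permits_static_ip": vpn_ip is not None and ssh_allowed(config, vpn_ip, inside_nameif),
        "split_acl_covers_inside": inside_in_split_tunnel(config, split_acl, inside_ip),
    }


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG, "diane", "inside", "192.0.2.1", "split").items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Swapping the `ssh 10.10.7.241 255.255.255.255 inside` line for the broader `ssh 10.10.0.0 255.255.248.0 inside` from the first reply makes `ssh_allowed` return True for every pool address, which is exactly why the per-user restriction has to be done with a static address outside the pool rather than with the username.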

Thanks, Jennifer. You are a genius!!! Your suggestions work!!!

Diane

You are welcome, thanks for the update and ratings.