VPN and SSH Key Phenomena

rdml-operations
Level 1

Hi All,

I have found myself in possession of a rather odd problem.

Problem Description

I can SSH to my ASA box from within my private network, and from the internet when not connected to the VPN, without a problem.

If I SSH to my ASA box from within a remote-access VPN session, I receive the error "ssh_exchange_identification: Connection closed by remote host".

REMOTE_VPN_POOL = 192.168.250.1 - 192.168.250.5/24

LOCAL_LAN = 192.168.2.0/24

The odd thing here is that I can SSH to my wireless device (192.168.2.2) and then onto my ASA (192.168.2.1) - see bold text below.

The below cut and paste job gives a good example of what is going on. Other than this, the ASA is working quite fine in terms of RA VPN. Any help as to how to fix this issue would be greatly appreciated.

Cheers,


Conor

VPNC: A Linux VPN Client for Cisco. Works like a charm most of the time.

[root@analogue ~]# vpnc --local-port 501 /etc/vpnc/home.conf
VPNC started in background (pid: 15830)...


[root@analogue ~]# ping 192.168.2.1 (my firewall's private IP)
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=8.33 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=8.09 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1310ms
rtt min/avg/max/mdev = 8.091/8.211/8.331/0.120 ms


[root@analogue ~]# ping 192.168.2.2  (my wireless device private IP)
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=1 ttl=255 time=9.34 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=255 time=8.90 ms
^C


--- 192.168.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1248ms
rtt min/avg/max/mdev = 8.902/9.122/9.343/0.240 ms
[root@analogue ~]# ^C
[root@analogue ~]# ssh conor@192.168.2.1
ssh_exchange_identification: Connection closed by remote host
[root@analogue ~]# ssh conor@192.168.2.2
Password:

wireless#
wireless#ssh -l conor 192.168.2.1

Password:
************************************************
* Private System. No Unauthorised Entry or Use *
************************************************
Type help or '?' for a list of available commands.
firewall>

andamani
Cisco Employee

Hi Conor,

Could you please paste the output of "sh run | in ssh" below.

Regards,

Anisha

Anisha,

You have solved the problem! As soon as you wrote 'sh run | i ssh' it dawned on me. The output is as follows:

firewall(config)# sho run | in ssh

****REMOVED SOME ACLS*****

ssh 192.168.2.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE **** temporary testing *****
ssh 192.168.250.0 255.255.255.0 OUTSIDE
ssh 10.2.2.2 255.255.255.255 DMZ
ssh timeout 30
ssh version 2

The solution:

Change the interface of the 192.168.250.0 connections from OUTSIDE to INSIDE as we are connecting via a VPN tunnel!


firewall(config)# ssh 192.168.250.0 255.255.255.0 INSIDE
firewall(config)# http 192.168.250.0 255.255.255.0 INSIDE

Works like a charm now Anisha!

Cheers,

Conor
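The fix above hinges on how the ASA reads an `ssh <ip> <mask> <interface>` line: the interface named is the one whose address the client connects to, not the one the packet physically arrives on. A VPN-pool client targeting the inside address 192.168.2.1 therefore needs an INSIDE entry, which the OUTSIDE entry never matched. The small checker below is an added example and is not code from the thread or from Cisco; it parses the `sh run | in ssh` output quoted above (embedded here as a constructed sample, with the "temporary testing" annotation dropped so the line parses), answers "may this source reach SSH on this interface?" for the before and after configurations, and also flags any-source entries such as `ssh 0.0.0.0 0.0.0.0 OUTSIDE`, which an auditor would want to see removed once testing is over. The function names and the sample strings are this example's own assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the "sh run | in ssh" lines quoted in the thread, before the fix.
ASA_SSH_BEFORE = """
ssh 192.168.2.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 192.168.250.0 255.255.255.0 OUTSIDE
ssh 10.2.2.2 255.255.255.255 DMZ
ssh timeout 30
ssh version 2
"""

# Same configuration after the accepted fix: the VPN pool is now allowed on INSIDE.
ASA_SSH_AFTER = ASA_SSH_BEFORE.replace(
    "ssh 192.168.250.0 255.255.255.0 OUTSIDE",
    "ssh 192.168.250.0 255.255.255.0 INSIDE",
)

# Only source/mask/nameif entries; "ssh timeout 30" and "ssh version 2" do not match.
SSH_RULE = re.compile(
    r"^\s*ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_ssh_rules(running_config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (permitted source network, interface nameif) pairs from the config text."""
    rules = []
    for line in running_config.splitlines():
        m = SSH_RULE.match(line)
        if not m:
            continue
        ip, mask, nameif = m.groups()
        # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
        rules.append((ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), nameif))
    return rules


def ssh_permitted(running_config: str, client_ip: str, nameif: str) -> Tuple[bool, Optional[str]]:
    """Decide whether client_ip may open SSH to the ASA address on interface nameif.

    Returns (allowed, matching_rule). The rule must name the interface being
    connected to; nameif comparison is exact, as ASA interface names are case-sensitive.
    """
    addr = ipaddress.IPv4Address(client_ip)
    for net, iface in parse_ssh_rules(running_config):
        if iface == nameif and addr in net:
            return True, f"ssh {net.network_address} {net.netmask} {iface}"
    return False, None


def find_any_source_rules(running_config: str) -> List[str]:
    """List interfaces that accept SSH from every source (a 0.0.0.0/0 entry)."""
    return [iface for net, iface in parse_ssh_rules(running_config) if net.prefixlen == 0]


if __name__ == "__main__":
    pool_client = "192.168.250.3"  # an address from the VPN pool in the thread
    for label, cfg in (("before", ASA_SSH_BEFORE), ("after", ASA_SSH_AFTER)):
        allowed, rule = ssh_permitted(cfg, pool_client, "INSIDE")
        print(f"{label}: {pool_client} -> INSIDE allowed={allowed} rule={rule}")
    print("any-source SSH on:", find_any_source_rules(ASA_SSH_BEFORE))
```

Run against the "before" text the VPN client is refused on INSIDE even though an OUTSIDE entry for its pool exists, which is exactly the symptom in the original post; against the "after" text it matches the new INSIDE entry. The any-source report is the piece to keep in a periodic config review, since a wide-open `ssh 0.0.0.0 0.0.0.0 OUTSIDE` left from testing exposes the management plane to the whole internet.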

lol Conor..!! Pleasure to help..

Regards,

Anisha