vpning in and then asdm or ssh

Unanswered Question
Jun 24th, 2008

ciscoasa# sh run

: Saved


ASA Version 8.0(2)


hostname ciscoasa

enable password xxx



interface Ethernet0/0

nameif outside

security-level 0

ip address internet_ip


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd xxx

ftp mode passive

clock timezone mst -7

access-list split_tunnel_list standard permit

access-list inside_nat0_outbound extended permit ip

access-list outside_access_in extended permit tcp any host internet_ip eq www

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnuserspool mask

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

static (inside,outside) tcp interface www www netmask

access-group outside_access_in in interface outside

route outside isp_gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http internet_ip_2 outside

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh scopy enable

ssh internet_ip_2 outside

ssh timeout 60

console timeout 0

dhcpd address inside

dhcpd dns dns_1 dns_2 interface inside

dhcpd enable inside


dhcpd address management

dhcpd enable management


threat-detection basic-threat

threat-detection statistics access-list


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


service-policy global_policy global


enable outside

svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1

svc enable

group-policy vpnuserspolicy internal

group-policy vpnuserspolicy attributes

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

address-pools value vpnuserspool

username admin password xxx encrypted privilege 15

username vpnuser1 password xxx encrypted

username vpnuser1 attributes

vpn-group-policy vpnuserspolicy

prompt hostname context


: end

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
support.edm Tue, 06/24/2008 - 12:24

VPN works. What I want to do is vpning into the device as admin, and then load up ssh or asdm and connect to the device (presumably since that's the inside interface).

I tried:

ssh outside

http outside

but it doesn't work.

smjaggers Tue, 06/24/2008 - 13:02

The best way to do this is to just have a single internal host that can access the SSH/ASDM. Allow RDP(Windows Box) or SSH (*nix box) access to it. This does not give blanket access to a huge range of IP's, much more secure.

But if you do wish to do it the other way, you are going to have to add and entry to your ACL:

access-list outside_access_in extended permit tcp host eq ssh and https


access-list outside_access_in extended permit ip host

You will also need a nat exempt for source destination

hope this helps.

support.edm Wed, 06/25/2008 - 13:44

I did this:

access-list outside_access_in extended permit ip host

access-group outside_access_in in interface outside

ssh inside

nat (outside) 0 access-list outside_access_in

ssh didn't work. Getting

3 Jun 25 2008 15:46:23 710003 TCP access denied by ACL from to outside:


This Discussion