SSH and HTTP not working after VPN

Unanswered Question
Jul 7th, 2008
ciscoasa(config)# sh run
: Saved

ASA Version 8.0(2)

hostname ciscoasa
enable password xxx

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ext_ip

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.x.x.1

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Ethernet0/3
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd xxx
ftp mode passive
clock timezone mst -6
access-list split_tunnel_list standard permit
access-list inside_nat0_outbound extended permit ip
access-list admin_access_thru_vpn extended permit ip host
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnuserspool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group admin_access_thru_vpn in interface outside
route outside gw_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh inside
ssh inside
ssh timeout 60
console timeout 0
dhcpd address management
dhcpd enable management

dhcpd address inside
dhcpd dns dns_ip_1 dns_ip_2 interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

support.edm Mon, 07/07/2008 - 12:17

service-policy global_policy global
ntp server source outside
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 address-pools value vpnuserspool
username admin password xxx encrypted privilege 15
username admin attributes
 vpn-group-policy vpnuserspolicy
tunnel-group vpnusersgroup type remote-access
tunnel-group vpnusersgroup ipsec-attributes
 pre-shared-key *
prompt hostname context
: end


support.edm Mon, 07/07/2008 - 12:19

After VPNing in, I want to be able to access the inside interface of ASA using ASDM and SSH. I did the following:

ciscoasa(config)# access-list admin_access_thru_vpn extended permit ip host

ciscoasa(config)# access-group admin_access_thru_vpn in interface outside

ciscoasa(config)# http inside

ciscoasa(config)# ssh inside

Getting the below when trying to SSH or ASDM to

3 Jul 07 2008 14:18:24 710003 TCP access denied by ACL from to outside:

3 Jul 07 2008 14:18:58 710003 TCP access denied by ACL from to outside:

Any ideas?

a.alekseev Mon, 07/07/2008 - 14:20
User Badges:
  • Gold, 750 points or more

Try this:

ciscoasa(config)# http outside

ciscoasa(config)# ssh outside

srue Mon, 07/07/2008 - 18:49
User Badges:
  • Blue, 1500 points or more

Try adding the command:

management-access inside
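The two replies above point at the two separate controls that govern to-the-box SSH and ASDM (HTTPS) sessions on the ASA. The interface access-group (`admin_access_thru_vpn` in the posted config) does not decide them; only the per-interface `ssh <net> <mask> <interface>` and `http <net> <mask> <interface>` entries do, and a VPN client whose tunnel terminates on `outside` can only address the `inside` interface at all once `management-access inside` is set. Anything else is refused with the `%ASA-3-710003 TCP access denied by ACL` message the poster saw. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the management-plane lines of a constructed `show run` (addresses from the RFC 5737 documentation ranges, since the original's were elided), applies that simplified model of the ASA's decision, checks that every address in the VPN pool would get in, and flags entries left open to any source, which is the usual over-correction when `ssh 0.0.0.0 0.0.0.0 outside` is added in a hurry.

```python
"""Audit which hosts an ASA will accept SSH / ASDM (HTTP) sessions from.

Simplified model (assumption, based on ASA behaviour described in the thread):
  - a session is admitted only by a matching 'ssh|http <net> <mask> <intf>'
    line for the interface whose address is being targeted;
  - a session arriving on one interface but addressed to another interface's
    address (the VPN case: tunnel on 'outside', target 'inside') additionally
    needs 'management-access <target interface>'.
"""
import ipaddress
import re

# Constructed sample modelled on the thread's config. Addresses are RFC 5737
# documentation ranges, not the original poster's (those were elided).
SAMPLE_CONFIG = """\
hostname ciscoasa
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
ip local pool vpnuserspool 192.0.2.10-192.0.2.50 mask 255.255.255.0
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.0.2.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
"""

RULE_RE = re.compile(
    r"^(?P<svc>ssh|http|telnet)\s+(?P<net>\d+(?:\.\d+){3})\s+"
    r"(?P<mask>\d+(?:\.\d+){3})\s+(?P<intf>\S+)$"
)
POOL_RE = re.compile(
    r"^ip local pool\s+(?P<name>\S+)\s+(?P<first>\d+(?:\.\d+){3})-(?P<last>\d+(?:\.\d+){3})"
)
MGMT_RE = re.compile(r"^management-access\s+(?P<intf>\S+)$")


def parse_config(text):
    """Extract the management-plane pieces of a 'show run' into a dict."""
    cfg = {"rules": [], "pools": {}, "management_access": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RULE_RE.match(line):
            # 'ssh timeout 60' and 'http server enable' do not match this pattern
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            cfg["rules"].append((m["svc"], net, m["intf"]))
        elif m := POOL_RE.match(line):
            cfg["pools"][m["name"]] = (
                ipaddress.ip_address(m["first"]), ipaddress.ip_address(m["last"]))
        elif m := MGMT_RE.match(line):
            cfg["management_access"] = m["intf"]
    return cfg


def management_allowed(cfg, service, src_ip, arrival_if, target_if):
    """Would the ASA accept a <service> session from src_ip that arrives on
    arrival_if and is addressed to the target_if interface address?
    Returns (allowed, reason)."""
    src = ipaddress.ip_address(src_ip)
    if arrival_if != target_if and cfg["management_access"] != target_if:
        return False, (f"no 'management-access {target_if}': sessions arriving on "
                       f"{arrival_if} cannot target the {target_if} address")
    for svc, net, intf in cfg["rules"]:
        if svc == service and intf == target_if and src in net:
            return True, f"permitted by '{svc} {net.network_address} {net.netmask} {intf}'"
    return False, (f"no '{service} <net> <mask> {target_if}' entry covers {src}; "
                   "the ASA logs %ASA-3-710003 TCP access denied by ACL")


def vpn_pool_covered(cfg, pool_name, service, target_if, tunnel_if="outside"):
    """True when every address the VPN pool can hand out is admitted to
    <service> on target_if over a tunnel terminating on tunnel_if."""
    first, last = cfg["pools"][pool_name]
    for n in range(int(first), int(last) + 1):
        ok, _ = management_allowed(cfg, service, str(ipaddress.ip_address(n)),
                                   tunnel_if, target_if)
        if not ok:
            return False
    return True


def audit(cfg):
    """Flag management entries open to any source (a 0.0.0.0 0.0.0.0 mask)."""
    return [
        f"{svc} on {intf} is open to any source (0.0.0.0 0.0.0.0); "
        "scope it to the admin hosts or the VPN pool"
        for svc, net, intf in cfg["rules"] if net.prefixlen == 0
    ]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for svc in ("ssh", "http"):
        print(svc, management_allowed(cfg, svc, "192.0.2.20", "outside", "inside"))
    print("VPN pool covered for ssh:", vpn_pool_covered(cfg, "vpnuserspool", "ssh", "inside"))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Run against the sample as written, a pool address gets SSH and ASDM to the inside address and the audit flags the any-source `ssh ... outside` entry; remove the `management-access inside` line from the sample and the same pool address is refused with the reason naming the missing command, which is the poster's symptom. Whichever of the two fixes from the thread is chosen, the `ssh`/`http` entries that admit the VPN users should name the pool network, not `0.0.0.0 0.0.0.0`.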

