09-03-2008 02:29 PM
I have an ASA 5510 running version 7.0.7. I have an L2L tunnel connecting to it. I am trying to manage the ASA via ssh or telnet to the inside interface from the L2L remote end and am not able to.
I have the command management-access inside configured, as well as allowing telnet and ssh to the inside from anywhere:
telnet 0 0 inside
ssh 0 0 inside
I am still not able to get to it via ssh or telnet. HTTP and ICMP work fine.
When looking at the encrypts and decrypts for the ipsec sa:
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64
indicating my telnet or ssh packets are decrypted but not encrypted. The show asp table vpn-context detail output shows corresponding data:
CBS-ASA-5510# sh asp table vpn-context d
VPN Ctx = 0067441000 [0x04051168]
Peer IP = 2.0.2.105
State = UP
Flags = DECR+ESP
SA = 0x15855031
SPI = 0x875427A6
Group = 0
Pkts = 64
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 1
Rekey Call = 1
VPN Ctx = 0064172784 [0x03D332F0]
Peer IP = 2.0.2.105
State = UP
Flags = ENCR+ESP
SA = 0x1586F4A9
SPI = 0x7989DFA2
Group = 0
Pkts = 26
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 1
Rekey Call = 1
However in the asp crypto classifier, I do not see my packets:
out id=0x34f4f80, priority=70, domain=encrypt, deny=false
hits=26, user_data=0x3d332f0, cs_id=0x38a1908, reverse, flags=0x0, protocol=0
src ip=192.168.77.0, mask=255.255.255.0, port=0
dst ip=2.0.2.105, mask=255.255.255.255, port=0
in id=0x3d36ac0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=26, user_data=0x4051168, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=2.0.2.105, mask=255.255.255.255, port=0
dst ip=192.168.77.0, mask=255.255.255.0, port=0
Is this an existing bug or am I missing something?
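The one-way symptom above (64 packets decrypted, 26 encrypted for the same peer) is easy to spot by hand on one tunnel but tedious across many. The following script is an added example, not part of this thread or any Cisco tool: it parses text in the layout of the "show asp table vpn-context detail" output pasted above (a constructed, shortened sample is embedded) and flags peers whose DECR context has seen far more packets than the matching ENCR context.

```python
from collections import defaultdict

# Constructed sample modelled on the vpn-context output in the post (some fields omitted).
SAMPLE = """\
VPN Ctx = 0067441000 [0x04051168]
Peer IP = 2.0.2.105
State = UP
Flags = DECR+ESP
SPI = 0x875427A6
Pkts = 64
Bad Pkts = 0
Bad Crypto = 0
VPN Ctx = 0064172784 [0x03D332F0]
Peer IP = 2.0.2.105
State = UP
Flags = ENCR+ESP
SPI = 0x7989DFA2
Pkts = 26
Bad Pkts = 0
Bad Crypto = 0
"""


def parse_vpn_contexts(text):
    """Split 'key = value' lines into one dict per 'VPN Ctx =' block."""
    contexts = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "VPN Ctx":
            contexts.append({})
        if contexts:
            contexts[-1][key] = value
    return contexts


def find_asymmetric_peers(text, ratio=2.0):
    """Return {peer: {'DECR': n, 'ENCR': m}} for peers where inbound (DECR)
    packets outnumber outbound (ENCR) packets by at least `ratio`, or where
    nothing has been encrypted at all. That pattern means traffic arrives
    through the tunnel but the replies are not being sent back through it."""
    counts = defaultdict(lambda: {"DECR": 0, "ENCR": 0})
    for ctx in parse_vpn_contexts(text):
        direction = ctx["Flags"].split("+")[0]  # 'DECR' or 'ENCR'
        counts[ctx["Peer IP"]][direction] += int(ctx["Pkts"])
    return {peer: c for peer, c in counts.items()
            if c["ENCR"] == 0 or c["DECR"] / c["ENCR"] >= ratio}


if __name__ == "__main__":
    for peer, c in find_asymmetric_peers(SAMPLE).items():
        print(f"{peer}: decrypted={c['DECR']} encrypted={c['ENCR']} (one-way traffic suspected)")
```

A flagged peer is a prompt to check the crypto ACL, NAT exemption and management-access configuration for the return path, not proof of a defect by itself.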
09-04-2008 05:02 AM
If your packets are being received (decrypted) but not returned, are they exiting the ASA by not getting included in any NAT (0) statement you have configured? If they are not included in a NAT (0) the return packets will bypass encryption.
However, if ICMP and HTTP work to the management address (I'm not sure that is what you meant), then I would expect telnet and ssh to work as well, so long as those protocols are enabled.
09-04-2008 06:21 AM
Thanks for the input. The issue has been resolved as it was related to a bug:
CSCsj53102
Externally found moderate defect: Verified (V)
SSH/Telnet access through VPN tunnel to management interface not working