asa 5510 telnet/ssh problem through vpn

fashour
Level 1

I have an ASA 5510 running ver 7.0.7. I have an L2L tunnel connecting to it. I am trying to manage the ASA via ssh or telnet to the inside interface from the L2L remote end and am not able to.

I have the command management-access inside configured, as well as allowing telnet and ssh to the inside from anywhere:

telnet 0 0 inside

ssh 0 0 inside

I am still not able to get to it via ssh or telnet. HTTP and ICMP work fine.

When looking at the encrypts and decrypts for the IPsec SA:

#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64

indicating my telnet or ssh packets are decrypted but not encrypted. The show asp table vpn-context details shows corresponding data:

CBS-ASA-5510# sh asp table vpn-context d

VPN Ctx = 0067441000 [0x04051168]
Peer IP = 2.0.2.105
State = UP
Flags = DECR+ESP
SA = 0x15855031
SPI = 0x875427A6
Group = 0
Pkts = 64
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 1
Rekey Call = 1

VPN Ctx = 0064172784 [0x03D332F0]
Peer IP = 2.0.2.105
State = UP
Flags = ENCR+ESP
SA = 0x1586F4A9
SPI = 0x7989DFA2
Group = 0
Pkts = 26
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 1
Rekey Call = 1

However, in the ASP crypto classifier, I do not see my packets:

out id=0x34f4f80, priority=70, domain=encrypt, deny=false
hits=26, user_data=0x3d332f0, cs_id=0x38a1908, reverse, flags=0x0, protocol=0
src ip=192.168.77.0, mask=255.255.255.0, port=0
dst ip=2.0.2.105, mask=255.255.255.255, port=0

in id=0x3d36ac0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=26, user_data=0x4051168, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=2.0.2.105, mask=255.255.255.255, port=0
dst ip=192.168.77.0, mask=255.255.255.0, port=0

Is this an existing bug or am I missing something?
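As an added example (not part of the original thread), a small parser for the "show asp table vpn-context detail" output quoted above that flags any peer whose ENCR context carried fewer packets than its DECR context, the decrypted-but-never-encrypted asymmetry the post describes. The sample text is constructed from the counters shown in the post; the function names are my own.

```python
import re

# Constructed sample: the two contexts quoted in the post, one DECR+ESP
# (64 packets in) and one ENCR+ESP (26 packets out) for the same peer.
SAMPLE_VPN_CONTEXTS = """\
VPN Ctx = 0067441000 [0x04051168]
Peer IP = 2.0.2.105
State = UP
Flags = DECR+ESP
SA = 0x15855031
SPI = 0x875427A6
Pkts = 64
Bad Pkts = 0
VPN Ctx = 0064172784 [0x03D332F0]
Peer IP = 2.0.2.105
State = UP
Flags = ENCR+ESP
SA = 0x1586F4A9
SPI = 0x7989DFA2
Pkts = 26
Bad Pkts = 0
"""


def parse_vpn_contexts(text):
    """Split the command output into one dict per 'VPN Ctx' block (key -> value)."""
    contexts = []
    for block in re.split(r"(?m)^(?=VPN Ctx = )", text):
        if not block.strip():
            continue
        ctx = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                ctx[key.strip()] = value.strip()
        contexts.append(ctx)
    return contexts


def tunnel_asymmetry(contexts):
    """Return {peer: (decrypted_pkts, encrypted_pkts)} for UP peers whose
    encrypt context saw fewer packets than the decrypt context. That pattern
    means traffic arrived through the tunnel but the replies left the ASA
    in the clear (missing NAT exemption, management-access issue, or a bug)."""
    counts = {}
    for ctx in contexts:
        if ctx.get("State") != "UP":
            continue
        direction = "DECR" if ctx.get("Flags", "").startswith("DECR") else "ENCR"
        per_peer = counts.setdefault(ctx["Peer IP"], {"DECR": 0, "ENCR": 0})
        per_peer[direction] += int(ctx.get("Pkts", "0"))
    return {p: (c["DECR"], c["ENCR"]) for p, c in counts.items() if c["ENCR"] < c["DECR"]}
```

A peer reported here with matching decrypt and encrypt counts would not appear in the result, so an empty dict means the tunnel is symmetric.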

2 Replies

aacole
Level 5

If your packets are being received (decrypted) but not returned, are they exiting the ASA by not getting included in any NAT (0) statement you have configured? If they are not included in a NAT (0) the return packets will bypass encryption.

However, if ICMP and HTTP work to the management address (I'm not sure that is what you meant), then I would expect telnet and ssh to work as well, so long as those protocols are enabled.

Thanks for the input. The issue has been resolved as it was related to a bug:

CSCsj53102

Externally found moderate defect: Verified (V)

SSH/Telnet access through VPN tunnel to management interface not working