Unable to SSH

Unanswered Question
Apr 30th, 2010

I am not able to SSH to the outside interface of the ASA when I log in to the VPN client. I belong to the tech support group. Can you help me? Please let me know if you need additional information. Attached is the config file. Thanks.

Paul Carco Fri, 04/30/2010 - 11:46

Your 'ssh x.x.x.0 255.255.255.0 Outside' doesn't match your 'ip local pool vpnpool 192.168.101.1-192.168.101.250 mask 255.255.255.0', and since you are VPN'd in you must be getting an IP from that pool?

laurabolda Fri, 04/30/2010 - 13:32

Thanks, both of you. I added "ssh 192.168.101.0 255.255.255.0 Inside". I was able to SSH to the inside interface when I logged in to the VPN client.

May I ask you another question? Since I allow the VPN pool to SSH to the ASA, it means all VPN users can SSH to the ASA. Will it create a security issue for the ASA? Would you set it up this way? I want to be able to do administration when I log in to the VPN client. Thanks.

Paul Carco Fri, 04/30/2010 - 16:10

Yes, you are correct this could be considered insecure.

Since you are defining the users locally, why not assign your username a static IP (192.168.1.250) from the IP pool, and be sure to edit the pool to end at .249.

Use the 'vpn-framed-ip-address' command:

"Enter the IP address and the net mask to be assigned to the client"

CiscoASA#1(config-username)# vpn-framed-ip-address ?

username mode commands/options:
  A.B.C.D  The IP address to be assigned to the client

After taking care of that, change your ssh/http (ASDM) permissions to only allow the single host instead of the range.

Good luck.
