04-30-2010 10:56 AM
I am not able to SSH to the outside interface of the ASA when I log in to the VPN client. I belong to the tech support group. Can you help me? Please let me know if you need additional information. Attached is the config file. Thanks.
04-30-2010 11:43 AM
Try SSH to the inside interface instead.
04-30-2010 11:46 AM
Your 'ssh x.x.x.0 255.255.255.0 Outside' doesn't match your 'ip local pool vpnpool 192.168.101.1-192.168.101.250 mask 255.255.255.0', and since you are VPN'd in you must be getting an IP from that pool?
04-30-2010 01:32 PM
Thanks, both of you. I added "ssh 192.168.101.0 255.255.255.0 Inside". I was able to SSH to the inside interface when I log in to the VPN client.
May I ask you another question? Since I allow the VPN pool to SSH to the ASA, it means all VPN users can SSH to the ASA. Will it create a security issue for the ASA? Would you set it up this way? I want to be able to do administration when I log in to the VPN client. Thanks.
04-30-2010 04:10 PM
Yes, you are correct; this could be considered insecure.
Since you are defining the users locally, why not assign your username a static IP (192.168.1.250) from the IP pool, and be sure to edit the pool to end at .249?
Use the 'vpn-framed-ip-address' command:
" Enter the IP address and the net mask to be assigned to the client"
CiscoASA#1(config-username)# vpn-framed-ip-address ?
username mode commands/options:
A.B.C.D The IP address to be assigned to the client
After taking care of that, change your ssh/http (ASDM) permissions to only allow the single host instead of the range.
Good luck.
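The change suggested in the answer above can be checked offline against a saved configuration. This is an added example, not part of the thread: the config text is constructed, and the user name admin1 and the reserved address 192.168.101.250 are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attachment). The user name
# admin1 and the reserved address 192.168.101.250 are assumptions.
WEAK_CONFIG = """\
ip local pool vpnpool 192.168.101.1-192.168.101.250 mask 255.255.255.0
username admin1 attributes
 vpn-framed-ip-address 192.168.101.250 255.255.255.0
ssh 192.168.101.0 255.255.255.0 Inside
http 192.168.101.250 255.255.255.255 Inside
"""
# Same config with the pool ending at .249 and SSH limited to the single host.
HARDENED_CONFIG = (WEAK_CONFIG.replace(".101.250 mask", ".101.249 mask")
    .replace("ssh 192.168.101.0 255.255.255.0", "ssh 192.168.101.250 255.255.255.255"))

def audit(config):
    """Return findings about management access reachable from VPN pool addresses."""
    pools, static_ips, rules, user = [], {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"username (\S+) attributes", line):
            user = m[1]
        elif m := re.match(r"vpn-framed-ip-address (\S+)", line):
            static_ips[ipaddress.ip_address(m[1])] = user
        elif m := re.match(r"(ssh|http) (\d\S+) (\d\S+) (\S+)", line):
            rules.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[4]))
    findings = []
    for name, first, last in pools:
        for ip, owner in static_ips.items():
            if first <= ip <= last:
                findings.append(f"pool {name} can still hand out {ip}, reserved for {owner}")
        for proto, net, iface in rules:
            # Count dynamically assignable pool addresses that this rule admits.
            exposed = sum(1 for n in range(int(first), int(last) + 1)
                          if ipaddress.ip_address(n) in net
                          and ipaddress.ip_address(n) not in static_ips)
            if exposed:
                findings.append(f"{proto} {net} {iface} admits {exposed} dynamic address(es) from pool {name}")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
```
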