Site-to-Site VPN Issue

Answered Question
Aug 3rd, 2010
User Badges:

We have a pair of ASA5510s with a VPN tunnel that connects the local networks at each location.  Tunnel traffic passes fine, but I cannot ssh or http from my location to the other.  Http and ssh access is configured correctly as I can browse to it from a "real" outside IP address.  I CAN ssh to hosts inside the remote network.  I have no way to open an http session from the remote end back here, so I can't test that.  Thanx!

JORGE RODRIGUEZ Tue, 08/03/2010 - 15:41
User Badges:
  • Green, 3000 points or more

If you are referring to managing each end firewall using ssh/https through the IPsec tunnel, you need two statements for that; if I have misunderstood please correct me.


management-access mgmt_if 


and allow ssh/https for the host that will access the security appliance


ssh


generally, for devices like the asa5505 that do not have a specific management interface like the 5510's, you would have something like this:


assuming Site1-asa local LAN 172.16.1.0/24 and Site2-asa local LAN 192.168.1.0/24, and both nets are allowed in your encryption domain


Site1-asa

management-access inside

ssh 192.168.1.0 255.255.255.0 inside  (This is remote end network )

http 192.168.1.0 255.255.255.0 inside ( same as above for ssh)


Site2-asa

management-access inside

ssh 172.16.1.0  255.255.255.0 inside  (This is remote end network )

http 172.16.1.0 255.255.255.0 inside  ( same as above for ssh, and interface definition  should be inside )


As for the ASA5510, if you have management0/0 defined as your management interface, use the example above replacing your management interface in the management-access statement.


If this is not  your issue please let us know


Some guidelines

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985



Regards
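
The following is an added example, not Jorge's configuration or Cisco's tooling: a small Python checker for the two pieces the answer above describes. Given a running-config excerpt for one ASA, it confirms that management-access names the expected interface and that ssh and http entries permit the peer site's LAN on that same interface, and it flags any-source (0.0.0.0 0.0.0.0) management entries like the telnet test line suggested later in the thread, since a test entry of that kind should not outlive the test. The two configuration excerpts are constructed for the example using the thread's 172.16.1.0/24 and 192.168.1.0/24 addressing; the function names are the example's own.

```python
"""
Added example (not from the thread): checks an ASA running-config excerpt for
  * management-access on the expected interface,
  * ssh and http entries permitting the peer LAN on that interface,
and flags any-source (0.0.0.0 0.0.0.0) management entries.
All sample configs below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Matches lines like "ssh 192.168.1.0 255.255.255.0 inside".
# "http server enable" has no dotted addresses, so it does not match.
MGMT_LINE = re.compile(
    r"^(ssh|http|telnet)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)

# Constructed Site1-asa excerpt following the thread's addressing
# (local LAN 172.16.1.0/24, peer LAN 192.168.1.0/24), plus a telnet test entry.
SITE1_CONFIG = """\
hostname Site1-asa
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
management-access inside
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""

# Constructed Site2-asa excerpt with the mistake the answer warns about:
# the peer LAN is permitted on "outside" rather than on the management
# interface, and the management-access statement is missing entirely.
SITE2_CONFIG_BROKEN = """\
hostname Site2-asa
ssh 172.16.1.0 255.255.255.0 outside
http server enable
http 172.16.1.0 255.255.255.0 outside
"""


def parse_mgmt_entries(config: str) -> Dict[str, List[Tuple[ipaddress.IPv4Network, str]]]:
    """Collect ssh/http/telnet permit lines as (network, interface) per protocol."""
    entries: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {"ssh": [], "http": [], "telnet": []}
    for raw in config.splitlines():
        m = MGMT_LINE.match(raw.strip())
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        # ipaddress accepts a dotted netmask after the slash.
        entries[proto].append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), ifname))
    return entries


def management_access_interface(config: str) -> Optional[str]:
    """Return the interface named by 'management-access <if>', or None if absent."""
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "management-access":
            return parts[1]
    return None


def check_site(config: str, peer_lan: str, mgmt_if: str) -> Dict[str, object]:
    """Evaluate one ASA's config against the peer LAN that should reach it over the tunnel."""
    peer = ipaddress.ip_network(peer_lan)
    entries = parse_mgmt_entries(config)

    def allows_peer(proto: str) -> bool:
        # The peer LAN must fall inside a permitted network on the management interface.
        return any(peer.subnet_of(net) and ifname == mgmt_if for net, ifname in entries[proto])

    any_source = [
        (proto, ifname)
        for proto, lst in entries.items()
        for net, ifname in lst
        if net.prefixlen == 0  # 0.0.0.0 0.0.0.0: every source address is permitted
    ]
    return {
        "management_access_ok": management_access_interface(config) == mgmt_if,
        "ssh_allows_peer": allows_peer("ssh"),
        "http_allows_peer": allows_peer("http"),
        "any_source_entries": any_source,
    }


if __name__ == "__main__":
    for name, cfg, peer in (("Site1-asa", SITE1_CONFIG, "192.168.1.0/24"),
                            ("Site2-asa", SITE2_CONFIG_BROKEN, "172.16.1.0/24")):
        print(name, check_site(cfg, peer, "inside"))
```

Run it against a pasted `show running-config` excerpt with the peer LAN and management interface for that box; the checker only looks at the management statements, so the peer LAN still has to be inside the crypto ACL on both ends, as the answer above assumes.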

pootboy69 Wed, 08/04/2010 - 07:17
User Badges:

Thanx!  Implementing these commands allowed me http access to the remote site, but, when I browse to it and load the Java Applet, the window opens and hangs at "Please wait . . . main window is coming up" and the progress bar sits at 100% and seems to flicker.  I have added the site as a trusted site and installed the certificate.  Any clues?  Thanx!

JORGE RODRIGUEZ Wed, 08/04/2010 - 07:54
User Badges:
  • Green, 3000 points or more

What version of Java are you using on the PC, and what version of ASDM does the ASA you are connecting to have?


Is your ssh now ok?



Regards

pootboy69 Wed, 08/04/2010 - 08:22
User Badges:

I have ASDM-507 on the remote 5510.  Ssh still does not work to that machine.  It times out.  I'm running Windows 7 with Java version 6, update 20.  When I https to the machine and try to download ASDM instead of running the Java app, it appears to download ok.  When I try to start it, it appears to load and then disappears, leaving a task running in my system.  I CAN run ASDM to either of the ASAs on the local network just fine.

Correct Answer
JORGE RODRIGUEZ Wed, 08/04/2010 - 15:40
User Badges:
  • Green, 3000 points or more

Hi Wolfgang,  I think I am misunderstanding your post, apologies for that .. perhaps we should clarify!


in your original post..

"Tunnel traffic passes fine, but I cannot ssh or http from my location to the other, Http and ssh access is configured correctly as I can browse to it from a "real" outside IP address."


To what host are you trying to connect ?  are you trying to https/ssh to the far end firewall  for management through  the tunnel? or is it that you are  trying to ssh/https to a Host Server/PC?


Could you clarify the above

pootboy69 Thu, 08/05/2010 - 05:55
User Badges:

To the contrary, you are not misunderstanding it at all and I sincerely appreciate your help!  I am trying to ssh and ASDM from our inside network to the inside address of a remote ASA5510 in our network, to which we have a fully operational tunnel.  An ssh connection simply times out.  When I open up an ASDM session to the remote ASA, it appears to load and then, simply vanishes.  A process remains in Windows, but does nothing.  If I try to connect via https and select the Java applet, it seems to load, but then hangs with "Please wait . . . main window is coming up" and the blue bar shows 100%.  It stays there without ever bringing up the ASDM screen.  I have applied all the changes suggested by you previously, to both ASAs.  Thank you for your continued assistance!

Nagaraja Thanthry Thu, 08/05/2010 - 06:04
User Badges:
  • Cisco Employee,

Hello,


To verify that the connectivity is there, can you try to ping the IP and then try to telnet instead of ssh (you need to enable telnet)? If that part works, then we know for sure that the management traffic is flowing across the tunnel.


Hope this helps.


Regards,


NT

pootboy69 Thu, 08/05/2010 - 06:20
User Badges:

I am able to ping the inside address of the remote ASA, but, after configuring the remote ASA to allow telnet access,  I cannot telnet to the inside interface, which has been designated the management interface.  The attempt times out.

Nagaraja Thanthry Thu, 08/05/2010 - 16:50
User Badges:
  • Cisco Employee,

Hello,


Do you have "telnet 0.0.0.0 0.0.0.0 inside" in the configuration?


Regards,


NT

pootboy69 Fri, 08/06/2010 - 06:01
User Badges:

Hi,


Yes, I did enter that when I created the telnet test configuration.  Here's some more information:

     1.  I can ping the remote ASA and an inside host from my host.

     2.  I cannot ping my host, nor the inside address of my ASA from the remote inside host.

     3.  I can ping the outside address of my ASA from the remote inside host.

     4.  I cannot SSH or http to the inside address of my ASA from the remote inside host.

     5.  I cannot ssh nor http to either the inside nor the outside address of the remote ASA.

     6.  The tunnel works just fine for all other traffic.


Hope this information helps lead to something.  I'm drawing a blank.  I have examined the access rules on both ends and everything looks to allow all ip traffic from either network to the other network.


Thanks for your help!


Regards,  Wolf
