Site-to-Site VPN Issue

Answered Question
Aug 3rd, 2010

We have a pair of ASA5510s with a VPN tunnel that connects the local networks at each location.  Tunnel traffic passes fine, but I cannot ssh or http from my location to the other.  Http and ssh access is configured correctly as I can browse to it from a "real" outside IP address.  I CAN ssh to hosts inside the remote network.  I have no way to open an http session from the remote end back here, so I can't test that.  Thanx!

JORGE RODRIGUEZ Tue, 08/03/2010 - 15:41

If you are referring to managing each end firewall using ssh/https through the IPsec tunnel, you need two statements for that; if I have misunderstood please correct me.

management-access mgmt_if

and allow ssh/https for the host that will access the security appliance:

ssh

Generally for devices like the ASA5505 that do not have a specific management interface like the 5510's, you would have something like this:

Assuming Site1-asa local LAN 172.16.1.0/24, and Site2-asa local LAN 192.168.1.0/24, both nets are allowed as your encryption domain.

Site1-asa

management-access inside

ssh 192.168.1.0 255.255.255.0 inside  (This is the remote end network)

http 192.168.1.0 255.255.255.0 inside  (same as above for ssh)

Site2-asa

management-access inside

ssh 172.16.1.0 255.255.255.0 inside  (This is the remote end network)

http 172.16.1.0 255.255.255.0 inside  (same as above for ssh, and the interface definition should be inside)

As for the ASA5510, if you have management0/0 defined as your management interface, use the example above replacing your management interface in the management-access statement.

If this is not  your issue please let us know

Some guidelines

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

Regards
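The two statements from the post laid out as a complete pair of configurations, with the show commands used to confirm they took effect; this is an added example, not configuration from the thread. It assumes the LANs given above (172.16.1.0/24 at Site1, 192.168.1.0/24 at Site2), hypothetical inside addresses 172.16.1.1 and 192.168.1.1, a hypothetical local user with a placeholder password, and that both LANs are already in the crypto ACL (encryption domain) on each side.

```cisco
! Site1-asa: management reachable through the tunnel from Site2's LAN only
! (inside address 172.16.1.1 and interface name are hypothetical)
hostname Site1-asa
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! Let management traffic arriving through the VPN terminate on "inside"
management-access inside
!
! SSH server: RSA key pair, SSHv2 only, local user for login
crypto key generate rsa modulus 2048
ssh version 2
username vpnadmin password <PLACEHOLDER-PASSWORD> privilege 15
aaa authentication ssh console LOCAL
!
! Restrict SSH and ASDM/https to the remote site's LAN on the
! management-access interface (not to "outside", not to "any")
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Permit the ping test proposed later in the thread from the remote LAN
icmp permit 192.168.1.0 255.255.255.0 inside
!
! Site2-asa: mirror image, referencing Site1's LAN
hostname Site2-asa
management-access inside
ssh 172.16.1.0 255.255.255.0 inside
http server enable
http 172.16.1.0 255.255.255.0 inside
icmp permit 172.16.1.0 255.255.255.0 inside
!
! Verification on either ASA: the statements are present, the IPsec SA
! for the two LANs exists, and nothing is being dropped by the box
show running-config management-access
show running-config ssh
show running-config http
show crypto ipsec sa
show ssh sessions
show asp drop
```

If `show running-config ssh` on the far end lists only the local LAN, SSH from across the tunnel will time out exactly as described, since the remote LAN must appear in that ASA's own ssh statement.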

pootboy69 Wed, 08/04/2010 - 07:17

Thanx!  Implementing these commands allowed me http access to the remote site, but, when I browse to it and load the Java Applet, the window opens and hangs at "Please wait . . . main window is coming up" and the progress bar sits at 100% and seems to flicker.  I have added the site as a trusted site and installed the certificate.  Any clues?  Thanx!

JORGE RODRIGUEZ Wed, 08/04/2010 - 07:54

What version of Java are you using on the PC, and what version of ASDM does the ASA you are connecting to have?

Is your ssh now ok?

Regards

pootboy69 Wed, 08/04/2010 - 08:22

I have ASDM-507 on the remote 5510.  Ssh still does not work to that machine.  It times out.  I'm running Windows 7 with Java version 6, update 20.  When I https to the machine and try to download ASDM instead of running the Java app, it appears to download ok.  When I try to start it, it appears to load and then disappears, leaving a task running in my system.  I CAN run ASDM to either of the ASAs on the local network just fine.

Correct Answer
JORGE RODRIGUEZ Wed, 08/04/2010 - 15:40

Hi Wolfgang, I think I am misunderstanding your post, apologies for that.  Perhaps we should clarify!

In your original post:

"Tunnel traffic passes fine, but I cannot ssh or http from my location to the other, Http and ssh access is configured correctly as I can browse to it from a "real" outside IP address."

To what host are you trying to connect?  Are you trying to https/ssh to the far end firewall for management through the tunnel, or is it that you are trying to ssh/https to a host server/PC?

Could you clarify the above?

pootboy69 Thu, 08/05/2010 - 05:55

To the contrary, you are not misunderstanding it at all and I sincerely appreciate your help!  I am trying to ssh and ASDM from our inside network to the inside address of a remote ASA5510 in our network, to which we have a fully operational tunnel.  An ssh connection simply times out.  When I open up an ASDM session to the remote ASA, it appears to load and then, simply vanishes.  A process remains in Windows, but does nothing.  If I try to connect via https and select the Java applet, it seems to load, but then hangs with "Please wait . . . main window is coming up" and the blue bar shows 100%.  It stays there without ever bringing up the ASDM screen.  I have applied all the changes suggested by you previously, to both ASAs.  Thank you for your continued assistance!

Nagaraja Thanthry Thu, 08/05/2010 - 06:04

Hello,

To verify that the connectivity is there, can you try to ping the IP and then try to telnet instead of ssh (you need to enable telnet)? If that part works, then we know for sure that the management traffic is flowing across the tunnel.

Hope this helps.

Regards,

NT

pootboy69 Thu, 08/05/2010 - 06:20

I am able to ping the inside address of the remote ASA, but, after configuring the remote ASA to allow telnet access,  I cannot telnet to the inside interface, which has been designated the management interface.  The attempt times out.

pootboy69 Fri, 08/06/2010 - 06:01

Hi,

Yes, I did enter that when I created the telnet test configuration.  Here's some more information:

1.  I can ping the remote ASA and an inside host from my host.

2.  I cannot ping my host, nor the inside address of my ASA, from the remote inside host.

3.  I can ping the outside address of my ASA from the remote inside host.

4.  I cannot SSH or http to the inside address of my ASA from the remote inside host.

5.  I cannot ssh nor http to either the inside or the outside address of the remote ASA.

6.  The tunnel works just fine for all other traffic.

Hope this information helps lead to something.  I'm drawing a blank.. I have examined the access rules on both ends and everything looks to allow all ip traffic from either network to the other network.

Thanks for your help!

Regards,  Wolf
