SSH and HTTPS over VPN

Unanswered Question
Aug 12th, 2010

We have a functioning tunnel set up between two ASA5510s.  Traffic passes normally between the two.  Both ASAs are configured for aaa, ssh, and http access.  I can ping the outside ASA address of either ASA from the other ASA, but neither ssh nor ASDM access works from either network to the other ASA.  What do I need to look for in the configuration?  I did not set these up originally and the configurations are rather large.  Thanx!

Nagaraja Thanthry Thu, 08/12/2010 - 15:29
User Badges: Cisco Employee

Hello,


Are you trying to access the outside interface of the firewalls or the inside interface? If you are accessing the inside interface, can you please ensure that you have the following lines on both devices:

management-access inside

Once you have these lines, you will be able to access the inside interface from the other network.


Hope this helps.


Regards,


NT

Jennifer Halim Thu, 08/12/2010 - 15:31
User Badges: Cisco Employee

If you are trying to SSH/HTTPS to the ASA from the LAN-to-LAN VPN tunnel, you would need to SSH/HTTPS to the inside interface of the ASA as I assume that would already be included as part of the interesting traffic (crypto ACL) between the 2 sites.


You would also need to make sure that the remote network subnet where you are trying to SSH/HTTPS from has been configured, i.e.:

ssh inside

http inside


Plus you would also need "management-access inside" on the ASA that you are trying to SSH/HTTPS to.


Hope that helps.

pootboy69 Fri, 08/13/2010 - 06:18

I verified that all of these configurations are in place at both ends of the tunnel.  This is the reason I reached out to this community.  I don't understand what's missing.  Thank you!

Nagaraja Thanthry Fri, 08/13/2010 - 09:15
User Badges: Cisco Employee

Hello,


Can you please post corresponding configurations from both devices?


Regards,


NT

pootboy69 Fri, 08/13/2010 - 09:18

Certainly and I appreciate your time!  But, I will have to clean them both up considerably to maintain confidentiality.  I'll try to work on them today.  Thank you!

pootboy69 Fri, 08/13/2010 - 12:06

Here are the pared down configurations.  I made every effort to retain all settings pertinent to our tunnel and ssh/http access.  Thanks so much for your kind consideration!

Nagaraja Thanthry Fri, 08/13/2010 - 12:25
User Badges: Cisco Employee

Hello,


The commands:

The "http 10.10.30.0 255.255.255.0 inside" command is missing in the Remote firewall configuration.

I also did not find any crypto map match rule in the local firewall (you might have removed it for sanitizing the config).

Can you please check these two things?


Regards,


NT

Nagaraja Thanthry Fri, 08/13/2010 - 12:28
User Badges: Cisco Employee

Hello,


Also, on the remote firewall, the nonat rule seems to be incorrect:

access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96 255.255.255.224

The rule for 10.2.1.0/24 to 10.10.30.0/24 is missing.


Regards,


NT
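An added example, not from this thread or any poster: a small Python checker for the items Jennifer's reply and NT's follow-ups call out (management-access on the inside interface, ssh/http lines that cover the subnet the admin connects from, and the nonat exemption toward that subnet), run against a constructed config fragment. The interface name `inside`, the hostname and the two subnets are assumptions, not values from the posters' configs.

```python
import ipaddress
import re

# Constructed, sanitized config fragment in the thread's style (not a poster's real config).
# Assumed: this ASA's own LAN is 10.2.1.0/24 and the admin connects from 10.10.30.0/24.
SAMPLE_CONFIG = """
hostname remote-asa
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96 255.255.255.224
http server enable
http 10.2.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.2.1.0 255.255.255.0 inside
"""

def _covers(net_str, mask_str, subnet):
    """True if a 'network mask' pair from a config line contains the whole subnet."""
    try:
        allowed = ipaddress.ip_network(f"{net_str}/{mask_str}", strict=False)
    except ValueError:
        return False
    return subnet.subnet_of(allowed)

def check_mgmt_over_vpn(config, admin_subnet, local_subnet, inside_if="inside"):
    """Return the prerequisites missing for SSH/ASDM to this ASA's inside interface
    from admin_subnet on the far side of a LAN-to-LAN tunnel (empty list = all present)."""
    admin = ipaddress.ip_network(admin_subnet)
    local = ipaddress.ip_network(local_subnet)
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if f"management-access {inside_if}" not in lines:
        findings.append(f"missing: management-access {inside_if}")
    if "http server enable" not in lines:
        findings.append("missing: http server enable")
    # ssh/http lines name who may manage the box and on which interface;
    # a 0.0.0.0 0.0.0.0 entry on the inside interface covers any source.
    for proto in ("ssh", "http"):
        pat = re.compile(rf"^{proto} (\S+) (\S+) (\S+)$")
        if not any(m.group(3) == inside_if and _covers(m.group(1), m.group(2), admin)
                   for m in map(pat.match, lines) if m):
            findings.append(f"missing: {proto} {admin.network_address} {admin.netmask} {inside_if}")
    # NAT exemption: local LAN -> admin subnet must be excluded from translation,
    # otherwise the management reply is NATed instead of entering the tunnel.
    nonat = re.compile(r"^access-list nonat extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    if not any(_covers(m.group(1), m.group(2), local) and _covers(m.group(3), m.group(4), admin)
               for m in map(nonat.match, lines) if m):
        findings.append(f"missing: nonat exemption {local} -> {admin}")
    return findings
```

Running `check_mgmt_over_vpn(SAMPLE_CONFIG, "10.10.30.0/24", "10.2.1.0/24")` on the constructed fragment reports the missing management-access line, the missing ssh and http entries for 10.10.30.0/24 on inside, and the missing nonat exemption; the existing `ssh 0.0.0.0 0.0.0.0 outside` line does not count because it is bound to the wrong interface.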

pootboy69 Fri, 08/13/2010 - 12:56

You're right!  Overzealous editing of the config files.  I believe the corrected configs have provided the data you mentioned.  Thanx!

Nagaraja Thanthry Fri, 08/13/2010 - 13:02
User Badges: Cisco Employee

Hello,


Have you tried to SSH/HTTPS from the remote network to your local ASA? On the remote ASA, I still did not find the http configurations for your local network:

http server enable
http 10.2.1.0 255.255.255.0 IN_Corp
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 Out_IAXS
ssh 10.2.1.0 255.255.255.0 IN_Corp

Can you please try adding:

http 0.0.0.0 0.0.0.0 IN_Corp
ssh 0.0.0.0 0.0.0.0 IN_Corp

on the remote ASA and see if that helps.


Regards,


NT

pootboy69 Fri, 08/13/2010 - 13:35

I have confirmed the http commands on the local ASA.  I must have accidentally erased them.  I have also ensured that the recommended ssh commands have been added to the remote ASA.  That's what I find so frustrating.  I still can't ssh from either end nor http from the local network.  I don't have a way to http from the remote end.  It appears that everything is correct for ssh/http access from both sides, but it still won't work.  I've worked with Cisco IOS and CatOS for nearly 20 years, but these ASAs are a bit trickier.  Unfortunately, I never had one, or a PIX, to work with before, as all we ever used were Nokias and Junipers.  Best regards, Wolf

Nagaraja Thanthry Fri, 08/13/2010 - 13:45
User Badges: Cisco Employee

Hello,


Let us try configuring packet capture and see if we can figure out something:

On the local firewall:

access-list cap permit tcp 10.2.1.0 255.255.255.0 interface inside eq ssh
access-list cap permit tcp interface inside eq ssh 10.2.1.0 255.255.255.0

capture capin access-list cap interface inside

On the remote firewall:

access-list cap permit tcp 10.10.30.0 255.255.255.0 interface inside eq ssh
access-list cap permit tcp interface inside eq ssh 10.10.30.0 255.255.255.0

capture capin access-list cap interface inside

Also, let us try the packet-tracer:

On the local firewall:

packet-tracer input inside tcp 10.10.30.101 1024 10.2.1.211 22 detailed

On the remote firewall:

packet-tracer input inside tcp 10.2.1.101 1024 10.10.30.1 22 detailed

Also, can you please post the output of "show version" from both devices?


Regards,


NT

pootboy69 Fri, 08/13/2010 - 14:17

I shall do that, but, unfortunately, it will have to be put off until Monday.  I must tend to the network at the moment.  In the meantime, here are the show version outputs of both.  Thank you!


Regards,


Wolf

rameshwarhiwale Sun, 08/15/2010 - 07:29

Hi Guys,

Not sure, but maybe the following statement will hint at something.

@Local ASA#

"asdm location 10.2.1.0 255.255.255.0 Out_SPWL"

pootboy69 Mon, 08/16/2010 - 07:00

Well, you came up with something there! I changed the command to use the In_Laker interface and started ASDM to the remote's address. After the login screen, ASDM said it was loading, and then the ASDM start splash screen disappeared and nothing else happened. At least we're getting somewhere, but why would that happen? Is it a case of mismatched versions of software? Any additional clues on this issue would be appreciated. I had done some preliminary research which seemed to point to a specific version of Java, but I have since corrected that. Thank you!


Regards,


Wolf

pootboy69 Mon, 08/16/2010 - 08:06

I set up the packet tracer and have attached the output. Unfortunately, the remote OS does not have this capability. I am trying to convince my manager that we need to upgrade the OS and ASDM version so they are at the same revision level as our local ASA. I configured the captures on both machines. Am I supposed to manually start a capture? I've used Wireshark and dedicated sniffers in the past, but I have not used the ASA to capture packets yet. Thanx!


Regards,


Wolf

Eric Boadu Mon, 08/16/2010 - 08:26

Looks like an inside route is necessary.


main site
route inside 10.0.0.0 255.0.0.0 (your LAN switch IP addy) 1
route inside 10.0.0.0 255.0.0.0 10.10.30.x 1

route inside 10.10.250.0 255.255.255.248 (your remote switch IP addy) 1
route inside 10.10.250.0 255.255.255.248 10.2.1.x 1


On Remote site
route inside 10.0.0.0 255.0.0.0 (your LAN switch IP addy) 1
route inside 10.0.0.0 255.0.0.0 10.2.1.x 1

Where does Norlight PPP go to?
Properly enable your http and ssh inside access on both firewalls.

Thx,
Eric
