Cisco Support Community
ASA 5510 telnet/ssh access problem

I have an ASA 5510 running ver 7.0.7. I have an L2L tunnel connecting to it. I am trying to manage the ASA via ssh or telnet to the inside interface from the L2L remote end and not able to.

I have the command management-access inside configured as well as allowing telnet and ssh to the inside from any where:

telnet 0 0 inside

ssh 0 0 inside

I am still not able to get to it via ssh or telnet. Http and icmp work fine.

When looking at the encrypts and decrypts for the ipsec sa:

#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64

indicating my telnet or ssh packets are decrypted but not encrypted. The show asp table vpn-context details shows corresponding data:

CBS-ASA-5510# sh asp table vpn-context d

VPN Ctx = 0067441000 [0x04051168]
  Peer IP    = 2.0.2.105
  State      = UP
  Flags      = DECR+ESP
  SA         = 0x15855031
  SPI        = 0x875427A6
  Group      = 0
  Pkts       = 64
  Bad Pkts   = 0
  Bad SPI    = 0
  Spoof      = 0
  Bad Crypto = 0
  Rekey Pkt  = 1
  Rekey Call = 1

VPN Ctx = 0064172784 [0x03D332F0]
  Peer IP    = 2.0.2.105
  State      = UP
  Flags      = ENCR+ESP
  SA         = 0x1586F4A9
  SPI        = 0x7989DFA2
  Group      = 0
  Pkts       = 26
  Bad Pkts   = 0
  Bad SPI    = 0
  Spoof      = 0
  Bad Crypto = 0
  Rekey Pkt  = 1
  Rekey Call = 1

However in the asp crypto classifier, I do not see my packets:

out id=0x34f4f80, priority=70, domain=encrypt, deny=false
    hits=26, user_data=0x3d332f0, cs_id=0x38a1908, reverse, flags=0x0, protocol=0
    src ip=192.168.77.0, mask=255.255.255.0, port=0
    dst ip=2.0.2.105, mask=255.255.255.255, port=0

in id=0x3d36ac0, priority=69, domain=ipsec-tunnel-flow, deny=false
    hits=26, user_data=0x4051168, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=2.0.2.105, mask=255.255.255.255, port=0
    dst ip=192.168.77.0, mask=255.255.255.0, port=0

Is this an existing bug or am I missing something?
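The two counters the poster compares (packets decrypted for a peer versus packets encrypted back to it) can be pulled out of the "show asp table vpn-context detail" dump automatically. The parser below is an added example, not code from the original post or from Cisco; it works on a constructed sample modelled on the dump above and flags any peer whose decrypted count exceeds its encrypted count, which is a coarse heuristic for the "request arrives, reply never leaves" symptom described here (assumed field names follow the dump exactly).

```python
import re

# Constructed sample of "show asp table vpn-context detail" output, modelled on
# the dump in the post (same fields; values are illustrative, not captured data).
VPN_CONTEXT_SAMPLE = """\
VPN Ctx = 0067441000 [0x04051168]
Peer IP = 2.0.2.105
State = UP
Flags = DECR+ESP
SA = 0x15855031
SPI = 0x875427A6
Pkts = 64
Bad Pkts = 0
VPN Ctx = 0064172784 [0x03D332F0]
Peer IP = 2.0.2.105
State = UP
Flags = ENCR+ESP
SA = 0x1586F4A9
SPI = 0x7989DFA2
Pkts = 26
Bad Pkts = 0
"""

# One "Key = value" field per line; the value is the first whitespace-free token.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(\S+)")


def parse_vpn_contexts(text):
    """Split the dump into one dict per 'VPN Ctx' block, keyed by field name."""
    contexts, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "VPN Ctx":          # a new context starts here
            current = {"ctx": value}
            contexts.append(current)
        elif current is not None:
            current[key] = value
    return contexts


def find_asymmetric_peers(contexts):
    """Return {peer: (encrypted_pkts, decrypted_pkts)} for peers where more
    packets were decrypted (inbound) than encrypted (outbound)."""
    counters = {}
    for ctx in contexts:
        peer = ctx.get("Peer IP")
        direction = "encr" if "ENCR" in ctx.get("Flags", "") else "decr"
        counters.setdefault(peer, {"encr": 0, "decr": 0})[direction] += int(ctx.get("Pkts", 0))
    return {p: (c["encr"], c["decr"]) for p, c in counters.items() if c["decr"] > c["encr"]}
```

A one-way imbalance by itself only says replies are not being encrypted toward that peer; the asp crypto classifier counters in the post are the next place to confirm whether the reply traffic ever reached the encrypt domain.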

4 REPLIES

Re: ASA 5510 telnet/ssh access problem

Make sure you have this statement in the fw:

management-access

i.e. for interface name inside:

fw(config)#management-access inside

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1578189

Rgds

Jorge


Re: ASA 5510 telnet/ssh access problem

It is there:

management-access inside

https access to the inside interface works.

Re: ASA 5510 telnet/ssh access problem

Sorry, I read your post too fast. I have to say it could be the bug described here; even though you can ping fine, telnet and ssh are affected by this bug, which is an open caveat in 7.0.7.

Bug details: CSCej04099

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCej04099

Open in 7.0.7:

http://www.cisco.com/en/US/customer/docs/security/asa/asa70/release/notes/rn707.html#wp339364


Re: ASA 5510 telnet/ssh access problem

Thank you for the response. I was looking into the bug and I am not sure if it applies, as there is no static that includes the inside interface address and it is included in the nat 0. Upon further searching in the bug kit, I actually found the bug that must be a match:

CSCsj53102

SSH/Telnet access through VPN tunnel to management interface not working

Thank you very much for the input.
