Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSH access from remote VPN site

Greetings.

As you can see by the configs, I have a simple two-way VPN tunnel from Virginia (10.10.50.x) to Houston (192.168.40.x). The tunnel is up and all is well. What I'd like to do (but for some reason am unable) is to allow users in Virginia (10.10.50.x) to administer the Houston (192.168.40.1) ASA box via ssh. For some reason I'm missing something because it isn't working.

*I can SSH to the Houston box from the Houston 192.168.40.x LAN so I know SSH does work.

*I've regenerated the keys on at least three occasions in Houston as a troubleshooting technique (crypto key generate rsa modulus 1024)

*From the Virginia site I can telnet to 192.168.40.1 over port 22 so I know SSH is open and accessible. It's just that when I try to launch from Putty that I get "network error: software caused connection abort".

*I've also tried:

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

with no luck at all.

Any thoughts?

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: SSH access from remote VPN site

Because you're actually trying to SSH to the inside interface IP, you'll need...

ssh 10.10.50.0 255.255.255.0 inside

However, if you try to SSH with just that, the log will indicate the connection was dropped by the TCP intercept at the outside interface. Therefore, you also need...

ssh 10.10.50.0 255.255.255.0 outside

However, I have had situations where, after doing this on an ASA 5510 running version 7, it did not work until after I saved the config and rebooted the ASA. Then it worked.

So, put in your SSH lines then save and reboot the ASA. Let me know.

6 REPLIES
Gold

Re: SSH access from remote VPN site

try adding the command "management-access inside"

New Member

Re: SSH access from remote VPN site

Thanks so much for the reply.

I forgot to mention that I'd already tried that command, too, with no luck.

I'll keep digging...

Re: SSH access from remote VPN site

try by removing the inside_acl on the houston ASA. If that works then you need to tweak the ACL.

hth

MS

joe Bronze
Bronze

Re: SSH access from remote VPN site

try simply turning on plain jane telnet

and see if that works-

houston#

telnet 10.10.50.0 255.255.255.0 inside

try telneting from a windows box plain telnet

if this works, switch your ssh client

New Member

Re: SSH access from remote VPN site

Because you're actually trying to SSH to the inside interface IP, you'll need...

ssh 10.10.50.0 255.255.255.0 inside

However, if you try to SSH with just that, the log will indicate the connection was dropped by the TCP intercept at the outside interface. Therefore, you also need...

ssh 10.10.50.0 255.255.255.0 outside

However, I have had situations where, after doing this on an ASA 5510 running version 7, it did not work until after I saved the config and rebooted the ASA. Then it worked.

So, put in your SSH lines then save and reboot the ASA. Let me know.

New Member

Re: SSH access from remote VPN site

BINGO!

As you indicated, it *did* require the reboot in order for it to take place. I added the config statements without the reboot originally and it did not work. But the reboot did it.

It never occurred to me that you'd have to place that subnet on the outside.

Thanks a million, man.

Cheers.

236
Views
0
Helpful
6
Replies