Community Member

SSH and HTTPS over VPN

We have a functioning tunnel set up between two ASA5510s.  Traffic passes normally between the two.  Both ASAs are configured for aaa, ssh, and http access.  I can ping the outside ASA address of either ASA from the other ASA, but neither ssh nor ASDM access works from either network to the other ASA.  What do I need to look for in the configuration?  I did not set these up originally and the configurations are rather large.  Thanks!

17 REPLIES
Cisco Employee

Re: SSH and HTTPS over VPN

Hello,

Are you trying to access the outside interface of the firewalls or the inside interface? If you are accessing the inside interface, can you please ensure that you have the following line on both devices:

management-access inside

Once you have this line, you will be able to access the inside interface from the other network.

Hope this helps.

Regards,

NT

Cisco Employee

Re: SSH and HTTPS over VPN

If you are trying to SSH/HTTPS to the ASA from the LAN-to-LAN VPN tunnel, you would need to SSH/HTTPS to the inside interface of the ASA as I assume that would already be included as part of the interesting traffic (crypto ACL) between the 2 sites.

You would also need to make sure that the remote network subnet where you are trying to SSH/HTTPS from has been configured, i.e.:

ssh inside

http inside

Plus you would also need "management-access inside" on the ASA that you are trying to SSH/HTTPS to.

Hope that helps.

Community Member

Re: SSH and HTTPS over VPN

I verified that all of these configurations are in place at both ends of the tunnel.  This is the reason I reached out to this community.  I don't understand what's missing.  Thank you!

Cisco Employee

Re: SSH and HTTPS over VPN

Hello,

Can you please post corresponding configurations from both devices?

Regards,

NT

Community Member

Re: SSH and HTTPS over VPN

Certainly and I appreciate your time!  But, I will have to clean them both up considerably to maintain confidentiality.  I'll try to work on them today.  Thank you!

Community Member

Re: SSH and HTTPS over VPN

Here are the pared down configurations.  I made every effort to retain all settings pertinent to our tunnel and ssh/http access.  Thanks so much for your kind consideration!

Cisco Employee

Re: SSH and HTTPS over VPN

Hello,

The command "http 10.10.30.0 255.255.255.0 inside" is missing in the remote firewall configuration.

I also did not find any crypto map match rule in the local firewall (you might have removed it for sanitizing the config).

Can you please check these two things?

Regards,

NT

Cisco Employee

Re: SSH and HTTPS over VPN

Hello,

Also, on the remote firewall, the nonat rule seems to be incorrect:

access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96 255.255.255.224

The rule for 10.2.1.0/24 to 10.10.30.0/24 is missing.

Regards,

NT
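As an added example, and not code from this thread or from Cisco, here is a small Python script that checks a sanitized pre-8.3 ASA configuration for the items the two replies above call out: "management-access" on the inside interface, "ssh" and "http" statements on that interface that cover the peer site's LAN, "http server enable", and a "nat (inside) 0 access-list" ACE from the local LAN to the peer LAN. The sample configuration is constructed from the sanitized lines posted in this thread (interface IN_Corp as the remote ASA's inside, local LAN 10.2.1.0/24, peer LAN 10.10.30.0/24); the function names, the message strings and the "before/after" split are assumptions of this example. Requires Python 3.7 or newer for ipaddress.subnet_of().

```python
"""Audit a sanitized ASA config (pre-8.3 NAT syntax) for SSH/ASDM access to the
inside interface from a LAN-to-LAN VPN peer.  Constructed example, not the
thread's or Cisco's code."""
import ipaddress


def _ace_addr(tokens, i):
    """Parse one ASA ACE address at tokens[i]: 'any' | 'host A' | 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa_config(text):
    """Pull out only the statements the audit needs."""
    cfg = {"management_access": set(), "http_server": False,
           "ssh": [], "http": [], "nat0": {}, "acl": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "management-access" and len(t) == 2:
            cfg["management_access"].add(t[1])
        elif t[:3] == ["http", "server", "enable"]:
            cfg["http_server"] = True
        elif t[0] in ("ssh", "http") and len(t) == 4:
            try:  # skip 'ssh timeout 5', 'ssh version 2', 'http redirect ...'
                net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            except ValueError:
                continue
            cfg[t[0]].append((net, t[3]))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]   # nat (IN_Corp) 0 access-list nonat
        elif t[0] == "access-list" and "permit" in t:
            p = t.index("permit")
            if len(t) > p + 1 and t[p + 1] == "ip":  # only 'permit ip SRC DST' ACEs
                try:
                    src, j = _ace_addr(t, p + 2)
                    dst, _ = _ace_addr(t, j)
                except (ValueError, IndexError):
                    continue
                cfg["acl"].setdefault(t[1], []).append((src, dst))
    return cfg


def audit_vpn_management(text, inside, local_net, peer_net):
    """Return 'missing: ...' / 'warning: ...' findings; an empty list means OK."""
    cfg = parse_asa_config(text)
    local, peer = ipaddress.ip_network(local_net), ipaddress.ip_network(peer_net)
    out = []
    if inside not in cfg["management_access"]:
        out.append(f"missing: management-access {inside}")
    for svc in ("ssh", "http"):  # peer LAN must be an allowed source on inside
        if not any(iface == inside and peer.subnet_of(net) for net, iface in cfg[svc]):
            out.append(f"missing: {svc} {peer.network_address} {peer.netmask} {inside}")
    if not cfg["http_server"]:
        out.append("missing: http server enable")
    acl = cfg["nat0"].get(inside)  # replies must bypass NAT to match the crypto ACL
    if acl is None:
        out.append(f"missing: nat ({inside}) 0 access-list <nonat-acl>")
    elif not any(local.subnet_of(s) and peer.subnet_of(d) for s, d in cfg["acl"].get(acl, [])):
        out.append(f"missing: access-list {acl} extended permit ip "
                   f"{local.network_address} {local.netmask} {peer.network_address} {peer.netmask}")
    for svc in ("ssh", "http"):  # caveat: management open to the world on another interface
        for net, iface in cfg[svc]:
            if net.prefixlen == 0 and iface != inside:
                out.append(f"warning: {svc} open to any source on {iface}")
    return out


# Constructed sample modelled on the thread's sanitized remote ASA: IN_Corp is
# its inside interface (10.2.1.0/24); the peer LAN is 10.10.30.0/24.
REMOTE_BEFORE = """\
nat (IN_Corp) 0 access-list nonat
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96 255.255.255.224
http server enable
http 10.2.1.0 255.255.255.0 IN_Corp
ssh 0.0.0.0 0.0.0.0 Out_IAXS
ssh 10.2.1.0 255.255.255.0 IN_Corp
ssh timeout 5
management-access IN_Corp
"""
REMOTE_AFTER = REMOTE_BEFORE + """\
access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.30.0 255.255.255.0
http 10.10.30.0 255.255.255.0 IN_Corp
ssh 10.10.30.0 255.255.255.0 IN_Corp
"""

if __name__ == "__main__":
    for label, conf in (("before", REMOTE_BEFORE), ("after", REMOTE_AFTER)):
        print(label)
        for finding in audit_vpn_management(conf, "IN_Corp", "10.2.1.0/24", "10.10.30.0/24"):
            print("  " + finding)
```

Paste the output of "show running-config" into the text and run it once per ASA, with "inside" set to that ASA's own inside interface name, the local LAN set to that ASA's own subnet and the peer LAN set to the other site's subnet. The "warning" finding is there because the sanitized remote config in this thread carries "ssh 0.0.0.0 0.0.0.0 Out_IAXS", which allows SSH to the outside interface from any address on the Internet; restricting that line to known management sources is a separate fix from the tunnel problem, but it is worth doing while you are in the config.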

Community Member

Re: SSH and HTTPS over VPN

You're right!  Overzealous editing of the config files.  I believe the corrected configs have provided the data you mentioned.  Thanks!

Cisco Employee

Re: SSH and HTTPS over VPN

Hello,

Have you tried to SSH/HTTPS from the remote network to your local ASA? On the remote ASA, I still did not find the http configurations for your local network:

http server enable
http 10.2.1.0 255.255.255.0 IN_Corp
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 Out_IAXS
ssh 10.2.1.0 255.255.255.0 IN_Corp

Can you please try adding:

http 0.0.0.0 0.0.0.0 IN_Corp
ssh 0.0.0.0 0.0.0.0 IN_Corp

on the remote ASA and see if that helps.

Regards,

NT

Community Member

Re: SSH and HTTPS over VPN

I have confirmed the http commands on the local ASA.  I must have accidentally erased them.  I have also ensured that the recommended ssh commands have been added to the remote ASA.  That's what I find so frustrating.  I still can't ssh from either end nor http from the local network.  I don't have a way to http from the remote end.  It appears that everything is correct for ssh/http access from both sides, but it still won't work.  I've worked with Cisco IOS and CatOS for nearly 20 years, but these ASAs are a bit trickier.  Unfortunately, I never had one, or a PIX, to work with before, as all we ever used were Nokias and Junipers.  Best regards, Wolf

Cisco Employee

Re: SSH and HTTPS over VPN

Hello,

Let us try configuring packet capture and see if we can figure out something:

On the local firewall:

access-list cap permit tcp 10.2.1.0 255.255.255.0 interface inside eq ssh
access-list cap permit tcp interface inside eq ssh 10.2.1.0 255.255.255.0
capture capin access-list cap interface inside

On the remote firewall:

access-list cap permit tcp 10.10.30.0 255.255.255.0 interface inside eq ssh
access-list cap permit tcp interface inside eq ssh 10.10.30.0 255.255.255.0
capture capin access-list cap interface inside

Also, let us try the packet-tracer:

On the local firewall:

packet-tracer input inside tcp 10.10.30.101 1024 10.2.1.211 22 detailed

On the remote firewall:

packet-tracer input inside tcp 10.2.1.101 1024 10.10.30.1 22 detailed

Also, can you please post the output of "show version" from both devices?

Regards,

NT

Community Member

Re: SSH and HTTPS over VPN

I shall do that, but, unfortunately, it will have to be put off until Monday.  I must tend to the network at the moment.  In the meantime, here are the show version outputs of both.  Thank you!

Regards,

Wolf

Community Member

Re: SSH and HTTPS over VPN

Hi Guys,

Not sure, but maybe the following statement will hint at something.

@Local ASA#

"asdm location 10.2.1.0 255.255.255.0 Out_SPWL"

Community Member

Re: SSH and HTTPS over VPN

Well, you came up with something there! I changed the command to use the In_Laker interface and started ASDM to the remote's address. After the login screen, ASDM said it was loading, and then the ASDM start splash screen disappeared and nothing else happened. At least we're getting somewhere, but why would that happen? Is it a case of mismatched versions of software? Any additional clues on this issue would be appreciated. I had done some preliminary research which seemed to point to a specific version of Java, but I have since corrected that. Thank you!

Regards,

Wolf

Community Member

Re: SSH and HTTPS over VPN

I set up the packet tracer and have attached the output. Unfortunately, the remote OS does not have this capability. I am trying to convince my manager that we need to upgrade the OS and ASDM version so they are at the same revision level as our local ASA. I configured the captures on both machines. Am I supposed to manually start a capture? I've used Wireshark and dedicated sniffers in the past, but I have not used the ASA to capture packets yet. Thanks!

Regards,

Wolf

Community Member

Re: SSH and HTTPS over VPN

Looks like an inside route is necessary.

main site
route inside 10.0.0.0 255.0.0.0 (your LAN switch IP addy) 1
route inside 10.0.0.0 255.0.0.0 10.10.30.x 1

route inside 10.10.250.0 255.255.255.248 (your remote switch IP addy) 1
route inside 10.10.250.0 255.255.255.248 10.2.1.x 1

On Remote site
route inside 10.0.0.0 255.0.0.0 (your LAN switch IP addy) 1
route inside 10.0.0.0 255.0.0.0 10.2.1.x 1

Where does Norlight PPP go to?
Properly enable your http and ssh inside access on both firewalls.

Thanks,
Eric
