Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSH inside network on other end of L2L VPN not working

I cant get SSH access working for the inside interface on the other end of the L2L tunnel. I also cant SSH into any of my Switches. I cant ping either interface but I can ping the phones on the other end. I am not even close to sure what I am missing for this to work..

RandomHostName# sho run
: Saved
:
ASA Version 9.1(2)8
!
hostname RandomHostname
domain-name random.domain.name
enable password blahblahblahblah12345 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd blahblahblahblah12345 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 999
!
interface Ethernet0/1
 switchport access vlan 582
!
interface Ethernet0/2
 switchport access vlan 311
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 321
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan582
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Vlan999
 description LAN Failover Interface
!
interface Vlan321
 nameif INSIDE-Phones
 security-level 100
 ip address 10.129.0.1 255.255.255.0 standby 10.129.0.2
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
object network InsidePhones
 subnet 10.129.0.0 255.255.255.0
access-list tunnel_all extended permit ip 10.129.0.0 255.255.255.0 any4
pager lines 24
logging enable
logging buffer-size 8182
logging buffered debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE-Phones 1500
failover
failover lan unit primary
failover lan interface failover-int Vlan999
failover interface ip failover-int 10.129.20.1 255.255.255.0 standby 10.129.20.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server admin protocol radius
aaa-server admin (OUTSIDE) host 192.168.50.1
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server admin (OUTSIDE) host 192.168.50.2
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server vpn protocol radius
aaa-server vpn (OUTSIDE) host 192.168.50.1
 key *****
aaa-server vpn (OUTSIDE) host 192.168.50.2
 key *****
aaa-server RADIUS protocol radius
aaa-server RADIUS (OUTSIDE) host 192.168.50.1
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADIUS (OUTSIDE) host 192.168.50.2
 key *****
 authentication-port 1812
 accounting-port 1813
user-identity default-domain LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa accounting enable console RADIUS
aaa accounting ssh console RADIUS
aaa authorization exec authentication-server
http server enable
http 10.129.30.0 255.255.255.0 OUTSIDE
http 10.129.10.0 255.255.255.0 OUTSIDE
http 192.168.50.1 255.255.255.0 OUTSIDE
http 10.129.10.0 255.255.255.0 INSIDE-Phones
http 10.129.1.0 255.255.255.0 INSIDE-Phones
http redirect OUTSIDE 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address tunnel_all
crypto map outside_map 1 set peer 192.168.50.1
crypto map outside_map 1 set ikev2 ipsec-proposal ESP-AES-256-SHA
crypto map outside_map interface OUTSIDE
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
telnet timeout 5
ssh 10.129.10.0 255.255.255.0 OUTSIDE
ssh 192.168.50.1 255.255.255.0 OUTSIDE
ssh 10.129.1.0 255.255.255.0 OUTSIDE
ssh 10.129.1.0 255.255.255.0 INSIDE-Phones
ssh 192.168.50.1 255.255.255.0 INSIDE-Phones
ssh 10.129.10.0 255.255.255.0 INSIDE-Phones
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.50.1 192.168.50.2
dhcpd domain contoso.net
dhcpd option 150 ip 10.129.100.12 10.129.70.50
dhcpd option 3 ip 10.129.1.1
!
dhcpd address 10.129.1.10-10.129.1.254 INSIDE-Phones
dhcpd enable INSIDE-Phones
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.50.1
ntp server 192.168.50.1 prefer
username LukeSkywalker password pBoKSJVICSq encrypted privilege 15
tunnel-group 192.168.50.1 type ipsec-l2l
tunnel-group 192.168.50.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:23239ba79ec5f2de8c11d850e7087c57
: end

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

Run the following commandtest

Run the following command

test aaa authentication RADIUS host 192.168.50.1

username: xxxxx

password: xxxxx

do you see any hits on the radius server?

Also run some debugs while trying to authenticate.

debug radius

debug aaa authen

I suggest changing the radius configuration so it points to the inside interface. This way authentication requests are sent with a source IP of the inside interface instead of the outside interface.

it will help to see a network diagram so we have an idea of how your network is set up.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
3 REPLIES
New Member

I figured out the SSH by

I figured out the SSH by doing management access but my radius stuff still isnt working.

VIP Green

Run the following commandtest

Run the following command

test aaa authentication RADIUS host 192.168.50.1

username: xxxxx

password: xxxxx

do you see any hits on the radius server?

Also run some debugs while trying to authenticate.

debug radius

debug aaa authen

I suggest changing the radius configuration so it points to the inside interface. This way authentication requests are sent with a source IP of the inside interface instead of the outside interface.

it will help to see a network diagram so we have an idea of how your network is set up.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Changing the Radius to the

Changing the Radius to the inside interface fixed my authentication issues. 

32
Views
0
Helpful
3
Replies
CreatePlease login to create content