Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Unable to ssh VPN ASA while using Full Tunnel RA VPN

HI everyone,

While using full tunnel RA VPN i am unable to ssh the ASA.

Log gives error

Jan 18 2014 23:23:25: %ASA-6-110002: Failed to locate egress interface for TCP from outside:10.0.0.51/55694 to 10.0.0.1/22

Where IP 10.0.0.1 is IP of ASA inside interface.

Also i try to ssh ASA outside interface IP while connected to RA VPN that also does not work.

Also i am assigned IP 10.0.0.51 by ASA IP pool.

I can not ping the Gateway IP of 10.0.0.1?

Is there way i can fix all this?

Regards

Mahesh

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Green

Unable to ssh VPN ASA while using Full Tunnel RA VPN

Have you configured the command managment-access ?  (where interface is the interface you want to use as management interface when connected to the VPN)

ex.

management-access inside

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
VIP Green

Unable to ssh VPN ASA while using Full Tunnel RA VPN

When you connect to the ASA on a RA VPN the management-access command allows you to manage the ASA via a different interface than the one your VPN connects to.  Since you are connecting to the outside interface which most likely has a security level of 0, SSH is not permitted on any interface with a security level of 0.  And therefore you need to have this command to be able to access the device over VPN.

To be able to connect to an IP you need to have reachability to that IP, which is what the management-access command does for the interface that you specify.  One of the features provided by this command is the ability to ping the defined managment interface.

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
4 REPLIES
VIP Green

Unable to ssh VPN ASA while using Full Tunnel RA VPN

Have you configured the command managment-access ?  (where interface is the interface you want to use as management interface when connected to the VPN)

ex.

management-access inside

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
New Member

Unable to ssh VPN ASA while using Full Tunnel RA VPN

Hi Marius,

That command did the magic.

Now from VPN Client PC i can ping the inside interface IP.

I can ssh to ASA.

I can also have asdm access to ASA.

Can you please explain me how ping also to inside IP works now?

C:\Users\manveer>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : cbt.com
   Link-local IPv6 Address . . . . . : fe80::d429:2885:1230:7d4a%24
   IPv4 Address. . . . . . . . . . . : 10.0.0.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1

   IPv4 Address. . . . . . . . . . . : 192.168.98.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.98.1

C:\Users\manveer>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=4ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 2ms

C:\Users\manveer>

Regards

Mahesh

VIP Green

Unable to ssh VPN ASA while using Full Tunnel RA VPN

When you connect to the ASA on a RA VPN the management-access command allows you to manage the ASA via a different interface than the one your VPN connects to.  Since you are connecting to the outside interface which most likely has a security level of 0, SSH is not permitted on any interface with a security level of 0.  And therefore you need to have this command to be able to access the device over VPN.

To be able to connect to an IP you need to have reachability to that IP, which is what the management-access command does for the interface that you specify.  One of the features provided by this command is the ability to ping the defined managment interface.

--
Please remember to rate and select a correct answer

-- Please remember to rate and select a correct answer
New Member

Unable to ssh VPN ASA while using Full Tunnel RA VPN

Hi MArius,

Thanks for sharing the valuable info here.

Best Regards

Mahesh

381
Views
0
Helpful
4
Replies