Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

asa 5510 telnet/ssh problem through vpn

I have an ASA 5510 running ver 7.0.7. I have an L2L tunnel connecting to it. I am trying to manage the ASA via ssh or telnet to the inside interface from the L2L remote end and not able to.

I have the command management-access inside configured as well as allowing telnet and ssh to the inside from any where:

telnet 0 0 inside

ssh 0 0 inside

I am still not able to get to it via ssh or telnet. Http and icmp work fine.

When looking at the encrypts and decrepts for the ipsec sa:

#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26

#pkts decaps: 64, #pkts decrypt: 64, #pkts verify: 64

indicating my telnet or ssh packets are decrypted but not encrypted. The show asp table vpn-context details shows corresponding data:

CBS-ASA-5510# sh asp table vpn-context d

VPN Ctx = 0067441000 [0x04051168]

Peer IP = 2.0.2.105

State = UP

Flags = DECR+ESP

SA = 0x15855031

SPI = 0x875427A6

Group = 0

Pkts = 64

Bad Pkts = 0

Bad SPI = 0

Spoof = 0

Bad Crypto = 0

Rekey Pkt = 1

Rekey Call = 1

VPN Ctx = 0064172784 [0x03D332F0]

Peer IP = 2.0.2.105

State = UP

Flags = ENCR+ESP

SA = 0x1586F4A9

SPI = 0x7989DFA2

Group = 0

Pkts = 26

Bad Pkts = 0

Bad SPI = 0

Spoof = 0

Bad Crypto = 0

Rekey Pkt = 1

Rekey Call = 1

However in the asp crypto classifier, I do not see my packets:

out id=0x34f4f80, priority=70, domain=encrypt, deny=false

hits=26, user_data=0x3d332f0, cs_id=0x38a1908, reverse, flags=0x0, protocol=0

src ip=192.168.77.0, mask=255.255.255.0, port=0

dst ip=2.0.2.105, mask=255.255.255.255, port=0

in id=0x3d36ac0, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=26, user_data=0x4051168, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=2.0.2.105, mask=255.255.255.255, port=0

dst ip=192.168.77.0, mask=255.255.255.0, port=0

Is this an existing bug or am I missing something?

2 REPLIES
Silver

Re: asa 5510 telnet/ssh problem through vpn

If your packets are being received (decrypted) but not returned, are they exiting the ASA by not getting included in any NAT (0) statement you have configured? If they are not included in a NAT (0) the return packets will bypass encryption.

However if ICMP and HTTP works to the managment address, (I'm not sure that is what you meant) then I would expect telnet and ssh to work as well, so long as those protocols are enabled.

Community Member

Re: asa 5510 telnet/ssh problem through vpn

Thanks for the input. The issue has been resolved as it was related to a bug:

CSCsj53102

Externally found moderate defect: Verified (V)

SSH/Telnet access through VPN tunnel to management interface not working

1047
Views
0
Helpful
2
Replies
CreatePlease to create content