Cisco Support Community

Issues with ssh/telnet via clientless vpn (java.io.IOException)

Good afternoon, everyone!

I just got a new Cisco ASA 5505 that we are going to use as a multi-purpose VPN concentrator for our organization.  I have worked with ASA 5510 and 5520s before, so my expertise level is pretty high, but this one has me stumped.

Basically, I can log into my ASA's clientless vpn interface, select the ssh/telnet plugin, put in an address, but when I try to connect to a host on the inside network, it fails giving the error message "Sorry.  Cound not connect to: <target ip> 23.  Reason: java.io.IOException: Connection Failed."

I verified that the target devices have telnet and/or ssh open (I get the same error using either telnet or ssh to a suitable target).  I have a laptop on the inside VLAN of the 5505 and it has a DHCP address from the ASA and the laptop can connect fine.

ASA version: 8.2.5

ASDM version: 6.4.5

So, what am I doing wrong?

Redacted configuration below:

<snip>

!
hostname asa5505
domain-name confuseduser.net
enable password #### encrypted
passwd #### encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.255.235 255.255.248.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 20.###.###.24 255.255.255.224
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 20.#.#.9
 name-server 20.#.#.10
 domain-name confused.net
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in remark ike key exchange
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in remark ipsec nat-t
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in remark l2tp
access-list outside_access_in extended permit udp any any eq 1701
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool confusedcomvpnpool 172.16.255.238-172.16.255.245 mask 255.255.248.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 20.#.#.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server confusedcom protocol radius
aaa-server confusedcom (outside) host 20.#.#.6
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server confusedcom (outside) host 20.#.#.7
 key *****
 authentication-port 1812
 accounting-port 1813
http server enable
http 172.16.0.0 255.255.0.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.255.236-172.16.255.237 inside
dhcpd dns 20.#.#.9 20.#.#.10 interface inside
dhcpd lease 14400 interface inside
dhcpd domain confuseduser.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 20.#.#.11 source outside prefer
webvpn
 enable outside
 tunnel-group-list enable
group-policy confusedcomcustomer_policy internal
group-policy confusedcomcustomer_policy attributes
 vpn-tunnel-protocol webvpn
group-policy confusedadmin_policy internal
group-policy confusedadmin_policy attributes
 vpn-tunnel-protocol l2tp-ipsec svc webvpn
username someuser password ##### encrypted privilege 15
tunnel-group DefaultRAGroup webvpn-attributes
 customization confusedcom
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization confusedcom
tunnel-group confusedCOMAdmins type remote-access
tunnel-group confusedCOMAdmins general-attributes
 address-pool confusedcomvpnpool
 authentication-server-group confusedcom LOCAL
 default-group-policy confusedadmin_policy
tunnel-group confusedCOMAdmins webvpn-attributes
 customization confusedcom
 group-alias confusedCOMAdmins enable
tunnel-group confusedCOMAdmins ipsec-attributes
 pre-shared-key *****
tunnel-group confusedCOMCustomer type remote-access
tunnel-group confusedCOMCustomer general-attributes
 default-group-policy confusedcomcustomer_policy
tunnel-group confusedCOMCustomer webvpn-attributes
 customization confusedcom
 group-alias confusedCOMCustomer enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

<end snip>
