Cisco Support Community
Not able to telnet or ssh to outside interface of ASA and Cisco Router

Dear All


Please help me with the following question. I have set up a testing lab, but it still does not work.


It is a hub-and-spoke site-to-site VPN case; the connection between hub and spoke is Metro-E, so we are using private IPs for the outside interface at each site.


Hub - Juniper SRX

Spoke One - Cisco ASA with version 9.1(5)

Spoke Two - Cisco router with version 12.3


The site-to-site VPN has been successfully established. The customer would like to telnet/SSH to the spoke's outside IP from the hub (using the hub's outside interface as the source for telnet/SSH), or vice versa. The reason for setting it up like this is that they want to be able to make configuration changes even when the site-to-site VPN is down. It sounds like an easy job to do; I tried for a long time and searched this forum and Google too, but it still does not work.


Now I can successfully telnet/SSH to the hub SRX's outside interface from a spoke (the ASA has no telnet/SSH client, so I tested using the Cisco router).

Has anyone done this before? Please share your experience. Does the Cisco ASA or router even support it?

When I tested it, of course the site-to-site VPN was still up and running.


Hello YK,


In this case, on the ASA, you should have the following:


Configuring Management Access Over a VPN Tunnel

If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.

To specify an interface as a management-only interface, enter the following command:


hostname(config)# management-access management_interface


where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.

You can define only one management-access interface.


Also make sure you have the pertinent configuration for SSH, Telnet, ASDM and SNMP (if required). For a quick test you can enable the following in your lab:


- ssh 0 0 outside

- aaa authentication ssh console LOCAL

- Make sure you have a default RSA key, or create a new one either way, with this command:

    crypto key generate rsa modulus 2048


- telnet 0 0 outside

- aaa authentication telnet console LOCAL


Afterwards, if this works, you can define the subnets that should be permitted.


On the router:


!--- Step 1: Configure the hostname if you have not previously done so.

hostname Router

!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.

aaa new-model
username cisco password 0 cisco

!--- Step 2: Configure the router's DNS domain. A domain name is required
!--- before the RSA key can be generated; example.com is a placeholder.

ip domain-name example.com

!--- Step 3: Generate an SSH key to be used with SSH.

crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3

!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- both Telnet and SSH are supported with transport input all.

line vty 0 4
 transport input all

!--- Alternative: instead of aaa new-model, the login local command may be used.

no aaa new-model
line vty 0 4
 login local



Let me know how it works out!


Please don't forget to rate and mark the helpful post as correct!


David Castro,
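An added configuration example, not from the post above or from Cisco's own documentation: it places the wide-open SSH setting suggested for the lab test beside the restricted form a spoke ASA would run once the test succeeds, and adds the management-access interface for reaching the inside interface through the tunnel. The hub outside address 10.0.0.1, the interface names "outside"/"inside" and the username "admin" are assumed values.

```cisco
! Added example (not the poster's config). Assumed values: hub outside
! IP 10.0.0.1, interfaces named outside/inside, local admin user "admin".

! --- Lab test only: any source on the outside interface may open SSH.
ssh 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL

! --- Restricted form: only the hub's outside address may reach the ASA.
no ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.1 255.255.255.255 outside
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
! CHANGE_ME is a placeholder; set a real password for the local account.
username admin password CHANGE_ME privilege 15
! Needed once so the SSH server has a host key.
crypto key generate rsa modulus 2048

! --- Telnet to the lowest-security interface (outside) is only permitted
! --- by the ASA when the session arrives inside an IPsec tunnel, so for
! --- the "VPN is down" case rely on SSH to the outside interface.

! --- Management through the tunnel: lets the hub reach the inside
! --- interface (SSH, ASDM, ping) when entering via outside.
management-access inside
```

After applying the restricted form, confirm with `show run ssh` that only the hub address is listed and that `ssh version 2` is present.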