
SSH through AnyConnect VPN

bryansmithmcpc
Level 1

ASA 5505, software version 9.1(2)

Clients are using AnyConnect Secure Mobility Client v3.1.03103.

Clients have no issues connecting to VPN, but they use a terminal emulator program to access some online systems and it will not connect over VPN.

The terminal emulator uses SSH to establish connectivity.

On the local network, the SSH connection happens without any issue.

Over VPN through AnyConnect, I cannot see the traffic via Wireshark and I get network timeouts/disconnect from the terminal emulator.

Under the ACL Manager, I have one for the outside_access_in that permits SSH from the RemoteHost to any, so I am not sure where to go with this.

If anyone has any ideas on what to check it would be greatly appreciated.

3 Replies

Marvin Rhoads
Hall of Fame

You should not normally need the outside_access_in ACL with a remote access VPN as the default is to bypass access-lists for VPN connections.

Is your connection profile routing the networks (where the servers live) properly to your client?

Marvin,

You are correct, "Bypass interface access lists for inbound VPN sessions" is enabled.

Connection profile appears to be correct.

As mentioned before the access-group is not required.

Now:

1- Check split-tunneling.

2- Check NAT rules.

3- Place packet-capture on the inside interface of the ASA (if the above is correct).

4- Check ASP drops.

5- Run a packet-tracer.

With this troubleshooting you should have a better idea of what the issue is.

HTH.
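
The five checks listed in the reply above, written out as ASA CLI commands. This is an added example, not part of the original thread. The addresses (10.10.10.5 for the AnyConnect client's pool address, 192.168.1.50 for the inside SSH server) and the capture names CAPIN and ASPDROP are constructed placeholders; the interface name `inside` is assumed from the reply.

```cisco
! Constructed values: 10.10.10.5 = address assigned to the AnyConnect client,
! 192.168.1.50 = inside SSH server. Capture names are arbitrary.

! Find the address actually assigned to the connected client
show vpn-sessiondb anyconnect

! 1- Split tunneling: confirm the server network is in the tunneled list
show running-config group-policy
show running-config access-list

! 2- NAT rules: see which rule, if any, matches inside <-> VPN pool traffic
show running-config nat
show nat detail

! 3- Capture on the inside interface: does the client's SSH SYN leave the ASA,
!    and does the server's reply come back?
capture CAPIN interface inside match tcp host 10.10.10.5 host 192.168.1.50 eq 22
show capture CAPIN

! 4- ASP drops: clear the counters, retry the SSH connection, then read them
clear asp drop
show asp drop
capture ASPDROP type asp-drop all
show capture ASPDROP | include 10.10.10.5

! 5- Packet-tracer: simulated here from the server toward the client's pool
!    address, which shows the route and NAT decisions for the return traffic
packet-tracer input inside tcp 192.168.1.50 22 10.10.10.5 50000 detailed

! Remove the captures when finished
no capture CAPIN
no capture ASPDROP
```

If CAPIN shows the SYN leaving toward the server but nothing returning, the next place to look is the server's route back to the VPN pool rather than the ASA.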