SSH to ASA through VPN

alleghieri · ‎03-16-2012

Here is a variation on a theme I've seen on the boards here. I have an ASA 5580 configured for client ipsec vpns. I can connect via the vpn, ping the interface being used for management, and complete the TCP handshake for telnet or SSH. After that, the connection times out. I know I'm missing something small, but can't find it. Any help would be greatly appreciated.

Here are the relevant parts of the config:

!

interface TenGigabitEthernet0/8

nameif INSIDE

security-level 100

ip address 10.50.254.249 255.255.255.248 standby 10.50.254.250

!

interface GigabitEthernet0/0

nameif OUTSIDE

security-level 0

ip address x.x.x.x x.x.x.x

!

interface GigabitEthernet0/1

nameif ToMGMT

security-level 10

ip address 10.50.253.18 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name local

object-group network Inside_NETWORK_ALL

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.248.0.0

object-group network Outside_REMOTE_VPN

network-object 10.50.224.0 255.255.254.0

object-group network MGMT_NET

network-object 10.50.253.0 255.255.255.0

access-list PERMIT_ANY extended permit ip any any

access-list RemoteVPN_SPLIT standard permit 10.50.253.0 255.255.255.0

access-list RemoteVPN_SPLIT standard permit 10.50.0.0 255.255.0.0

access-list RemoteVPN_SPLIT standard permit 10.50.224.0 255.255.254.0

access-list NO-NAT-VPN extended permit ip any 10.50.224.0 255.255.254.0

access-list MGMT-2-VPN extended permit ip 10.50.253.0 255.255.255.0 10.50.224.0 255.255.254.0

mtu INSIDE 1500

mtu OUTSIDE 1500

mtu ToMGMT 1500

ip local pool RemoteVPN_POOL 10.50.224.0-10.50.225.0 mask 255.255.254.0

monitor-interface DMZ

no monitor-interface OUTSIDE

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (INSIDE,any) source static Inside_NETWORK_ALL Inside_NETWORK_ALL destination static Inside_NETWORK_ALL Inside_NETWORK_ALL

nat (INSIDE,OUTSIDE) source dynamic Inside_NETWORK_ALL interface

access-group OUTSIDE_IN in interface OUTSIDE

!

route OUTSIDE 0.0.0.0 0.0.0.0 200.200.100.10 1

route INSIDE 10.50.0.0 255.255.224.0 10.50.254.254 1

route INSIDE 10.50.253.0 255.255.255.0 10.50.254.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS_COLO protocol radius

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set 3dessha-Transport esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set 3dessha-Transport mode transport

crypto ipsec ikev1 transform-set dessha esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set 3dessha esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto dynamic-map RemoteVPN_DM 5 set ikev1 transform-set 3dessha

crypto dynamic-map PUB_IPSEC_CLIENT 1 set ikev1 transform-set ESP-3DES-MD5

crypto map CRYPTO_MAP 1 ipsec-isakmp dynamic RemoteVPN_DM

crypto map CRYPTO_MAP 2 ipsec-isakmp dynamic PUB_IPSEC_CLIENT

crypto map CRYPTO_MAP interface OUTSIDE

crypto isakmp identity key-id ***********

crypto ikev1 enable OUTSIDE

crypto ikev1 policy 65534

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

ssh 10.0.0.0 255.0.0.0 INSIDE

ssh 10.50.253.0 255.255.255.0 ToMGMT

ssh 10.50.224.0 255.255.254.0 ToMGMT

ssh 10.0.0.0 255.0.0.0 ToMGMT

ssh timeout 5

ssh version 2

console timeout 0

management-access ToMGMT

!

tls-proxy maximum-session 1000

!

ssl trust-point localtrust OUTSIDE

webvpn

enable OUTSIDE

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

dns-server value 10.50.223.10

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteVPN_SPLIT

address-pools value RemoteVPN_POOL

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

dns-server value 10.200.0.6

password-storage enable

split-tunnel-network-list value RemoteVPN_SPLIT

group-policy IPSEC-POLICY internal

group-policy IPSEC-POLICY attributes

vpn-simultaneous-logins 20

vpn-tunnel-protocol ikev1

ip-comp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteVPN_SPLIT

user-authentication enable

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool RemoteVPN_POOL

default-group-policy RemoteVPN

tunnel-group RemoteVPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

group-alias SSLVPNClient enable

tunnel-group IPSECGROUP type remote-access

tunnel-group IPSECGROUP general-attributes

address-pool RemoteVPN_POOL

default-group-policy IPSEC-POLICY

authorization-required

tunnel-group IPSECGROUP ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!