Cisco Support Community
New Member

ssh to inside or outside IP of ASA over anyconnect vpn

 

Hi Everyone,

I have SSL AnyConnect VPN for my home lab.

When I connect via AnyConnect over SSL I am unable to SSH to the ASA inside and outside IP. Is this default behaviour?

I have management-access inside configured on the ASA.

 

VPN Pool IP 10.10.10.10

ssh 10.10.10.0 255.255.255.0 outside

 

Regards

Mahesh

2 ACCEPTED SOLUTIONS

Hall of Fame Super Silver

Try adding a line like:

nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside no-proxy-arp

Hall of Fame Super Silver

Mahesh,

Order of operation for NAT statements is important because once a matching statement is found, any further NAT processing stops.

I should have mentioned it needed to go at (or near) the top but not seeing all of your configuration, I didn't want to assume too much.

Glad it's working now. Don't forget to mark question as answered and rate!

13 REPLIES

If you want to SSH to the ASA inside IP address, try changing the ssh command to ssh 10.10.10.0 255.255.255.0 inside.

If you want to SSH to the external IP address of the ASA, try adding ssh your_laptop_pub_ip subnet_mask outside. I don't know if there is split tunneling configured or not. If not, it means all traffic goes through the VPN tunnel, which means you shouldn't be able to connect to the outside interface of the ASA while still connected via AC.

New Member

Hi Rudy,

I also have this command  --

ssh 10.10.10.0 255.255.255.0 inside

ssh 70.75.74.0 255.255.255.0 outside

 

Where 70.75 is the laptop public IP. Also there is no split tunnel configured.

With this, should I be able to connect to the inside interface of the ASA?

 

Regards

Mahesh

 

Yes, you should be able to connect to the inside interface of the ASA. If it's not working, are you able to ping the inside interface at least? (Don't forget to enable ICMP first.)

And out of curiosity, are you able to connect/access the LAN behind the ASA?

New Member

I cannot ping the inside interface of the ASA either.

ICMP is enabled.

Yes, I can ping and access the LAN behind the ASA.

Hall of Fame Super Silver

Mahesh,

Assuming you are using split tunneling you need to include the subnet that has the ASA inside interface in the tunnel list.

You also need to exclude the VPN address pool from NAT for that destination network in your nat(outside,inside) statement. (your VPN client appears as an outside source for the purposes of the NAT statements)

New Member

Hi Marvin,

 

I am not using split tunnel. It's tunnel-all.

Here is the NAT config:

nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source static inside inside destination static inside inside

Regards

Mahesh

New Member

Hi Marvin,

When I added this NAT it showed up at the bottom of the NAT statements, and when I tested it did not work.

But once I moved this to the top of the NAT statements via ASDM, I can ping and SSH to the inside interface.

So what difference does it make when I put this NAT at the top?

 

Best regards

Mahesh
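The accepted answer explains why the position mattered: the ASA evaluates NAT rules in order and stops at the first match, so an identity (no-translation) rule for the VPN pool that sits below a dynamic NAT rule never gets a chance to apply. As an added example, not code from the thread or from Cisco, the Python script below audits a text copy of an ASA configuration for the three things this thread turned on: management-access inside, an ssh line that admits the VPN pool on the inside interface, and an identity NAT for the pool placed above any dynamic NAT. The sample configuration, the object name vpn_pool_ip and the subnets are constructed from the commands quoted in the thread, and the parser only understands the command forms used here.

```python
import ipaddress
import re

# Constructed sample config assembled from the commands quoted in this
# thread, with the suggested (outside,any) exemption added at the bottom,
# which is where the ASA appended it. Object names and subnets are assumed.
CONFIG_BEFORE = """\
management-access inside
ssh 10.10.10.0 255.255.255.0 inside
ssh 70.75.74.0 255.255.255.0 outside
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source static inside inside destination static inside inside
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside no-proxy-arp
"""
VPN_POOL_OBJECT = "vpn_pool_ip"                      # assumed object name
VPN_CLIENT_IP = ipaddress.ip_address("10.10.10.10")  # pool address from the thread

# Only the manual ("twice") NAT and ssh command forms used in this thread are parsed.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source (?P<kind>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)
SSH_RE = re.compile(r"^ssh (?P<net>[\d.]+) (?P<mask>[\d.]+) (?P<iface>\S+)$")


def parse_config(text):
    """Return the management-access interface, ssh permits and NAT rules in config order."""
    cfg = {"management_access": None, "ssh": [], "nat": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("management-access "):
            cfg["management_access"] = line.split()[1]
        elif m := SSH_RE.match(line):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            cfg["ssh"].append((net, m["iface"]))
        elif m := NAT_RE.match(line):
            cfg["nat"].append(m.groupdict())
    return cfg


def ssh_permitted(cfg, client_ip, iface):
    """True if some ssh line admits client_ip on the named interface."""
    return any(client_ip in net and i == iface for net, i in cfg["ssh"])


def is_pool_exemption(rule, pool_object):
    """Identity manual NAT (real == mapped on both sides) whose source is the VPN pool."""
    return (
        rule["kind"] == "static"
        and rule["real"] == pool_object == rule["mapped"]
        and rule["dreal"] is not None
        and rule["dreal"] == rule["dmapped"]
    )


def audit(text, pool_object, client_ip):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    findings = []
    if cfg["management_access"] != "inside":
        findings.append("management-access inside is not configured")
    if not ssh_permitted(cfg, client_ip, "inside"):
        findings.append(f"no ssh line permits {client_ip} on the inside interface")
    exemption = next((i for i, r in enumerate(cfg["nat"]) if is_pool_exemption(r, pool_object)), None)
    dynamic = next((i for i, r in enumerate(cfg["nat"]) if r["kind"] == "dynamic"), None)
    if exemption is None:
        findings.append(f"no identity NAT exempts {pool_object} from translation")
    elif dynamic is not None and dynamic < exemption:
        findings.append(
            f"exemption for {pool_object} is NAT rule {exemption + 1} but a dynamic rule is "
            f"rule {dynamic + 1}; NAT is first-match, so move the exemption above it"
        )
    return findings


def move_exemption_first(text, pool_object):
    """Rewrite the config with the pool exemption placed before the first nat line."""
    lines = text.splitlines()
    exempt = [l for l in lines
              if (m := NAT_RE.match(l.strip())) and is_pool_exemption(m.groupdict(), pool_object)]
    rest = [l for l in lines if l not in exempt]
    first_nat = next(i for i, l in enumerate(rest) if l.startswith("nat "))
    return "\n".join(rest[:first_nat] + exempt + rest[first_nat:]) + "\n"


if __name__ == "__main__":
    for label, text in (("as appended", CONFIG_BEFORE),
                        ("moved to top", move_exemption_first(CONFIG_BEFORE, VPN_POOL_OBJECT))):
        print(label, "->", audit(text, VPN_POOL_OBJECT, VPN_CLIENT_IP) or ["ok"])
```

Run against the constructed config, the audit reports the ordering problem while the exemption is the last NAT rule, and reports nothing once move_exemption_first has placed it above the dynamic rule, which is the change Mahesh made in ASDM. The script checks only the textual order of the rules; it does not model the ASA's full NAT lookup.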

New Member

Many Thanks Sir!

Regards

Mahesh

New Member

If you need to access the inside interface for management through the VPN, then you need the "management-access inside" command, in order to SSH/telnet/HTTP to this interface through the AC.

For the outside interface, you need to check the configuration of split-tunneling, so if the outside subnet is excluded from the tunnel, then you can connect to the ASA using the normal ssh command.

 

Thanks.

Ahmad.

 

New Member

management-access inside is already configured.

I am using a full-tunnel VPN config.

Still unable to SSH or ping the inside interface.

 

Regards

Mahesh

New Member

Please share the configuration of the ASA.
