Problem with sending SSH2 traffic over a site-to-site VPN using a Cisco PIX and a Cisco ASA

I am trying to send SSH2 traffic over a site-to-site VPN connection, using a Cisco PIX on the tunnel-origination side, and a Cisco ASA on the remote side.  The Cisco PIX is running IOS version 6.3(5). The ASA is running IOS 7.2.
To give some background, the VPN is configured so that when someone on the PIX side attempts a connection, their traffic is forwarded to a TACACS server which prompts them for their company network username and password. Once the person successfully enters their credentials, the traffic is then sent back to the PIX and the tunnel is initiated. This works fine with a telnet connection attempt.
With an SSH connection attempt (we use SSH2), we do not receive the prompt to authenticate with our network username and password, but only receive the message 'Failed to connect.' We are attempting the SSH connection using the SmarTerm terminal emulator (version 13.0.0).
When I do a 'debug SSH' on the PIX and then try the SSH connection, nothing is reported on the PIX, as if the traffic didn't even hit the PIX.
My network group tells me the core switch, which passes the traffic between the PIX and TACACS server, does not discriminate between telnet and SSH traffic.
Do I need to enable SSH on the PIX? If so, do you know how? I searched Cisco's documentation on their web site but saw nothing about enabling SSH on a PIX.
Any thoughts on this one are appreciated.
LordKlee asked:
LordKlee (Author) commented:
Got this figured out. The issue was that the TACACS server does not allow SSH traffic, only telnet. So, we authenticate using telnet, then initiate an SSH connection to the remote host. The tunnel gets initiated from the local PIX to the remote ASA, and as long as nothing on the remote side is blocking SSH, we get prompted for the login credentials and all is good.
Gustav_ commented:
You need to generate RSA keys and enable the SSH server for the specified interfaces; have a look at this walkthrough:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#configs
LordKlee (Author) commented:
Thank you Gustav. If I understand that article, it goes over setting up an SSH connection to the PIX; I am trying to accomplish an SSH connection through the PIX and the remote ASA, to a host system on the remote side running an SSH service.
Gustav_ commented:
Um, so let's say you have a subnet behind the ASA which is 192.168.0.0/24, and a subnet behind the PIX of 192.168.1.0/24. From a host behind the PIX (in the 192.168.1.0/24 subnet) you initiate a telnet connection to a host in the 192.168.0.0/24 subnet? And then the _PIX_ prompts you for your l/p, which it authenticates against a TACACS server? How is this done? I don't know of any way for the PIX to intercept the telnet and/or SSH traffic and present its own login prompt to the user. Are you sure this is the way it's set up? Could you please shed some more light on the setup: how is the PIX set up to provide the user login prompt on the telnet connection, etc.?
Istvan Kalmar (Head of IT Security Division) commented:
The debug ssh is used for local SSH debugging; please view the log online.
periferral commented:
It seems like you are SSHing between two hosts on either end of the tunnel, so AAA shouldn't be involved unless the host is doing AAA.
You don't need debug SSH either, since this is through the box and not to the box.

Look at the access-lists associated with the crypto map, or the NAT; maybe something there. Maybe a config post will help.
LordKlee (Author) commented:
Here's what the config looks like on the PIX, located on the network where the SSH traffic originates, for a given VPN tunnel, which we identify as ABC. You can see in the access list that we are permitting IP traffic, which should include SSH.

access-list inside_authentication_TACACS+ remark ABC
access-list inside_authentication_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0

access-list inside_accounting_TACACS+ remark ABC
access-list inside_accounting_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0

access-list ABC permit ip host 172.30.1.1 host 172.25.106.12

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.0.16.16 ******* timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication match inside_authentication_TACACS+ inside TACACS+
aaa authentication http console TACACS+
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS+
aaa accounting match inside_accounting_TACACS+ inside TACACS+

crypto map to_client 20 ipsec-isakmp
crypto map to_client 20 match address ABC
crypto map to_client 20 set peer xx.xx.xx.xx
crypto map to_client 20 set transform-set ESP-3DES-MD5

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

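As an added illustration, not code from the thread or from Cisco, of why the telnet attempt gets a prompt and the SSH attempt does not: the login prompt described here comes from the PIX cut-through proxy bound by 'aaa authentication match', which can present its own prompt only for FTP, Telnet, HTTP and HTTPS, so other matched traffic such as SSH is refused until an authentication session already exists (hence authenticating over telnet first makes the SSH session work). The model below parses the ACL and aaa lines from the config posted above and classifies an inside flow; the inside source address 10.0.5.5 is an assumed value.

```python
import ipaddress

# ACL and aaa lines copied from the PIX config posted in this thread (remark kept
# to show it is skipped); the source host used in the tests is a constructed value.
PIX_CONFIG = """
access-list inside_authentication_TACACS+ remark ABC
access-list inside_authentication_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0
aaa authentication match inside_authentication_TACACS+ inside TACACS+
"""

# Services for which the PIX 6.3 cut-through proxy can present its own login prompt.
PROMPTABLE = {21: "ftp", 23: "telnet", 80: "http", 443: "https"}


def _net(t, i):
    """Parse 'host A' or 'A MASK' starting at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for permit entries only."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue  # remarks and non-permit lines carry no match criteria
        src, i = _net(t, 4)
        dst, _ = _net(t, i)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls


def auth_acl_name(config):
    """Name of the ACL bound by 'aaa authentication match <acl> <if> <server>'."""
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["aaa", "authentication", "match"]:
            return t[3]
    return None


def classify(config, src, dst, dport, authenticated=False):
    """What the cut-through proxy does with a TCP flow src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = parse_acls(config).get(auth_acl_name(config), [])
    needs_auth = any(p in ("tcp", "ip") and s in sn and d in dn for p, sn, dn in acl)
    if not needs_auth or authenticated:
        return "pass"
    # Matched and not yet authenticated: the PIX can only prompt for a few services.
    return "prompt" if dport in PROMPTABLE else "deny-until-authenticated"
```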
 
LordKlee (Author) commented:
Do any of the Cisco / network folks out there know if passing SSH2 traffic through an encrypted site-to-site VPN connection is supported?
Question has a verified solution.