LordKlee
Problem with sending SSH2 traffic over a site-to-site VPN using a Cisco PIX and a Cisco ASA

I am trying to send SSH2 traffic over a site-to-site VPN connection, using a Cisco PIX on the tunnel-origination side, and a Cisco ASA on the remote side.  The Cisco PIX is running IOS version 6.3(5). The ASA is running IOS 7.2.
To give some background, the VPN is configured so that when someone on the PIX side attempts a connection, their traffic is forwarded to a TACACS server which prompts them for their company network username and password. Once the person successfully enters their credentials, the traffic is then sent back to the PIX and the tunnel is initiated. This works fine with a telnet connection attempt.
With an SSH connection attempt (we use SSH2), we do not receive the prompt to authenticate with our network username and password, but only receive the message 'Failed to connect.' We are attempting the SSH connection using the SmarTerm terminal emulator (version 13.0.0).
When I do a 'debug SSH' on the PIX and then try the SSH connection, nothing is reported on the PIX, as if the traffic didn't even hit the PIX.
My network group tells me the core switch, which passes the traffic between the PIX and TACACS server, does not discriminate between telnet and SSH traffic.
Do I need to enable SSH on the PIX? If so, do you know how? I searched Cisco's documentation on their web site but saw nothing about enabling SSH on a PIX.
Any thoughts on this one are appreciated.
Gustav_

You need to generate rsa keys and enable the ssh server for the specified interfaces, have a look at this walkthrough:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#configs
LordKlee (asker)
Thank you Gustav. If I understand that article, it goes over setting up an SSH connection to the PIX; I am trying to accomplish an SSH connection through the PIX and the remote ASA, to a host system on the remote side running an SSH service.
Um, so let's say you have a subnet behind the ASA which is 192.168.0.0/24, subnet behind the pix of 192.168.1.0/24. From a host behind the pix (in the 192.168.1.0/24 subnet) you initiate a telnet connection to a host in the 192.168.0.0/24 subnet? And then the _pix_ prompts you for your l/p which it authenticates to a tacacs server? How is this done? I don't know of any way for the pix to intercept the telnet and/or ssh traffic and present its own login prompt to the user. Are you sure this is the way it's set up? Could you please shed some more light on the setup, how is the pix set up to provide the user login prompt on the telnet connection etc.
Istvan Kalmar
The debug ssh is used for local ssh debugging; please view the log online....
It seems like you are ssh'ing between 2 hosts on either end of the tunnel. So AAA shouldn't be involved unless the host is doing AAA.
You don't need debug SSH either, since this is through the box and not to the box.

Look at the access-lists associated with the crypto map, or the NAT. Maybe something there. Maybe a config post will help.
Here's what the config looks like on the PIX, located on the network where the SSH traffic originates from, for a given VPN tunnel, which we identify as ABC. You see in the access list that we are permitting ip traffic, which should include SSH.

access-list inside_authentication_TACACS+ remark ABC
access-list inside_authentication_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0

access-list inside_accounting_TACACS+ remark ABC
access-list inside_accounting_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0

access-list ABC permit ip host 172.30.1.1 host 172.25.106.12

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.0.16.16 ******* timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication match inside_authentication_TACACS+ inside TACACS+
aaa authentication http console TACACS+
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS+
aaa accounting match inside_accounting_TACACS+ inside TACACS+

crypto map to_client 20 ipsec-isakmp
crypto map to_client 20 match address ABC
crypto map to_client 20 set peer xx.xx.xx.xx
crypto map to_client 20 set transform-set ESP-3DES-MD5

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

Do any of the Cisco / network folks out there know if passing SSH2 traffic through an encrypted site-to-site VPN connection is supported?
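The access-list `inside_authentication_TACACS+` above permits any TCP from 10.0.0.0/8 to 172.25.106.0/24, so an SSH flow to the remote host is subject to `aaa authentication match` exactly as a telnet flow is, while the crypto ACL ABC only covers the host pair 172.30.1.1 / 172.25.106.12. The following is an added example, not code from the thread, that parses the PIX 6.3 access-list lines posted above and reports which named ACLs a candidate flow matches; the inside source address 10.0.16.50 used in the test is constructed.

```python
import ipaddress

# Access-list entries quoted from the PIX config in the thread (remarks dropped).
PIX_ACLS = """
access-list inside_authentication_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0
access-list inside_accounting_TACACS+ permit tcp 10.0.0.0 255.0.0.0 172.25.106.0 255.255.255.0
access-list ABC permit ip host 172.30.1.1 host 172.25.106.12
"""

PORT_KEYWORDS = {"telnet": 23, "ssh": 22, "www": 80}  # PIX port keywords (subset)


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK' (a real netmask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":  # e.g. 'eq ssh' or 'eq 22'
            dport = PORT_KEYWORDS.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def matching_acls(acls, src_ip, dst_ip, proto, dport):
    """ACL names whose first matching entry permits the flow (PIX uses first match)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for name, entries in acls.items():
        for action, p, s, d, port in entries:
            if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
                if action == "permit":
                    hits.append(name)
                break  # first matching entry decides for this ACL
    return hits
```

Running `matching_acls(parse_acls(PIX_ACLS), "10.0.16.50", "172.25.106.12", "tcp", 22)` returns the same two TACACS+ ACL names as port 23 does, which shows the PIX cannot tell the two sessions apart at the ACL level.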