Problem with sending SSH2 traffic over a site-to-site VPN using a Cisco PIX and a Cisco ASA

Posted on 2010-01-08
Last Modified: 2012-05-08
I am trying to send SSH2 traffic over a site-to-site VPN connection, using a Cisco PIX on the tunnel-origination side, and a Cisco ASA on the remote side.  The Cisco PIX is running IOS version 6.3(5). The ASA is running IOS 7.2.
To give some background, the VPN is configured so that when someone on the PIX side attempts a connection, their traffic is forwarded to a TACACS server which prompts them for their company network username and password. Once the person successfully enters their credentials, the traffic is then sent back to the PIX and the tunnel is initiated. This works fine with a telnet connection attempt.
With an SSH connection attempt (we use SSH2), we do not receive the prompt to authenticate with our network username and password, but only receive the message 'Failed to connect.' We are attempting the SSH connection using the SmarTerm terminal emulator (version 13.0.0).
When I do a 'debug SSH' on the PIX and then try the SSH connection, nothing is reported on the PIX, as if the traffic didn't even hit the PIX.
My network group tells me the core switch, which passes the traffic between the PIX and TACACS server, does not discriminate between telnet and SSH traffic.
Do I need to enable SSH on the PIX? If so, do you know how? I searched Cisco's documentation on their web site but saw nothing about enabling SSH on a PIX.
Any thoughts on this one are appreciated.
Question by: LordKlee

    Expert Comment

    You need to generate rsa keys and enable the ssh server for the specified interfaces, have a look at this walkthrough:

    Author Comment

    Thank you Gustav. If I understand that article, it goes over setting up an SSH connection to the PIX; I am trying to accomplish an SSH connection through the PIX and the remote ASA, to a host system on the remote side running an SSH service.

    Expert Comment

    Um, so let's say you have a subnet behind the ASA which is, subnet behind the pix of From a host behind the pix (in the subnet) you initiate a telnet connection to a host in the subnet? And then the _pix_ prompts you for your l/p which it authenticates to a tacacs server? How is this done? I don't know of any way for the pix to intercept the telnet and/or ssh traffic and present its own login prompt to the user. Are you sure this is the way it's set up? Could you please shed some more light on the setup, how is the pix set up to provide the user login prompt on the telnet connection etc.
    Expert Comment

    by: Istvan Kalmar
    The debug ssh is used for local ssh debugging, please view the log online,....
    Expert Comment

    It seems like you are ssh'ing between 2 hosts on either end of the tunnel. So AAA shouldn't be involved unless the host is doing AAA.
    You don't need debug SSH either since this is through the box and not to the box.

    Look at the access-lists associated with the crypto map, or the NAT. Maybe something there. Maybe a config post will help.

    Author Comment

    Here's what the config looks like on the PIX, located on the network where the SSH traffic originates from, for a given VPN tunnel, which we identify as ABC. You see in the access list that we are permitting ip traffic, which should include SSH.

    access-list inside_authentication_TACACS+ remark ABC
    access-list inside_authentication_TACACS+ permit tcp

    access-list inside_accounting_TACACS+ remark ABC
    access-list inside_accounting_TACACS+ permit tcp

    access-list ABC permit ip host host

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server TACACS+ (inside) host ******* timeout 5
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication match inside_authentication_TACACS+ inside TACACS+
    aaa authentication http console TACACS+
    aaa authentication serial console LOCAL
    aaa authentication ssh console TACACS+
    aaa accounting match inside_accounting_TACACS+ inside TACACS+

    crypto map to_client 20 ipsec-isakmp
    crypto map to_client 20 match address ABC
    crypto map to_client 20 set peer xx.xx.xx.xx
    crypto map to_client 20 set transform-set ESP-3DES-MD5

    isakmp key ******** address xx.xx.xx.xx netmask


    Author Comment

    Do any of the Cisco / network folks out there know if passing SSH2 traffic through an encrypted site-to-site VPN connection is supported?

    Accepted Solution

    Got this figured out. The issue was that the TACACS server does not allow SSH traffic, only telnet. So, we authenticate using telnet, then initiate an SSH connection to the remote host. The tunnel gets initiated from the local PIX to the remote ASA, and as long as nothing on the remote side is blocking SSH, we get prompted for the login credentials and all is good.
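As an added example (not code from the thread, and not a Cisco tool), the following Python model replays the sequence the accepted solution describes against the PIX 6.x cut-through proxy configured by `aaa authentication match`. The point it makes explicit: the PIX can only present its own login prompt on services it knows how to intercept inline (Telnet, FTP, HTTP, HTTPS, as documented for PIX 6.3); any other connection matched by the aaa ACL, SSH on port 22 included, is simply refused until the source address holds an entry in the per-user auth (uauth) cache, which is why the first SSH attempt fails without a prompt and why a Telnet login first makes the subsequent SSH succeed. The interceptable port set and the 5-minute absolute uauth default (`timeout uauth 0:05:00 absolute`) are assumptions taken from the PIX documentation, not from the page; all addresses, the ACL entry and the user name are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Services PIX 6.x can challenge inline with its own login prompt
# (assumption from the PIX 6.3 documentation, not from the thread).
# Anything else matched by the aaa ACL is refused until the source IP
# has a valid uauth cache entry.
INTERCEPTABLE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 443: "https"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass
class AclEntry:
    """One line of the aaa-match ACL, e.g. `permit tcp <src> <dst>`."""
    proto: str  # "tcp", "udp" or "ip"
    src: str    # CIDR
    dst: str    # CIDR
    dport: Optional[int] = None  # None means any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst))


@dataclass
class UauthEntry:
    user: str
    authenticated_at: float
    last_seen: float


class CutThroughProxy:
    """Per-source-IP authentication cache, modelling `timeout uauth`."""

    def __init__(self, acl: List[AclEntry], absolute: float = 300.0,
                 inactivity: float = 0.0):
        # Defaults model `timeout uauth 0:05:00 absolute` (assumption).
        self.acl = acl
        self.absolute = absolute
        self.inactivity = inactivity
        self.uauth: Dict[str, UauthEntry] = {}

    def _valid(self, src: str, now: float) -> bool:
        e = self.uauth.get(src)
        if e is None:
            return False
        if self.absolute and now - e.authenticated_at >= self.absolute:
            del self.uauth[src]
            return False
        if self.inactivity and now - e.last_seen >= self.inactivity:
            del self.uauth[src]
            return False
        return True

    def decide(self, f: Flow, now: float, tacacs_ok: Optional[bool] = None,
               user: str = "") -> str:
        """Outcome for one new connection attempt from f.src.

        'pass'          - not matched by the aaa ACL; authentication not involved
        'allow'         - source already holds a valid uauth entry
        'authenticated' - interceptable service, prompt shown, TACACS+ accepted
        'auth_failed'   - interceptable service, prompt shown, TACACS+ rejected
        'deny'          - non-interceptable service (e.g. SSH/22) and no uauth
                          entry: the PIX cannot prompt, so the connection fails
        """
        if not any(a.matches(f) for a in self.acl):
            return "pass"
        if self._valid(f.src, now):
            self.uauth[f.src].last_seen = now
            return "allow"
        if f.proto == "tcp" and f.dport in INTERCEPTABLE_PORTS:
            if tacacs_ok:
                self.uauth[f.src] = UauthEntry(user, now, now)
                return "authenticated"
            return "auth_failed"
        return "deny"


def demo() -> List[str]:
    """Replay the thread's sequence with constructed addresses."""
    acl = [AclEntry("tcp", "10.1.1.0/24", "192.168.2.0/24")]  # constructed
    pix = CutThroughProxy(acl)
    host, target = "10.1.1.5", "192.168.2.10"  # constructed
    ssh = Flow(host, target, "tcp", 22)
    telnet = Flow(host, target, "tcp", 23)
    return [
        pix.decide(ssh, now=0),                                   # no prompt possible
        pix.decide(telnet, now=1, tacacs_ok=True, user="alice"),  # Telnet login first
        pix.decide(ssh, now=2),                                   # uauth cache hit
        pix.decide(ssh, now=301),                                 # absolute timeout
    ]


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the model: the SSH window only lasts as long as the uauth entry (the absolute timeout in the config, so a long-lived Telnet session does not keep it alive), and the decision is keyed on the source IP, so any host sharing that address behind a NAT inherits the authentication. PIX 6.x also provides `virtual telnet` for exactly this pattern, letting the user authenticate to a virtual address instead of having to Telnet to the real target first.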
