Problem with sending SSH2 traffic over a site-to-site VPN using a Cisco PIX and a Cisco ASA

Posted on 2010-01-08
Medium Priority
Last Modified: 2012-05-08
I am trying to send SSH2 traffic over a site-to-site VPN connection, using a Cisco PIX on the tunnel-origination side, and a Cisco ASA on the remote side.  The Cisco PIX is running IOS version 6.3(5). The ASA is running IOS 7.2.
To give some background, the VPN is configured so that when someone on the PIX side attempts a connection, their traffic is forwarded to a TACACS server which prompts them for their company network username and password. Once the person successfully enters their credentials, the traffic is then sent back to the PIX and the tunnel is initiated. This works fine with a telnet connection attempt.
With an SSH connection attempt (we use SSH2), we do not receive the prompt to authenticate with our network username and password, but only receive the message 'Failed to connect.' We are attemtping the SSH connection using the SmarTerm terminal emulator (version 13.0.0).
When I do a 'debug SSH' on the PIX and then try the SSH connection, nothing is reported on the PIX, as if the traffic didn't even hit the PIX.
My network group tells me the core switch, which passes the traffic between the PIX and TACACS server, does not discriminate between telnet and SSH traffic.
Do I need to enable SSH on the PIX? If so, do you know how? I searched Cisco's documentation on their web site but saw nothing about enabling SSH on a PIX.
Any thoughts on this one are appreciated.
Question by:LordKlee

Expert Comment

ID: 26211621
You need to generate rsa keys and enable the ssh server for the specified interfaces, have a look at this walkthrough:


Author Comment

ID: 26211798
Thank you Gustav. If I understand that article, it goes over setting up an SSH connection to the PIX; I am trying to accomplish an SSH connection through the PIX and the remote ASA, to a host system on the remote side running an SSH service.

Expert Comment

ID: 26211887
Um, so let's say you have a subnet behind the ASA which is, subnet behind the pix of From a host behind the pix (in the subnet) you initiate a telnet connection to a host in the subnet? And then the _pix_ prompts you for your l/p which it authenticates to a tacacs server? How is this done? I don't know of any way for the pix to intercept the telnet and/or ssh traffic and present it's own login prompt to the user. Are you sure this is the way it's setup? Could you please shed some more light on the setup, how is the pix setup to provide the user login prompt on the telnet connection etc.
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26211890
The debug ssh is use for local ssh debugging, please view the log online,....

Expert Comment

ID: 26273243
it seems like you are ssh'ing between 2 hosts on either end of the tunnel. So AAA shouldnt be involved unless the host is going AAA.
You dont need debug SSH either since this is through the box and not to the box.

Look at the access-lists associated with the crypto map. or the NAT. maybe something there. maybe a config post will help

Author Comment

ID: 26284622
Here's what the config looks like on the PIX, located on the network where the SSH traffic originates from, for a given VPN tunnel, which we identify as ABC. You see in the access list that we are permitting ip traffic, which should include SSH.

access-list inside_authentication_TACACS+ remark ABC
access-list inside_authentication_TACACS+ permit tcp

access-list inside_accounting_TACACS+ remark ABC
access-list inside_accounting_TACACS+ permit tcp

access-list ABC permit ip host host

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host ******* timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication match inside_authentication_TACACS+ inside TACACS+
aaa authentication http console TACACS+
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS+
aaa accounting match inside_accounting_TACACS+ inside TACACS+

crypto map to_client 20 ipsec-isakmp
crypto map to_client 20 match address ABC
crypto map to_client 20 set peer xx.xx.xx.xx
crypto map to_client 20 set transform-set ESP-3DES-MD5

isakmp key ******** address xx.xx.xx.xx netmask


Author Comment

ID: 26831875
Do any of the Cisco / network folks out there know if passing SSH2 traffic through an encrypted site-to-site VPN connection is supported?

Accepted Solution

LordKlee earned 0 total points
ID: 27614382
Got this figured out. The issue was that the TACACS server does not allow SSH traffic, only telnet. So, we authenticate using telnet, then initiate an SSH connection to the remote host. The tunnel gets initiated from the local PIX to the remote ASA, and as long as nothing on the remote side is blocking SSH, we get prompted for the login credentials and all is good.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month16 days, 6 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question