d4nnyo

asked on

ASA 5512X - need help accessing ASDM/SSH from inside VPN

My VPN access is fine, but when I try to SSH/ASDM while on the VPN, nothing is getting contacted. What's missing from the (sanitized) config below?

Thank you!


*************************

: Saved
:
ASA Version 9.1(2)
!
hostname
enable password
names
ip local pool VPNPool 192.168.199.100-192.168.199.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 description
 nameif TWCF
 security-level 0
 ip address  
!
interface GigabitEthernet0/1
 nameif Cable
 security-level 0
 ip address
!
interface GigabitEthernet0/2
 description inside
 nameif inside
 security-level 100
 ip address 192.168.24.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone
clock summer-time recurring
object network obj-192.168.24.0
 subnet 192.168.24.0 255.255.255.0
object network obj-192.168.199.0
 subnet 192.168.199.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.24.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list TWCF_access_in extended permit ip object obj-192.168.199.0 any
access-list inside_access_in extended permit ip object obj-192.168.199.0 any
access-list inside_access_in extended permit ip object obj-192.168.24.0 any
pager lines 24
logging asdm informational
mtu TWCF 1500
mtu Cable 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,TWCF) source static obj-192.168.24.0 obj-192.168.24.0 destination static obj-192.168.199.0 obj-192.168.199.0
!
nat (inside,TWCF) after-auto source dynamic any interface
nat (inside,Cable) after-auto source dynamic any interface
access-group TWCF_access_in in interface TWCF control-plane
access-group inside_access_in in interface inside control-plane
route TWCF 0.0.0.0 0.0.0.0 1 track 1
route Cable 0.0.0.0 0.0.0.0 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.24.0 255.255.255.0 inside
http 192.168.199.0 255.255.255.0 TWCF
http 192.168.199.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 TWCF
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho  interface TWCF
 num-packets 3
 timeout 3000
 frequency 5
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map TWCF_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TWCF_map interface TWCF
crypto map Cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Cable_map interface Cable
crypto ca trustpool policy
crypto ikev1 enable TWCF
crypto ikev1 enable Cable
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 TWCF
ssh 192.168.24.0 255.255.255.0 inside
ssh 192.168.199.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.24.100-192.168.24.200 inside
dhcpd dns  interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username password encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (TWCF) VPNPool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d6223b7e6b4d2b3fb4124c9b125bf571
: end
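As an added example (not from the question or any of the answers), here is a Python check of the preconditions for management access over VPN that this config's own lines set up: the VPN pool must be admitted by `ssh` and `http` on the `management-access` interface, and each interface that carries a crypto map needs an identity NAT rule from that interface to the pool. It reads a constructed excerpt of the posted config; the `route-lookup` finding is an assumption to verify against Cisco documentation for the running release, not something the thread states.

```python
import re, ipaddress
# Constructed excerpt of the sanitized config posted in the question: only the lines this check reads.
ASA_CONFIG = """\
ip local pool VPNPool 192.168.199.100-192.168.199.200 mask 255.255.255.0
object network obj-192.168.24.0
 subnet 192.168.24.0 255.255.255.0
object network obj-192.168.199.0
 subnet 192.168.199.0 255.255.255.0
nat (inside,TWCF) source static obj-192.168.24.0 obj-192.168.24.0 destination static obj-192.168.199.0 obj-192.168.199.0
crypto map TWCF_map interface TWCF
crypto map Cable_map interface Cable
http 192.168.199.0 255.255.255.0 inside
ssh 192.168.199.0 255.255.255.0 inside
management-access inside
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_mgmt_over_vpn(cfg):
    """Return findings (strings); an empty list means every precondition was found."""
    lines = [l.rstrip() for l in cfg.splitlines() if l.strip()]
    pool_m = next((m for l in lines if (m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", l))), None)
    mgmt_m = next((m for l in lines if (m := re.match(r"management-access (\S+)", l))), None)
    if not pool_m or not mgmt_m:
        return ["missing 'ip local pool' or 'management-access' line"]
    pool, mgmt = net(pool_m[1], pool_m[2]), mgmt_m[1]
    objects, cur = {}, None                      # object network NAME -> subnet
    for l in lines:
        if l.startswith("object network "):
            cur = l.split()[2]
        elif cur and l.startswith(" subnet "):
            objects[cur], cur = net(*l.split()[1:3]), None
    findings = []
    # 1) ssh/http on the management-access interface must admit the VPN pool
    for svc in ("ssh", "http"):
        if not any((m := re.match(rf"{svc} (\S+) (\S+) (\S+)$", l)) and m[3] == mgmt
                   and pool.subnet_of(net(m[1], m[2])) for l in lines):
            findings.append(f"{svc}: pool {pool} is not permitted on interface {mgmt}")
    # 2) each interface that terminates VPN needs an identity (no-NAT) rule from mgmt to the pool
    for vpn_if in (cm[1] for l in lines if (cm := re.match(r"crypto map \S+ interface (\S+)", l))):
        pat = rf"nat \({mgmt},{vpn_if}\) source static (\S+) \1 destination static (\S+) \2( .*)?$"
        rule = next((m for l in lines if (m := re.match(pat, l))), None)
        dest = objects.get(rule[2]) if rule else None
        if dest is None or not pool.subnet_of(dest):
            findings.append(f"{vpn_if}: no identity NAT ({mgmt},{vpn_if}) exempting pool {pool}")
        elif "route-lookup" not in rule[0]:
            # Assumption to verify for your release: Cisco's 9.x management-over-VPN examples add route-lookup here.
            findings.append(f"{vpn_if}: identity NAT lacks route-lookup (verify for this release)")
    return findings
```

Run against the excerpt it reports the Cable interface, which carries `Cable_map` but has no `nat (inside,Cable)` exemption, and the missing `route-lookup` on the TWCF rule; adding the Cable exemption clears that finding.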
NetExpert Network Solutions Pte Ltd

Can you add the command below and try?

ASA(config)# management-access inside
d4nnyo

ASKER

That line is already in the config -- see this section:

track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 TWCF
ssh 192.168.24.0 255.255.255.0 inside
ssh 192.168.199.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.24.100-192.168.24.200 inside
dhcpd dns  interface inside
dhcpd enable inside
ASKER CERTIFIED SOLUTION
NetExpert Network Solutions Pte Ltd
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Pete Long
^^^ This is what usually trips me up, that's what my money is on :)
Remote ASA Management via VPN
DO NOT ACCEPT THIS COMMENT!


Pete

ASKER

Hi Pete,

What do you mean by "DO NOT ACCEPT THIS COMMENT?"

ASKER

Pete -- I see, understood. Assuming the resolution works, I'll apply points to the commenter above your remark.
The poster above me supplied the correct resolution :)