IPSec tunnel not permitting SSH traffic

We have an IP sec tunnel setup between two locations, Once side is Cisco and the other a Fortigate. The ACL is setup to allow all traffic between the two locations. Most traffic does work but we found we are unable to pass SSH traffic through. We can see the SSH traffic leaving the Fortigate.  We have no problem connecting with SSH through the NAT statements on teh Cisco, so we know its the tunnel that is causing this. What am I missing?

crypto map chi-map 10 ipsec-isakmp
 description Tunnel to Chicago office
 set peer 99.99.99.99
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 43200
 set transform-set chi-ipsec
 set pfs group20
 match address 100
 reverse-route


access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255
Charles EdstromNetwork EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Christopher Jay WolffWiggle My Legs, OwnerCommented:
You know so much more than I about this.  I can mostly read about it and search to maybe save some time for you, if I get lucky.

One place I finally found explained the same problem getting SSH to work over tunnel between two different Cisco units.  To paraphrase, the default setting is that you cannot manage ASA2 on an interface that is different than the one to which ASA1 is connected.  So traffic from ASA2 goes through tunnel and ends up at ASA1 on the outside interface.  At the same time, ASA1 is trying to manage ASA2 on the inside interface.

If I understand it correctly, to allow SSH on the inside interface, the fix is using the command:

management-access

the way Cisco puts it is here below.
NAT and VPN Management Access

When using VPN, you can allow management access to an interface other than the one from which you entered the ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.

from here.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html



Did I get lucky?
Charles EdstromNetwork EngineerAuthor Commented:
Neither device is an ASA.
Raymond ZwartsNetwork EngineerCommented:
If I read correctly you are trying to connect from behind the fortigate VPN box to a network behind a Cisco router running IPSec (with a crypto map and a simple match 100).

Or are you trying to SSH to the Cisco IPSec router from behind the fortigate ?

And also I do not see any NAT config. Is that a workaround?
Charles EdstromNetwork EngineerAuthor Commented:
I'm trying to SSH to a switch behind the Cisco router over teh IPSec tunnel.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.