Charles Edstrom
asked on
IPSec tunnel not permitting SSH traffic
We have an IPsec tunnel set up between two locations. One side is Cisco and the other a Fortigate. The ACL is set up to allow all traffic between the two locations. Most traffic does work, but we found we are unable to pass SSH traffic through. We can see the SSH traffic leaving the Fortigate. We have no problem connecting with SSH through the NAT statements on the Cisco, so we know it's the tunnel that is causing this. What am I missing?
crypto map chi-map 10 ipsec-isakmp
description Tunnel to Chicago office
set peer 99.99.99.99
set security-association lifetime kilobytes disable
set security-association lifetime seconds 43200
set transform-set chi-ipsec
set pfs group20
match address 100
reverse-route
access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255
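As an added illustration (not part of the original post), the following checker evaluates a flow against the crypto ACL quoted above using Cisco wildcard-mask semantics. It shows that `permit ip` already covers tcp/22, and that the ACL as written on the Cisco only describes traffic sourced from 192.168.254.0/24, so the Fortigate's phase-2 selectors must be the mirror image for the SSH session from the Fortigate side to match. The sample flows are constructed; the `any`/`host`/`eq` handling is added for completeness and is not taken from the post.

```python
import ipaddress

# Constructed sample: the crypto ACL from the question. Cisco applies an
# implicit deny after the last ACE, which acl_decision() reproduces.
CRYPTO_ACL = [
    "access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255",
]

PROTO = {"ip": 0, "tcp": 6, "udp": 17, "icmp": 1}  # 0 = any protocol


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i].
    Returns ((base, wildcard), next_index) with both values as integers."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wc), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[2], "proto": PROTO[t[3]], "src": src, "dst": dst, "port": port}


def _wc_match(addr, spec):
    """Wildcard semantics: a 1 bit means 'don't care', so compare only 0 bits."""
    base, wc = spec
    return (addr & ~wc & 0xFFFFFFFF) == (base & ~wc & 0xFFFFFFFF)


def acl_decision(acl_lines, src_ip, dst_ip, proto, dst_port=None):
    """Return 'permit' or 'deny' for one flow, evaluating ACEs in order.
    An 'ip' ACE matches every protocol and every port (so SSH is included)."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (0, PROTO[proto]):
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        if _wc_match(s, ace["src"]) and _wc_match(d, ace["dst"]):
            return ace["action"]
    return "deny"  # Cisco's implicit deny at the end of every ACL
```

Running the SSH flow in both directions shows the asymmetry: the reply from the switch (192.168.254.x to 192.168.22.x) matches this ACL, while the initiating packet only matches if the Fortigate's selector is the exact mirror of it.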
ASKER
Neither device is an ASA.
If I read correctly you are trying to connect from behind the fortigate VPN box to a network behind a Cisco router running IPSec (with a crypto map and a simple match 100).
Or are you trying to SSH to the Cisco IPSec router from behind the fortigate ?
And also I do not see any NAT config. Is that a workaround?
ASKER
I'm trying to SSH to a switch behind the Cisco router over the IPsec tunnel.
One place I finally found explained the same problem getting SSH to work over tunnel between two different Cisco units. To paraphrase, the default setting is that you cannot manage ASA2 on an interface that is different than the one to which ASA1 is connected. So traffic from ASA2 goes through tunnel and ends up at ASA1 on the outside interface. At the same time, ASA1 is trying to manage ASA2 on the inside interface.
If I understand it correctly, to allow SSH on the inside interface, the fix is using the command:
management-access
The way Cisco puts it is here below, from here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html
Did I get lucky?