Charles Edstrom asked on

IPSec tunnel not permitting SSH traffic

We have an IPsec tunnel set up between two locations. One side is Cisco and the other a Fortigate. The ACL is set up to allow all traffic between the two locations. Most traffic does work, but we found we are unable to pass SSH traffic through. We can see the SSH traffic leaving the Fortigate. We have no problem connecting with SSH through the NAT statements on the Cisco, so we know it's the tunnel that is causing this. What am I missing?

crypto map chi-map 10 ipsec-isakmp
 description Tunnel to Chicago office
 set peer 99.99.99.99
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 43200
 set transform-set chi-ipsec
 set pfs group20
 match address 100
 reverse-route
access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255
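To check that an SSH session is "interesting traffic" in both directions under the crypto ACL above, here is an added example that is not part of the thread: it parses the Cisco wildcard-mask ACE, evaluates the client-to-switch request against the mirrored selector the Fortigate side must hold, and evaluates the switch-to-client reply against the Cisco's own ACE. The function names are mine and any host addresses passed to check_ssh_flow are assumed, not taken from the question.

```python
import ipaddress
import re

# Crypto ACL 100 as shown in the question (Cisco address/wildcard-mask form).
CRYPTO_ACL = "access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255"

ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse one 'permit/deny <proto> <src> <wc> <dst> <wc>' ACE into integers."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    number, action, proto, src, src_wc, dst, dst_wc = m.groups()
    return {"number": number, "action": action, "proto": proto,
            "src": _ip(src), "src_wc": _ip(src_wc), "dst": _ip(dst), "dst_wc": _ip(dst_wc)}

def _addr_matches(addr, ace_addr, wildcard):
    # Cisco wildcard semantics: a 1 bit means 'ignore this bit'. Masking with the
    # complement also handles non-contiguous wildcards, which IPv4Network cannot.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (ace_addr & care)

def selects(ace, src_ip, dst_ip, proto="tcp"):
    """True if the flow src_ip -> dst_ip is 'interesting traffic' under this ACE."""
    proto_ok = ace["proto"] in ("ip", proto)
    return (ace["action"] == "permit" and proto_ok
            and _addr_matches(_ip(src_ip), ace["src"], ace["src_wc"])
            and _addr_matches(_ip(dst_ip), ace["dst"], ace["dst_wc"]))

def mirror(ace):
    """The ACE the remote peer must hold: source and destination swapped."""
    return dict(ace, src=ace["dst"], src_wc=ace["dst_wc"], dst=ace["src"], dst_wc=ace["src_wc"])

def mirror_text(ace):
    m, f = mirror(ace), lambda n: str(ipaddress.IPv4Address(n))
    return f"{m['action']} {m['proto']} {f(m['src'])} {f(m['src_wc'])} {f(m['dst'])} {f(m['dst_wc'])}"

def check_ssh_flow(acl_line, client_ip, switch_ip):
    """SSH from a client behind the Fortigate to a switch behind the Cisco: the request
    must match the Fortigate's (mirrored) selector and the reply the Cisco's own ACE."""
    ace = parse_ace(acl_line)
    return {"request_selected": selects(mirror(ace), client_ip, switch_ip),
            "reply_selected": selects(ace, switch_ip, client_ip),
            "fortigate_selector": mirror_text(ace)}
```

If both directions report True and the Fortigate's phase 2 selectors match the printed mirror, the crypto ACL is not what blocks SSH and the problem lies elsewhere in the path.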
Christopher Jay Wolff:

You know so much more than I about this.  I can mostly read about it and search to maybe save some time for you, if I get lucky.

One place I finally found explained the same problem getting SSH to work over a tunnel between two different Cisco units. To paraphrase, the default setting is that you cannot manage ASA2 on an interface that is different than the one to which ASA1 is connected. So traffic from ASA2 goes through the tunnel and ends up at ASA1 on the outside interface. At the same time, ASA1 is trying to manage ASA2 on the inside interface.

If I understand it correctly, to allow SSH on the inside interface, the fix is using the command:

management-access

The way Cisco puts it is below:
NAT and VPN Management Access

When using VPN, you can allow management access to an interface other than the one from which you entered the ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.

From here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

Did I get lucky?
Charles Edstrom (asker):

Neither device is an ASA.

If I read correctly, you are trying to connect from behind the Fortigate VPN box to a network behind a Cisco router running IPsec (with a crypto map and a simple match 100).

Or are you trying to SSH to the Cisco IPsec router from behind the Fortigate?

And also I do not see any NAT config. Is that a workaround?

I'm trying to SSH to a switch behind the Cisco router over the IPsec tunnel.