IPSec tunnel not permitting SSH traffic

Charles Edstrom
We have an IPsec tunnel set up between two locations. One side is Cisco and the other a Fortigate. The ACL is set up to allow all traffic between the two locations. Most traffic does work, but we found we are unable to pass SSH traffic through. We can see the SSH traffic leaving the Fortigate. We have no problem connecting with SSH through the NAT statements on the Cisco, so we know it's the tunnel that is causing this. What am I missing?

crypto map chi-map 10 ipsec-isakmp
 description Tunnel to Chicago office
 set peer 99.99.99.99
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 43200
 set transform-set chi-ipsec
 set pfs group20
 match address 100
 reverse-route
access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255
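Added example, not from the question or either vendor: a small checker that parses the crypto ACL quoted above with Cisco wildcard-mask semantics and asks whether both halves of an SSH session (the inbound decrypted request, which IOS matches against the mirror of the crypto ACL, and the outbound reply) are selected for the tunnel. The hosts, the ephemeral port and the contrasting port-qualified ACL are constructed; the page's own `permit ip` selector covers SSH in both directions, so the selector is not what drops it, while a selector narrowed with `eq 22` would silently fail for sessions started from the Fortigate side.

```python
import ipaddress
import re

# The crypto ACL from the question (the Cisco's interesting-traffic selector).
PAGE_ACL = "access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255"
# Constructed contrast, not from the page: the same selector narrowed to SSH by port.
NARROW_ACL = "access-list 100 permit tcp 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255 eq 22"

ACE_RE = re.compile(
    r"access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<swc>\S+)\s+(?P<dst>\S+)\s+(?P<dwc>\S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)

def parse_acl(text):
    """Parse numbered extended-ACL lines with wildcard masks (the shape used on the page)."""
    return [m.groupdict() for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(aces, src, dst, proto, dport):
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    for e in aces:
        if ((e["proto"] == "ip" or e["proto"] == proto)
                and (e["dport"] is None or int(e["dport"]) == dport)
                and wildcard_match(src, e["src"], e["swc"])
                and wildcard_match(dst, e["dst"], e["dwc"])):
            return e["action"] == "permit"
    return False

def ssh_session_selected(aces, cisco_side_host, remote_host, initiated_from_cisco_side,
                         ephemeral_port=50000):
    """Does the Cisco's crypto ACL select both halves of an SSH session?

    Outbound packets are matched against the ACL directly; inbound decrypted packets
    are matched against its mirror image. For a TCP session both checks reduce to one
    lookup: src = Cisco-side host, dst = remote host, destination port = 22 only when
    the Cisco-side host is the client (otherwise the client's ephemeral port)."""
    dport = 22 if initiated_from_cisco_side else ephemeral_port
    return acl_permits(aces, cisco_side_host, remote_host, "tcp", dport)

if __name__ == "__main__":
    for name, text in (("page ACL", PAGE_ACL), ("narrow ACL", NARROW_ACL)):
        aces = parse_acl(text)
        # The question's case: SSH from a host behind the Fortigate to a switch behind the Cisco.
        inbound = ssh_session_selected(aces, "192.168.254.5", "192.168.22.10", False)
        outbound = ssh_session_selected(aces, "192.168.254.5", "192.168.22.10", True)
        print(f"{name}: SSH into Cisco side={inbound}, SSH out of Cisco side={outbound}")
```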

Christopher Jay Wolff, Wiggle My Legs, Owner

Commented:
You know so much more than I about this.  I can mostly read about it and search to maybe save some time for you, if I get lucky.

One place I finally found explained the same problem getting SSH to work over a tunnel between two different Cisco units. To paraphrase, the default setting is that you cannot manage ASA2 on an interface that is different from the one to which ASA1 is connected. So traffic from ASA2 goes through the tunnel and ends up at ASA1 on the outside interface. At the same time, ASA1 is trying to manage ASA2 on the inside interface.

If I understand it correctly, to allow SSH on the inside interface, the fix is using the command:

management-access

The way Cisco puts it is below:

NAT and VPN Management Access

When using VPN, you can allow management access to an interface other than the one from which you entered the ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.

From here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

Did I get lucky?
Charles Edstrom, Network Engineer

Author

Commented:
Neither device is an ASA.
Raymond Zwarts, Network Engineer

Commented:
If I read correctly, you are trying to connect from behind the Fortigate VPN box to a network behind a Cisco router running IPsec (with a crypto map and a simple match 100).

Or are you trying to SSH to the Cisco IPsec router from behind the Fortigate?

And also I do not see any NAT config. Is that a workaround?
Charles Edstrom, Network Engineer

Author

Commented:
I'm trying to SSH to a switch behind the Cisco router over the IPsec tunnel.
