Not able to telnet or ssh to outside interface of ASA and Cisco Router

Dear All,
Please help me with the following question. I have set up a testing lab, but it still does not work.
It is a hub-and-spoke site-to-site VPN case; the connection between hub and spoke is Metro-E, so we are using private IPs for the outside interface at each site.
Hub -- Juniper SRX
Spoke one -- Cisco ASA with version 9.1(5)
Spoke two -- Cisco router with version 12.3
The site-to-site VPN has been successfully established. The customer would like to telnet/ssh to the spoke's outside IP from the hub (using the hub's outside interface as the source for telnet/ssh), or vice versa. The reason for setting it up like this is that they want to be able to make configuration changes even when the site-to-site VPN is down. It sounds like an easy job to do; I tried for a long time and searched this forum and Google too, but it still does not work.
Now I can successfully telnet/ssh to the hub SRX's outside interface from the spoke (the ASA has no telnet/ssh client, so I tested using the Cisco router).
Has anyone done this before? Please help by sharing your experience. Does the Cisco ASA or router even support it?
When I tested it, of course the site-to-site VPN was still up and running.
Thanks
YK

Hello YK,
In this case, on the ASA you should have the following:
Configuring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
To specify an interface as a management-only interface, enter the following command:
hostname(config)# management-access management_interface
where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
You can define only one management-access interface.
Also make sure you have the pertinent configuration for SSH, Telnet, ASDM and SNMP (if required). For a quick test in your lab you can enable:
SSH
- ssh 0 0 outside
- aaa authentication ssh console LOCAL
- Make sure you have a default RSA key, or create a new one either way, with this command:
    crypto key generate rsa modulus 2048
Telnet
- telnet 0 0 outside
- aaa authentication telnet console LOCAL
Afterwards, if this works, you can define the subnets that should be permitted.
On the router:
!--- Step 1: Configure the hostname if you have not previously done so.
hostname Router
!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the router's DNS domain.
ip domain-name yourdomain.com
!--- Step 3: Generate an RSA key pair to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet and SSH are both supported with transport input all.
line vty 0 4
transport input all
!--- Instead of aaa new-model, the login local command may be used.
no aaa new-model
line vty 0 4
  login local
Let me know how it works out!
Please don't forget to rate and mark as correct the helpful post!
Regards,
David Castro
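As an added example (not from the thread or from Cisco), a small Python check that reads an ASA configuration like the lab one in the answer above and flags what that answer says to tighten afterwards: any-source ssh/telnet lines, telnet on an interface, and a missing management-access interface. The two sample configs are constructed, and 10.10.10.1 is a placeholder peer address.

```python
import re
from typing import List

# Constructed sample configs, not from any real device. The first mirrors the
# quick lab test in the answer above; the second is a tightened version where
# 10.10.10.1 is a placeholder for the hub's outside address.
LAB_ASA_CONFIG = """\
hostname spoke-asa
management-access inside
ssh 0 0 outside
aaa authentication ssh console LOCAL
telnet 0 0 outside
aaa authentication telnet console LOCAL
"""

HARDENED_ASA_CONFIG = """\
hostname spoke-asa
management-access inside
ssh 10.10.10.1 255.255.255.255 outside
aaa authentication ssh console LOCAL
"""

# "0 0" is ASA shorthand for 0.0.0.0 0.0.0.0, i.e. any source address.
ANY_SOURCE = {("0", "0"), ("0.0.0.0", "0.0.0.0")}
# ssh/telnet access lines: <proto> <address> <mask> <interface>
ACCESS_LINE = re.compile(r"^(ssh|telnet)\s+(\d[\d.]*)\s+(\d[\d.]*)\s+(\S+)$")


def audit_remote_access(config: str) -> List[str]:
    """Return findings for the ssh, telnet and management-access lines."""
    findings: List[str] = []
    has_mgmt_access = has_ssh = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("management-access "):
            has_mgmt_access = True
            continue
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        has_ssh = has_ssh or proto == "ssh"
        if (addr, mask) in ANY_SOURCE:
            findings.append(f"{proto} on {iface} accepts any source ({line}): "
                            "restrict it to the peer's management address")
        if proto == "telnet":
            findings.append(f"telnet on {iface} sends credentials in cleartext: "
                            "prefer ssh once the lab test has passed")
    if not has_mgmt_access:
        findings.append("no management-access interface: managing an interface "
                        "other than the tunnel endpoint over the VPN will fail")
    if not has_ssh:
        findings.append("no ssh access line: ssh is not permitted on any interface")
    return findings
```

Run it against a `show running-config` dump before and after tightening; an empty list means the three checks pass.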

Similar Messages

  • Not Able to Telnet or SSH Cisco ASA

    Hi,
    I am not able to do the following on a Cisco ASA with one IP address, 172.19.1.11; below is the configuration on the ASA. Earlier it was working; all of a sudden it stopped working.
    Please help.
    1. Not able to SSH.
    2. Solarwinds is not able to take information from the ASA.
    http 172.19.1.11 255.255.255.255 inside
    snmp-server host inside 172.19.1.11 community srnemapd
    telnet 172.19.1.11 255.255.255.255 inside
    ssh 172.19.1.11 255.255.255.255 inside
    ntp server 172.19.1.11 source inside prefer

    Hi there,
    Just add a new IP address for SSH to the ASA; this will kick-start the daemon.
    This new IP does not have to be a real one.
    Hope this helps.
    Thanks
    Rizwan Rafeek

  • SSH on Outside interface on ASA 5510

    Hi All,
    I need SSH access on my ASA outside interface and have added
    ssh ipremoved 255.255.255.255 outside
    access-list acl_outside extended permit tcp host ipremoved any eq 22
    but this is the log I get from the ASA:
    Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    Can someone please help me?
    Many thanks,
    cheers..

    Many thanks for the quick reply.
    My connection is something like below:
           Site A                                          Site B
    PC--10.6.40.148 ---- ASA public IP ------ cloud ------ public IP ASA
    Site to Site IPsec VPN
    I am able to SSH to the ASA on the private IP of the management interface; now I need to SSH to the site B public IP to manage it.
    I have allowed the ACL on the site A ASA for the PC to go through; I can see the hit count on it.
    The reason is that I need to manage the site B ASA on its public IP, because on site A I am changing the internet provider, so if I have access to the site B ASA I can change the peer IP to the new IP and re-establish the VPN.
    Many thanks for the help,
    cheers

  • I am not able to telnet my content rule VIP address

    I am not able to telnet to my content rule VIP address and port number, but I am able to telnet directly to the service servers which are added to the content rule set. Can anyone tell me why? I have updated to the latest WebOS 5.00 Build 69. The content switch model is the 11050. Thank you very much.

    Is it possible to have one-armed and in-line in the same content switch?
    Currently some of my content rules are using the one-armed solution; there is only one rule for which I need the server to see the original IP. I guess my question is, can I have this rule use the in-line solution only, so I will not impact the other rule sets?
    The other question: since this content rule's service server has only one interface, can I have this in-line solution go into the content switch and come out of the content switch on the same server farm switch? Thank you for all the help.

  • Services are running in Server 2008. But still not able to telnet on localhost

    Hello Everybody,
    The desired services are running on the server, but telnet on localhost still does not work.
    From a remote server I am able to telnet to the same services.
    I am facing the issue while doing telnet to a remote server also.
    Is there anything which could be stopping the telnet operation?
    From the same server I am not able to telnet to another server for SQL services, whereas both servers are in the same LAN with adjacent IP addresses.

    Hi Steven,
    Thanks for response.
    I have checked the same. The services are listening on the desired port.
    From the event logs we observed that the server is moving out of the domain controller; the root cause is not identified yet.
    Would it be possible, if the server is moving out of the domain and getting a NETLOGON issue, that this could block communication to the other server or telnet to localhost?
    Regards,
    Mahesh D. 

  • Can't SSH to inside interface on ASA

    Hi there
    I have generated the key and can SSH to the outside interface. I have allowed access on the inside interface. I can telnet but not SSH. I captured packets and can see incoming only. Any ideas?
    TIA
    Sent from Cisco Technical Support iPhone App

    Hi there,
    Here it is -
    asa01(config)# sh cap capin
    4 packets captured
       1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
       2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
       3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
       4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
    4 packets shown
    asa01(config)#
    asa01(config)# sh cap asp
    0 packet captured
    0 packet shown
    asa01(config)#
    Can you ping the switch interface from the ASA? - Yes
    Can you ping the ASA from the switch? - Yes

  • Cisco2851 Any connect was not able to establish a connection to the specified secure gateway and Win7

    Hello,
    R2811 router configured for SSL VPN
    anyconnect-win-2.5.3055-k9.pkg
    Windows XP with IE6-8 all connect to the SSL VPN gateway, but Win7 is not able to establish a connection.
    The IE browser displays:
    This website's security certificate has a problem.

    asa5500 platform + anyconnect-win-2.5.3055-k9.pkg
    Win7, Win2000 and WinXP all connect!
    Why is this?
