Have you tried running a debug or packet capture? I confirm that the packet is reaching the outside interface. Since it is working from inside, I am ruling out the aaa authentication and username requirements.

On Saturday, July 7, 2012, Jason Madsen wrote:

> Hi everyone,
>
> If I understood Parvez' email, the VPN is not a LAN-2-LAN between ASAs.
> It looks as though the VPN is between ASA1 and the RTR.
>
> Based on that topology, I think his original SSH statements look ok.
> However, let me know if I missed something.
>
> Parvez,
>
> SSH traffic to the ASA itself doesn't require any "permits" on the outside
> ACL. Just a corresponding "ssh" statement, which you have.
>
> Double-check ASA1 and ensure your routing and VPN setup is correctly
> directing 10.60.x.x destined traffic through the VPN, and that your
> 10.70.x.x sourced traffic is not being NAT'd (on ASA1 or on your RTR)...if
> it arrives at ASA2 other than 10.70.x.x, it won't match your "ssh"
> statement.
>
> Likewise verify the reverse path and ensure that 10.60.x.x is included in
> your interesting VPN traffic on your RTR, and that routing to it is up, and
> that you're exempting it from NAT for VPN traffic.
>
> Jason
>
> Sent from my iPhone
>
> On Jul 7, 2012, at 12:36 AM, Piotr Tokarzewski <[email protected]> wrote:
>
> Hi,
>
> You must set management interface:
> management-access inside
>
> and then use this interface instead of outside:
>
> SSh 10.70.X.X Inside
>
> SSh 10.60.X.X Inside
>
> Regards
> Piotr
>
> 2012/7/7 Parvez Ahmad <[email protected]>
>
>> Hello,
>>
>> Topology
>>
>> LAN1(10.70.X.X)-------ASA1(Public)--------------Internet-------------(Public)Router1-----(Outside)ASA2(Inside)----LAN2(10.60.X.X)
>>
>> There is site to site IPSec tunnel between ASA1 and Router1; I want to
>> access ASA2 over the VPN from LAN1.
>>
>> I put below commands on ASA2 by taking remote.
>>
>> SSh 10.70.X.X outside
>>
>> SSh 10.60.X.X Inside
>>
>> And apply an ACL to permit source IP (10.70.x.x) and destination IP (any)
>> port tcp 22 on outside interface.
>>
>> But it is still not working. However it is working from LAN2.
>>
>> Please suggest, how I can access ASA2 over the IPSec VPN from LAN1.
>>
>> Thanks,
>>
>> Parvez
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com

--
FNK
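
The checks suggested in this thread, written out as an added example for the ASA2 CLI (not from any of the posters): capture SSH arriving on the outside interface to see which source address ASA2 actually receives, then compare it with the configured `ssh` statements. The capture name `CAP_SSH` and the `<ASA2_IP>` value are placeholders; the LAN addresses are elided on the page and are not filled in here.

```cisco
! Added example. CAP_SSH is a hypothetical capture name and <ASA2_IP> is a
! placeholder for the ASA2 address the LAN1 client connects to.
!
! 1. Capture SSH arriving on the outside interface from ANY source, so a
!    NAT'd source (something other than the LAN1 range) is visible too.
capture CAP_SSH interface outside match tcp any host <ASA2_IP> eq 22
!
! 2. Start an SSH session from a LAN1 host, then read the capture.
show capture CAP_SSH
!
!    - No packets at all: the traffic never reaches ASA2. Look at routing,
!      the VPN interesting-traffic definition and NAT exemption on ASA1
!      and Router1, as described in the thread.
!    - SYNs with no reply: the packet arrives but ASA2 does not accept it.
!      Note the source address shown and continue with step 3.
!
! 3. Compare that source address with the permitted SSH sources and the
!    interface each statement is bound to.
show running-config ssh
show running-config management-access
!
! 4. Check whether the ASA is counting the packets as dropped.
show asp drop
!
! 5. Remove the capture when finished.
no capture CAP_SSH
```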
