Missing something in config not able to access ssh/ping from other vlan or network

Discussion in 'other firewalls' started by wafa, May 8, 2015.

    wafa (Registered Member), May 8, 2015
    I am confused how come this is not working. The only thing I want is to access the ASA management from

    I have a remote ASA. There is an MPLS link between both sites. I am behind and the ASA is behind, and the MPLS route is connected (VLAN2, see the configuration below). Any suggestion what I am doing wrong? I have added additional config to allow ping and SSH from my site:

    ssh VLAN12 inside
    ssh MPLS
    http server enable
    http VLAN12 inside
    http MPLS
    icmp permit any inside
    icmp permit any MPLS

    inspect icmp
    inspect icmp error

    name x.x.x.x InternetGateway description Internet Gateway
    name x.x.x.x IS description Fidelity Information Systems MPLS IP Range
    name MPLS description MPLS IP Range
    name MPLSGateway description MPLS Gateway
    name VLAN12 description Internal user LAN
    name VLAN80 description MPLS third party network
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 3
    ! interface Ethernet0/2
    switchport access vlan 2
    interface Ethernet0/3
    ! interface Ethernet0/4
    ! interface Ethernet0/5
    ! interface Ethernet0/6
    ! interface Ethernet0/7
    interface Vlan1
    description Internal LAN
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    description Internet Access
    nameif outside
    security-level 0
    ip address x.x.x.x x.x.x.x
    interface Vlan3
    description LaSer Group MPLS
    no forward interface Vlan2
    nameif MPLS
    security-level 0
    ip address
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name X.X.X.X
    object-group network gMPLS
    description MPLS Destinations
    network-object MPLS
    network-object IS
    access-list inside_nat_outbound_1 remark Traffic to internet hidden behind X.X.X.X
    access-list inside_nat_outbound_1 extended permit ip VLAN12 any
    access-list inside_nat_outbound remark Traffic to MPLS hidden behind
    access-list inside_nat_outbound extended permit ip VLAN12 object-group gMPLS
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu MPLS 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 X.X.X.X netmask
    global (MPLS) 2 netmask
    nat (inside) 2 access-list inside_nat_outbound
    nat (inside) 1 access-list inside_nat_outbound_1
    route outside InternetGateway 1
    route outside InternetGateway 255
    route MPLS MPLS 1
    route MPLS IS 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http VLAN12 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh VLAN12 inside
    ssh MPLS
    ssh timeout 5
    console timeout 0

    dhcpd auto_config outside
    ! dhcpd address inside
    dhcpd dns interface inside
    dhcpd domain xxxx interface inside
    dhcpd enable inside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept

    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    : end
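Added example, not part of wafa's post and not Cisco tooling: a small Python script that reads the ASA statements the post is about (`ssh`, `http`, `telnet` and `icmp permit`) and reports, per interface, which source networks are allowed to reach the firewall itself, flagging `any` sources on security-level 0 interfaces such as the MPLS one. It assumes the documented ASA syntax `ssh|http|telnet <net> <mask> <nameif>` and `icmp permit {any | <net> <mask>} [<icmp-type>] <nameif>`; the config sample inside the script is constructed with RFC 5737 test addresses, and the function names are the example's own.

```python
"""Audit to-the-box management access in a Cisco ASA running configuration.

Added example, not code from the forum post. It parses the ASA 'ssh',
'http', 'telnet' and 'icmp permit' statements and reports, per interface,
which source networks may reach the firewall itself, flagging 'any'
sources on security-level 0 (untrusted) interfaces.
Assumed ASA syntax: 'ssh|http|telnet <net> <mask> <nameif>' and
'icmp permit {any | <net> <mask>} [<icmp-type>] <nameif>'.
"""
import re
from collections import defaultdict

# Constructed sample in the style of the posted config (RFC 5737 test
# addresses; not the poster's real values).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan3
 nameif MPLS
 security-level 0
http server enable
http 192.0.2.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 MPLS
ssh timeout 5
icmp permit any inside
icmp permit any MPLS
"""

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
# The source may be a dotted-quad or a 'name' alias (like VLAN12 in the
# post); the mask must be a dotted-quad so 'ssh timeout 5' does not match.
MGMT_RE = re.compile(rf'^(ssh|http|telnet)\s+(\S+)\s+({IPV4})\s+(\S+)$')


def parse_interfaces(config):
    """Map each nameif to its security-level from the interface blocks."""
    levels = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith('interface '):
            current = None          # new block; its nameif comes later
        elif line.startswith('nameif '):
            current = line.split()[1]
        elif line.startswith('security-level ') and current:
            levels[current] = int(line.split()[1])
    return levels


def parse_management_access(config):
    """Return {nameif: [(service, source), ...]} for to-the-box access lines."""
    access = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            service, net, mask, iface = m.groups()
            access[iface].append((service, f'{net} {mask}'))
            continue
        tokens = line.split()
        if len(tokens) >= 4 and tokens[:2] == ['icmp', 'permit']:
            if tokens[2] == 'any':
                source, rest = 'any', tokens[3:]
            else:
                source, rest = f'{tokens[2]} {tokens[3]}', tokens[4:]
            if not rest:
                continue
            iface = rest[-1]
            icmp_type = rest[0] if len(rest) == 2 else 'all'
            service = 'icmp' if icmp_type == 'all' else f'icmp/{icmp_type}'
            access[iface].append((service, source))
    return dict(access)


def find_exposures(config):
    """List (nameif, service, source) where 'any' may reach the box on an
    interface at security-level 0 (or one whose level is unknown)."""
    levels = parse_interfaces(config)
    findings = []
    for iface, entries in parse_management_access(config).items():
        for service, source in entries:
            if source == 'any' and levels.get(iface, 0) == 0:
                findings.append((iface, service, source))
    return findings


if __name__ == '__main__':
    for iface, entries in parse_management_access(SAMPLE_CONFIG).items():
        print(iface, entries)
    for finding in find_exposures(SAMPLE_CONFIG):
        print('exposed:', finding)
```

Run against a saved `show running-config` instead of the constructed sample to see which interfaces expose SSH, ASDM/HTTP or ICMP to the box; on the sample it reports `icmp permit any` on the level-0 MPLS interface, which is the kind of statement a practitioner would narrow to the specific management subnet once connectivity is sorted out.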