Solved: No ssh access to VPN peer outside IP

Vlad_Voronko · ‎2018-04-24

While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way how I can disable or turn off this behavior? Screenshot of the logs in the attachment. Thanks.

G_W_Albrecht · ‎2018-04-24

I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !

View solution in original post

Marco_Valenti · ‎2018-04-24

quick way to solve it ? use excluded service and add ssh there , definition ip of the remote peer is part of the remote enc domain

Vlad_Voronko · ‎2018-04-24

Hi Marco,

I considered that option but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which only reachable over the VPN tunnel).