ASA ssh access issue

Unanswered Question
Sep 26th, 2007

I'm trying to establish remote access to my ASA; I can ping it, but telnet and ssh both are refused immediately. I know that Telnet isn't allowed into an outside interface, but ssh still doesn't work (I've already generated an rsa key, also).

This device has an inside network, DMZ (unused) and two outside networks; see below for relevant config lines:

ASA# sh run
interface GigabitEthernet0/0
 description FLR FIBER LINK
 nameif flr
 security-level 50
 ip address

interface GigabitEthernet0/1
 description SFCC LAN
 nameif inside
 security-level 100
 ip address

interface GigabitEthernet0/2
 nameif DMZ
 security-level 0
 no ip address

interface GigabitEthernet0/3
 description TEMP 10MB INTERNET
 nameif sfcc
 security-level 50
 ip address

interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.xx.xx

global (sfcc) 1 interface
nat (inside) 0 access-list
nat (inside) 1
route sfcc (next hop)
route sfcc (next hop)
http server enable
http flr
http inside
http management
http sfcc
telnet flr
telnet inside
telnet inside
telnet sfcc
ssh flr
ssh inside
ssh sfcc
management-access sfcc




arburt Wed, 09/26/2007 - 22:35

hey marc,

check your rsa key pair using

6.x show ca mypubkey rsa

7.x show crypto key mypubkey rsa

also check the versions running using show ssh

if you changed the domain name, zeroize then

then regenerate a new RSA key pair

post your OS version so we can check it for bugs.



drumrb0y Thu, 09/27/2007 - 03:06

Thanks for the reply;

I have yet to successfully connect with ssh, so I haven't even established a key pair yet; to be thorough, I deleted all keys off of my ssh client, then zeroized and regenerated keys on the ASA.

Sh ver: 7.2(1)

DR-ASA1# sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2 (my ssh client can run both)
flr
inside
sfcc (connecting to)

The error I get when trying to connect is that the host is unreachable, but I can ping the interface fine. The problem might not be the device, but I wanted a second opinion that it isn't.


arburt Thu, 09/27/2007 - 20:49


try to do an ssh debug, to check if the session is really hitting your pix.

also, check if the ssh client is behind a firewall and if ssh is not permitted
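
Added example, not part of the thread and not Cisco code: the `ssh flr`, `ssh inside` and `ssh sfcc` lines in the posted config are per-interface allow entries of the form `ssh <ip> <mask> <interface>`, and a client is accepted only when its source address matches an entry on the interface it arrives on. The sketch below parses such lines and reports whether a given client is covered. The config text and addresses are constructed (documentation ranges, since the poster elided theirs), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in ASA 7.x syntax; addresses are documentation ranges,
# not values from the thread.
SAMPLE_CONFIG = """\
telnet 10.10.0.0 255.255.0.0 inside
ssh 198.51.100.0 255.255.255.0 flr
ssh 10.10.0.0 255.255.0.0 inside
ssh 203.0.113.25 255.255.255.255 sfcc
ssh timeout 60
ssh version 2
"""

def parse_mgmt_rules(config, service="ssh"):
    """Return {interface: [IPv4Network, ...]} from '<service> <ip> <mask> <if>' lines."""
    rules = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != service:
            continue  # skips 'ssh timeout 60', 'ssh version 2' and other commands
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # not an IPv4 address/mask pair
        rules.setdefault(parts[3], []).append(net)
    return rules

def is_permitted(rules, client_ip, interface):
    """True if client_ip matches an allow entry on the interface it arrives on."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in rules.get(interface, []))

def explain(rules, client_ip, interface):
    """Describe the match result, including the wrong-interface case."""
    if is_permitted(rules, client_ip, interface):
        return "permitted"
    addr = ipaddress.ip_address(client_ip)
    elsewhere = [i for i, nets in rules.items() if any(addr in n for n in nets)]
    if elsewhere:
        return "listed on " + ",".join(sorted(elsewhere)) + " but not on " + interface
    return "no matching entry"

if __name__ == "__main__":
    rules = parse_mgmt_rules(SAMPLE_CONFIG)
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.9"):
        print(ip, "-> sfcc:", explain(rules, ip, "sfcc"))
```

Feed it the `ssh` lines from `show run` together with the address the client actually presents to the ASA, which differs from the workstation's own address when the client sits behind NAT.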


