ASA ssh access issue

drumrb0y
Level 1

I'm trying to establish remote access to my ASA; I can ping it, but telnet and ssh both are refused immediately. I know that Telnet isn't allowed into an outside interface, but ssh still doesn't work (I've already generated an rsa key, also).

This device has an inside network, DMZ (unused) and two outside networks; see below for relevant config lines:

ASA# sh run
interface GigabitEthernet0/0
 description FLR FIBER LINK
 nameif flr
 security-level 50
 ip address 10.1.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description SFCC LAN
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 description TEMP 10MB INTERNET
 nameif sfcc
 security-level 50
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.xx.xx 255.255.255.0
 management-only
global (sfcc) 1 interface
nat (inside) 0 access-list
nat (inside) 1 10.1.1.0 255.255.255.0
route sfcc aaa.aaa.0.0 255.255.0.0 xxx.xxx.xxx.xxx (next hop)
route sfcc 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx (next hop)
http server enable
http 150.176.0.0 255.255.0.0 flr
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 150.176.0.0 255.255.0.0 sfcc
telnet 150.176.0.0 255.255.0.0 flr
telnet 192.168.0.0 255.255.254.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 150.176.0.0 255.255.0.0 sfcc
ssh 150.176.0.0 255.255.0.0 flr
ssh 10.1.1.0 255.255.255.0 inside
ssh 150.176.0.0 255.255.0.0 sfcc
management-access sfcc
ASA#

Thanks,

Marc
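The ssh, telnet and http lines in the config above each have the form `<service> <source_ip> <mask> <source_interface>`, so a client is only admitted when its source address matches the network AND its packets enter the ASA on the interface named in that line. The script below is an added example, not part of the original post or any Cisco tool: it parses those lines and reports, for a given client address, which interfaces would accept it for a service. The sample config is constructed from the (unmasked) lines in the post, and the client addresses are assumed values for illustration.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines from the running-config in the
# post above (masked addresses left out). Representative, not a live device.
SAMPLE_CONFIG = """\
http server enable
http 150.176.0.0 255.255.0.0 flr
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 150.176.0.0 255.255.0.0 sfcc
telnet 150.176.0.0 255.255.0.0 flr
telnet 192.168.0.0 255.255.254.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 150.176.0.0 255.255.0.0 sfcc
ssh 150.176.0.0 255.255.0.0 flr
ssh 10.1.1.0 255.255.255.0 inside
ssh 150.176.0.0 255.255.0.0 sfcc
management-access sfcc
"""

# <service> <source_ip> <mask> <source_interface>; anything else is skipped.
LINE_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_mgmt_acl(config_text):
    """Return a list of (service, network, interface) tuples from the
    ssh/telnet/http permit lines of an ASA running-config."""
    rules = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # 'http server enable', 'management-access', etc.
        service, addr, mask, iface = m.groups()
        # Dotted netmask form is accepted directly by IPv4Network.
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        rules.append((service, net, iface))
    return rules


def is_permitted(rules, service, client_ip, ingress_iface):
    """True when a client at client_ip whose packets arrive on ingress_iface
    matches a permit line for service. The interface is part of the match:
    a line for 'sfcc' does not admit the same source if it enters via 'flr'."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(
        svc == service and iface == ingress_iface and ip in net
        for svc, net, iface in rules
    )


def permitted_interfaces(rules, service, client_ip):
    """Sorted list of interfaces on which client_ip is permitted for service.
    An empty list means no line admits this client anywhere."""
    ip = ipaddress.IPv4Address(client_ip)
    return sorted({iface for svc, net, iface in rules
                   if svc == service and ip in net})


if __name__ == "__main__":
    rules = parse_mgmt_acl(SAMPLE_CONFIG)
    for svc, ip in (("ssh", "150.176.1.10"), ("ssh", "192.168.1.7"),
                    ("telnet", "192.168.1.7")):
        print(f"{svc:6} {ip:14} -> {permitted_interfaces(rules, svc, ip)}")
```

Run against the posted config, the script also shows a gap worth knowing about: the management interface has an http line but no ssh or telnet line, and 192.168.0.0/23 is permitted telnet on inside but not ssh, so a client in either of those cases will be refused regardless of keys or SSH versions.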

3 Replies

arburt
Level 1

hey marc,

check your rsa key pair using

6.x: show ca mypubkey rsa

7.x: show crypto key mypubkey rsa

also check the versions running using show ssh

if you changed the domain name, zeroize then

then regenerate a new RSA key pair

post your OS version so we can check it for bugs.

regards,

arburt

Thanks for the reply;

I have yet to successfully connect with ssh, so I haven't even established a key pair yet; to be thorough, I deleted all keys off of my ssh client, then zeroized and regenerated keys on the ASA.

Sh ver: 7.2(1)

DR-ASA1# sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2 (my ssh client can run both)
150.176.0.0 255.255.0.0 flr
10.1.1.0 255.255.255.0 inside
150.176.0.0 255.255.0.0 sfcc (connecting to)

The error I get when trying to connect is that the host is unreachable, but I can ping the interface fine. The problem might not be the device, but I wanted a second opinion that it isn't.

Marc

Marc,

Try an ssh debug to check whether the session is really hitting your PIX.

Also check whether the ssh client is behind a firewall and whether ssh is not permitted there.

arburt
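A "host unreachable" error while ping succeeds is a different failure from a refused connection, and telling them apart from the client side narrows the search before any debug on the ASA. The probe below is an added example, not code from the thread or from Cisco: it opens TCP/22, classifies the result (banner received, connection refused, ICMP unreachable, silent drop) and decodes the SSH identification string, where `SSH-1.99-` means the server still offers both protocol 1 and protocol 2. The local stand-in server and its banner text are constructed for the demonstration and are not a captured ASA response.

```python
import errno
import socket
import threading


def classify_ssh_endpoint(host, port=22, timeout=3.0):
    """Connect to host:port and read the SSH identification line.
    Returns (kind, detail) with kind in:
      'banner'      - TCP open, server spoke first; detail is the banner text
      'refused'     - TCP RST from the host (port closed or connection rejected)
      'unreachable' - ICMP host/network unreachable, typically from a router
                      or firewall in the path rather than the target itself
      'timeout'     - no answer at all (silently dropped)
      'error'       - anything else; detail is the OS error text"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return ("unreachable", None)
        return ("error", str(e))
    return ("banner", data.decode("ascii", "replace").strip())


def versions_offered(banner):
    """Protocol versions implied by the identification string (RFC 4253 5.1):
    'SSH-2.0-' is protocol 2 only, 'SSH-1.5-' protocol 1 only, and
    'SSH-1.99-' means the server accepts both."""
    if not banner.startswith("SSH-"):
        return ()
    proto = banner.split("-", 2)[1]
    return {"2.0": (2,), "1.5": (1,), "1.99": (1, 2)}.get(proto, ())


def start_fake_ssh_server(banner=b"SSH-1.99-example\r\n"):
    """Constructed stand-in for an SSH listener on 127.0.0.1: accepts one
    connection, sends the identification line, closes. The banner is an
    assumed value. Returns (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
        except OSError:
            pass  # server socket closed by stop()

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def find_closed_port():
    """A loopback port with no listener, to demonstrate the 'refused' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_fake_ssh_server()
    print(classify_ssh_endpoint("127.0.0.1", port))
    stop()
    print(classify_ssh_endpoint("127.0.0.1", find_closed_port()))
```

Against a real target, replace the loopback port with the ASA interface address and port 22. A banner that starts with `SSH-1.99-` shows protocol 1 is still offered; once access works, `ssh version 2` on the ASA restricts it to protocol 2.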
