09-26-2007 04:26 PM - edited 03-11-2019 04:17 AM
I'm trying to establish remote access to my ASA; I can ping it, but telnet and ssh both are refused immediately. I know that Telnet isn't allowed into an outside interface, but ssh still doesn't work (I've already generated an rsa key, also).
This device has an inside network, DMZ (unused) and two outside networks; see below for relevant config lines:
ASA# sh run
interface GigabitEthernet0/0
description FLR FIBER LINK
nameif flr
security-level 50
ip address 10.1.2.2 255.255.255.252
!
interface GigabitEthernet0/1
description SFCC LAN
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 0
no ip address
!
interface GigabitEthernet0/3
description TEMP 10MB INTERNET
nameif sfcc
security-level 50
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.xx.xx 255.255.255.0
management-only
global (sfcc) 1 interface
nat (inside) 0 access-list
nat (inside) 1 10.1.1.0 255.255.255.0
route sfcc aaa.aaa.0.0 255.255.0.0 xxx.xxx.xxx.xxx (next hop)
route sfcc 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx (next hop)
http server enable
http 150.176.0.0 255.255.0.0 flr
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 150.176.0.0 255.255.0.0 sfcc
telnet 150.176.0.0 255.255.0.0 flr
telnet 192.168.0.0 255.255.254.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 150.176.0.0 255.255.0.0 sfcc
ssh 150.176.0.0 255.255.0.0 flr
ssh 10.1.1.0 255.255.255.0 inside
ssh 150.176.0.0 255.255.0.0 sfcc
management-access sfcc
ASA#
Thanks,
Marc
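A quick way to see which client addresses the posted ssh/telnet/http lines actually admit, as an added example written for this thread (not code from the original post or from Cisco): it parses the management-access lines shown in the "sh run" above and checks a given source address against the network and the interface of each rule, because the ASA only accepts the session when both match. The sample client addresses in the comments are constructed.

```python
import ipaddress
from collections import defaultdict

# Management-access lines copied from the "sh run" output posted above.
CONFIG = """
http 150.176.0.0 255.255.0.0 flr
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 150.176.0.0 255.255.0.0 sfcc
telnet 150.176.0.0 255.255.0.0 flr
telnet 192.168.0.0 255.255.254.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 150.176.0.0 255.255.0.0 sfcc
ssh 150.176.0.0 255.255.0.0 flr
ssh 10.1.1.0 255.255.255.0 inside
ssh 150.176.0.0 255.255.0.0 sfcc
"""


def parse_mgmt_acl(text):
    """Return {proto: [(network, interface), ...]} from ssh/telnet/http lines."""
    rules = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("ssh", "telnet", "http"):
            proto, addr, mask, iface = parts
            rules[proto].append((ipaddress.ip_network(f"{addr}/{mask}"), iface))
    return rules


def allowed(rules, proto, src_ip, iface):
    """True if a client at src_ip arriving on iface may open a proto session.

    The ASA matches the source address against the rule's network AND the
    rule's interface, so a network permitted on another interface does not help.
    """
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and iface == rule_iface for net, rule_iface in rules.get(proto, []))


def interfaces_without(rules, proto, all_ifaces):
    """Interfaces with no rule for proto at all; sessions there are refused outright."""
    covered = {rule_iface for _, rule_iface in rules.get(proto, [])}
    return sorted(set(all_ifaces) - covered)


if __name__ == "__main__":
    rules = parse_mgmt_acl(CONFIG)
    # Constructed client addresses: one inside 150.176.0.0/16 on sfcc, one outside it.
    print(allowed(rules, "ssh", "150.176.10.5", "sfcc"))
    print(allowed(rules, "ssh", "198.51.100.7", "sfcc"))
    print(interfaces_without(rules, "ssh", ["flr", "inside", "DMZ", "sfcc", "management"]))
```

Run it with the source address your ssh client actually presents on the sfcc interface; a False here means the refusal comes from the ssh line set, not from the key pair.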
09-26-2007 10:35 PM
hey marc,
check your rsa key pair using
6.x show ca mypubkey rsa
7.x show crypto key mypubkey rsa
also check the versions running using show ssh
if you changed the domain name, zeroize them, then regenerate a new RSA key pair
post your OS version so we can check it for bugs.
regards,
arburt
09-27-2007 03:06 AM
Thanks for the reply;
I have yet to successfully connect with ssh, so I haven't even established a key pair yet; to be thorough, I deleted all keys off of my ssh client, then zeroized and regenerated keys on the ASA.
Sh ver: 7.2(1)
DR-ASA1# sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2 (my ssh client can run both)
150.176.0.0 255.255.0.0 flr
10.1.1.0 255.255.255.0 inside
150.176.0.0 255.255.0.0 sfcc (connecting to)
The error I get when trying to connect is that the host is unreachable, but I can ping the interface fine. The problem might not be the device, but I wanted a second opinion that it isn't.
Marc
09-27-2007 08:49 PM
Marc,
try to do an ssh debug, to check if the session is really hitting your pix.
also, check if the ssh client is behind a firewall and if ssh is not permitted
arburt