Help w/ ssh on 5510

a.e.wiggin · ‎01-22-2008

I'm trying to do some basics right now by just getting ssh going between the different interfaces and I can't seem to get any of them talking, meaning, one host on one network to another. And once I get them talking on the inside, I wanted to be able to access the networks from the outside w/ ssh only, web and other services will go to the DMZ.

I've attached my config and hoping anyone see anything wrong w/ my config?

(this file is an *.rtf, but seems the 'f' got taken off, but still opens as an *.rtf)

cisco24x7 · ‎01-22-2008

static (management,development) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (management,cluster) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (management,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (development,cluster) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (cluster,development) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (development, dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (cluster,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

CCIE Security

a.e.wiggin · ‎01-23-2008

I've added the statics, but I'm still unable to ssh from one to another, say, my development net to the cluster.

I'm getting ....

'ssh: connect to host 192.168.2.10 port 22: No route to host"

Any ideas?

a.e.wiggin · ‎01-23-2008

I have a few problems with the following that I can't figure out:

1) how to ssh between hosts of the inside networks?

2) how to access only one host on the inside of each network from the outside via ssh?

Any help would be much appreciated.

---

5510(config)# write t

: Saved

:

ASA Version 7.0(7)

!

hostname 5510

enable password <> encrypted

names

name 192.168.4.0 dmz_NET

name 192.168.3.0 development_NET

name 192.168.2.0 cluster_NET

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 199.199.xxx.59 255.255.255.0

!

interface Ethernet0/1

nameif dmz

security-level 20

ip address 192.168.4.1 255.255.255.0

!

interface Ethernet0/2

nameif cluster

security-level 60

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/3

nameif development

security-level 60

ip address 192.168.3.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

same-security-traffic permit inter-interface

object-group network ALL_NETS

network-object development_NET 255.255.255.0

network-object dmz_NET 255.255.255.0

network-object cluster_NET 255.255.255.0

object-group protocol my_protocols

protocol-object 22

protocol-object icmp

access-list inside_access_outside extended permit tcp any eq ssh any eq ssh

access-list outside_access_inside extended permit tcp any eq ssh any eq ssh

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu dmz 1500

mtu cluster 1500

mtu outside 1500

mtu development 1500

no failover

icmp permit development_NET 255.255.255.0 development

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (dmz) 1 dmz_NET 255.255.255.0

nat (cluster) 1 cluster_NET 255.255.255.0

nat (development) 1 development_NET 255.255.255.0

static (management,development) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (management,cluster) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (management,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (development,cluster) development_NET development_NET netmask 255.255.2

static (cluster,development) cluster_NET cluster_NET netmask 255.255.255.0

static (development,dmz) development_NET development_NET netmask 255.255.255.0

static (cluster,dmz) cluster_NET cluster_NET netmask 255.255.255.0

access-group inside_access_outside in interface dmz

access-group inside_access_outside in interface cluster

access-group outside_access_inside out interface outside

access-group inside_access_outside in interface development

route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:<>

: end

[OK]

acomiskey · ‎01-23-2008

Get rid of the source ports in your acl's.

access-list inside_access_outside extended permit tcp any eq ssh any eq ssh

access-list outside_access_inside extended permit tcp any eq ssh any eq ssh

should be...

access-list inside_access_outside extended permit tcp any any eq ssh

access-list outside_access_inside extended permit tcp any any eq ssh

a.e.wiggin · ‎01-23-2008

I changed exactly only those lines, re-added the access-groups I had ... but I still can't ssh through to anywhere's.

I keep getting the error "ssh: connect to host 192.168.2.12 port 22: No route to host" when I try from host 192.168.3.5