SSH through an ASA

Answered Question
Aug 1st, 2008

Folks,

I'm new to the ASA and I have a newly configured ASA 5540, and I'm trying to SSH through it to an external router.

Routes etc. are all OK.

When I try an SSH I can see the outbound session built, but the inbound reply is denied.

I suspect this is because SSH is not included in the inspect rule for the inside interface.

Is this a possibility, and if so, how do I get round this?

Thanks to anyone taking the time to reply.

PS - I have another post on the way re configuring DNS through the same ASA, so I'm grateful to anyone taking the time to look at any of these posts.


Correct Answer by Farrukh Haroon about 8 years 7 months ago

Are you sure the ASA is denying this traffic or the router? What are you seeing in the log (which makes you suspect that the ASA is denying this traffic?).


The setup is like this as per my understanding?


ASA-Outside (Ssh client) >> Router (SSH Server)


Also, if the router is more than one hop away, make sure the router knows how to reach the ASA's outside interface.


Regards


Farrukh

mulhollandm Sun, 08/03/2008 - 13:19

Jorge,

Thanks for the reply.

I was able to use your link to set up SSH to the box, so many thanks, but my problem is SSH through the box to a router on its outside interface.

I think I need to enable SSH in the default inspection rule, but I don't know how.

Thanks again for your reply.

JORGE RODRIGUEZ Sun, 08/03/2008 - 16:55

Michael, can you post the config (strip out public IP info)? There is no need for SSH inspection. Post the config so I can take a look.

I suppose you are trying to SSH into the ASA from the outside internet towards the ASA outside IP address, or are you trying to SSH to the outside interface from the inside LAN? Can you clarify?




mulhollandm Mon, 08/04/2008 - 12:20

Farrukh,

Many thanks for your efforts, they are greatly appreciated.

The problem seems to be with the upstream router I'm trying to log on to; it seems to have lost a route back to my PC.

I'm very grateful for your reply.

mulhollandm Mon, 08/04/2008 - 12:18

Jorge,

Many thanks for your replies to my problem; they are greatly appreciated.

I think the problem is with the upstream router. I think it has lost a route back to my PC; I say this because I see lots of SYN timeouts when trying to complete the handshake.

Again, many thanks for your time.
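Putting together the checks Farrukh asks for and the SYN-timeout symptom Michael ends up seeing, here is an added example (not from any post in this thread) of how to tell an ASA deny apart from a missing return route on the upstream router. The hostname, addresses, ports, connection ID, ACL name and the capture and syslog output are all constructed for illustration; the commands themselves (packet-tracer, show conn, capture) are standard ASA CLI.

```cisco
! Added example, not part of the original thread. Topology assumed:
!   inside host 10.1.1.10 (SSH client), ASA outside address 198.51.100.2,
!   upstream router 203.0.113.1 (SSH server, TCP/22). All values constructed.
!
! 1. Does the ASA's own policy permit the flow? packet-tracer walks a synthetic
!    packet through ACLs, NAT and routing without sending anything on the wire.
ciscoasa# packet-tracer input inside tcp 10.1.1.10 51234 203.0.113.1 22 detailed
! When the ASA is not the problem every phase reports ALLOW and the output ends
! with "Action: allow". A "Result: drop" with "Drop-reason: (acl-drop)" means an
! inside ACL is blocking TCP/22. SSH needs no entry in the default inspection
! policy: it only needs to be permitted (explicitly by ACL, or by the default
! higher-to-lower security permit) and the stateful return path is automatic.

! 2. Look at the connection the ASA built. A SYN sent out with no SYN-ACK back
!    sits as a half-open connection with zero bytes and flags saA (the ASA is
!    still waiting for the outside side's SYN/ACK and the inside side's ACK)
!    until the embryonic timeout expires.
ciscoasa# show conn address 203.0.113.1
TCP outside 203.0.113.1:22 inside 10.1.1.10:51234, idle 0:00:05, bytes 0, flags saA

! 3. Capture on the outside interface to confirm the SYN actually leaves the
!    ASA and to see whether anything comes back from the router.
ciscoasa# capture sshcap interface outside match tcp host 198.51.100.2 host 203.0.113.1 eq 22
ciscoasa# show capture sshcap
   1: 12:20:01.123456 198.51.100.2.51234 > 203.0.113.1.22: S 1000:1000(0) win 8192
   2: 12:20:04.123456 198.51.100.2.51234 > 203.0.113.1.22: S 1000:1000(0) win 8192
   3: 12:20:10.123456 198.51.100.2.51234 > 203.0.113.1.22: S 1000:1000(0) win 8192
ciscoasa# no capture sshcap
! Only retransmitted SYNs, no SYN-ACK: the ASA forwarded the request and the
! router never answered toward 198.51.100.2. Fix the route on the router, not
! the ASA policy.

! 4. The matching syslog (constructed). "Built outbound" followed by a teardown
!    whose reason is "SYN Timeout" confirms the same thing from the log side.
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.1/22 (203.0.113.1/22) to inside:10.1.1.10/51234 (198.51.100.2/51234)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.1/22 to inside:10.1.1.10/51234 duration 0:00:30 bytes 0 SYN Timeout

! By contrast, a deny by the ASA itself would appear as a 106xxx message with no
! connection ever being built, for example:
%ASA-4-106023: Deny tcp src inside:10.1.1.10/51234 dst outside:203.0.113.1/22 by access-group "inside_access_in" [0x0, 0x0]
```

The distinction that matters for the original question: "Built outbound ... SYN Timeout" and a conn entry with zero bytes and flags saA mean the ASA allowed the session and the peer did not reply, whereas a 106023 deny (or a packet-tracer drop) means the ASA blocked it. Neither case is addressed by adding SSH to the inspection policy; inspection on the ASA exists for protocols that embed addresses or open secondary channels, which SSH does not.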
