Unable to SSH to 5505

Unanswered Question
Aug 26th, 2008

I have a 5505 setup that I have generated RSA keys for. And have the ssh 0.0.0.0 0.0.0.0 outside enabled. I have the no ACL on the outside interface. When I try to SSH to it I get the following error.

%ASA-2-106001: Inbound TCP connection denied from 20.24.20.240/1247 to 24.19.15.21/22 flags SYN on interface outside

Any suggestions?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Farrukh Haroon Tue, 08/26/2008 - 18:39

Perhaps there is a routing issue on the ASA? Can you try to ping the SSH source IP from the ASA? 20.24.20.240

Regards

Farrukh

1spcave Wed, 08/27/2008 - 05:26

I can ping the other side from the ASA. I am getting a deny in the ASA saying that I am hiting it. Any other suggestions?

Farrukh Haroon Wed, 08/27/2008 - 06:26

Can you try using another SSH client?

also do a 'clear asp drop' and then a 'show asp drop' to see for any violations (related to TCP normalization).

The 24.19.15.21 is the IP of the ASA outside interface right? The ssh command is only meant to open 'to device' SSH sessions and not the ones passing through the device.

Regards

Farrukh

1spcave Wed, 08/27/2008 - 13:12

I have used PuTTY and Secure CRT version 6.xx. No TCP normalization issues and yes that is the IP on the outside.

Farrukh Haroon Wed, 08/27/2008 - 22:52

Just to test that all is setup OK, allow 'ssh' from the inside also and try to SSH to the 'inside IP addres' of the firewall.

If it works, post the output of 'show run all ssh'.

Regards

Farrukh

1spcave Thu, 08/28/2008 - 04:49

I was able to ssh from the inside.

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

No access-list applied -

ST-ROLD-ASA# sh run all access-group

jeyriku Thu, 08/28/2008 - 05:06

as a test, can you configure a rule allowing ssh connection on the outside interface of your asa in the firewall tab?

Regards,

jeyriku Thu, 08/28/2008 - 01:19

Hi,

Can you also make sure that your account is allowed to connect to the FW using ssh by having a look to the properties of your account in the User account Tab in the "Restricted Access" sub-menu?

Regards,

Actions

This Discussion