Unable to SSH to 5505

Unanswered Question
Aug 26th, 2008

I have a 5505 set up that I have generated RSA keys for, and I have ssh 0.0.0.0 0.0.0.0 outside enabled. I have no ACL on the outside interface. When I try to SSH to it I get the following error:


%ASA-2-106001: Inbound TCP connection denied from 20.24.20.240/1247 to 24.19.15.21/22 flags SYN on interface outside


Any suggestions?



Farrukh Haroon Tue, 08/26/2008 - 18:39

Perhaps there is a routing issue on the ASA? Can you try to ping the SSH source IP from the ASA? 20.24.20.240


Regards


Farrukh

1spcave Wed, 08/27/2008 - 05:26

I can ping the other side from the ASA. I am getting a deny in the ASA saying that I am hitting it. Any other suggestions?



Farrukh Haroon Wed, 08/27/2008 - 06:26

Can you try using another SSH client?


Also do a 'clear asp drop' and then a 'show asp drop' to check for any violations (related to TCP normalization).


The 24.19.15.21 is the IP of the ASA outside interface, right? The ssh command is only meant to open 'to device' SSH sessions and not the ones passing through the device.


Regards


Farrukh
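
The distinction in the reply above between 'to device' sessions and sessions passing through the firewall, applied to 106001 messages like the one in the question. This is an added example, not part of the thread; the `interface_ips` map, the function names, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Layout of the 106001 message as it appears in the original post.
ASA_106001 = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<ifname>\S+)"
)

def classify(line, interface_ips):
    """Parse one 106001 line; return None for any other message.

    interface_ips is a hypothetical map of interface name -> the ASA's own
    address on that interface, supplied by whoever runs the check.
    """
    m = ASA_106001.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # "to device": the destination is the firewall's own interface address,
    # so the management (ssh ...) configuration is what to look at, not a
    # rule for traffic passing through the device.
    to_box = interface_ips.get(rec["ifname"]) == rec["dst"]
    rec["kind"] = "to-device" if to_box else "through-device"
    return rec

def summarize(lines, interface_ips):
    """Count denied connections per (kind, destination port)."""
    counts = Counter()
    for line in lines:
        rec = classify(line, interface_ips)
        if rec is not None:
            counts[(rec["kind"], rec["dport"])] += 1
    return counts

# Outside address as confirmed in the thread.
IPS = {"outside": "24.19.15.21"}
SAMPLE = [
    # From the original post:
    "%ASA-2-106001: Inbound TCP connection denied from 20.24.20.240/1247 to 24.19.15.21/22 flags SYN on interface outside",
    # Constructed: destination is not the ASA's own address
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/40112 to 192.0.2.10/22 flags SYN on interface outside",
    # Constructed: unrelated line that must be skipped
    "unrelated syslog line (constructed)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, IPS).items():
        print(key, n)
```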

1spcave Wed, 08/27/2008 - 13:12

I have used PuTTY and SecureCRT version 6.xx. No TCP normalization issues, and yes, that is the IP on the outside.

Farrukh Haroon Wed, 08/27/2008 - 22:52

Just to test that all is set up OK, allow 'ssh' from the inside also and try to SSH to the 'inside IP address' of the firewall.


If it works, post the output of 'show run all ssh'.


Regards


Farrukh

1spcave Thu, 08/28/2008 - 04:49

I was able to ssh from the inside.


ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15


No access-list applied -


ST-ROLD-ASA# sh run all access-group



jeyriku Thu, 08/28/2008 - 05:06

As a test, can you configure a rule allowing SSH connections on the outside interface of your ASA in the firewall tab?


Regards,

jeyriku Thu, 08/28/2008 - 01:19

Hi,


Can you also make sure that your account is allowed to connect to the FW using SSH by having a look at the properties of your account in the User account Tab in the "Restricted Access" sub-menu?


Regards,
