Unable to SSH to 5505

Unanswered Question
Aug 26th, 2008

I have a 5505 setup that I have generated RSA keys for. And have the ssh outside enabled. I have the no ACL on the outside interface. When I try to SSH to it I get the following error.

%ASA-2-106001: Inbound TCP connection denied from to flags SYN on interface outside

Any suggestions?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Tue, 08/26/2008 - 18:39

Perhaps there is a routing issue on the ASA? Can you try to ping the SSH source IP from the ASA?



1spcave Wed, 08/27/2008 - 05:26

I can ping the other side from the ASA. I am getting a deny in the ASA saying that I am hiting it. Any other suggestions?

Farrukh Haroon Wed, 08/27/2008 - 06:26

Can you try using another SSH client?

also do a 'clear asp drop' and then a 'show asp drop' to see for any violations (related to TCP normalization).

The is the IP of the ASA outside interface right? The ssh command is only meant to open 'to device' SSH sessions and not the ones passing through the device.



1spcave Wed, 08/27/2008 - 13:12

I have used PuTTY and Secure CRT version 6.xx. No TCP normalization issues and yes that is the IP on the outside.

Farrukh Haroon Wed, 08/27/2008 - 22:52

Just to test that all is setup OK, allow 'ssh' from the inside also and try to SSH to the 'inside IP addres' of the firewall.

If it works, post the output of 'show run all ssh'.



1spcave Thu, 08/28/2008 - 04:49

I was able to ssh from the inside.

ssh inside

ssh outside

ssh timeout 15

No access-list applied -

ST-ROLD-ASA# sh run all access-group

jeyriku Thu, 08/28/2008 - 05:06

as a test, can you configure a rule allowing ssh connection on the outside interface of your asa in the firewall tab?


jeyriku Thu, 08/28/2008 - 01:19


Can you also make sure that your account is allowed to connect to the FW using ssh by having a look to the properties of your account in the User account Tab in the "Restricted Access" sub-menu?



This Discussion