SSH outside question

Answered Question
May 26th, 2009

This must be a simple problem that I'm just not seeing. I may be just tired, but I can't for the life of me SSH from outside into this ASA. I can RDP into the Windows Server and use Putty to SSH from the inside, but can't do so from home.


Here is part of the config:


telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 20

ssh version 2

access-group outside_access_in in interface outside

(there is nothing via acl blocking SSH traffic)

aaa authentication ssh console LOCAL


What am I missing?



scott.bridges Tue, 05/26/2009 - 20:41


ciscoasa(config)# crypto key generate rsa

WARNING: You have a RSA keypair already defined named .


Do you really want to replace them? [yes/no]: no

ERROR: Failed to create new RSA keys named

ciscoasa(config)#



Already have an RSA key. This would need to exist for me to be able to SSH locally (inside), right?





scott.bridges Tue, 05/26/2009 - 21:03

Same thing. SSH from the outside and it's instant connection refused.


debug1: Reading configuration data /etc/ssh_config

debug1: Connecting to 6.x.138 [6.x.138] port 22.

debug1: connect to address 6.x.138 port 22: Connection refused

ssh: connect to host 6.x.138 port 22: Connection refused



mondakota Wed, 05/27/2009 - 06:32

Please Keep me up. I have the same problem.

ASA 5505. ASA v.8.0(4). ASDM v.6.1(5)57


John Blakley Wed, 05/27/2009 - 09:41

Scott,


I noticed that you said that there wasn't anything blocking ssh in the outside acl, but are you allowing it through from anywhere?


permit tcp any any eq 22


Also, what client are you using? You have version 2 specified, and if you're using putty, you may want to specify it as well.


HTH,

John

scott.bridges Thu, 05/28/2009 - 10:35

Hi John,


With the "ssh 0.0.0.0 0.0.0.0 outside" command, shouldn't that enable SSH connections from the outside? I.e., outgoing is not affected? My understanding is that "permit tcp any any eq 22" and applying it to an interface is for hosts/clients on the LAN, *not* the 'outside' interface itself.


Make sense?


And I use a Mac with 10.5.7, so that's the Terminal I'm using, unix SSH.



I'm attaching the running-config in case there is anything I'm missing. I'm not too experienced in firewall IOS, so any help/tips are greatly appreciated. But here is the config to help troubleshoot this annoying SSH problem:




Thanks,


-Scott



Correct Answer
John Blakley Thu, 05/28/2009 - 11:15

Scott,


Try this:


management-access outside


HTH,

John

scott.bridges Thu, 05/28/2009 - 11:29

I'm in.


That's crazy. I have never had to issue that command before. Why do you think that needed to happen?




John Blakley Thu, 05/28/2009 - 11:44

Scott,


The ASA has a management interface that allows you to manage the device on a higher security interface. You have to change the management interface to the outside in order to SSH into it.


You also may have been able to add your ssh command like:


ssh 0 0 management


I've never tried the latter, but your ASA has a designated management interface (can be any interface), and I assume that it will just allow ssh connections into whatever your management interface is specified as.


Seeing your config helped :)


Thanks for the rating!

John

datacureinc Wed, 01/13/2010 - 05:55

I guess I'll bring this post back to life. I recently upgraded to 8.2(1) and SSH is no longer working from the outside interface. Same config, all ACLs are there, generated a new crypto key, rebooted the device, all of which I knew wouldn't fix it. I can still get in from the inside. I entered the command "management-interface outside" with no luck (maybe I need to reboot? But I can't unless I have a maintenance window). I have an ASA 5510.

solpandor Wed, 01/13/2010 - 08:47

Hi,

Try this command:

ssh <ip address> <netmask>   (the IP address and netmask of the host you are coming in from). For security purposes I believe you can't specify 0.0.0.0 on the outside interface.


You don't need an ACL rule for it (I have an ASA 5510), and the only config I have is ssh <ip address> <netmask>.



HTH


Post your entire config if you can.

datacureinc Wed, 01/13/2010 - 09:56

Sorry, I should have been more specific. I do not have an ACL (I know it's not needed for traffic terminating at the firewall) and yes, I do have the "ssh" command to allow for access. The same exact configuration was working fine in version 7; I recently upgraded to 8.2(1). I have a TAC open with Cisco so I'll share what they tell me to do.

datacureinc Wed, 01/13/2010 - 12:06

Ok, so a reminder: this configuration worked with v7.2 just fine. I could still SSH in from the 78.25 host on the inside. There is a LAN-to-LAN tunnel and a couple of routers between this ASA and the 192.168.10 network; the 78 network is directly attached to the internal interface on this ASA.

hostname# show run | inc ssh 192.168.


aaa authentication ssh console LOCAL


ssh 192.168.10.25 255.255.255.255 outside

ssh 192.168.78.25 255.255.255.255 inside

ssh timeout 10

ssh version 2


For some reason Cisco decided to switch things up in version 8.2.

Here is what I did to get it to work:

hostname# conf t

hostname(config)# management-access inside

Please remove the management access before configure a new one

hostname(config)# no management-access outside

hostname(config)# management-access inside

hostname(config)# end

Still did not work.

hostname# show run | inc ssh 192.168.

aaa authentication ssh console LOCAL

ssh 192.168.10.25 255.255.255.255 outside

ssh 192.168.78.25 255.255.255.255 inside

ssh timeout 10

ssh version 2

Still did not work until I changed 10.25 to look like it's coming from the inside even though it is not:

hostname# conf t

hostname(config)# ssh 192.168.10.25 255.255.255.255 inside

To me this doesn't make sense because the 192.168.10 network is only reachable via the outside interface.

At least it is working now.

Hope this helps you guys out.

Since I had a tunnel terminating on my outside interface at 10.0.0.1, I had to SSH to the internal interface at 192.168.78.1 from 10.25.


I asked the TAC engineer why it changed and he said:

"Yes this network and this ip 192.168.10.25 is on outside, but we are connecting to the firewall on the inside interface and that’s why we have to add these commands."
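The thread's confusion in both halves (Scott's "ssh 0.0.0.0 0.0.0.0 outside" and the 8.2(1) case where 192.168.10.25 reaches the firewall on the inside address) comes down to which "ssh <ip> <mask> <interface>" line matches a given client on the interface the session arrives on. The following added example, which is not code from the thread or from Cisco, parses those lines out of a running-config and answers that question for a client address, and it flags any-source rules on the outside interface; the ASA's own matching rule (source address plus arriving interface) is assumed from the posts above, and the sample config is constructed from the lines quoted in the thread.

```python
import ipaddress
from typing import List, NamedTuple


class SshRule(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str


def parse_ssh_rules(config: str) -> List[SshRule]:
    """Collect 'ssh <ip> <mask> <interface>' host rules from an ASA running-config.
    Other 'ssh ...' lines (timeout, version) have a different token count and are skipped."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue
        try:
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
        except ValueError:
            continue  # four-token ssh line that is not an address/mask rule
        rules.append(SshRule(net, parts[3]))
    return rules


def ssh_permitted(rules: List[SshRule], source_ip: str, interface: str) -> bool:
    """True if some rule covers source_ip on the interface the session arrives on
    (assumed matching behaviour, as described in the thread)."""
    src = ipaddress.IPv4Address(source_ip)
    return any(src in r.network and r.interface == interface for r in rules)


def any_source_rules(rules: List[SshRule], interface: str = "outside") -> List[SshRule]:
    """Rules on `interface` that admit every source (0.0.0.0 0.0.0.0): worth reviewing
    on an Internet-facing interface before relying on LOCAL passwords alone."""
    return [r for r in rules if r.interface == interface and r.network.prefixlen == 0]


# Constructed sample: the ssh lines from the 8.2(1) post, before the fix was applied.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
ssh 192.168.10.25 255.255.255.255 outside
ssh 192.168.78.25 255.255.255.255 inside
ssh timeout 10
ssh version 2
"""

if __name__ == "__main__":
    rules = parse_ssh_rules(SAMPLE_CONFIG)
    # 10.25 arriving over the tunnel at the inside address matches nothing: False
    print(ssh_permitted(rules, "192.168.10.25", "inside"))
```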
