05-26-2009 07:09 PM - edited 03-11-2019 08:36 AM
This must be a simple problem that I'm just not seeing. I may be just tired, but I can't for the life of me SSH from outside into this ASA. I can RDP into the Windows Server and use Putty to SSH from the inside, but can't do so from home.
Here is part of the config:
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
ssh version 2
access-group outside_access_in in interface outside
(there is nothing via acl blocking SSH traffic)
aaa authentication ssh console LOCAL
What am I missing?
05-26-2009 08:12 PM
asa(config)# crypto key generate rsa
05-26-2009 08:41 PM
ciscoasa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named
Do you really want to replace them? [yes/no]: no
ERROR: Failed to create new RSA keys named
ciscoasa(config)#
Already have an RSA key. This would need to exist for me to be able to SSH locally (inside), right?
05-26-2009 08:48 PM
I just tested the command on a new ASA 5505 right out of the box and I received the same notification about replacing the default key. So run the command again and press yes to replace the default key and test the ssh connection from the outside
05-26-2009 09:03 PM
Same thing. SSH from the outside and it's instant connection refused.
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 6.x.138 [6.x.138] port 22.
debug1: connect to address 6.x.138 port 22: Connection refused
ssh: connect to host 6.x.138 port 22: Connection refused
05-27-2009 06:32 AM
Please keep me up. I have the same problem.
ASA 5505. ASA v.8.0(4). ASDM v.6.1(5)57
05-27-2009 09:41 AM
Scott,
I noticed that you said that there wasn't anything blocking ssh in the outside acl, but are you allowing it through from anywhere?
permit tcp any any eq 22
Also, what client are you using? You have version 2 specified, and if you're using putty, you may want to specify it as well.
HTH,
John
05-28-2009 10:35 AM
Hi John,
With the "ssh 0.0.0.0 0.0.0.0 outside" command, shouldn't that enable SSH connections from the outside? I.e., outgoing is not affected? My understanding is that "permit tcp any any eq 22" and applying it to an interface is for hosts/clients on the LAN, *not* the 'outside' interface itself.
Make sense?
And I use a Mac with 10.5.7, so that's the Terminal I'm using, unix SSH.
I'm attaching the running-config in case there is anything I'm missing. I'm not too experienced in firewall IOS, so any help/tips are greatly appreciated. But here is the config to help troubleshoot this annoying SSH problem:
Thanks,
-Scott
05-28-2009 11:15 AM
Scott,
Try this:
management-access outside
HTH,
John
05-28-2009 11:29 AM
I'm in.
That's crazy. I have never had to issue that command before. Why do you think that needed to happen?
05-28-2009 11:44 AM
Scott,
The ASA has a management interface that allows you to manage the device on a higher security interface. You have to change the management interface to the outside in order to SSH into it.
You also may have been able to add your ssh command like:
ssh 0 0 management
I've never tried the latter, but your ASA has a designated management interface (can be any interface), and I assume that it will just allow ssh connections into whatever your management interface is specified as.
Seeing your config helped :)
Thanks for the rating!
John
01-13-2010 05:55 AM
I guess I'll bring this post back to life. I recently upgraded to 8.2(1) and ssh is no longer working from the outside interface. Same config, all acl's are there, generated a new crypto key, rebooted the device, all of which I knew wouldn't fix it. I can still get in from the inside. I entered the command "management-interface outside" with no luck (maybe I need to reboot? but can't unless I have a maintenance window). I have an ASA 5510.
01-13-2010 08:47 AM
Hi,
Try this command:
ssh <ip address and netmask of the IP you are coming in from> - for security purposes I believe you can't specify 0.0.0.0 on the outside interface.
You don't need an ACL rule for it (I have an ASA5510) and the only config I have is ssh <ip> <netmask>.
HTH
Post your entire config if you can.
01-13-2010 09:56 AM
Sorry, I should have been more specific. I do not have an acl (I know it's not needed for traffic terminating at the firewall) and yes I do have the "ssh
01-13-2010 12:06 PM
Ok, so a reminder: this configuration worked with v7.2 just fine. I could still ssh in from the 78.25 host on the inside. There is a lan to lan tunnel and a couple of routers between this ASA and the 192.168.10 network; the 78 network is directly attached to the internal interface on this ASA.
hostname# show run | inc ssh 192.168.
aaa authentication ssh console LOCAL
ssh 192.168.10.25 255.255.255.255 outside
ssh 192.168.78.25 255.255.255.255 inside
ssh timeout 10
ssh version 2
for some reason Cisco decided to switch things up in version 8.2
Here is what I did to get it to work
hostname# conf t
hostname(config)# management-access inside
Please remove the management access before configure a new one
hostname(config)# no management-access outside
hostname(config)# management-access inside
hostname(config)# end
Still did not work.
hostname# show run | inc ssh 192.168.
aaa authentication ssh console LOCAL
ssh 192.168.10.25 255.255.255.255 outside
ssh 192.168.78.25 255.255.255.255 inside
ssh timeout 10
ssh version 2
Still did not work until I changed 10.25 to look like it's coming from the inside even though it is not.
hostname# conf t
hostname(config)# ssh 192.168.10.25 255.255.255.255 inside
To me this doesn't make sense because the 192.168.10 network is only reachable via the outside interface.
At least it is working now.
Hope this helps you guys out.
Since I had a tunnel terminating on my outside interface at 10.0.0.1 I had to ssh to the internal interface at 192.168.78.1 from 10.25
I asked the TAC engineer why it changed and he said
"Yes this network and this ip 192.168.10.25 is on outside, but we are connecting to the firewall on the inside interface and that’s why we have to add these commands."
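The thread turns on two things: which interface an `ssh <ip> <mask> <interface>` line is bound to (the TAC explanation above), and whether that line is wide open (`0.0.0.0 0.0.0.0`) on an untrusted interface, which John's 01-13-2010 reply argues against. The script below is an added example, not code from the thread, Cisco, or any poster; it is a small offline checker that parses those `ssh` host lines out of a running-config excerpt and answers "would this source address, arriving on this interface, be permitted to reach the SSH server?", and separately flags interfaces where management is open to any source. The config text is constructed for the example (documentation and RFC 1918 addresses, placeholder hostname), and it assumes only the `ssh ip mask iface` syntax shown in the thread.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (NOT any poster's real config).
# It mirrors the thread: a wide-open entry on outside, and host/subnet
# entries bound to inside, plus the non-host 'ssh timeout' / 'ssh version'
# lines that a naive grep for "ssh" would also pick up.
SAMPLE_CONFIG = """
hostname fw-example
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.78.25 255.255.255.255 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
"""

# Matches only 'ssh <ipv4> <mask> <interface>'; 'ssh timeout 10' and
# 'ssh version 2' do not have two dotted quads and are skipped.
SSH_HOST_LINE = re.compile(
    r"^\s*ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)


def parse_ssh_hosts(config_text):
    """Return a list of (IPv4Network, interface) pairs from ssh host lines.

    The ASA writes the mask in dotted-quad form; ipaddress accepts
    'ip/mask' strings in that form directly, and strict=False lets a
    host bit be set in the address (e.g. 192.168.10.25/32 is fine either way).
    """
    entries = []
    for line in config_text.splitlines():
        m = SSH_HOST_LINE.match(line)
        if not m:
            continue
        ip, mask, iface = m.groups()
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        entries.append((net, iface))
    return entries


def ssh_allowed(config_text, source_ip, interface):
    """True if some ssh host entry bound to `interface` covers `source_ip`.

    The interface is part of the match: an entry for 192.168.10.25 on
    'outside' does not help a session that actually arrives on 'inside',
    which is the situation the last poster ran into.
    """
    src = ipaddress.IPv4Address(source_ip)
    return any(src in net and iface == interface
               for net, iface in parse_ssh_hosts(config_text))


def overly_permissive(config_text):
    """Interfaces on which SSH management is open to any source (/0)."""
    return sorted({iface for net, iface in parse_ssh_hosts(config_text)
                   if net.prefixlen == 0})


if __name__ == "__main__":
    for net, iface in parse_ssh_hosts(SAMPLE_CONFIG):
        print(f"{iface:8s} {net}")
    print("allowed 192.168.10.25 via inside :", ssh_allowed(SAMPLE_CONFIG, "192.168.10.25", "inside"))
    print("allowed 192.168.10.25 via outside:", ssh_allowed(SAMPLE_CONFIG, "192.168.10.25", "outside"))
    print("wide-open interfaces:", overly_permissive(SAMPLE_CONFIG))
```

Running it against a real `show run | inc ssh` capture is just a matter of replacing `SAMPLE_CONFIG`; the useful output for an audit is `overly_permissive()`, since a `0.0.0.0 0.0.0.0` entry on the outside interface exposes the management plane (and the LOCAL password database behind `aaa authentication ssh console LOCAL`) to the whole Internet, which is exactly what the 01-13-2010 reply recommends narrowing to the specific source address and mask you administer from.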