16360 Views | 0 Helpful | 14 Replies

SSH outside question

scott.bridges (Level 1)

This must be a simple problem that I'm just not seeing. I may be just tired, but I can't for the life of me SSH from outside into this ASA. I can RDP into the Windows Server and use Putty to SSH from the inside, but can't do so from home.

Here is part of the config:

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 20

ssh version 2

access-group outside_access_in in interface outside

(there is nothing via acl blocking SSH traffic)

aaa authentication ssh console LOCAL

What am I missing?

1 Accepted Solution (John's "management-access outside" reply, below)

14 Replies

lreger (Level 1)

asa(config)# crypto key generate rsa

ciscoasa(config)# crypto key generate rsa

WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]: no

ERROR: Failed to create new RSA keys named

ciscoasa(config)#

Already have an RSA key. This would need to exist for me to be able to SSH locally (inside), right?

I just tested the command on a new ASA 5505 right out of the box and I received the same notification about replacing the default key. So run the command again, answer yes to replace the default key, and test the SSH connection from the outside.

Same thing. SSH from the outside and it's instant connection refused.

debug1: Reading configuration data /etc/ssh_config

debug1: Connecting to 6.x.138 [6.x.138] port 22.

debug1: connect to address 6.x.138 port 22: Connection refused

ssh: connect to host 6.x.138 port 22: Connection refused

Please keep me posted. I have the same problem.

ASA 5505. ASA v.8.0(4). ASDM v.6.1(5)57

Scott,

I noticed that you said that there wasn't anything blocking ssh in the outside acl, but are you allowing it through from anywhere?

permit tcp any any eq 22

Also, what client are you using? You have version 2 specified, and if you're using putty, you may want to specify it as well.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

With the "ssh 0.0.0.0 0.0.0.0 outside" command, shouldn't that enable SSH connections from the outside? I.e., outgoing is not affected? My understanding is that "permit tcp any any eq 22" and applying it to an interface is for hosts/clients on the LAN, *not* the 'outside' interface itself.

Make sense?

And I use a Mac with 10.5.7, so that's the Terminal I'm using, unix SSH.

I'm attaching the running-config in case there is anything I'm missing. I'm not too experienced in firewall IOS, so any help/tips are greatly appreciated. But here is the config to help troubleshoot this annoying SSH problem:

Thanks,

-Scott

Scott,

Try this:

management-access outside

HTH,

John

HTH, John *** Please rate all useful posts ***

I'm in.

That's crazy. I have never had to issue that command before. Why do you think that needed to happen?

Scott,

The ASA has a management interface that allows you to manage the device on a higher security interface. You have to change the management interface to the outside in order to SSH into it.

You also may have been able to add your ssh command like:

ssh 0 0 management

I've never tried the latter, but your ASA has a designated management interface (can be any interface), and I assume that it will just allow ssh connections into whatever your management interface is specified as.

Seeing your config helped :)

Thanks for the rating!

John

HTH, John *** Please rate all useful posts ***

datacureinc (Level 1)

I guess I'll bring this post back to life. I recently upgraded to 8.2(1) and SSH is no longer working from the outside interface. Same config, all ACLs are there, generated a new crypto key, rebooted the device, all of which I knew wouldn't fix it. I can still get in from the inside. I entered the command "management-interface outside" with no luck (maybe I need to reboot? but I can't unless I have a maintenance window). I have an ASA 5510.

Hi,

Try this command:

ssh <ip address and netmask of the IP you are coming in from> <interface>

For security purposes I believe you can't specify 0.0.0.0 on the outside interface.

You don't need an ACL rule for it (I have an ASA 5510), and the only config I have is "ssh <ip> <netmask>".

HTH

Post your entire config if you can.

Sorry, I should have been more specific. I do not have an ACL (I know it's not needed for traffic terminating at the firewall) and yes, I do have the "ssh" command to allow for access. The same exact configuration was working fine in version 7; I recently upgraded to 8.2(1). I have a TAC case open with Cisco, so I'll share what they tell me to do.

OK, so a reminder: this configuration worked with v7.2 just fine. I could still SSH in from the 78.25 host on the inside. There is a LAN-to-LAN tunnel and a couple of routers between this ASA and the 192.168.10 network; the 78 network is directly attached to the internal interface on this ASA.

hostname# show run | inc ssh 192.168.

aaa authentication ssh console LOCAL

ssh 192.168.10.25 255.255.255.255 outside

ssh 192.168.78.25 255.255.255.255 inside

ssh timeout 10

ssh version 2

For some reason Cisco decided to switch things up in version 8.2.

Here is what I did to get it to work:

hostname# conf t

hostname(config)# management-access inside

Please remove the management access before configure a new one

hostname(config)# no management-access outside

hostname(config)# management-access inside

hostname(config)# end

Still did not work.

hostname# show run | inc ssh 192.168.

aaa authentication ssh console LOCAL

ssh 192.168.10.25 255.255.255.255 outside

ssh 192.168.78.25 255.255.255.255 inside

ssh timeout 10

ssh version 2

Still did not work until I changed 10.25 to look like it's coming from the inside, even though it is not:

hostname# conf t

hostname(config)# ssh 192.168.10.25 255.255.255.255 inside

To me this doesn't make sense, because the 192.168.10 network is only reachable via the outside interface.

At least it is working now.

Hope this helps you guys out.

Since I had a tunnel terminating on my outside interface at 10.0.0.1, I had to SSH to the internal interface at 192.168.78.1 from 10.25.

I asked the TAC engineer why it changed and he said

"Yes this network and this ip 192.168.10.25 is on outside, but we are connecting to the firewall on the inside interface and that’s why we have to add these commands."
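The thread turns on which "ssh <ip> <mask> <interface>" statements an ASA has, and on the difference between Scott's any-host lines and datacureinc's per-host lines. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses the ssh access statements out of a running-config, answers "would a client at this address, arriving on this interface, match one?", and flags an any-host statement on the outside interface (the point the reply about not using 0.0.0.0 on outside was making). It assumes the "0" shorthand for 0.0.0.0 used in "ssh 0 0 management" above is valid on the ASA, and the two sample configs are constructed from the snippets posted in the thread; it only evaluates the ssh statements themselves, not management-access, routing or tunnel reachability, so a match here is necessary but not sufficient for a working session.

```python
"""Audit the `ssh` access statements in a Cisco ASA running-config (added example)."""
import ipaddress
import re
from typing import Dict, List, NamedTuple


class SshRule(NamedTuple):
    network: ipaddress.IPv4Network  # hosts allowed to open SSH to the ASA
    interface: str                  # interface the connection must arrive on


# Matches "ssh <ip> <mask> <interface>". "ssh timeout 20" and "ssh version 2"
# carry only two arguments and are deliberately not matched.
SSH_RULE_RE = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)$")


def _expand_zero(token: str) -> str:
    # Assumption: the ASA accepts "0" as shorthand for 0.0.0.0 ("ssh 0 0 management").
    return "0.0.0.0" if token == "0" else token


def parse_ssh_rules(config: str) -> List[SshRule]:
    """Return every ssh access statement as (network, interface)."""
    rules: List[SshRule] = []
    for raw in config.splitlines():
        m = SSH_RULE_RE.match(raw.strip())
        if not m:
            continue
        ip, mask, iface = m.groups()
        try:
            net = ipaddress.IPv4Network(
                f"{_expand_zero(ip)}/{_expand_zero(mask)}", strict=False)
        except ValueError:
            continue  # some other three-word ssh option, not an access statement
        rules.append(SshRule(net, iface))
    return rules


def is_permitted(rules: List[SshRule], src_ip: str, interface: str) -> bool:
    """True if a client at src_ip arriving on `interface` matches an ssh statement."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(ip in r.network and r.interface == interface for r in rules)


def audit(config: str) -> Dict[str, object]:
    """Collect the ssh rules, the management-access interface(s), and defender findings."""
    rules = parse_ssh_rules(config)
    findings: List[str] = []
    for r in rules:
        if r.network.prefixlen == 0 and r.interface == "outside":
            findings.append("ssh permitted from any host on outside; "
                            "restrict to known management addresses")
    if not re.search(r"^ssh version 2$", config, re.M):
        findings.append("ssh version not pinned to 2")
    if not re.search(r"^aaa authentication ssh console \S+", config, re.M):
        findings.append("no 'aaa authentication ssh console' statement")
    mgmt = re.findall(r"^management-access\s+(\S+)", config, re.M)
    return {"rules": rules, "management_access": mgmt, "findings": findings}


# Constructed sample configs, assembled from the snippets posted in the thread.
SCOTT_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
ssh version 2
aaa authentication ssh console LOCAL
management-access outside
"""

DATACURE_CONFIG = """\
aaa authentication ssh console LOCAL
ssh 192.168.10.25 255.255.255.255 outside
ssh 192.168.78.25 255.255.255.255 inside
ssh timeout 10
ssh version 2
management-access inside
"""

if __name__ == "__main__":
    for name, cfg in (("scott", SCOTT_CONFIG), ("datacureinc", DATACURE_CONFIG)):
        report = audit(cfg)
        print(name, "management-access:", report["management_access"])
        for rule in report["rules"]:
            print("  ssh from", rule.network, "on", rule.interface)
        for finding in report["findings"]:
            print("  FINDING:", finding)
    # datacureinc's host is matched on outside but not on inside until the extra line is added
    rules = parse_ssh_rules(DATACURE_CONFIG)
    print(is_permitted(rules, "192.168.10.25", "outside"),
          is_permitted(rules, "192.168.10.25", "inside"))
```

Run against datacureinc's lines, the audit shows why the second "ssh 192.168.10.25 255.255.255.255 inside" statement mattered: the host matched only the outside statement, but the session was arriving at the inside interface address through the tunnel, so no statement covered that pairing until it was added.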
