can't ssh to Cisco ASA 5505

Unanswered Question
Jun 28th, 2009

Hi, I can't seem to ssh to my 5505, even though I think I have it set up properly. Below is part of the config; can someone tell me what is wrong?


access-list 101 extended permit ip 255.255.


access-list vpnclient extended permit ip 25

access-list nonat extended permit ip 255.25


access-list acl_in extended permit tcp any host eq 3389

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool clients

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 0 access-list nonat

nat (inside) 1

static (inside,outside) tcp interface 3389 3389 netmask 255.255.255


route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

http server ena

http inside

no snmp-server location


no snmp-server contact

snmp-server community asa

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec transform-set national esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-des esp-md5-hmac


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto dynamic-map national 20 set transform-set myset

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp p


encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

telnet inside

telnet timeout 5

ssh outside

ssh timeout 5

console timeout 0


class-map inspection_default

match default-inspection-traffic

Richard Burts Sun, 06/28/2009 - 10:20


I see that you have configured to permit ssh on the outside interface using this:

ssh outside

but your post is not specific whether you are attempting SSH from an outside address to the outside interface or whether you are attempting SSH from an inside address to the inside interface. Perhaps you should also enable SSH on the inside interface.

Perhaps it would also help to configure authentication for SSH. It might look something like this:

user password

aaa authentication ssh console LOCAL

(note that LOCAL needs to be upper case).



mikejgalovich Sun, 06/28/2009 - 10:32

I know a Cisco guy who I want to give access to, but I can't because ssh won't work. I want him to review the setup and enable FTP too.

Richard Burts Sun, 06/28/2009 - 10:45




The link that Toshi sent is a good one and it reminds me that you also need to generate RSA keys to enable SSH. You do not mention whether you have done this step or not. The command would be:

crypto key generate rsa modulus modulus_size
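
One way to check a saved ASA configuration against the prerequisites raised in the replies above (an `ssh` permit line for the interface in use, a local user, and `aaa authentication ssh console LOCAL`). This is an added example, not part of the original thread; the sample config, its documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses); not the poster's config.
SAMPLE_CONFIG = """\
telnet timeout 5
ssh 192.0.2.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
"""

# ASA form: ssh <ip_address> <mask> <interface>
SSH_RULE = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)$")


def ssh_rules(config):
    """Return (network, interface) for each well-formed 'ssh <ip> <mask> <if>' line."""
    rules = []
    for line in config.splitlines():
        m = SSH_RULE.match(line.strip())
        if not m:
            continue  # e.g. 'ssh timeout 5', or a line with no address and mask
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError:
            continue  # three arguments, but not an address and mask
        rules.append((str(net), m.group(3)))
    return rules


def audit_ssh(config, interface):
    """List SSH prerequisites from this thread that the config text does not show."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if not any(ifname == interface for _, ifname in ssh_rules(config)):
        findings.append(f"no 'ssh <ip> <mask> {interface}' line permits clients on {interface}")
    # Exact match on purpose: the reply notes LOCAL must be upper case.
    if "aaa authentication ssh console LOCAL" not in lines:
        findings.append("missing 'aaa authentication ssh console LOCAL'")
    if not any(re.match(r"^username\s+\S+\s+password\s+\S+", l) for l in lines):
        findings.append("no local 'username <name> password <password>' account")
    # RSA keys are not part of the running config, so this is always a reminder.
    findings.append("confirm RSA keys on the device: 'show crypto key mypubkey rsa'")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG, "outside"):
        print("-", finding)
```

The interface argument matters for the question asked in the first reply: a permit line for `outside` does nothing for a client connecting to the `inside` interface.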



