can't ssh to Cisco ASA 5505

mikejgalovich
Level 1
Level 1

Hi, I can't seem to ssh to my 5505, even though I think I have it setup properly. Below is part of the config, can someone tell me what is wrong?

domain-name windriverdev.com
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpnclient extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list acl_in extended permit tcp any host 69.3.19.242 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool clients 10.10.10.100-10.10.10.150
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.90 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 69.3.19.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
http server ena
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community asa
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set national esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map national 20 set transform-set myset
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp p
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic


Richard Burts
Hall of Fame
Hall of Fame

Mike

I see that you have configured to permit ssh on the outside interface using this:

ssh 0.0.0.0 0.0.0.0 outside

but your post is not specific whether you are attempting SSH from an outside address to the outside interface or whether you are attempting SSH from an inside address to the inside interface. Perhaps you should also enable SSH on the inside interface.

Perhaps it would also help to configure authentication for SSH. It might look something like this:

user password

aaa authentication ssh console LOCAL

(note that LOCAL needs to be upper case).

HTH

Rick

I'm trying to setup ssh for outside users

Thanks

Mike

I know a Cisco guy who I want to give access to, but I can't because ssh won't work. I want him to review the setup and enable FTP too

Toshi

Thanks.

Mike

The link that Toshi sent is a good one and it reminds me that you also need to generate RSA keys to enable SSH. You do not mention whether you have done this step or not. The command would be:

crypto key generate rsa modulus modulus_size

HTH

Rick

Hello Guys, I am new with ASA.

I recently put a basic configuration on my new asa 5006x but I am struggling to connect through SSH.

Note: this is not in a live environment; I use this for practise in my own lab at home. Please see below the configuration in my ASA.

cisco-asa# sh run ssh

ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside_5
ssh timeout 5
ssh key-exchange group dh-group1-sha1

--------------------------------------
cisco-asa# sh run http

http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
----------------------------------------------
cisco-asa# sh running-config username

username admin password $sha512$5000$JCWVhLOQBYzBKgTsUCApng==$DtTcA6Jy2CJ+BgVpfmzUug== pbkdf2
---------------------------------------------------------------------

cisco-asa# sh run enable

enable password $sha512$5000$18/N8nuTPhdGDODNWnzegA==$COuHVU00CHqnwQL3Xt+ExQ== pbkdf2

----------------------------------------------------------------------------------------
hostname cisco-asa
domain-name cisco.com

-------------------------
cisco-asa# sh flash:
--#--  --length--  -----date/time------  path
   96  8400        Jan 13 2019 17:19:24  startup-config
   97  33          Jan 16 2019 04:52:32  .boot_string
   11  4096        Dec 12 2017 18:29:02  log
   13  1875        Jan 16 2019 04:18:00  log/asa-appagent.log
   21  4096        Dec 12 2017 18:29:54  crypto_archive
   22  4096        Dec 12 2017 18:29:56  coredumpinfo
   23  59          Dec 12 2017 18:29:56  coredumpinfo/coredump.cfg
   98  109776224   Jan 13 2019 14:23:44  asa991-lfbff-k8.SPA
   99  29197944    Jan 14 2019 14:56:52  asdm-791.bin

7365472256 bytes total (4003168256 bytes free)

---------------------------------------------------------

I am able to launch ASDM with no problem and my PC can ping the IP address.

Please help me out.

Thank you.

 

Regards,

Star

 

hi,

did you generate your SSH/RSA keys?

also configure SSH for 'local' user access.

crypto key generate rsa modulus 2048

aaa authentication ssh console LOCAL

 

see helpful link to configure the ASA5506-X:

http://wannabecybersecurity.blogspot.com/2018/10/cisco-asa-5506w-x-basic-configuration.html

Can you tell us what IP address is the source address in your attempt to SSH to the ASA? Also what IP address are you using as the destination for the SSH and what interface on the ASA is that address?

 

HTH

 

Rick

Hello Rick,
Thank you for the reply.
The source IP address is 192.168.1.6, which is my PC.
The ASA IP address is 192.168.1.1; this is the IP address that I am trying to SSH to.
My PC is connected to physical interface gigabit1/5 on the ASA, please see below.
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
--------------------
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
-------------------------------------


I hope the above gives more information regarding my question.
Thank you.

Star

 

Thank you for the information. Here is what you have configured to enable access using SSH

ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside_5

And here is the interface name for where you are connected

nameif inside_4

You need to either move your PC to the interface named inside_5 or you need to add a statement allowing access from inside_4
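The mismatch Rick points out, together with the RSA-key and local-authentication steps from the earlier replies, can be checked mechanically against running-config text. This is an added example, not code from the thread or from Cisco; the config is constructed to mirror Star's case (PC on GigabitEthernet1/5 named inside_4, ssh lines permitting inside_5), and the hash is a placeholder.

```python
# Added example: checks ASA SSH prerequisites against running-config text.
# Constructed sample config mirroring the case in the thread; hash is a placeholder.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
username admin password PLACEHOLDER-HASH pbkdf2
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside_5
ssh timeout 5
"""

def nameif_map(config):
    """Map each physical/BVI interface to its nameif from the interface blocks."""
    names, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif line and not line[0].isspace():
            current = None  # a non-indented line ends the interface block
        elif current and (m := re.match(r"\s*nameif (\S+)", line)):
            names[current] = m.group(1)
    return names

def ssh_rules(config):
    """Parse 'ssh <net> <mask> <nameif>' access lines; other ssh lines are ignored."""
    pat = r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$"
    return [(ipaddress.ip_network(f"{a}/{m}", strict=False), ifname)
            for a, m, ifname in re.findall(pat, config, re.M)]

def ssh_permitted(config, src_ip, phys_if):
    """True if src_ip arriving on phys_if matches an ssh line for that interface's nameif."""
    nameif = nameif_map(config).get(phys_if)
    src = ipaddress.ip_address(src_ip)
    return any(src in net and ifname == nameif for net, ifname in ssh_rules(config))

def ssh_checklist(config, src_ip, phys_if):
    """Config-visible checks only: RSA key presence is not in 'show run' and must be
    confirmed on the ASA with 'show crypto key mypubkey rsa'."""
    return {
        "access_line_matches": ssh_permitted(config, src_ip, phys_if),
        "local_aaa_for_ssh": "aaa authentication ssh console LOCAL" in config,
        "local_user_defined": re.search(r"^username \S+ password", config, re.M) is not None,
    }
```

Renaming the interface to inside_5 (or adding an ssh line for inside_4) flips `access_line_matches` to True; an `ssh 0.0.0.0 0.0.0.0 <nameif>` line, as in the original poster's config, matches every source address on that interface.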

 

HTH

 

Rick

Hello Rick,
Thank you so much for your help.
I changed the interface to nameif inside_5 to match the ssh statement for 192.168.1.0 inside_5 as requested; it is working now and I am able to SSH to the ASA. Great tips.
Regards,
Star

Star

 

Thank you for the update telling us that you have solved your problem. I am glad that my suggestion pointed you in the right direction. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick

Hello Rick,
Yes, you're correct, this is the best community I have ever seen, and I will continue to use it.
I have been registered for years but I hardly used the community; from now on I will.
Thank you.

