06-28-2009 09:49 AM - edited 03-04-2019 05:15 AM
Hi, I can't seem to ssh to my 5505, even though I think I have it set up properly. Below is part of the config, can someone tell me what is wrong?
domain-name windriverdev.com
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpnclient extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list acl_in extended permit tcp any host 69.3.19.242 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool clients 10.10.10.100-10.10.10.150
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.90 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 69.3.19.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community asa
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set national esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map national 20 set transform-set myset
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp p
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
06-28-2009 10:20 AM
Mike
I see that you have configured to permit ssh on the outside interface using this:
ssh 0.0.0.0 0.0.0.0 outside
but your post is not specific whether you are attempting SSH from an outside address to the outside interface or whether you are attempting SSH from an inside address to the inside interface. Perhaps you should also enable SSH on the inside interface.
Perhaps it would also help to configure authentication for SSH. It might look something like this:
user
aaa authentication ssh console LOCAL
(note that LOCAL needs to be upper case).
HTH
Rick
06-28-2009 10:27 AM
I'm trying to setup ssh for outside users
Thanks
Mike
06-28-2009 10:31 AM
Mike,
Rick is correct, 5P!
You may use this link to verify things:
HTH,
Toshi
06-28-2009 10:32 AM
I know a Cisco guy who I want to give access to, but I can't because ssh won't work. I want him to review the setup and enable FTP too
06-28-2009 10:45 AM
Toshi
Thanks.
Mike
The link that Toshi sent is a good one and it reminds me that you also need to generate RSA keys to enable SSH. You do not mention whether you have done this step or not. The command would be:
crypto key generate rsa modulus modulus_size
HTH
Rick
01-15-2019 03:11 PM - edited 01-15-2019 03:15 PM
Hello Guys, I am new with ASA.
I recently put a basic configuration on my new ASA 5006x, but I am struggling to connect through SSH.
Note: this is not in a live environment; I use this for practice in my own lab at home. Please see the configuration on my ASA below.
cisco-asa# sh run ssh
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside_5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
--------------------------------------
cisco-asa# sh run http
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
----------------------------------------------
cisco-asa# sh running-config username
username admin password $sha512$5000$JCWVhLOQBYzBKgTsUCApng==$DtTcA6Jy2CJ+BgVpfmzUug== pbkdf2
---------------------------------------------------------------------
cisco-asa# sh run enable
enable password $sha512$5000$18/N8nuTPhdGDODNWnzegA==$COuHVU00CHqnwQL3Xt+ExQ== pbkdf2
----------------------------------------------------------------------------------------
hostname cisco-asa
domain-name cisco.com
-------------------------
cisco-asa# sh flash:
--#-- --length-- -----date/time------ path
96 8400 Jan 13 2019 17:19:24 startup-config
97 33 Jan 16 2019 04:52:32 .boot_string
11 4096 Dec 12 2017 18:29:02 log
13 1875 Jan 16 2019 04:18:00 log/asa-appagent.log
21 4096 Dec 12 2017 18:29:54 crypto_archive
22 4096 Dec 12 2017 18:29:56 coredumpinfo
23 59 Dec 12 2017 18:29:56 coredumpinfo/coredump.cfg
98 109776224 Jan 13 2019 14:23:44 asa991-lfbff-k8.SPA
99 29197944 Jan 14 2019 14:56:52 asdm-791.bin
7365472256 bytes total (4003168256 bytes free)
---------------------------------------------------------
I am able to launch ASDM with no problem and my PC can ping the IP address.
Please help me out.
Thank you.
Regards,
Star
01-15-2019 11:05 PM
Hi,
Did you generate your SSH/RSA keys?
Also configure SSH for 'local' user access.
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
See this helpful link to configure the ASA5506-X:
http://wannabecybersecurity.blogspot.com/2018/10/cisco-asa-5506w-x-basic-configuration.html
01-16-2019 08:51 AM
Can you tell us what IP address is the source address in your attempt to SSH to the ASA? Also what IP address are you using as the destination for the SSH and what interface on the ASA is that address?
HTH
Rick
01-17-2019 01:49 AM - edited 01-17-2019 02:18 AM
Hello Rick,
Thank you for the reply.
The source IP address is 192.168.1.6, which is my PC.
The ASA IP address is 192.168.1.1; this is the IP address that I am trying to SSH to.
My PC is connected to physical interface GigabitEthernet1/5 on the ASA, please see below.
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
--------------------
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
-------------------------------------
I hope the above gives more information regarding my question.
Thank you.
01-17-2019 06:54 AM
Star
Thank you for the information. Here is what you have configured to enable access using SSH
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside_5
And here is the interface name for where you are connected
nameif inside_4
You need to either move your PC to the interface named inside_5 or you need to add a statement allowing access from inside_4
HTH
Rick
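Added here as an illustration (my own Python, not code from this thread or from Cisco): a small checker that applies the rule Rick states above, namely that an ASA "ssh" statement only admits a session when it matches both the source network and the nameif of the interface the connection arrives on. The sample config is a constructed cut-down of Star's configuration; the audit also flags the any-source "ssh 0.0.0.0 0.0.0.0 outside" form from the first post and a missing "aaa authentication ssh console LOCAL".

```python
import ipaddress
import re

# Constructed sample modelled on the config in this thread: the PC is on
# GigabitEthernet1/5 (nameif inside_4) but the ssh lines name only outside/inside_5.
SAMPLE_CONFIG = """
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
interface BVI1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside_5
aaa authentication ssh console LOCAL
"""
# Matches only 'ssh <ip> <mask> <nameif>'; 'ssh timeout 5' etc. are ignored.
SSH_LINE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
AAA_LINE = re.compile(r"^aaa authentication ssh console LOCAL$", re.M)

def parse_ssh_permits(config):
    """Return [(network, nameif), ...] for every ssh permit statement."""
    permits = []
    for line in config.splitlines():
        m = SSH_LINE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            permits.append((net, m.group(3)))
    return permits

def ssh_allowed(config, src_ip, ingress_nameif):
    """Accepted only if one ssh line matches BOTH the source and the ingress nameif."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and nameif == ingress_nameif
               for net, nameif in parse_ssh_permits(config))

def audit_ssh(config, src_ip, ingress_nameif):
    """Explain a refused session and flag weak settings (defender's view)."""
    findings, permits = [], parse_ssh_permits(config)
    src = ipaddress.ip_address(src_ip)
    if not ssh_allowed(config, src_ip, ingress_nameif):
        on = sorted({n for net, n in permits if src in net})
        findings.append(f"source {src_ip} permitted on {on} but not on ingress {ingress_nameif}"
                        if on else f"no ssh line covers source {src_ip}")
    for net, nameif in permits:
        if net.prefixlen == 0:  # the 'ssh 0.0.0.0 0.0.0.0 outside' form from the first post
            findings.append(f"ssh open to any source on {nameif}; restrict to management hosts")
    if not AAA_LINE.search(config):
        findings.append("missing 'aaa authentication ssh console LOCAL' (LOCAL is uppercase)")
    return findings
```

Running audit_ssh(SAMPLE_CONFIG, "192.168.1.6", "inside_4") reports that the source is permitted on inside_5 and outside but not on inside_4, which is exactly the mismatch Rick points out.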
01-17-2019 01:20 PM
01-17-2019 01:25 PM
Hello Rick,
01-17-2019 02:12 PM
Star
Thank you for the update telling us that you have solved your problem. I am glad that my suggestion pointed you in the right direction. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
HTH
Rick
01-18-2019 01:08 AM