SSH to outside interface

Answered Question
Jul 2nd, 2009

How to configure SSH on the outside interface of the ASA? I have defined an access list for the outside interface and applied it, but it didn't work for some reason.


Here is the access list


interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list allow_ping extended permit tcp any any eq ssh
access-list nonat extended permit ip any any
access-list icmp_inside extended permit icmp any any
access-list icmp_inside extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Correct Answer by kevinglong about 7 years 7 months ago

Can't say I have seen this before, but SSH is easy to do on the ASA.

I recommend taking the access list off of the interface first to see if that could be it.

You only posted a partial section of the config, but make sure you have the SSH command with the address of the subnet you are connecting from. Your config is no longer visible as I type this, but try "SSH 0.0.0.0 0.0.0.0 outside". This allows all subnets to access the outside interface. This command works like an access list to limit connectivity to trusted subnets, i.e. "SSH 10.0.0.0 255.0.0.0 outside" only allows hosts on the 10.x.x.x network to connect via SSH.

Turn on "debug ssh" to see what the errors are too.

And, you can always delete your keys (crypto key zeroize rsa) and rebuild them back (crypto key generate rsa gen mod 1024). This will make your SSH client (I'm using PuTTY) think this is a new device and prompt for the OK to connect.

Good luck.

Kevin
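The steps from the answer above, assembled into one ASA configuration fragment as an added example (this is not from the thread or from Cisco documentation). The hostname, domain name, local account and the 10.0.0.0/8 trusted subnet are assumed placeholders; the commands themselves are standard ASA CLI.

```cisco
! Added example, not part of the original thread. hostname, domain-name,
! the username and the trusted subnet are assumed placeholders.
hostname asa-example
domain-name example.local
!
! The RSA key pair is what the SSH server presents to clients. Zeroizing
! and regenerating it is the reset described in the answer; clients will
! see a new host key and ask to confirm it on the next connection.
crypto key zeroize rsa
crypto key generate rsa modulus 2048
!
! Local account for SSH logins. Without "aaa authentication ssh console
! LOCAL" the ASA expects its default SSH username ("pix") with the login
! password, which is rarely what you want.
username admin password <placeholder> privilege 15
aaa authentication ssh console LOCAL
!
! "ssh <address> <mask> <interface>" behaves like an access list for the
! management plane. Permit only the subnet you administer from;
! "ssh 0.0.0.0 0.0.0.0 outside" is a troubleshooting step, not a final
! setting, because it exposes the login prompt to every source.
ssh 10.0.0.0 255.0.0.0 outside
ssh version 2
ssh timeout 10
!
! Useful checks once applied:
!   show crypto key mypubkey rsa   - confirm an RSA key pair exists
!   show running-config ssh        - confirm the permitted subnets and version
!   show ssh sessions              - list current SSH sessions
!   debug ssh                      - per-connection detail while reproducing
```

Note that the interface access list (access-group on outside) governs traffic passing through the firewall, while the "ssh" statements govern connections to the ASA itself; both the source subnet and an existing RSA key are needed before the "Connected. / Connection closed." symptom goes away.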


fgasimzade Thu, 07/02/2009 - 23:39

I have done all this already, but I get this message from my SSH client when trying to connect to the ASA:

Connecting to host 10.254.17.9:22...
Connected.
Connection closed.



fgasimzade Sun, 07/05/2009 - 22:47

I removed the crypto keys and generated them again; it helped, thank you.
