How to Putty to External Interface

Unanswered Question
Jul 6th, 2009


We have setup a ASA 5505 at a remote remote that VPNs into our core ASA5520.

The 5505 is connect by a static IP to standard broadband.

Everyting works well extent that we can't Putty onto the external interface.

Attached is our config - does anyone know why this might not be working?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Mon, 07/06/2009 - 01:16


What actually happens when you try - do you see anything ?

Also you have these lines in your config -

ssh Proxy-IP outside

ssh Proxy-IP outside

ssh Proxy-IP outside

but you haven't defined PROXY-IP in your config - is that for security reasons ?


asmith1972 Mon, 07/06/2009 - 01:26

Hi Jon

I just put Proxy-IP onto in for security reason. In the real config it has our IP info in there.

When we try and Putty we just get a connection timeout on Putty. On our main ASA we get these messages:

Built {inbound|outbound} TCP connection_id for

interface:real-address/real-port (mapped-address/mapped-port) to

interface:real-address/real-port (mapped-address/mapped-port)

Teardown TCP connection id for

interface:real-address/real-port to interface:real-address/real-port duration

hh:mm:ss bytes bytes [reason]

I don't seam to see any message on the remote ASA

Jon Marshall Mon, 07/06/2009 - 01:44


Sorry, it's a bit early and i'm still trying to catch up on coffee :-)

What is this line doing exactly -

crypto map outside_map interface outsissh Proxy-IP outside

Also, i'm assuming you have created your crypto keys and saved them ?


asmith1972 Mon, 07/06/2009 - 02:46

I'm not sure what this line does, it was auto created when we did the site to site vpn wizard.

crypto map outside_map interface outside

I thought that the lines ssh Proxy-IP outside and all the ssh lines gaves us putty access.

I tried to remove the crypto map outside_map interface outside line and we just lost vpn access. So I guess its important

Jon Marshall Mon, 07/06/2009 - 03:42


crypto map outside_map interface outside

yes that line is important - it applies the crypto map to the outside interface. Without it your VPN's won't work as you found out :-)

My confusion was that the line in your config seemed to be "rypto map outside_map interface outsissh Proxy-IP outside" - guess it was just the way it appeared in the text file.

ssh Proxy-IP outside

should indeed allow ssh to the outside interface. So things to check

1) you have created crypto keys and saved them

2) You are not blocking ssh anywhere in the path from your remote site


asmith1972 Mon, 07/06/2009 - 05:18

Thanks Jon

We have saved he crpto keys and I don't think we are blocking ssh. We casn certainly ssh out to other IPs in from our main ASA. Is there anyway to check if its is being blocked?

John Blakley Mon, 07/06/2009 - 09:03

When you say you've saved the keys, did you generate your keys on the ASA? Try this:

crypto key generate rsa general mod 1024

Try to ssh into it again. I ran into this problem last week.



asmith1972 Tue, 07/07/2009 - 06:27

Thansk John

We've tried this command and still no joy

Any other ideas any one?


This Discussion