How to Putty to External Interface

Unanswered Question
Jul 6th, 2009

Hello

We have set up an ASA 5505 at a remote site that VPNs into our core ASA 5520.


The 5505 is connected by a static IP to standard broadband.


Everything works well except that we can't PuTTY onto the external interface.


Attached is our config - does anyone know why this might not be working?


Thanks



Jon Marshall Mon, 07/06/2009 - 01:16
Andrew


What actually happens when you try - do you see anything?


Also you have these lines in your config -


ssh Proxy-IP 255.255.255.240 outside


ssh Proxy-IP 255.255.255.255 outside


ssh Proxy-IP 255.255.255.255 outside


but you haven't defined PROXY-IP in your config - is that for security reasons?


Jon

asmith1972 Mon, 07/06/2009 - 01:26

Hi Jon


I just put Proxy-IP in for security reasons. In the real config it has our IP info in there.


When we try and Putty we just get a connection timeout on Putty. On our main ASA we get these messages:


Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)


Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason]


I don't seem to see any message on the remote ASA.

Jon Marshall Mon, 07/06/2009 - 01:44

Andrew


Sorry, it's a bit early and I'm still trying to catch up on coffee :-)


What is this line doing exactly -


crypto map outside_map interface outsissh Proxy-IP 255.255.255.240 outside


Also, I'm assuming you have created your crypto keys and saved them?


Jon

asmith1972 Mon, 07/06/2009 - 02:46

I'm not sure what this line does, it was auto created when we did the site to site vpn wizard.


crypto map outside_map interface outside


I thought that the line ssh Proxy-IP 255.255.255.240 outside and all the ssh lines gave us PuTTY access.


I tried to remove the crypto map outside_map interface outside line and we just lost VPN access. So I guess it's important.

Jon Marshall Mon, 07/06/2009 - 03:42

Andrew


crypto map outside_map interface outside


Yes, that line is important - it applies the crypto map to the outside interface. Without it your VPNs won't work, as you found out :-)


My confusion was that the line in your config seemed to be "crypto map outside_map interface outsissh Proxy-IP 255.255.255.240 outside" - guess it was just the way it appeared in the text file.


ssh Proxy-IP 255.255.255.255 outside


should indeed allow ssh to the outside interface. So things to check:


1) You have created crypto keys and saved them

2) You are not blocking ssh anywhere in the path from your remote site


Jon
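
Added example (not part of the thread or of the poster's config): a Python check of which client source addresses the "ssh address mask interface" lines quoted above admit on a given interface, which is what the ASA compares against the address it actually sees arrive. The sample config, its addresses, and the helper names ssh_permits and ssh_allowed are constructed for illustration.

```python
import ipaddress

# Constructed sample config using documentation addresses (not from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map interface outside
ssh 203.0.113.16 255.255.255.240 outside
ssh 198.51.100.7 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""


def ssh_permits(config_text):
    """Return {interface: [network, ...]} parsed from 'ssh <addr> <mask> <if>' lines."""
    permits = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue  # skips 'ssh timeout 5' and unrelated commands
        addr, mask, interface = parts[1:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # e.g. a redacted placeholder such as Proxy-IP
        permits.setdefault(interface, []).append(net)
    return permits


def ssh_allowed(config_text, source_ip, interface):
    """True if source_ip falls inside any ssh permit for that interface."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in ssh_permits(config_text).get(interface, []))


if __name__ == "__main__":
    for src in ("203.0.113.20", "203.0.113.40", "198.51.100.7", "192.168.1.10"):
        print(src, "outside ->", ssh_allowed(SAMPLE_CONFIG, src, "outside"))
```

If the client is translated on the way out, test the translated address rather than the workstation's own address.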



asmith1972 Mon, 07/06/2009 - 05:18

Thanks Jon


We have saved the crypto keys and I don't think we are blocking ssh. We can certainly ssh out to other IPs from our main ASA. Is there any way to check if it is being blocked?

John Blakley Mon, 07/06/2009 - 09:03

When you say you've saved the keys, did you generate your keys on the ASA? Try this:


crypto key generate rsa general mod 1024


Try to ssh into it again. I ran into this problem last week.


HTH,

John

asmith1972 Tue, 07/07/2009 - 06:27

Thanks John


We've tried this command and still no joy.


Any other ideas, anyone?
