How to Putty to External Interface

asmith1972 · ‎07-06-2009

Hello

We have setup a ASA 5505 at a remote remote that VPNs into our core ASA5520.

The 5505 is connect by a static IP to standard broadband.

Everyting works well extent that we can't Putty onto the external interface.

Attached is our config - does anyone know why this might not be working?

Thanks

Jon Marshall · ‎07-06-2009

Andrew

What actually happens when you try - do you see anything ?

Also you have these lines in your config -

ssh Proxy-IP 255.255.255.240 outside

ssh Proxy-IP 255.255.255.255 outside

but you haven't defined PROXY-IP in your config - is that for security reasons ?

Jon

asmith1972 · ‎07-06-2009

Hi Jon

I just put Proxy-IP onto in for security reason. In the real config it has our IP info in there.

When we try and Putty we just get a connection timeout on Putty. On our main ASA we get these messages:

Built {inbound|outbound} TCP connection_id for

interface:real-address/real-port (mapped-address/mapped-port) to

interface:real-address/real-port (mapped-address/mapped-port)

Teardown TCP connection id for

interface:real-address/real-port to interface:real-address/real-port duration

hh:mm:ss bytes bytes [reason]

I don't seam to see any message on the remote ASA

Jon Marshall · ‎07-06-2009

Andrew

Sorry, it's a bit early and i'm still trying to catch up on coffee :-)

What is this line doing exactly -

crypto map outside_map interface outsissh Proxy-IP 255.255.255.240 outside

Also, i'm assuming you have created your crypto keys and saved them ?

Jon

asmith1972 · ‎07-06-2009

I'm not sure what this line does, it was auto created when we did the site to site vpn wizard.

crypto map outside_map interface outside

I thought that the lines ssh Proxy-IP 255.255.255.240 outside and all the ssh lines gaves us putty access.

I tried to remove the crypto map outside_map interface outside line and we just lost vpn access. So I guess its important

Jon Marshall · ‎07-06-2009

Andrew

crypto map outside_map interface outside

yes that line is important - it applies the crypto map to the outside interface. Without it your VPN's won't work as you found out :-)

My confusion was that the line in your config seemed to be "rypto map outside_map interface outsissh Proxy-IP 255.255.255.240 outside" - guess it was just the way it appeared in the text file.

ssh Proxy-IP 255.255.255.255 outside

should indeed allow ssh to the outside interface. So things to check

1) you have created crypto keys and saved them

2) You are not blocking ssh anywhere in the path from your remote site

Jon

asmith1972 · ‎07-06-2009

Thanks Jon

We have saved he crpto keys and I don't think we are blocking ssh. We casn certainly ssh out to other IPs in from our main ASA. Is there anyway to check if its is being blocked?

John Blakley · ‎07-06-2009

When you say you've saved the keys, did you generate your keys on the ASA? Try this:

crypto key generate rsa general mod 1024

Try to ssh into it again. I ran into this problem last week.

HTH,

John

HTH, John *** Please rate all useful posts ***

asmith1972 · ‎07-07-2009

Thansk John

We've tried this command and still no joy

Any other ideas any one?