SSH on ASA

Unanswered Question
Jul 6th, 2009

I have a weird problem with ssh configuration on ASA. We have VPN established between 2 ASA's. I configured ssh to the remote ASA's outside interface. I had troubles with ssh unless I regenerated the keys. Now, on local ASA I have configured NAT so that when ssh to the remote ASA to translate local IP addresses to local ASA's outside address. Since that I can not ssh to remote ASA. My ssh client says:

Connecting to host 10.254.17.10:22...

Connected.

Connection closed.

I had the same message before I regenerated the keys for the first time. No it doesnt help either. If I remove NAT, everything works fine.

Here my config of local ASA:

ASA Version 8.2(1)

!

hostname gyd-asa

enable password XeY1QWHKPK75Y48j encrypted

passwd XeY1QWHKPK75Y48j encrypted

names

dns-guard

!

interface GigabitEthernet0/0

no nameif

security-level 100

no ip address

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 10.254.17.9 255.255.255.248

!

interface GigabitEthernet0/2

no nameif

security-level 100

no ip address

!

interface GigabitEthernet0/3

description EIGRP 2008

nameif eigrp

security-level 100

ip address 10.40.50.65 255.255.255.252

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.251.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

access-list 110 extended permit ip any any

access-list nat extended permit tcp any host 10.254.17.10 eq ssh

pager lines 24

logging asdm informational

mtu outside 1500

mtu eigrp 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (eigrp) 1 access-list nat

!

router eigrp 2008

no auto-summary

neighbor 10.254.17.10 interface outside

neighbor 10.40.50.66 interface eigrp

network 10.40.50.64 255.255.255.252

network 10.254.17.8 255.255.255.248

redistribute connected

redistribute static

!

route management 0.0.0.0 0.0.0.0 192.168.251.14 1

route outside 192.1.1.0 255.255.255.0 10.254.17.10 1

route outside 192.168.208.16 255.255.255.240 10.254.17.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS protocol tacacs+

aaa-server TACACS (management) host 192.168.1.8

key *

aaa-server TACACS (management) host 192.168.22.46

key *

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa authentication enable console TACACS LOCAL

aaa accounting ssh console TACACS

aaa accounting telnet console TACACS

http server enable

http 192.168.1.0 255.255.255.0 management

snmp-server host eigrp 192.168.1.13 poll community vlan

snmp-server host eigrp 192.168.1.27 poll community vlan

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map mymap 10 match address 110

crypto map mymap 10 set peer 10.254.17.10

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp enable eigrp

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.192 eigrp

ssh timeout 20

console timeout 0

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
fgasimzade Mon, 07/06/2009 - 01:29

Also, on remote ASA I have no debug ssh messages even though debug level is set to 255.

Moreover, when I apply NAT with ssh session already established to remote ASA, connection does not terminate.

Actions

This Discussion