07-06-2009 01:27 AM - edited 03-10-2019 04:41 AM
I have a weird problem with the ssh configuration on an ASA. We have a VPN established between 2 ASAs. I configured ssh to the remote ASA's outside interface. I had trouble with ssh unless I regenerated the keys. Now, on the local ASA I have configured NAT so that when I ssh to the remote ASA, the local IP addresses are translated to the local ASA's outside address. Since then I cannot ssh to the remote ASA. My ssh client says:
Connecting to host 10.254.17.10:22...
Connected.
Connection closed.
I had the same message before I regenerated the keys for the first time. Now it doesn't help either. If I remove NAT, everything works fine.
Here is my config of the local ASA:
ASA Version 8.2(1)
!
hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/3
description EIGRP 2008
nameif eigrp
security-level 100
ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.251.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (eigrp) 1 access-list nat
!
router eigrp 2008
no auto-summary
neighbor 10.254.17.10 interface outside
neighbor 10.40.50.66 interface eigrp
network 10.40.50.64 255.255.255.252
network 10.254.17.8 255.255.255.248
redistribute connected
redistribute static
!
route management 0.0.0.0 0.0.0.0 192.168.251.14 1
route outside 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside 192.168.208.16 255.255.255.240 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host 192.168.1.8
key *
aaa-server TACACS (management) host 192.168.22.46
key *
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host eigrp 192.168.1.13 poll community vlan
snmp-server host eigrp 192.168.1.27 poll community vlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable eigrp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 eigrp
ssh timeout 20
console timeout 0
07-06-2009 01:29 AM
Also, on the remote ASA I have no debug ssh messages even though the debug level is set to 255.
Moreover, when I apply NAT with an ssh session already established to the remote ASA, the connection does not terminate.
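The posted config pairs a policy NAT rule (`nat (eigrp) 1 access-list nat` with `global (outside) 1 interface`) with an ACL that selects exactly the SSH sessions to the peer, and a crypto map whose match ACL permits any traffic. The following script is an added example, not part of the original post or of any Cisco tooling: it parses the pre-8.3 syntax shown above, reports which SSH flows have their source rewritten by policy NAT and which crypto maps cover the translated flow (the ASA applies NAT before consulting the crypto map), and offers a helper that evaluates a config's `ssh <net> <mask> <iface>` allow-list against a candidate client address, so the post-NAT source can be checked against the list on the receiving side. The sample config is a constructed excerpt of the lines above; the remote ASA's config is not on the page and is not assumed.

```python
"""Audit an ASA 8.2-style config for policy NAT rules that rewrite the source
of SSH management sessions, and check a client address against a config's
``ssh <net> <mask> <iface>`` allow-list.  Added example (not from the original
post); assumes the pre-8.3 syntax shown there (``global``/``nat ... access-list``)."""
import ipaddress
from collections import namedtuple

# Constructed sample: the NAT-, crypto- and ssh-related lines from the post.
SAMPLE_CONFIG = """\
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
global (outside) 1 interface
nat (eigrp) 1 access-list nat
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap interface outside
ssh 192.168.1.0 255.255.255.192 eigrp
ssh timeout 20
"""

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}
Ace = namedtuple("Ace", "acl action proto src dst dport")

def _addr(t, i):
    """Consume one ACE address spec starting at t[i]; return (text, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2          # network mask

def parse_aces(config):
    """Extract extended ACEs; dport is None when the ACE carries no ``eq`` port."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1], int(t[i + 1]) if t[i + 1].isdigit() else None)
        aces.append(Ace(t[1], t[3], t[4], src, dst, dport))
    return aces

def parse_policy_nat(config):
    """Pair each ``nat (iface) id access-list NAME`` with its ``global (iface) id ...`` pool."""
    pools, rules = {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "global":
            pools[t[2]] = (t[1].strip("()"), " ".join(t[3:]))
        elif len(t) >= 5 and t[0] == "nat" and t[3] == "access-list":
            rules.append((t[2], t[1].strip("()"), t[4]))
    return [(nid, in_if, acl, *pools.get(nid, ("?", "?"))) for nid, in_if, acl in rules]

def crypto_match_acls(config):
    """Map crypto map name -> ACL names it selects traffic with (``match address``)."""
    out = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            out.setdefault(t[2], set()).add(t[6])
    return out

def translated_ssh_flows(config):
    """Report SSH (tcp/22, or any-protocol) flows whose source is rewritten by policy NAT.
    NAT runs before the crypto map is consulted on the ASA, so the report also lists
    crypto maps whose match ACL covers the same destination."""
    aces, crypto, findings = parse_aces(config), crypto_match_acls(config), []
    for nid, in_if, acl, out_if, pool in parse_policy_nat(config):
        for a in aces:
            if a.acl != acl or a.action != "permit":
                continue
            if a.proto not in ("tcp", "ip") or a.dport not in (22, None):
                continue
            maps = sorted(name for name, acls in crypto.items()
                          if any(c.acl in acls and c.action == "permit"
                                 and c.proto in ("ip", a.proto)
                                 and c.dst in ("any", a.dst) for c in aces))
            findings.append({"nat_id": nid, "src": a.src, "dst": a.dst,
                             "from_iface": in_if, "to_iface": out_if,
                             "pool": pool, "crypto_maps": maps})
    return findings

def ssh_allowed(config, client_ip):
    """Return the interface whose ``ssh <net> <mask> <iface>`` line admits client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for line in config.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == "ssh":
            try:
                net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            except ValueError:          # e.g. ``ssh key-exchange ...`` lines
                continue
            if ip in net:
                return t[3]
    return None

if __name__ == "__main__":
    for f in translated_ssh_flows(SAMPLE_CONFIG):
        print(f"nat {f['nat_id']}: ssh {f['src']} -> {f['dst']} leaves {f['to_iface']} "
              f"as {f['pool']}; crypto maps covering it: {f['crypto_maps'] or 'none'}")
    # The translated source (the local outside address) checked against the local allow-list.
    print("10.254.17.9 admitted by ssh lines:", ssh_allowed(SAMPLE_CONFIG, "10.254.17.9"))
```

Run against the posted lines, the report shows one finding: SSH from any source on eigrp to 10.254.17.10/32 leaves outside with the interface address and also falls within crypto map mymap's ACL 110. `ssh_allowed` is meant to be pointed at the receiving ASA's config with the post-NAT source address; here it is only demonstrated against the local config's own `ssh` line.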