01-01-2016 10:32 PM - edited 03-12-2019 12:05 AM
Hi
I'm trying to SSH into a vty line on my router that is sitting on the OUTSIDE interface of an ASA. I have tried from the actual router and from a PC inside the ASA too, and I'm getting the same "Open" message and go to enter the password, but when I enter the password and hit enter it does nothing and just times out.
Will post the relevant config for router and ASA below:
hostname Router3
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
aaa new-model
!
aaa authentication login loginlist group radius
!
aaa authorization exec authorlist group radius
!
!
username bob privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
ip domain-name ROUTER3
!
interface FastEthernet0/0
ip address 172.16.30.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 10.30.0.0 255.255.255.0 172.16.30.2
ip route 0.0.0.0 0.0.0.0 172.16.30.2
!
ip flow-export version 9
!
!
!
!
radius-server host 10.30.0.10 auth-port 1645 key Secret
radius-server key Secret
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login authentication loginlist
transport input ssh
line vty 5
transport input ssh
line vty 6 15
transport input ssh
!
!
!
end
_______________________________________________________________________________________________________________
Firewall ASA
hostname ASA2
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Vlan1
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
webvpn
enable outside
enable inside
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
!
access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list test extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list test extended permit icmp host 172.16.30.1 host 10.30.0.10
access-list aaa extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
!
!
access-group aaa in interface outside
!
!
!
group-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value test1
username bob password 4IncP7vTjpaba2aF encrypted
username bob attributes
vpn-group-policy webvpn
!
class-map inspect
match default-inspection-traffic
class-map test
!
policy-map global
class inspect
inspect icmp
class test
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
___________________________________________________________________________
Also, the details in Packet Tracer on the RADIUS server are:
client name = R1 client ip= 172.16.30.1 service type=radius key=Secret port=1645
!
username= tim password= pass
01-04-2016 12:49 PM
Hello;
What happens if you remove authorization? Are you able to get in?
Mike.
01-04-2016 04:17 PM
Hi
No, it still doesn't let me in. I have changed the access lists around a bit to see if anything works. I am now able to ping from the outside router to the AAA server, but I cannot SSH into the router from an inside PC and get the RADIUS authentication to work either.
Here are the new updates:
object network asa_inside_address
subnet 10.30.0.1 255.255.255.255
object network inside_network
subnet 10.30.0.0 255.255.255.0
access-list website_outside extended permit icmp any object asa_inside_address
access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
access-list website_outside extended permit icmp any object inside_network
!
!
access-group website_outside in interface outside
!
!
!
I must be missing something, but I can't see what?
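An added example, not part of either post, that helps reason about which flows the two outside-interface ACLs in this thread actually admit. It parses the object definitions, the original "aaa" ACL from the first post and the "website_outside" ACL from the follow-up, then evaluates the RADIUS request the router sends to the AAA server and the ICMP echo used for testing against each ACL, with the ASA's implicit deny at the end. It assumes only the ACE forms that appear on the page (any, host, network/mask, object, an optional "eq" destination port) and that the ASA, being stateful, lets the RADIUS server's UDP reply back out without an ACE of its own; the sample config text is copied from the posts, the candidate flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input reconstructed from the thread: object definitions plus the
# outside ACL from the first post ("aaa") and the later one ("website_outside").
CONFIG = """
object network asa_inside_address
 subnet 10.30.0.1 255.255.255.255
object network inside_network
 subnet 10.30.0.0 255.255.255.0
access-list aaa extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
access-list website_outside extended permit icmp any object asa_inside_address
access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
access-list website_outside extended permit icmp any object inside_network
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp", "icmp", "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # destination port from "eq N", if any


def _take_addr(tokens: List[str], objects: Dict[str, ipaddress.IPv4Network]):
    """Consume one address specification (assumption: only the forms used on the page)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    # "address mask" form, e.g. 10.30.0.0 255.255.255.0
    return ipaddress.IPv4Network((tokens[0], tokens[1])), tokens[2:]


def parse_config(text: str) -> Tuple[Dict[str, ipaddress.IPv4Network], Dict[str, List[Ace]]]:
    """Collect "object network ... subnet" definitions and extended ACEs per ACL name."""
    objects: Dict[str, ipaddress.IPv4Network] = {}
    acls: Dict[str, List[Ace]] = {}
    current_obj = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current_obj = tok[2]
        elif tok[0] == "subnet" and current_obj:
            objects[current_obj] = ipaddress.IPv4Network((tok[1], tok[2]))
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, rest = _take_addr(tok[5:], objects)
            dst, rest = _take_addr(rest, objects)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return objects, acls


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, ACE index) or ("deny", None) for the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, ace in enumerate(acl):
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


OBJECTS, ACLS = parse_config(CONFIG)

# Constructed flows: the router's RADIUS request (the router uses auth-port 1645),
# a RADIUS request on the newer default port 1812, and the ping used for testing.
FLOWS = [
    ("RADIUS request 1645", "udp", "172.16.30.1", "10.30.0.10", 1645),
    ("RADIUS request 1812", "udp", "172.16.30.1", "10.30.0.10", 1812),
    ("ICMP echo to AAA server", "icmp", "172.16.30.1", "10.30.0.10", None),
]

if __name__ == "__main__":
    for acl_name, acl in ACLS.items():
        for label, proto, src, dst, port in FLOWS:
            action, idx = evaluate(acl, proto, src, dst, port)
            where = f"ACE {idx}" if idx is not None else "implicit deny"
            print(f"{acl_name:16} {label:24} -> {action} ({where})")
```

Running it shows why the ping only started working after the follow-up change: the original "aaa" ACL admits UDP/1645 to the inside network but nothing else, while "website_outside" adds the ICMP entry. It also makes the port dependency explicit: a RADIUS server listening on 1812 would be dropped by both ACLs, so the server port, the router's auth-port and the ACE must all agree. The reply from 10.30.0.10 back to the router needs no inbound ACE because the ASA tracks the UDP connection it permitted.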