Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

can't connect to ASA5520

This is an easy one, but if you're stuck you're stuck!

I am unable to connect to my ASA5520, I get the following message:

[SSH] FAIL: No connection could be made because the target machine actively refused it.

I have a backdoor to access it and not sure how to clear whatever is there that is not allowing me in.

I have ssh <network> <segment> interface

Please help.

9 REPLIES
Hall of Fame Super Gold

Re: can't connect to ASA5520

Roni

My first question would whether you have configured the RSA keys that are required for SSH to work?

My second question would be whether you have properly configured SSH access? Can you post the output from the ASA of show run | incude ssh

My third question would be whether you can look on the logs of the ASA and find any messages about the attempt to connect. These might help in identifying the problem.

HTH

Rick

Community Member

Re: can't connect to ASA5520

I have the following:

crypto key generate rsa modulus 1024

ssh a.b.c.d 255.255.255.255

The routes to the firewall is also ok.

But for some reason the firewall will not accept SSH

Hall of Fame Super Gold

Re: can't connect to ASA5520

Roni

It looks like you have answered my first question and that RSA keys have been generated.

You have answered only part of my second question. You have shown the ssh a.b.c.d which enable SSH for that address but have not indicated on which interface you have enabled it. And you have not told us to which interface you are attempting to SSH.

And you have not answered my third question, which is perhaps most likely to show us the problem. Can you attempt SSH and then quickly look in the logs of the ASA and see what it has to say about the attempt to SSH?

HTH

Rick

Community Member

Re: can't connect to ASA5520

Sorry...

I just opened up ssh completely:

ssh 0.0.0.0 0.0.0.0 Inside

I am attempting to ssh to the INSIDE interface and I am coming from the INSIDE interface

I opened everything for all incoming traffic to the INSIDE interface

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface Inside

logs: in fact I did see something on the log, here it is:

Jan 12 2009 12:43:08: %ASA-1-106021: Deny TCP reverse path check from 10.0.107.8

to 192.168.230.2 on interface Inside

(107.8 is my address)

I just removed ip verify reverse-path interface Inside and I am still unable to access it with SSH but this time it is not timing out right away.

Hall of Fame Super Gold

Re: can't connect to ASA5520

Roni

This is making progress :)

Obviously your PC has a valid routed path to the ASA. Does the ASA have a valid routed path back to your PC? (the reverse path check issue suggests that the ASA does not have a route to your address through the inside interface).

HTH

Rick

Community Member

Re: can't connect to ASA5520

Yes we are making progress. You are right, there was a route missing through the inside interface, I can now ping the firewall from the work station (after I've added the route), but I am still unable to ssh to it.

Would any debug show me what's happeing?

Community Member

Re: can't connect to ASA5520

Here's a capture:

10.0.107.8 is my workstation

192.168.230.2 is the INSIDE of the fw

6 packets captured

1: 13:18:06.783559 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512

2: 13:18:06.783605 192.168.230.2.22 > 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192

3: 13:18:09.763113 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512

4: 13:18:09.763159 192.168.230.2.22 > 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192

5: 13:18:15.698404 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512

6: 13:18:15.698450 192.168.230.2.22 > 10.0.107.8.3107: S 4133945093:4133945093(0) ack 3573581955 win 8192

what debug do you recommend to run?

Hall of Fame Super Gold

Re: can't connect to ASA5520

Roni

I would start with debug ssh and see what it tells you.

HTH

Rick

Hall of Fame Super Gold

Re: can't connect to ASA5520

Roni

Another thought occurs to me about possible issues with SSH access. Have you configured authentication for SSH? Authentication could be done using an external authentication server or could be done with local authentication (which also requires configuration of a local user ID and password).

HTH

Rick

899
Views
0
Helpful
9
Replies
CreatePlease to create content