This is an easy one, but if you're stuck you're stuck!
I am unable to connect to my ASA5520, I get the following message:
[SSH] FAIL: No connection could be made because the target machine actively refused it.
I have a backdoor to access it and not sure how to clear whatever is there that is not allowing me in.
I have ssh <network> <segment> interface
My first question would be whether you have configured the RSA keys that are required for SSH to work?
My second question would be whether you have properly configured SSH access? Can you post the output from the ASA of show run | include ssh?
My third question would be whether you can look on the logs of the ASA and find any messages about the attempt to connect. These might help in identifying the problem.
I have the following:
crypto key generate rsa modulus 1024
ssh a.b.c.d 255.255.255.255
The routes to the firewall are also OK.
But for some reason the firewall will not accept SSH
It looks like you have answered my first question and that RSA keys have been generated.
You have answered only part of my second question. You have shown the ssh a.b.c.d which enables SSH for that address but have not indicated on which interface you have enabled it. And you have not told us to which interface you are attempting to SSH.
And you have not answered my third question, which is perhaps most likely to show us the problem. Can you attempt SSH and then quickly look in the logs of the ASA and see what it has to say about the attempt to SSH?
I just opened up ssh completely:
ssh 0.0.0.0 0.0.0.0 Inside
I am attempting to ssh to the INSIDE interface and I am coming from the INSIDE interface
I opened everything for all incoming traffic to the INSIDE interface
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface Inside
Logs: in fact I did see something in the log; here it is:
Jan 12 2009 12:43:08: %ASA-1-106021: Deny TCP reverse path check from 10.0.107.8 to 192.168.230.2 on interface Inside
(107.8 is my address)
I just removed ip verify reverse-path interface Inside and I am still unable to access it with SSH but this time it is not timing out right away.
This is making progress :)
Obviously your PC has a valid routed path to the ASA. Does the ASA have a valid routed path back to your PC? (the reverse path check issue suggests that the ASA does not have a route to your address through the inside interface).
Yes we are making progress. You are right, there was a route missing through the inside interface, I can now ping the firewall from the work station (after I've added the route), but I am still unable to ssh to it.
Would any debug show me what's happening?
Here's a capture:
10.0.107.8 is my workstation
192.168.230.2 is the INSIDE of the fw
6 packets captured
1: 13:18:06.783559 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512
2: 13:18:06.783605 192.168.230.2.22 > 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192
3: 13:18:09.763113 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512
4: 13:18:09.763159 192.168.230.2.22 > 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192
5: 13:18:15.698404 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512
6: 13:18:15.698450 192.168.230.2.22 > 10.0.107.8.3107: S 4133945093:4133945093(0) ack 3573581955 win 8192
what debug do you recommend to run?
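The capture above already answers part of the question: every SYN from 10.0.107.8 is answered by a SYN-ACK from the ASA within microseconds, yet the workstation retransmits the same SYN three times and never sends the third-step ACK, so the SYN-ACKs are not getting back to the client. The following script, added here as an illustration and not part of the original thread, parses the "show capture" output format shown above, groups packets per TCP flow and reports which stage of the three-way handshake stalled. The sample capture is the six lines from the post; the extra one-packet and three-packet captures in the test are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the six packets posted in the thread, in the format
# "show capture <name>" prints on an ASA.
SAMPLE_CAPTURE = """\
6 packets captured
1: 13:18:06.783559 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512
2: 13:18:06.783605 192.168.230.2.22 > 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192
3: 13:18:09.763113 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512
4: 13:18:09.763159 192.168.230.2.22 > 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192
5: 13:18:15.698404 10.0.107.8.3107 > 192.168.230.2.22: S 3573581954:3573581954(0) win 64512
6: 13:18:15.698450 192.168.230.2.22 > 10.0.107.8.3107: S 4133945093:4133945093(0) ack 3573581955 win 8192
"""

# One packet line: "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPR.]+)\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Parse 'show capture' lines into dicts; non-packet lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["syn"] = "S" in p["flags"]
        # tcpdump-style output prints "ack <n>" only when the ACK flag is set
        p["has_ack"] = re.search(r"\back \d+", p["rest"]) is not None
        pkts.append(p)
    return pkts


def summarize_flows(pkts):
    """Count SYN, SYN-ACK and client ACK per (client, cport, server, sport) flow."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for p in pkts:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["syn"] and not p["has_ack"]:
            flows[fwd]["syn"] += 1        # client -> server SYN
        elif p["syn"] and p["has_ack"]:
            flows[rev]["synack"] += 1     # server -> client SYN-ACK, keyed by client side
        elif p["has_ack"] and fwd in flows:
            flows[fwd]["ack"] += 1        # client's third-step ACK (or a later data ACK)
    return dict(flows)


def diagnose(counts):
    """Map per-flow counts to a verdict code and a one-line explanation."""
    if counts["synack"] == 0:
        return ("NO_SYNACK", "the ASA never answered the SYN: no 'ssh <addr> <mask> <iface>' "
                "line permits this source on this interface, or the SYN is dropped earlier "
                "(for example by the reverse-path check seen in the log)")
    if counts["ack"] == 0 and counts["syn"] > 1:
        return ("SYNACK_NOT_REACHING_CLIENT", "the ASA sends a SYN-ACK every time but the "
                "client keeps retransmitting its SYN: the reply never arrives, check the return path")
    if counts["ack"] == 0:
        return ("INCOMPLETE", "SYN-ACK sent, final ACK not (yet) seen")
    return ("COMPLETE", "three-way handshake completed; the problem is above TCP (authentication)")


def analyze(text):
    """Return {flow: (counts, verdict_code, explanation)} for every flow in the capture."""
    return {
        f"{c}:{cp}->{s}:{sp}": (cnt, *diagnose(cnt))
        for (c, cp, s, sp), cnt in summarize_flows(parse_capture(text)).items()
    }


if __name__ == "__main__":
    for flow, (cnt, code, msg) in analyze(SAMPLE_CAPTURE).items():
        print(f"{flow}: SYN={cnt['syn']} SYN-ACK={cnt['synack']} ACK={cnt['ack']} -> {code}: {msg}")
```

Note also that packet 6 carries a new initial sequence number, so the ASA has started a fresh embryonic connection; the first one timed out without ever seeing the client's ACK. In this thread the verdict points back at the path between the ASA and 10.0.107.8, not at the SSH configuration.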
Another thought occurs to me about possible issues with SSH access. Have you configured authentication for SSH? Authentication could be done using an external authentication server or could be done with local authentication (which also requires configuration of a local user ID and password).
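The responder's checklist (the three questions earlier in the thread, and the authentication point just above) can be applied mechanically to a "show run" excerpt. The script below is an added example, not part of the thread or of any Cisco tool: given the running configuration, the source address and the interface being connected to, it tells you whether an "ssh <addr> <mask> <iface>" line covers that source, what "aaa authentication ssh console" points to, and, for LOCAL, whether any username exists. The sample configuration is constructed (the addresses come from the thread; the "username admin" line and the Outside entry are assumptions), and the interface-name comparison is case-insensitive by assumption. The RSA key pair is not visible in the running configuration, so it is not checked here; "show crypto key mypubkey rsa" is the command for that.

```python
import ipaddress
import re

# Constructed sample "show run" excerpt. The Inside network and the address
# 10.0.107.8 come from the thread; the other lines are assumptions.
SAMPLE_RUN = """\
ssh 10.0.107.0 255.255.255.0 Inside
ssh 192.168.1.5 255.255.255.255 Outside
ssh timeout 5
ssh version 2
aaa authentication ssh console LOCAL
username admin password ***** privilege 15
"""

SSH_ALLOW_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
AAA_SSH_RE = re.compile(r"^aaa authentication ssh console\s+(\S+)")
USER_RE = re.compile(r"^username\s+(\S+)\s+")


def check_ssh_access(run_config, source_ip, interface):
    """Evaluate whether SSH from source_ip to the named interface should be accepted.

    Returns a dict with the matching 'ssh' line (if any), the aaa method for SSH,
    the local usernames found, and a list of human-readable problems (empty = OK).
    """
    findings = {"allowed": False, "matched_line": None, "auth": None,
                "local_users": [], "problems": []}
    src = ipaddress.ip_address(source_ip)

    for raw in run_config.splitlines():
        line = raw.strip()
        m = SSH_ALLOW_RE.match(line)
        if m:
            # ASA uses "<network> <netmask> <interface>"; ipaddress accepts dotted masks.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            # Interface names compared case-insensitively (assumption for this example).
            if m.group(3).lower() == interface.lower() and src in net:
                findings["allowed"] = True
                findings["matched_line"] = line
            continue
        m = AAA_SSH_RE.match(line)
        if m:
            findings["auth"] = m.group(1)
            continue
        m = USER_RE.match(line)
        if m:
            findings["local_users"].append(m.group(1))

    if not findings["allowed"]:
        findings["problems"].append(
            f"no 'ssh <addr> <mask> {interface}' line covers {source_ip}; "
            "the ASA will not even answer the SYN")
    if findings["auth"] is None:
        findings["problems"].append(
            "no 'aaa authentication ssh console ...' line; confirm how SSH logins "
            "are meant to authenticate")
    elif findings["auth"].upper() == "LOCAL" and not findings["local_users"]:
        findings["problems"].append(
            "SSH authentication is LOCAL but no 'username' is configured")
    return findings


if __name__ == "__main__":
    for ip, iface in (("10.0.107.8", "Inside"), ("10.0.107.8", "Outside")):
        f = check_ssh_access(SAMPLE_RUN, ip, iface)
        status = "OK" if not f["problems"] else "PROBLEMS"
        print(f"{ip} -> {iface}: {status} (matched: {f['matched_line']}, auth: {f['auth']})")
        for p in f["problems"]:
            print("  -", p)
```

Run it against the real "show run" output with the address you are connecting from and the interface you are connecting to; an empty problems list means the configuration side of the checklist is satisfied and the fault lies in routing, as the reverse-path log message and capture in this thread suggest.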