08-16-2012 12:59 PM - edited 03-11-2019 04:43 PM
May I know how to configure remote access to an ASA 5525 via SSH?
I have issued the following commands:
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
but I am not able to access the ASA via SSH. Do I need to add any other command?
08-16-2012 02:26 PM
You need a public/private key pair:
asa(config)# crypto key generate rsa general-keys modulus 2048
a username:
asa(config)# username testuser password testpass
and the system should know where your user accounts are:
asa(config)# aaa authentication ssh console LOCAL
Edit: And allow only SSHv2:
asa(config)# ssh version 2
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-21-2012 08:36 AM
Thank you.
I am able to SSH into the inside interface but not into the outside interface or the DMZ.
Do I need to add any access list?
08-21-2012 08:57 AM
The two most important rules for the ASA:
1) Interface ACLs are never involved when the communication is to the ASA itself (which is different from an IOS router).
2) You can only reach the nearest interface when communicating with the ASA (again a difference from the router). The only exception is communication through a VPN, where a configured management interface can be reached.
08-22-2012 10:04 AM
Will I be able to SSH into the ASA using its public IP address?
08-22-2012 01:14 PM
Yes: "ssh 0.0.0.0 0.0.0.0 outside"
08-23-2012 12:54 PM
Thank you Karsten
08-24-2012 11:25 AM
How do I configure SSH for the outside interface on a Cisco 2800 router?
I have configured the following on the outside interface:
ip access-list extended dsl-in
permit icmp any host 67.*.*.*
permit tcp any host 67.*.*.* eq 22
But I am not able to SSH from outside. The following is the overload configuration for the outside interface:
ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
ip access-list extended pat-out
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
permit ip 10.20.0.0 0.0.255.255 any
!
route-map dsl-nat permit 10
match interface FastEthernet0/2/0
!
!
08-24-2012 12:22 PM
The route-map is missing your ACL "pat-out". And on the router you also need the public/private key pair. An SSH config could look like this:
crypto key generate rsa general-keys modulus 2048 label SSH-KEYS
ip ssh version 2
ip ssh rsa keypair-name SSH-KEYS
ip ssh dh min size 2048
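The checklist from the accepted ASA answer (key pair, local user, "aaa authentication ssh console", "ssh version 2", an "ssh <net> <mask> <iface>" line for the client's source on the interface nearest to it) and from the router answer ("ip ssh version 2", "ip ssh rsa keypair-name", the optional "ip ssh dh min size") can be turned into a small configuration lint. The script below is an added example, not code from the thread or from Cisco. It models the two ASA rules given above (interface ACLs are not consulted for traffic to the ASA; only the arrival interface's ssh lines matter) and flags an "ssh 0.0.0.0 0.0.0.0 outside" line as over-broad, as a later comment in this thread advises. Because "crypto key generate rsa" never appears in the running configuration, key presence is passed in as a boolean the caller derives from "show crypto key mypubkey rsa"; the sample configurations are constructed from the lines posted in this thread.

```python
"""Lint a Cisco ASA or IOS configuration for SSH management-access prerequisites.

Added example, not the thread's or Cisco's code. Rules come from the answers
in this thread; the sample configs below are constructed from the posted lines.
"""
import ipaddress
import re
from typing import List, Tuple

# ASA 'ssh <net> <mask> <iface>'. 'ssh timeout 5' and 'ssh version 2' have a
# different shape and never match this pattern.
ASA_SSH_HOST_RE = re.compile(
    r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_ssh_entries(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (permitted network, interface) pairs from the ASA's ssh lines."""
    entries = []
    for line in config.splitlines():
        m = ASA_SSH_HOST_RE.match(line.strip())
        if m:
            net, mask, iface = m.groups()
            entries.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
    return entries


def ssh_allowed(config: str, src_ip: str, arrival_iface: str) -> bool:
    """Model the ASA's decision for a management connection: interface ACLs
    are not consulted; only an ssh line for the interface the packet arrives
    on (the one nearest to the client) can permit the source address."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and iface == arrival_iface
               for net, iface in parse_ssh_entries(config))


def lint_asa(config: str, has_rsa_key: bool) -> List[str]:
    """Report missing ASA prerequisites. has_rsa_key is derived by the caller
    from 'show crypto key mypubkey rsa' (assumption: not parsed here)."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if not has_rsa_key:
        findings.append("no RSA keypair: run 'crypto key generate rsa general-keys modulus 2048'")
    if not any(ln.startswith("username ") for ln in lines):
        findings.append("no local user: add 'username <name> password <password>'")
    if not any(ln.startswith("aaa authentication ssh console") for ln in lines):
        findings.append("SSH logins not mapped to a user database: add 'aaa authentication ssh console LOCAL'")
    if "ssh version 2" not in lines:
        findings.append("SSHv1 still accepted: add 'ssh version 2'")
    entries = parse_ssh_entries(config)
    if not entries:
        findings.append("no 'ssh <net> <mask> <iface>' line: no client can connect")
    for net, iface in entries:
        if net.prefixlen == 0 and iface == "outside":
            findings.append("over-broad: 'ssh 0.0.0.0 0.0.0.0 outside' exposes SSH to every Internet host; restrict to the management source")
    return findings


def lint_ios(config: str, has_rsa_key: bool) -> List[str]:
    """Report missing IOS router prerequisites from the router answer."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if not has_rsa_key:
        findings.append("no RSA keypair: run 'crypto key generate rsa general-keys modulus 2048 label SSH-KEYS'")
    if "ip ssh version 2" not in lines:
        findings.append("SSHv1 still accepted: add 'ip ssh version 2'")
    if not any(ln.startswith("ip ssh rsa keypair-name ") for ln in lines):
        findings.append("no keypair bound to SSH: add 'ip ssh rsa keypair-name <label>'")
    if not any(ln.startswith("ip ssh dh min size ") for ln in lines):
        findings.append("optional: 'ip ssh dh min size 2048' forces stronger key exchange (newer IOS only)")
    return findings


# Constructed samples. OP_ASA is the original poster's four lines; FIXED_ASA
# adds the accepted answer; ANY_OUTSIDE_ASA adds the later 0.0.0.0/0 line.
OP_ASA = """\
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
"""
FIXED_ASA = OP_ASA + """\
username testuser password testpass
aaa authentication ssh console LOCAL
ssh version 2
"""
ANY_OUTSIDE_ASA = FIXED_ASA + "ssh 0.0.0.0 0.0.0.0 outside\n"
ROUTER_SSH = """\
ip ssh version 2
ip ssh rsa keypair-name SSH-KEYS
"""

if __name__ == "__main__":
    for name, cfg, key in (("OP", OP_ASA, False), ("fixed", FIXED_ASA, True),
                           ("any-outside", ANY_OUTSIDE_ASA, True)):
        print(name, lint_asa(cfg, key))
    print("10.60.1.5 via inside:", ssh_allowed(FIXED_ASA, "10.60.1.5", "inside"))
    print("10.60.1.5 via outside:", ssh_allowed(FIXED_ASA, "10.60.1.5", "outside"))
    print("router", lint_ios(ROUTER_SSH, True))
```

Running it against the original poster's lines reports the four missing pieces the accepted answer supplies; against the fixed configuration it is silent. The ssh_allowed check makes the second rule concrete: a 10.60.x client is permitted on whichever interface it arrives on, but it arrives only on the nearest one, so the outside and DMZ lines never see that traffic.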
06-01-2020 08:50 AM
Enabling SSH to ANY on the outside interface would not be a good idea.
08-24-2012 01:19 PM
ip ssh dh min size 2048
I added the first 3 commands.
On the 4th one, there is no option for dh after "ip ssh ?":
authentication-retries Specify number of authentication retries
break-string break-string
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH connections
time-out Specify SSH time-out interval
version Specify protocol version to be supported
08-24-2012 01:40 PM
That command is not mandatory. It just makes sure that stronger cryptography has to be used. But it's only available in very new IOS versions. SSH will work without that.
08-27-2012 05:58 AM
I am still not able to SSH from outside using the public IP. It is a Cisco 2800 router.
When I issue the command, it shows the following:
(config)#$generate rsa general-keys modulus 2048 label SSH-KEYS
% You already have RSA keys defined named SSH-KEYS.
% They will be replaced.
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
08-27-2012 06:02 AM
Well, then you already have the keys ...
What is your actual config? Any Log-messages while you try to connect?
08-27-2012 06:22 AM
We have recently installed an ASA 5525 firewall.
Router1 ------MPLS------Router2-------ASA
|
Router3
Is the ASA blocking SSH for Router 1 and Router 3? I am able to SSH with private IPs but not with public IPs.