Cisco Support Community
New Member

how to enable ssh on ASA 5525

May I know how to configure remote access to the ASA 5525 via SSH?

I have issued the following commands

ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5

but I am not able to access the ASA via SSH. Do I need to add any other command?

VIP Purple

you need a public/private keypair:

asa(config)# crypto key generate rsa general-keys modulus 2048

a username:

asa(config)# username testuser password testpass

and the system should know where your user accounts are:

asa(config)# aaa authentication ssh console LOCAL

Edit: And only allowing SSHv2:

asa(config)# ssh version 2

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


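An added config-audit example, not from the thread or from Cisco, that checks an ASA running-config text for the prerequisites listed in the answer above. It assumes the RSA keypair is verified separately (it does not appear in the running config); the sample config is constructed from the commands in the question.

```python
import re

# Constructed ASA config fragment built from the commands in the question (not a real device dump).
SAMPLE_ASA_CONFIG = """\
hostname asa
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
"""

# Items from the answer that are visible in 'show running-config'.
# The RSA keypair is NOT shown there (assumption: check it with 'show crypto key mypubkey rsa').
REQUIRED = {
    "username": re.compile(r"^username \S+ password "),
    "aaa_ssh_console": re.compile(r"^aaa authentication ssh console \S+"),
    "ssh_version_2": re.compile(r"^ssh version 2$"),
    "ssh_source_entry": re.compile(r"^ssh (\d{1,3}\.){3}\d{1,3} (\d{1,3}\.){3}\d{1,3} \S+$"),
}

def audit_asa_ssh(config_text):
    """Return sorted findings: 'missing:<item>' for each prerequisite that is absent,
    and 'any-source-ssh:<interface>' for an 'ssh 0.0.0.0 0.0.0.0 <if>' entry, which
    exposes the SSH service on that interface to every source address."""
    lines = [l.strip() for l in config_text.splitlines()]
    findings = [f"missing:{name}" for name, rx in REQUIRED.items()
                if not any(rx.match(l) for l in lines)]
    for l in lines:
        m = re.match(r"^ssh (\S+) (\S+) (\S+)$", l)
        if m and m.group(1) == m.group(2) == "0.0.0.0":
            findings.append(f"any-source-ssh:{m.group(3)}")
    return sorted(findings)
```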
New Member

Thank you.

I am able to ssh into the inside interface but not to the outside interface or dmz

Do I need to add any access list?

VIP Purple

The two most important rules for the ASA:

1) Interface ACLs are never involved when the communication is to the ASA (which is different from an IOS router).

2) You can only reach the nearest interface when communicating with the ASA (again a difference from the router). The only exception is communication through a VPN, where a configured management interface can be reached.

New Member

Will I be able to SSH into the ASA using its public IP address?

VIP Purple

Yes: "ssh 0.0.0.0 0.0.0.0 outside"

New Member

Thank you Karsten

New Member

How do I configure SSH for the outside interface on the Cisco 2800 router?

I have configured the following on the outside interface:

ip access-list extended dsl-in
permit icmp any host 67.*.*.*
permit tcp any host 67.*.*.* eq 22

But I am not able to SSH from outside. The following is the overload configuration for the outside interface:

ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
ip access-list extended pat-out
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
permit ip 10.20.0.0 0.0.255.255 any
!
!
route-map dsl-nat permit 10
match interface FastEthernet0/2/0
!
!

VIP Purple

The route-map is missing your ACL "pat-out". And on the router you also need the public/private keypair. An SSH config could look like this:

crypto key generate rsa general-keys modulus 2048 label SSH-KEYS
ip ssh version 2
ip ssh rsa keypair-name SSH-KEYS
ip ssh dh min size 2048

New Member

ip ssh dh min size 2048

I added the first 3 commands.

On the 4th one, there is no option for dh after "ip ssh ?":

  authentication-retries  Specify number of authentication retries
  break-string            break-string
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

VIP Purple

That command is not mandatory. It just makes sure that stronger cryptography has to be used. But it's only available in very new IOS versions. SSH will work without that.

New Member

I am still not able to SSH from outside using the public IP. It is a Cisco 2800 router.

When I issue the command, it shows the following:

(config)#$generate rsa general-keys modulus 2048 label SSH-KEYS
% You already have RSA keys defined named SSH-KEYS.
% They will be replaced.
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

VIP Purple

Well, then you already have the keys ...

What is your actual config? Any log messages while you try to connect?

New Member

We have recently installed an ASA 5525 firewall.

Router1 ------MPLS------Router2-------ASA
                     |
                 Router3

Is the ASA blocking SSH for Router 1 and Router 3? I am able to SSH with private IPs but not with public IPs.

New Member

The Routers have separate DSL connections

VIP Purple

If the SSH goes through the ASA it has to be allowed. Where is your client when you try to SSH and into which router do you want to login?

New Member

Router1 (10.30.0.1, public IP 67.*.*.*)  Router 3 (172.16.0.1, public IP 212.*.*.*)

From the 172.16.*.* network, I am able to SSH into Router1 using the private IP but not using the public IP. From outside the company network I am also not able to SSH using the public IP. But from the same network (10.30.0.0), I am able to SSH using the public IP. Same for Router 3.


VIP Purple

So what doesn't work is the following:

PC in 172.16.x.x connects via R3-DSL to R1-DSL? But the PC can reach other resources in the internet?

What's the NAT, ACL and SSH-config from R1?

New Member

ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
!
ip access-list extended dsl-in
permit icmp any host 67.*.*.*
permit tcp any eq 22 host 67.*.*.*
permit tcp any host 67.*.*.* eq 22

!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
snmp-server community s3cur3 RO snmp
no cdp run
!
!
!
route-map dsl-nat permit 10
match interface FastEthernet0/2/0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
login authentication local_auth
transport input telnet ssh
line vty 5 15
login authentication local_auth
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect tcp finwait-time 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect SDM_LOW out
ip inspect SDM_LOW out

Should I allow inspect for ssh?

VIP Purple

ip access-list extended dsl-in
  permit tcp any eq 22 host 67.*.*.*

That one is not needed if you apply your inspection rule outgoing on your external interface.

Should I allow inspect for ssh?

No, as SSH is single-channel, you don't need that to make SSH work.

Your NAT rule is too broad. Change it this way (I assume your internal networks are all in the RFC1918 range; you can also change the object-group to something that only matches your networks):

object-group network RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0
ip access-list extended NAT
  deny   ip object-group RFC1918 object-group RFC1918
  permit ip object-group RFC1918 any
route-map dsl-nat permit 10
  match ip address NAT
  match interface FastEthernet0/2/0

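An added audit example, not from the thread or from Cisco, that checks an IOS config text for the points raised in this exchange: a NAT route-map with no "match ip address", a missing "ip ssh version 2", and vty lines that still accept telnet beside SSH. The sample config is constructed from the router config posted above; the indentation is assumed, since the forum flattened it.

```python
import re

# Constructed IOS config fragment modelled on the 2800 config posted in the thread (not the real dump).
SAMPLE_IOS_CONFIG = """\
ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
ip access-list extended pat-out
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map dsl-nat permit 10
 match interface FastEthernet0/2/0
!
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
"""

def sections(config_text):
    """Split an IOS config into (header, [indented child lines]) pairs; '!' separators are dropped."""
    out, cur = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and cur is not None:
            cur[1].append(raw.strip())
        else:
            cur = (raw.strip(), [])
            out.append(cur)
    return out

def audit_ios_ssh_nat(config_text):
    """Return sorted findings for the three issues discussed in the thread."""
    secs = sections(config_text)
    headers = [h for h, _ in secs]
    findings = []
    if "ip ssh version 2" not in headers:
        findings.append("missing:ip ssh version 2")
    for h in headers:
        # a NAT route-map that only matches the interface translates everything leaving it
        m = re.match(r"ip nat inside source route-map (\S+)", h)
        if m:
            rm = m.group(1)
            clauses = [c for h2, cs in secs if h2.startswith(f"route-map {rm} ") for c in cs]
            if not any(c.startswith("match ip address") for c in clauses):
                findings.append(f"nat-route-map-without-acl:{rm}")
    for h, cs in secs:
        if h.startswith("line vty"):
            for c in cs:
                if c.startswith("transport input"):
                    protos = c.split()[2:]
                    if "telnet" in protos:
                        findings.append(f"cleartext-telnet:{h}")  # management over plaintext
                    if "ssh" not in protos:
                        findings.append(f"no-ssh-transport:{h}")
    return sorted(findings)
```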
New Member

You should remove the extra SSH entries. Your subnet 10.60.0.0/16 could not be available from all three interfaces. Consult your routing table and only keep the entry where this route exists.

Here is a list of steps for enabling SSH on Cisco ASA:

http://www.networksolutions.guru/blog/switching/how-to-enable-ssh-on-cisco-devices-asa-router-switch-asr/

HTH