
Issues SSHing into ASA

I am setting up a new ASA.  Actually it's an old 5510, but this is a new temporary install until the one we ordered comes in.  Everything is working except for SSH.  I have SSH open on the inside and outside interfaces and I get a prompt when I try to SSH to it from either the inside or outside.  But after I put in my username and password it tells me that my credentials are invalid.  I am using a local username/password, not AAA and it accepts that username and password for the console.  Console and telnet (password only) both work so I can get in to make changes.  When I debug SSH, the error states that my username and password are incorrect.  But this happens even when I create a new, simple username/password to test.  I've even gone so far as to copy/paste the username and password into the login window just to be safe (making sure I don't copy spaces, etc).  Below is a copy of the SSH Debug output followed by a sanitized copy of the config.  I have AAA configured for remote VPN users, but not for access to the ASA.  Also, this problem existed before I created the AAA settings for the VPN users. 

Also, I have zeroized and regenerated the RSA keys a couple of times to no avail. 

SSH Debugs:

Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.103'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25
SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-SecureCRT_4.1.9 (build 278) SecureCRT
client version string:SSH-2.0-SecureCRT_4.1.9 (build 278) SecureCRT
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 620 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS received
SSH(MYUSERNAME): user authen method is 'no AAA', aaa server group ID = 0
SSH(ctitech): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for MYUSERNAME

Sanitized ASA Config:

ASA Version 8.2(2)
!
hostname ASA
enable password XXXXXXX encrypted
passwd XXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.x 255.255.255.128
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.10.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list outside_access_in extended permit tcp any host X.X.X.X eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.X eq www
access-list outside_access_in extended permit tcp any host X.X.X.X eq https
access-list outside_access_in extended permit tcp any host X.X.X.X eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.X eq ssh
access-list outside_access_in extended permit tcp any host X.X.X.X eq 8080
access-list REMOTE1 extended permit ip 10.10.1.0 255.255.255.0 192.168.9.0 255.255.255.224
access-list VPN_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.9.0 255.255.255.224
access-list VPN_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN_NAT extended permit ip 10.10.1.0 255.255.255.0 10.10.3.96 255.255.255.224
access-list REMOTE2 extended permit ip 10.10.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list REMOTEUSERS_splitTunnelAcl standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging buffer-size 1000000
mtu OUTSIDE 1500
mtu INSIDE 1500
ip local pool VPNPOOL 10.10.3.100-10.10.3.125 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list VPN_NAT
nat (INSIDE) 1 10.10.1.0 255.255.255.0
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp interface www 10.10.1.12 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface https 10.10.1.12 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 10.10.1.12 smtp netmask 255.255.255.255
access-group outside_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 70.164.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUSSERVER protocol radius
aaa-server RADIUSSERVER (INSIDE) host 10.10.1.11
 key *****
http server enable 8080
http 0.0.0.0 0.0.0.0 INSIDE
http 0.0.0.0 0.0.0.0 OUTSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MYCRYPTOMAP 1 match address REMOTE1
crypto map MYCRYPTOMAP 1 set pfs
crypto map MYCRYPTOMAP 1 set peer X.X.X.X
crypto map MYCRYPTOMAP 1 set transform-set ESP-3DES-SHA
crypto map MYCRYPTOMAP 2 match address REMOTE2
crypto map MYCRYPTOMAP 2 set pfs
crypto map MYCRYPTOMAP 2 set peer X.X.X.X
crypto map MYCRYPTOMAP 2 set transform-set ESP-3DES-MD5
crypto map MYCRYPTOMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MYCRYPTOMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 OUTSIDE
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 30
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy REMOTEUSERS internal
group-policy REMOTEUSERS attributes
 dns-server value 10.10.1.11 10.10.1.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTEUSERS_splitTunnelAcl
 default-domain value DOMAIN.local
username REMOTEvpn password tN7SYPzaQQsEJFb4 encrypted privilege 0
username REMOTEvpn attributes
 vpn-group-policy REMOTEUSERS
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
tunnel-group REMOTEUSERS type remote-access
tunnel-group REMOTEUSERS general-attributes
 address-pool VPNPOOL
 authentication-server-group RADIUSSERVER
 default-group-policy REMOTEUSERS
tunnel-group REMOTEUSERS ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ea7d20f6ef65b60d5e296c51405d7d01
: end

2 REPLIES

Issues SSHing into ASA

Hello Kyle.

Please add the following command:

username xxxx password xxxx privilege #

aaa authentication ssh console LOCAL

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Re: Issues SSHing into ASA

Try adding:

aaa authentication ssh console LOCAL
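Both replies point at the same root cause: without an `aaa authentication ssh console` line the ASA never consults the `username` entries for SSH logins, which is exactly what the `user authen method is 'no AAA'` debug line in the original post reports. The following Python script is an added example, not code from this thread or from Cisco: it audits a config excerpt for that missing line and for the any-source `ssh`/`telnet`/`http` management lines the posted config also contains, produces a hardened version (SSH limited to one management network on one interface, LOCAL authentication added), and parses `debug ssh` output to confirm which authentication method the ASA applied. The config excerpt and debug lines embedded below are constructed from the sanitized values in the post (MYUSERNAME, INSIDE/OUTSIDE); the regexes and function names are this example's own, and the audit only checks for the presence of the command, not whether a named AAA server group is reachable.

```python
"""Added example: audit an ASA 8.x running-config excerpt for SSH login problems
and management exposure, then cross-check it against 'debug ssh' output.
Not code from the thread or from Cisco; regexes and function names are this
example's own."""
import re

ANY_SOURCE = "0.0.0.0 0.0.0.0"

# ASA management-access lines: "<ssh|telnet|http> <network> <mask> <nameif>"
_MGMT_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
_AAA_SSH_RE = re.compile(r"^aaa authentication ssh console\s+(\S+)")
_USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\b")
# 'debug ssh' lines; finditer copes with lines run together as in the post
_DEBUG_METHOD_RE = re.compile(r"SSH\(([^)]+)\): user authen method is '([^']+)'")
_DEBUG_FAIL_RE = re.compile(r"SSH2 \d+: authentication failed for (\S+)")


def audit_ssh_access(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: list[str] = []
    aaa_group = None
    local_users: list[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := _AAA_SSH_RE.match(line):
            aaa_group = m.group(1)
        elif m := _USERNAME_RE.match(line):
            local_users.append(m.group(1))
        elif m := _MGMT_RE.match(line):
            proto, net, mask, nameif = m.groups()
            if f"{net} {mask}" == ANY_SOURCE:
                findings.append(f"{proto} management open to any source on {nameif}")
    if aaa_group is None:
        findings.append(
            "no 'aaa authentication ssh console' line: SSH does not consult the "
            f"local usernames ({', '.join(local_users) or 'none defined'})"
        )
    return findings


def harden_ssh_access(config: str, mgmt_net: str, mgmt_mask: str, nameif: str) -> str:
    """Drop any-source ssh/telnet/http lines, allow SSH only from mgmt_net on
    nameif, and add LOCAL authentication for SSH if it is missing."""
    kept: list[str] = []
    has_aaa = False
    for raw in config.splitlines():
        line = raw.strip()
        if _AAA_SSH_RE.match(line):
            has_aaa = True
        m = _MGMT_RE.match(line)
        if m and f"{m.group(2)} {m.group(3)}" == ANY_SOURCE:
            continue  # remove the wide-open management entry
        kept.append(raw)
    kept.append(f"ssh {mgmt_net} {mgmt_mask} {nameif}")
    if not has_aaa:
        kept.append("aaa authentication ssh console LOCAL")
    return "\n".join(kept) + "\n"


def explain_ssh_debug(debug: str) -> dict[str, dict[str, str]]:
    """Map each username in 'debug ssh' output to the auth method the ASA used
    and, where the output shows one, the failure."""
    seen: dict[str, dict[str, str]] = {}
    for line in debug.splitlines():
        for m in _DEBUG_METHOD_RE.finditer(line):
            seen.setdefault(m.group(1), {})["method"] = m.group(2)
        for m in _DEBUG_FAIL_RE.finditer(line):
            seen.setdefault(m.group(1), {})["result"] = "failed"
    return seen


# Constructed excerpt mirroring the sanitized config in the thread.
SAMPLE_CONFIG = """\
username MYUSERNAME password XXXXXXXX encrypted privilege 15
telnet 0.0.0.0 0.0.0.0 OUTSIDE
telnet 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 30
http 0.0.0.0 0.0.0.0 OUTSIDE
"""

# Constructed from the debug lines in the post, including the run-together line.
SAMPLE_DEBUG = """\
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(MYUSERNAME): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for MYUSERNAME
"""

if __name__ == "__main__":
    for finding in audit_ssh_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(explain_ssh_debug(SAMPLE_DEBUG))
    print(harden_ssh_access(SAMPLE_CONFIG, "10.10.1.0", "255.255.255.0", "INSIDE"))
```

Running the script against the constructed excerpt reports six findings (the five any-source management lines plus the missing AAA line); after `harden_ssh_access` the audit returns nothing. The hardened output keeps `ssh timeout 30` and the username untouched, adds `ssh 10.10.1.0 255.255.255.0 INSIDE`, and appends the `aaa authentication ssh console LOCAL` line that both replies recommend.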
