Community Member

problem with ssh access on asa

Hello All,

I have a problem with my ssh access.

I have two interfaces: 172.17.5.250 = Outside, security level 0
                       10.11.3.2 = Inside, security level 1

I can access by ssh using Outside

I can not access by ssh using Inside. I receive this message in my prompt:

ssh user@10.11.3.2

Selected cipher type <unknown> not supported by server.

I tried with ssh -1 and ssh -2. Neither works.

I have ssh allowed for this source network. SSH version 1&2.

I tried:

ASA(config)#crypto key zeroize rsa

Issue this command in order to generate the new key:

ASA(config)# crypto key generate rsa modulus 1024

But no success

Cisco 8.2(12)2

Thanks

20 REPLIES
Red

problem with ssh access on asa

Hi Diego,

can you share the output of :

show run all ssl

You should add this in your configuration:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Refer to this doc for it:

https://supportforums.cisco.com/docs/DOC-15016

Hope this helps

Thanks,
Varun Rao
Security Team,
Cisco TAC

Red

problem with ssh access on asa

I'm sorry, but can you also post your SSH configuration?

Thanks,
Varun Rao
Security Team,
Cisco TAC

Red

problem with ssh access on asa

One more thing you can check is whether you have the 3DES license enabled; you can check it with "show version". SSH by default uses 3DES.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Community Member

problem with ssh access on asa

Hi Varun,

Look:

FW# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption des-sha1

FW# sh run all ssh

ssh 172.16.0.0 255.240.0.0 outside

ssh 192.168.41.0 255.255.255.0 outside

ssh 10.11.0.0 255.255.0.0 inside

ssh 172.16.0.0 255.240.0.0 inside

ssh 192.168.11.0 255.255.255.0 inside

ssh timeout 5

My big doubt is that when I try to connect on the Outside interface, it works...

Well, I didn't run that command you sent me yet. Should I?

Red

problem with ssh access on asa

It is the cipher code that the client and the server exchange between them. Are you using the same client when you connect from outside? You can very well add the command, but also check for the 3DES license. If you do not have it, you can generate it from here for free:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Thanks,
Varun Rao
Security Team,
Cisco TAC

Community Member

problem with ssh access on asa

Varun,

I found my problem..

VPN 3DES AES isn't enabled in my firewall...

Do I need a licence for it?

Red

problem with ssh access on asa

Yup, I just pinged you the link above; it's free.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Community Member

Re: problem with ssh access on asa

Varun,

I didn't see your post. I got the license and installed it, so I did:

1 - Get the License and Install

2 - ssl encryption aes128-sha1 3des-sha1 rc4-md5 des-sha1

But I still receive this error:

Selected cipher type not supported by server.

Re: problem with ssh access on asa

Hello Diego,

Are you using the same SSH client on both interfaces?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: problem with ssh access on asa

Hello Julio,

Look.

Client 172.20.65.205, connecting on Outside = OK (Windows with PuTTY)

Client 172.19.4.40, connecting on Inside = NOK (Linux with openssh-clients-4.3p2-82.el5)

Client 172.19.1.40, connecting on Outside = NOK (Linux with openssh-clients-4.3p2-82.el5)

Re: problem with ssh access on asa

Hello Diego,

What happens if you use PuTTY on the internal machine, or any other software besides the NOK one?

I would say it will work.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: problem with ssh access on asa

Hmm... I don't know.

But I can connect via SSH to another firewall without problem...

It is weird, isn't it?

Re: problem with ssh access on asa

Hello Diego,

I know you already did it, but can you do it once more:

ASA(config)#crypto key zeroize rsa
crypto key generate rsa modulus 1024

And let me know how it goes

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: problem with ssh access on asa

Hi Julio...

Here it is:

FW(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

And now? Generate a new one?

Community Member

Re: problem with ssh access on asa

I generated it... but still no way.

Re: problem with ssh access on asa

Hello Diego,

Do you still get the same log from the client?

What logs are being shown by the ASA?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: problem with ssh access on asa

So..

FWINTERNO# debug ssh
debug ssh  enabled at level 1


FW# Device ssh opened successfully.
SSH1: SSH client: IP = '172.19.4.121'  interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.5-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-1.5-OpenSSH_4.3

client version string:SSH-1.5-OpenSSH_4.3SSH1: begin server key generation
SSH1: complete server key generation, elapsed time = 910 ms
SSH1: declare what cipher(s) we support:
00  0x00  0x00  0x04  0xSSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH1: SSH_SMSG_PUBLIC_KEY message sent
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: Session disconnected by SSH server - error 0x00 "Internal error"
SSH0: receive SSH message: SSH_CMSG_WINDOW_SIZE (11)

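An added example, not part of the thread, that turns the two checks discussed above into code: decoding the cipher mask the ASA prints under `debug ssh` ("declare what cipher(s) we support: 00 0x00 0x00 0x04") and reading the VPN-3DES-AES line from `show version`. In SSH protocol 1 the server advertises its ciphers in SSH_SMSG_PUBLIC_KEY as a 32-bit mask indexed by cipher number (2 = DES, 3 = 3DES, 6 = Blowfish), so a mask of 0x00000004 means the firewall offers single DES and nothing else. An OpenSSH protocol-1 client with no `-c` option will take 3DES or Blowfish only and otherwise aborts with exactly the message in the first post, which fits the thread's two observations that SSH defaults to 3DES and that the 3DES/AES feature was not licensed; PuTTY's SSH-1 client falls back to single DES (with a warning), which would explain why only the PuTTY client succeeded. The `show version` sample below is constructed and its column spacing is an assumption; the preference tuple encodes OpenSSH's documented behaviour, not anything quoted on the page.

```python
"""Added example (not from the thread): decode the SSH-1 cipher mask that the
ASA prints under `debug ssh`, and check the 3DES/AES licence line in
`show version`, to explain why an OpenSSH client fails with
"Selected cipher type <unknown> not supported by server." while PuTTY works."""
import re

# SSH-1 (protocol 1.5) cipher numbers. In SSH_SMSG_PUBLIC_KEY the server sends a
# 32-bit mask with bit <n> set for every cipher number <n> it will accept.
SSH1_CIPHERS = {
    0: "none",
    1: "idea",
    2: "des",
    3: "3des",
    4: "tss",       # defined in the spec, never implemented by OpenSSH
    5: "arcfour",
    6: "blowfish",
}

# Without an explicit -c, an OpenSSH protocol-1 client takes 3des if the server
# offers it, otherwise blowfish, otherwise it aborts with the error quoted above.
OPENSSH_V1_PREFERENCE = ("3des", "blowfish")

# Constructed sample: the two relevant lines copied from the thread's debug output.
DEBUG_SAMPLE = """SSH1: declare what cipher(s) we support:
00  0x00  0x00  0x04  0xSSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
"""

# Constructed sample of the licence lines from `show version`; the exact column
# spacing is an assumption, only the "VPN-3DES-AES" label and its state are used.
SHOW_VERSION_SAMPLE = """Licensed features for this platform:
Maximum Physical Interfaces : 8
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
"""


def parse_cipher_mask(debug_text: str) -> int:
    """Return the cipher mask that follows 'declare what cipher(s) we support:'."""
    m = re.search(r"declare what cipher\(s\) we support:\s*\n([^\n]*)", debug_text)
    if not m:
        raise ValueError("no cipher declaration found in debug output")
    # The ASA prints the mask as hex bytes; the next debug line ("0xSSH1: ...")
    # runs into the same line, so stop at the first token that is not a byte.
    raw = []
    for token in m.group(1).split():
        if not re.fullmatch(r"(?:0x)?[0-9a-fA-F]{2}", token):
            break
        raw.append(int(token[-2:], 16))
    if len(raw) != 4:
        raise ValueError(f"expected 4 mask bytes, got {len(raw)}")
    return int.from_bytes(bytes(raw), "big")


def offered_ciphers(mask: int) -> list:
    """Names of the SSH-1 ciphers whose bit is set in the mask."""
    return [name for bit, name in SSH1_CIPHERS.items() if mask & (1 << bit)]


def openssh_v1_choice(mask: int, preference=OPENSSH_V1_PREFERENCE):
    """Cipher an OpenSSH protocol-1 client would select, or None if it would abort."""
    offered = offered_ciphers(mask)
    return next((c for c in preference if c in offered), None)


def strong_crypto_licensed(show_version: str) -> bool:
    """True when `show version` reports the VPN-3DES-AES feature as Enabled."""
    m = re.search(r"VPN-3DES-AES\s*:\s*(Enabled|Disabled)", show_version)
    if not m:
        raise ValueError("no VPN-3DES-AES line in show version output")
    return m.group(1) == "Enabled"


def diagnose(debug_text: str, show_version: str) -> dict:
    """Summarise what the firewall offers and what an OpenSSH v1 client would do."""
    mask = parse_cipher_mask(debug_text)
    return {
        "mask": mask,
        "offered": offered_ciphers(mask),
        "openssh_default_choice": openssh_v1_choice(mask),
        "3des_aes_licensed": strong_crypto_licensed(show_version),
    }


if __name__ == "__main__":
    print(diagnose(DEBUG_SAMPLE, SHOW_VERSION_SAMPLE))
```

The value to watch after each change (licence install, key regeneration) is the mask in a fresh `debug ssh` capture rather than the client's error text: the trace in the thread still reads 0x04 after the licence was installed, so the server side is where the check belongs. Forcing the client down to single DES is not the fix; the fix the thread converges on is the 3DES/AES licence.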
Community Member

Re: problem with ssh access on asa

And now?

Any idea???

Re: problem with ssh access on asa

Hello Diego,

Hmm, provide the following:

Show version

Show run ssl

sh crypto key mypubkey rsa

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC