Cisco Support Community

New Member

SSH Access to ASA

I can't access our ASA 5505 via SSH from the outside. I've configured this through the ASDM to allow SSH (Device Management > Management Access > ASDM/HTTPS/Telnet/SSH). I added a rule that allows SSH on the outside interface from 0.0.0.0 0.0.0.0. When I try to SSH in with PuTTY, it says "server unexpectedly closed network connection". When I watch the logs on the ASA, it shows a Built inbound TCP connection on port 22, but then immediately a Teardown TCP connection. It doesn't show it's being blocked by any rule. Is there something I'm missing on enabling SSH?

Thanks,

Scott

Accepted Solution

Re: SSH Access to ASA

Hi,

Besides allowing the permitted hosts to SSH to the ASA, you need to define RSA keys for the secure connection.

In the CLI:

crypto key generate rsa

For these keys to work, you should have a hostname/domain-name configured on the ASA as well (unless you configure dedicated RSA keys).

So basically, configure a hostname, domain name and generate the RSA key pair:

hostname NAME_OF_ASA

domain-name NAME_OF_DOMAIN

crypto key generate rsa

Accept the default of 1024 and it should work.

Federico.

15 REPLIES

New Member

Re: SSH Access to ASA

Thanks for your response.

I had to enter that command through the ASDM and got the results below. Do I need to replace the existing key?

Result of the command: "crypto key generate rsa"

WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]:
% Please answer 'yes' or 'no'.
Do you really want to replace them? [yes/no]:
% Please answer 'yes' or 'no'.
Do you really want to replace them? [yes/no]:
% ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys named

Re: SSH Access to ASA

Are those RSA keys already in use for something else? If not, you can do: crypto key zeroize rsa and regenerate the RSA keys.

You should be able to SSH fine.

We know the connection is getting to the ASA because you see the log.

Can you regenerate the RSA keys and attempt the connection?

If it does not work, please post the output of the "sh run ssh" command and the public IP address where the SSH client connection is coming from.

Federico.

New Member

Re: SSH Access to ASA

I ran "crypto key zeroize" and removed the key, then ran "crypto key generate rsa" to regenerate the key. I tried SSH'ing back in, but got the same error. I checked the logs and saw the same thing again.

Here is the output of sh run ssh:

ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

Thanks,

Scott

New Member

I'm sure you have this

I'm sure you have this figured out by now. But you have to go to Configuration > Device Management > Users/AAA > AAA Access and "Enable" SSH and assign it to "LOCAL". Doing a "debug ssh 127" will show you the keys to the reason. If you are getting a "no AAA" message then your device is trying to use external AAA. Enable it to LOCAL and you are good to go.

New Member

Correct. It's AAA

Correct. It's AAA authentication that is missing.

New Member

Re: SSH Access to ASA

I wonder if since I'm running these commands from the ASDM CLI, if they're running all the way. I thought when you run the crypto key generate rsa command it asks you some questions. I didn't get anything returned. Is there a way to pull up an actual cli session from the ASDM?

Re: SSH Access to ASA

Scott,

I think you're correct and the RSA needs to be done via the CLI.

Can you telnet/SSH to the ASA?

Cannot be done via ASDM.

Federico.

New Member

Re: SSH Access to ASA

I can't. It's at a remote location in another country so I don't even have physical access. Not sure how I'm going to do this, but thanks for your help.

Re: SSH Access to ASA

To be sure, we can run the debug for SSH:

debug ssh 127

The output of this command should tell us what the problem is.

Federico.

New Member

Re: SSH Access to ASA

Is there a way to run this in the ASDM CLI? I tried from but got the message "debug commands are not supported".

Re: SSH Access to ASA

As far as I've seen you'll need CLI access to enable SSH.

Debugs don't seem to work on ASDM either.

Apologies, I always use CLI only.

Federico.

New Member

Re: SSH Access to ASA

OK. I'll see what I can do. Thanks.

New Member

Re: SSH Access to ASA

You can regenerate the RSA keys from the ASDM as well.

Use the noconfirm keyword at the end of each command (in Multiline, I use the following):

conf t

crypto key zeroize rsa noconfirm

crypto key generate rsa noconfirm

http://www.cisco.com/en/US/docs/security/asdm/6_1/release/notes/rn61.html#wp70204

Hope this helps.

Ramzi

New Member

SSH Access to ASA

Be careful with "crypto key zeroize rsa noconfirm" as it will remove ALL RSA keys you have configured on the ASA, including 3rd-party ones that might be in use.
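The thread converges on four prerequisites for SSH management access to an ASA: a hostname and domain-name (so the RSA key pair can be named), an RSA key pair, an "ssh <ip> <mask> <interface>" permit line, and an AAA method for SSH logins (here, LOCAL). The script below is an added example, not code from the thread or from Cisco: it audits a running config plus the output of "show crypto key mypubkey rsa" and reports which prerequisite is missing, so the "Built ... Teardown" symptom Scott describes can be explained without a live "debug ssh 127". It goes slightly beyond the thread by also flagging an any-any SSH permit and an RSA modulus under 2048 bits. The sample configs and key output are constructed and approximate the ASA's format; hostnames, addresses and usernames are placeholders.

```python
import re

# Constructed sample running config, modelled on the "sh run ssh" output posted
# in the thread: SSH permitted from anywhere, but no domain-name, no RSA key
# and no AAA method for SSH logins.
BROKEN_RUNNING_CONFIG = """\
hostname ciscoasa
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

# Constructed "show crypto key mypubkey rsa" output right after
# "crypto key zeroize rsa": nothing is listed.
BROKEN_KEY_OUTPUT = ""

# Constructed config after the fixes the thread converges on (hostname and
# domain-name, RSA key, AAA to LOCAL) plus a narrowed permit list.
# asa-branch01, example.com, 203.0.113.0/24 and netadmin are placeholders.
FIXED_RUNNING_CONFIG = """\
hostname asa-branch01
domain-name example.com
ssh 203.0.113.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
aaa authentication ssh console LOCAL
username netadmin password PLACEHOLDER_HASH encrypted privilege 15
"""

# Constructed approximation of "show crypto key mypubkey rsa" output.
FIXED_KEY_OUTPUT = """\
Key pair was generated at: 10:15:02 UTC Mar 3 2011
Key name: asa-branch01.example.com
 Usage: General Purpose Key
 Modulus Size (bits): 2048
 Key Data:
  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
"""

SSH_PERMIT_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
MODULUS_RE = re.compile(r"Modulus Size \(bits\):\s*(\d+)")


def audit_ssh_access(running_config, rsa_key_output, minimum_modulus=2048):
    """Return a list of (code, message) findings explaining why SSH to the ASA
    may fail or be weaker than it should be. An empty list means every
    prerequisite discussed in the thread is present."""
    findings = []
    lines = [line.strip() for line in running_config.splitlines() if line.strip()]

    def first_arg(prefix):
        # Value of the first config line starting with `prefix`, or None.
        for line in lines:
            if line.startswith(prefix + " "):
                return line[len(prefix):].strip()
        return None

    # 1. The default key pair is named <hostname>.<domain-name>.
    if first_arg("hostname") is None:
        findings.append(("NO_HOSTNAME", "no hostname configured; needed to name the RSA key pair"))
    if first_arg("domain-name") is None:
        findings.append(("NO_DOMAIN_NAME", "no domain-name configured; 'crypto key generate rsa' needs it unless a labelled key is used"))

    # 2. An RSA key pair must exist, and should not be a weak modulus.
    moduli = [int(m) for m in MODULUS_RE.findall(rsa_key_output)]
    if not moduli:
        findings.append(("NO_RSA_KEY", "no RSA key pair present; the ASA accepts the TCP connection and then tears it down"))
    for bits in moduli:
        if bits < minimum_modulus:
            findings.append(("WEAK_RSA_KEY", f"RSA modulus is {bits} bits; regenerate with at least {minimum_modulus}"))

    # 3. SSH must be permitted from the client's source on the right interface.
    permits = [m for m in (SSH_PERMIT_RE.match(line) for line in lines) if m]
    if not permits:
        findings.append(("NO_SSH_PERMIT", "no 'ssh <ip> <mask> <interface>' line; management access is not permitted"))
    for m in permits:
        if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(("SSH_PERMIT_ANY", f"SSH permitted from any address on interface '{m.group(3)}'; restrict to management sources"))

    # 4. SSH logins need an authentication method; the thread's fix was LOCAL.
    aaa_method = first_arg("aaa authentication ssh console")
    if aaa_method is None:
        findings.append(("NO_AAA_SSH", "no 'aaa authentication ssh console' line; SSH logins are not authenticated against LOCAL or a AAA server"))
    elif aaa_method.split()[0].upper() == "LOCAL" and not any(line.startswith("username ") for line in lines):
        findings.append(("NO_LOCAL_USERS", "AAA points SSH at LOCAL but no 'username' entries exist"))

    return findings


if __name__ == "__main__":
    for code, message in audit_ssh_access(BROKEN_RUNNING_CONFIG, BROKEN_KEY_OUTPUT):
        print(f"{code}: {message}")
    print("fixed config findings:", audit_ssh_access(FIXED_RUNNING_CONFIG, FIXED_KEY_OUTPUT))
```

Feed it the real "show running-config" and "show crypto key mypubkey rsa" text from the device (pasted from the ASDM command tool works, since neither requires a debug). On the broken sample it reports the missing domain-name, the missing key pair, the two any-any permits and the missing AAA line, which matches the sequence of fixes the replies arrive at.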
