SSH through an ASA

mulhollandm
Level 1

Folks,

I'm new to the ASA and I have a newly configured ASA 5540, and I'm trying to SSH through it to an external router.

Routes etc. are all OK.

When I try an SSH, I can see the outbound session built, but the inbound reply is denied.

I suspect this is because SSH is not included in the inspect rule for the inside interface.

Is this a possibility, and if so, how do I get round this?

Thanks to anyone taking the time to reply.

PS - I have another post on the way re configuring DNS through the same ASA, so I'm grateful to anyone taking the time to look at any of these posts.

Accepted Solution

Are you sure the ASA is denying this traffic, and not the router? What are you seeing in the log (which makes you suspect that the ASA is denying this traffic)?

The setup is like this, as per my understanding?

ASA-Outside (SSH client) >> Router (SSH Server)

Also, if the router is more than one hop away, make sure the router knows how to reach the ASA's outside interface.

Regards

Farrukh


JORGE RODRIGUEZ
Level 10

Revise the configuration; go over this link. The most common issue is not having the aaa authentication ssh console LOCAL statement in your config. Read the link and compare your configuration; if there are still problems, get back to us.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

HTH

Jorge

Jorge Rodriguez

jorge

Thanks for the reply.

I was able to use your link to set up SSH to the box, so many thanks, but my problem is SSH through the box to a router on its outside interface.

I think I need to enable SSH in the default inspection rule, but I don't know how.

Thanks again for your reply.

Michael, can you post your config, stripping out public IP info? There is no need for SSH inspection. Post the config so I can take a look.

I suppose you are trying to SSH into the ASA from the outside internet towards the ASA outside IP address, or are you trying to SSH to the outside interface from the inside LAN? Can you clarify?

Jorge Rodriguez


Farrukh,

Many thanks for your efforts; they are greatly appreciated.

The problem seems to be with the upstream router I'm trying to log on to - it seems to have lost a route back to my PC.

I'm very grateful for your reply.

Jorge,

Many thanks for your replies to my problem - they are greatly appreciated.

I think the problem is with the upstream router; I think it has lost a route back to my PC. I say this because I see lots of SYN timeouts when trying to complete the handshake.

Again, many thanks for your time.
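As an added illustration, not taken from the thread or from any poster, the Python script below triages ASA connection syslog messages to separate the two explanations raised above: an ACL deny on the ASA versus an outbound SSH connection that the ASA builds and then tears down with "SYN Timeout" because the reply never comes back. The sample log lines and addresses are constructed; the message IDs 302013, 302014 and 106023 are the standard ASA connection-built, connection-teardown and ACL-deny messages.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not taken from the thread) showing the
# pattern described in the replies: the ASA builds the outbound SSH flow, then
# tears it down with "SYN Timeout" because no reply ever came back. The last
# line is a policy deny for a different port, to show that only SSH flows count.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/22 (203.0.113.5/22) to inside:192.168.1.10/51000 (198.51.100.2/51000)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/22 to inside:192.168.1.10/51000 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.5/22 (203.0.113.5/22) to inside:192.168.1.10/51002 (198.51.100.2/51002)
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.5/22 to inside:192.168.1.10/51002 duration 0:00:30 bytes 0 SYN Timeout
%ASA-4-106023: Deny tcp src inside:192.168.1.10/51004 dst outside:203.0.113.5/23 by access-group "inside_in" [0x0, 0x0]
"""

# Every ASA syslog line has the shape "%ASA-<severity>-<message id>: <body>"
MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)")


def classify_ssh_attempts(log_text, server_port=22):
    """Count how each flow touching server_port ended, keyed by outcome.

    built       - 302013: the ASA permitted the SYN and created the connection
    syn_timeout - 302014 ending in "SYN Timeout": no SYN-ACK ever returned
    completed   - any other 302014 teardown (the handshake finished)
    denied      - 106023: an ACL on the ASA dropped a packet of the flow
    """
    port_re = re.compile(rf"/{server_port}\b")  # match "/22 " or "/22)" only
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m or not port_re.search(m.group(2)):
            continue
        msg_id, body = m.groups()
        if msg_id == "302013":
            counts["built"] += 1
        elif msg_id == "302014":
            counts["syn_timeout" if body.endswith("SYN Timeout") else "completed"] += 1
        elif msg_id == "106023":
            counts["denied"] += 1
    return dict(counts)


def verdict(counts):
    """Map the counts onto the two explanations offered in the thread."""
    if counts.get("denied"):
        return "ASA policy drops SSH: fix the ACL on the ASA"
    if counts.get("syn_timeout") and not counts.get("completed"):
        return "ASA permits the SYN but no reply returns: check the route back from the far end"
    return "SSH flows complete through the ASA"
```

Feed it the output of `show logging` (or the syslog export) filtered to the client address; a stream of SYN Timeout teardowns with no deny messages points at the far-end return path rather than the ASA, which is what this thread ended on.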
