Cisco Support Community
New Member


I have a weird problem with the ssh configuration on an ASA. We have a VPN established between 2 ASAs. I configured ssh to the remote ASA's outside interface. I had trouble with ssh unless I regenerated the keys. Now, on the local ASA I have configured NAT so that, when I ssh to the remote ASA, local IP addresses are translated to the local ASA's outside address. Since then I cannot ssh to the remote ASA. My ssh client says:

Connecting to host


Connection closed.

I had the same message before I regenerated the keys for the first time. Now it doesn't help either. If I remove NAT, everything works fine.

Here is my config of the local ASA:

ASA Version 8.2(1)

hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted

interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address

interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address

interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp
 security-level 100
 ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host eq ssh
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (eigrp) 1 access-list nat

router eigrp 2008
 no auto-summary
 neighbor interface outside
 neighbor interface eigrp
 redistribute connected
 redistribute static

route management 1
route outside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host
 key *
aaa-server TACACS (management) host
 key *
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
http server enable
http management
snmp-server host eigrp poll community vlan
snmp-server host eigrp poll community vlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable eigrp
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh eigrp
ssh timeout 20
console timeout 0

New Member

Re: SSH on ASA

Also, on the remote ASA I have no debug ssh messages even though the debug level is set to 255.

Moreover, when I apply NAT with an ssh session already established to the remote ASA, the connection does not terminate.