07-02-2009 09:41 PM - edited 03-10-2019 04:41 AM
How do I configure SSH on the outside interface of an ASA? I have defined an access list for the outside interface and applied it, but it didn't work for some reason.
Here is the access list
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/3
description EIGRP 2008
nameif eigrp
security-level 100
ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.251.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list allow_ping extended permit tcp any any eq ssh
access-list nonat extended permit ip any any
access-list icmp_inside extended permit icmp any any
access-list icmp_inside extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside
07-02-2009 11:27 PM
Hi,
I hope this helps.
Best regards.
Massimiliano.
07-02-2009 11:39 PM
I have done all this already, but I get this message from my SSH client when trying to connect to the ASA:
Connecting to host 10.254.17.9:22...
Connected.
Connection closed.
07-05-2009 07:52 AM
Can't say I have seen this before but SSH is easy to do on the ASA.
I recommend taking the access list off of the interface first to see if that could be it.
You only posted a partial section of the config but make sure you have the SSH command with the address of the subnet you are connecting from. Your config is no longer visible as I type this but try "SSH 0.0.0.0 0.0.0.0 outside". This allows all subnets to access the outside interface. This command works like an access list to limit connectivity to trusted subnets. i.e. "SSH 10.0.0.0 255.0.0.0 outside" only allows hosts on the 10.x.x.x network to connect via SSH.
Turn on "debug ssh" to see what the errors are too.
And, you can always delete your keys (crypto key zeroize rsa) and rebuild them back (crypto key generate rsa gen mod 1024). This will make your ssh client, I'm using PuTTY, think this is a new device and prompt for the OK to connect.
Good luck.
Kevin
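As an added illustration of the `ssh <net> <mask> <iface>` rule Kevin describes (example code written for this page, not from the thread or from Cisco): on the ASA, SSH sessions to the box itself are admitted by the `ssh` command, not by the interface `access-group`, which only filters traffic passing through the firewall. The script parses those lines out of a running-config and evaluates a client address against them; the config text is a constructed sample modelled on the original post's outside interface, and the function names are my own.

```python
"""Evaluate which clients an ASA's `ssh <addr> <mask> <iface>` lines admit."""
import ipaddress
import re

# Three tokens after `ssh`; `ssh timeout 5` / `ssh version 2` have two and never match.
SSH_LINE = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample (not the poster's full config): outside is 10.254.17.9/29 as in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
access-group allow_ping in interface outside
ssh 10.0.0.0 255.0.0.0 outside
ssh 192.168.251.0 255.255.255.0 management
ssh key-exchange group dh-group14-sha1
ssh timeout 5
ssh version 2
"""


def parse_ssh_rules(config):
    """Return (network, interface) pairs for every `ssh <addr> <mask> <iface>` line.

    ASA takes a subnet mask here (255.0.0.0), not a wildcard mask; ipaddress
    accepts that form directly. Lines such as `ssh key-exchange ...` have three
    tokens but no address, so the ValueError they raise is used to skip them.
    """
    rules = []
    for line in config.splitlines():
        m = SSH_LINE.match(line.strip())
        if not m:
            continue
        addr, mask, iface = m.groups()
        try:
            rules.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
        except ValueError:
            continue
    return rules


def ssh_permitted(config, client_ip, iface):
    """True if the ASA would accept an SSH session from client_ip arriving on iface."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and i == iface for net, i in parse_ssh_rules(config))


def open_to_any(config):
    """Interfaces carrying an any-source rule (`ssh 0.0.0.0 0.0.0.0 <iface>`).

    Fine for a quick test as Kevin suggests, but on the outside interface it exposes
    the management plane to every source; narrow it to trusted subnets afterwards.
    """
    return sorted({i for net, i in parse_ssh_rules(config) if net.prefixlen == 0})


def ssh_version_2_enforced(config):
    """True when `ssh version 2` is present (SSHv1 is otherwise still negotiable)."""
    return any(line.strip() == "ssh version 2" for line in config.splitlines())
```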
07-05-2009 10:47 PM
I removed crypto keys and generated again, it helped, thank you