01-07-2010 08:00 AM
I have approximately 500 remote sites. They are primarily 5505's connecting to us as EzVPN clients. I have the outside interface configured for SSH, but I get a network connection error any time I try to connect to any of the sites. Below is my config, could someone tell me what I am missing to be able to SSH into these devices?
ASA Version 8.0(3)
!
hostname xxxxxxxx
domain-name xxxxxxxx.com
enable password xxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.192
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxx encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server x.x.x.x
name-server x.x.x.x
domain-name xxxxxxx.com
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http x.x.x.x 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
vpnclient server xxxx.xxxx.com
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup xxxx password ********
vpnclient username xxxx password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5c86d7e9a681ff69bca5e
: end
01-07-2010 09:04 AM
Hi,
By default, the security appliance allows both SSH version 1 and version 2 but for trouble shooting purpose configure a specific version 2 in ASA and then share the result.
HTH
Regards
Ganesh.H
01-09-2010 08:37 PM
George
First a question: have you generated the RSA keys on the ASA which are needed to support SSH?
Second a suggestion: if you have configured the RSA keys and SSH does not work, then I suggest that you configure at least one user & password on the ASA, and then configure authentication of SSH specifying LOCAL as the authentication source.
HTH
Rick
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: