Cisco Support Community
New Member

can't ssh to Cisco ASA 5505

Hi, I can't seem to ssh to my 5505, even though I think I have it set up properly. Below is part of the config; can someone tell me what is wrong?

domain-name windriverdev.com

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list vpnclient extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list acl_in extended permit tcp any host 69.3.19.242 eq 3389

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool clients 10.10.10.100-10.10.10.150

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.90 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 69.3.19.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

http server ena

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

dh

no snmp-server contact

snmp-server community asa

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec transform-set national esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-des esp-md5-hmac

failover

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

cisc

crypto dynamic-map national 20 set transform-set myset

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp p

cisco

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

5 REPLIES
Hall of Fame Super Silver

Re: can't ssh to Cisco ASA 5505

Mike

I see that you have configured to permit ssh on the outside interface using this:

ssh 0.0.0.0 0.0.0.0 outside

but your post is not specific whether you are attempting SSH from an outside address to the outside interface or whether you are attempting SSH from an inside address to the inside interface. Perhaps you should also enable SSH on the inside interface.

Perhaps it would also help to configure authentication for SSH. It might look something like this:

user password

aaa authentication ssh console LOCAL

(note that LOCAL needs to be upper case).

HTH

Rick

New Member

Re: can't ssh to Cisco ASA 5505

I'm trying to set up ssh for outside users.

Thanks

Mike

Re: can't ssh to Cisco ASA 5505

Mike,

Rick is correct, 5P!

You may use this link to verify things:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#configs

HTH,

Toshi

New Member

Re: can't ssh to Cisco ASA 5505

I know a Cisco guy who I want to give access to, but I can't because ssh won't work. I want him to review the setup and enable FTP too.

Hall of Fame Super Silver

Re: can't ssh to Cisco ASA 5505

Toshi

Thanks.

Mike

The link that Toshi sent is a good one and it reminds me that you also need to generate RSA keys to enable SSH. You do not mention whether you have done this step or not. The command would be:

crypto key generate rsa modulus modulus_size

HTH

Rick
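
The prerequisites Rick lists across his two replies (an ssh permit line for the interface, aaa authentication ssh console LOCAL with a local user, and generated RSA keys) can be checked against a saved running-config. The Python script below is an added example, not part of the thread or any Cisco tool; the function name audit_ssh and the sample config are constructed for illustration. It goes slightly beyond the replies by also flagging the any-source ssh rule and the telnet line that appear in the posted config.

```python
import ipaddress
import re

# Constructed sample: the management-access lines of the posted config with
# the terminal residue removed. The posted excerpt shows no "username" line
# and no "aaa authentication ssh console" line.
SAMPLE_CONFIG = """\
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

SSH_RULE = re.compile(r"ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")

def audit_ssh(config):
    """Return (ssh_rules, findings) for an ASA running-config string."""
    rules, findings = [], []
    has_aaa = has_user = False
    for line in (raw.strip() for raw in config.splitlines()):
        m = SSH_RULE.fullmatch(line)
        if m:
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            rules.append((net, m[3]))
            if net.prefixlen == 0:
                findings.append(f"ssh permitted from any address on '{m[3]}'; "
                                "restrict to known management networks")
        elif re.match(r"aaa authentication ssh console \S+", line):
            has_aaa = True
        elif re.match(r"username \S+ (password|nopassword)", line):
            has_user = True
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"cleartext management enabled: {line}")
    if not rules:
        findings.append("no 'ssh <network> <mask> <interface>' line; SSH is not permitted")
    if not has_aaa:
        findings.append("missing 'aaa authentication ssh console LOCAL'")
    if not has_user:
        findings.append("no local 'username' entry for LOCAL authentication")
    # RSA host keys are not stored in the running-config, so they cannot be
    # checked here; confirm on the device with 'show crypto key mypubkey rsa'.
    findings.append("RSA key pair not verifiable from config; check on the device")
    return rules, findings

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG)[1]:
        print("-", finding)
```
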
