Cisco ASA - ssh not working on WAN interface

LovejitSingh1313 — Tue, 11 Aug 2020 12:55:06 GMT

Hello Guys,

Need help on troubleshooting the ssh from outside(WAN) interface, I attached the config below. Please advice with commands for troubleshooting.

Thanks,

Result of the command: "sh run"

: Saved

Result of the command: "sh run"

: Saved

:

ASA Version 9.9(1)
!
hostname A1ASA

enable password mgCeL9SBd2ZbybMR encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool TechMonks-Pool 192.168.235.1-192.168.235.10 mask 255.255.255.0
ip local pool VPNpool 10.222.225.1-10.222.225.254 mask 255.255.255.0
ip local pool McCallum-Pool 10.123.123.1-10.123.123.21 mask 255.255.255.0

!
interface GigabitEthernet1/1
description Outside
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
description inside
nameif inside
security-level 90
ip address 10.222.222.1 255.255.252.0
!
interface GigabitEthernet1/3
nameif AirbossMimic
security-level 40
ip address 192.168.1.7 255.255.255.0
!
interface GigabitEthernet1/4
description Development
nameif Development
security-level 50
ip address 192.168.175.1 255.255.255.0
!
interface GigabitEthernet1/5
description Security
nameif Security
security-level 80
ip address 10.211.211.1 255.255.255.0
!
interface GigabitEthernet1/6
description Rogers-LAN-EXT
speed 100
duplex full
nameif Rogers-LAN-EXT
security-level 90
ip address 172.30.1.222 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Phone System
nameif New-Phone
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
ip address 192.168.149.3 255.255.255.0
!
boot system disk0:/asa991-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup Development
dns domain-lookup Security
dns server-group DefaultDNS
name-server 10.222.222.12
domain-name ableone.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.199.196.0_22
subnet 10.199.196.0 255.255.252.0
object network NETWORK_OBJ_10.222.220.0_22
subnet 10.222.220.0 255.255.252.0
object network Inside_Network
subnet 10.222.220.0 255.255.252.0
description Inside_Network
object network Generic
subnet 0.0.0.0 0.0.0.0
object network SecurityController
host 10.211.211.10
description SecurityController
object network Security_Net
subnet 10.211.211.0 255.255.255.0
description Security_Net
object network Sec-Net
subnet 10.222.220.0 255.255.252.0
description Sec-Net
object network NETWORK_OBJ_10.222.225.0_24
subnet 10.222.225.0 255.255.255.0
object network NETWORK_OBJ_172.30.1.0_24
subnet 172.30.1.0 255.255.255.0
description NETWORK_OBJ_172.30.1.0_24
object network PoC-Phone
subnet 10.10.10.0 255.255.255.0
object network TechMonksVPN
description TechMonksVPN Client Range
object network TechMonksNet
subnet 192.168.235.0 255.255.255.0
description TechMonks VPN Network
object network Fibernetics-Phone
subnet 10.10.10.0 255.255.255.0
description Fibernetics-Phone
object network NETWORK_OBJ_192.168.175.0_24
subnet 192.168.175.0 255.255.255.0
object network FOCU-NET
subnet 10.1.30.0 255.255.255.0
object network NETWORK_OBJ_10.123.123.0_27
subnet 10.123.123.0 255.255.255.224
object network A1Cogent-Internal
subnet 10.17.25.0 255.255.255.0
description A1Cogent Internal Network
object network A1Cogent-Management
subnet 10.20.77.0 255.255.255.0
description A1 Cogent Management Network
object network TMGInside
subnet 10.170.150.0 255.255.254.0
description Trimach Inside Network in staging area
object network TMG-HQLocalNetwork
subnet 192.168.6.0 255.255.255.0
description Trimach Elmira local network
object network A1-Rogers-VPNPool
subnet 192.168.222.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.175.0 255.255.255.0
network-object object Inside_Network
network-object object Security_Net
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
network-object 10.222.220.0 255.255.252.0
network-object object NETWORK_OBJ_10.222.225.0_24
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service POC-Phones udp
port-object range 10000 20000
port-object eq sip
object-group service DM_INLINE_SERVICE_9
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service POC-Phone_Ports
object-group service DM_INLINE_SERVICE_10
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
service-object ip
service-object tcp destination eq www
object-group network DM_INLINE_NETWORK_3
network-object object NETWORK_OBJ_10.222.220.0_22
network-object object NETWORK_OBJ_10.222.225.0_24
object-group network FOCU
network-object host 10.1.30.45
network-object host 10.1.40.45
network-object host 10.1.80.12
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_4
network-object object A1Cogent-Internal
network-object object A1Cogent-Management
object-group network DM_INLINE_NETWORK_5
network-object 192.168.175.0 255.255.255.0
network-object object TMGInside
object-group network DevNetwork
network-object 192.168.175.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Inside_Network object NETWORK_OBJ_10.199.196.0_22
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any any
access-list outside_access_in extended permit tcp any any eq 2601
access-list outside_access_in extended permit udp any any object-group POC-Phones inactive
access-list inside_access_in extended permit ip 10.222.220.0 255.255.252.0 any
access-list inside_access_in extended permit ip 10.222.220.0 255.255.252.0 10.222.225.0 255.255.255.0
access-list inside_access_in_1 extended permit ip host 10.222.221.221 192.168.235.0 255.255.255.0
access-list inside_access_in_1 extended deny ip 10.222.220.0 255.255.252.0 192.168.235.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.222.225.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.211.211.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.199.196.0 255.255.252.0
access-list inside_access_in_1 extended permit ip any 192.168.175.0 255.255.255.0
access-list inside_access_in_1 extended permit udp any 10.199.196.0 255.255.252.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_5 any any
access-list inside_access_in_1 extended permit ip any any
access-list Security_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list Security_access_in extended permit ip any any
access-list Development_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Development_access_in extended permit ip any object Inside_Network
access-list Development_access_in extended permit ip any object-group DM_INLINE_NETWORK_3 inactive
access-list Development_access_in extended permit ip object TMGInside object TMG-HQLocalNetwork
access-list Development_access_in extended permit ip any any
access-list SPLIT standard permit 10.222.220.0 255.255.252.0
access-list SPLIT standard permit 10.10.10.0 255.255.255.0
access-list SPLIT standard permit 192.168.175.0 255.255.255.0
access-list SPLIT standard permit 10.199.196.0 255.255.252.0
access-list SPLIT standard permit 192.168.222.0 255.255.255.0
access-list Rogers-LAN-EXT_access_in extended permit object-group DM_INLINE_SERVICE_8 any any
access-list Rogers-LAN-EXT_access_in extended permit ip any any
access-list AllIn1_splitTunnelAcl standard permit 192.168.175.0 255.255.255.0
access-list PoC-Phone_access_in extended permit object-group DM_INLINE_SERVICE_10 object PoC-Phone object-group DM_INLINE_NETWORK_2
access-list PoC-Phone_access_in extended permit object-group DM_INLINE_SERVICE_11 object PoC-Phone any
access-list PoC-Phone_access_in extended permit object-group DM_INLINE_SERVICE_9 any any
access-list PoC-Phone_access_in extended permit ip any any
access-list TechMonks-Split standard permit 10.222.220.0 255.255.252.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.222.225.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.175.0 255.255.255.0 object FOCU-NET
access-list McCallum_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list McCallum_access_in extended permit ip any any
access-list McCallum-Split standard permit 10.40.40.0 255.255.252.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_cryptomap_1 extended permit ip 10.222.220.0 255.255.252.0 object-group DM_INLINE_NETWORK_4
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_5 object TMG-HQLocalNetwork
access-list AirbossMimic_access_in extended permit ip any any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging host Rogers-LAN-EXT 10.199.198.225
logging permit-hostdown
flow-export destination Rogers-LAN-EXT 10.199.199.59 2055
flow-export destination Rogers-LAN-EXT 10.199.198.225 2055
flow-export template timeout-rate 1
mtu outside 1500
mtu inside 1500
mtu AirbossMimic 1500
mtu Development 1500
mtu Security 1500
mtu Rogers-LAN-EXT 1500
mtu New-Phone 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any Development
icmp permit any Security
icmp permit any Rogers-LAN-EXT
icmp permit any New-Phone
asdm image disk0:/asdm-791.bin
no asdm history enable
arp inside 10.222.220.225 5cff.3505.9be2
arp inside 10.222.222.222 013c.970e.7be6
arp timeout 28800
no arp permit-nonconnected
arp rate-limit 16384
nat (Development,outside) source static TMGInside TMGInside destination static TMG-HQLocalNetwork TMG-HQLocalNetwork no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.222.220.0_22 NETWORK_OBJ_10.222.220.0_22 destination static NETWORK_OBJ_10.199.196.0_22 NETWORK_OBJ_10.199.196.0_22 route-lookup
nat (inside,Rogers-LAN-EXT) source static Inside_Network Inside_Network destination static NETWORK_OBJ_10.199.196.0_22 NETWORK_OBJ_10.199.196.0_22 route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static A1-Rogers-VPNPool A1-Rogers-VPNPool no-proxy-arp route-lookup
nat (inside,Rogers-LAN-EXT) source static Inside_Network Inside_Network destination static A1-Rogers-VPNPool A1-Rogers-VPNPool no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.222.220.0_22 NETWORK_OBJ_10.222.220.0_22 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (Development,outside) source static NETWORK_OBJ_192.168.175.0_24 NETWORK_OBJ_192.168.175.0_24 destination static FOCU-NET FOCU-NET no-proxy-arp route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static NETWORK_OBJ_10.222.225.0_24 NETWORK_OBJ_10.222.225.0_24
nat (New-Phone,outside) source static PoC-Phone PoC-Phone destination static NETWORK_OBJ_10.222.225.0_24 NETWORK_OBJ_10.222.225.0_24
nat (inside,outside) source static Inside_Network Inside_Network destination static TechMonksNet TechMonksNet
nat (inside,New-Phone) source static NETWORK_OBJ_10.222.220.0_22 NETWORK_OBJ_10.222.220.0_22 destination static Fibernetics-Phone Fibernetics-Phone
nat (Development,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.222.225.0_24 NETWORK_OBJ_10.222.225.0_24
nat (inside,Development) source static Inside_Network Inside_Network destination static NETWORK_OBJ_192.168.175.0_24 NETWORK_OBJ_192.168.175.0_24
nat (inside,Security) source static Inside_Network Inside_Network destination static Security_Net Security_Net
nat (Development,outside) source static NETWORK_OBJ_192.168.175.0_24 NETWORK_OBJ_192.168.175.0_24 destination static TMG-HQLocalNetwork TMG-HQLocalNetwork no-proxy-arp route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static NETWORK_OBJ_10.199.196.0_22 NETWORK_OBJ_10.199.196.0_22 no-proxy-arp route-lookup
!
object network Generic
nat (any,outside) dynamic interface
object network SecurityController
nat (Security,outside) static interface service tcp 2601 2601
object network Security_Net
nat (inside,inside) dynamic interface dns
object network Fibernetics-Phone
nat (inside,inside) dynamic interface dns
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group AirbossMimic_access_in in interface AirbossMimic
access-group Development_access_in in interface Development
access-group Security_access_in in interface Security
access-group Rogers-LAN-EXT_access_in in interface Rogers-LAN-EXT
access-group PoC-Phone_access_in in interface New-Phone
route Rogers-LAN-EXT 10.199.196.0 255.255.252.0 172.30.1.199 1 track 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Development 10.170.150.0 255.255.254.0 192.168.175.2 1
route outside 10.199.196.0 255.255.252.0 x.x.x.x 150
route Rogers-LAN-EXT 192.168.222.0 255.255.255.0 172.30.1.199 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 666
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 Development
http 0.0.0.0 0.0.0.0 Security
snmp-server host Rogers-LAN-EXT 10.199.198.225 community ***** version 2c
snmp-server host inside 10.199.199.250 community *****
snmp-server host Rogers-LAN-EXT 10.199.199.59 community ***** version 2c udp-port 161
snmp-server host inside 10.222.220.135 community ***** version 2c
snmp-server host inside 10.222.222.12 community ***** version 2c udp-port 161
snmp-server host Development 10.199.199.125 community *****
snmp-server location A1-Office-KW
snmp-server contact The Man
snmp-server community *****
sysopt noproxyarp inside
sysopt noproxyarp Development
sysopt noproxyarp Security
sysopt noproxyarp Rogers-LAN-EXT
sysopt noproxyarp New-Phone
sla monitor 123
type echo protocol ipIcmpEcho 10.199.199.241 interface Rogers-LAN-EXT
num-packets 2
frequency 5
sla monitor schedule 123 life forever start-time now
sla monitor 124
type echo protocol ipIcmpEcho 172.30.1.199 interface Rogers-LAN-EXT
num-packets 2
frequency 5
sla monitor schedule 124 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer x.x.x.x
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 set security-association lifetime kilobytes unlimited
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=A1ASA.ableone.local
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=72.143.29.6
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
cdp-url http://A1ASA/+CSCOCA+/asa_ca.crl
issuer-name CN=A1ASA
smtp from-address admin@A1ASA.null
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable Rogers-LAN-EXT
crypto ikev1 enable outside
crypto ikev1 enable Rogers-LAN-EXT
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 124 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 Development
ssh 0.0.0.0 0.0.0.0 Security
ssh 0.0.0.0 0.0.0.0 Rogers-LAN-EXT
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 15

dhcpd update dns both override
!
dhcpd address 10.222.220.1-10.222.220.200 inside
dhcpd dns 10.222.222.12 10.199.199.110 interface inside
dhcpd lease 14400 interface inside
dhcpd domain ableone.com interface inside
dhcpd update dns both override interface inside
!
dhcpd address 192.168.1.15-192.168.1.20 AirbossMimic
dhcpd dns 8.8.8.8 interface AirbossMimic
dhcpd lease 28800 interface AirbossMimic
dhcpd enable AirbossMimic
!
dhcpd address 192.168.175.100-192.168.175.200 Development
dhcpd dns 8.8.8.8 8.8.4.4 interface Development
dhcpd lease 28800 interface Development
dhcpd domain ableone.com interface Development
dhcpd enable Development
!
dhcpd address 10.211.211.100-10.211.211.110 Security
dhcpd dns 10.222.222.12 10.199.199.110 interface Security
dhcpd enable Security
!
dhcpd address 10.10.10.11-10.10.10.200 New-Phone
dhcpd dns 8.8.8.8 interface New-Phone
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 69.87.223.252 source outside
ntp server 198.245.51.213 source outside
ntp server 174.142.39.145 source outside
ntp server 144.217.65.182 source outside
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA"
webvpn
port 444
enable outside
enable Development
dtls port 444
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.4.04030-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.4.04030-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
internal-password enable
cache
disable
error-recovery disable
group-policy A1-Office internal
group-policy A1-Office attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
vlan none
group-policy TechMonks internal
group-policy TechMonks attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-lock value TechMonks
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TechMonks-Split
address-pools value TechMonks-Pool
webvpn
anyconnect keep-installer installed
group-policy DfltGrpPolicy attributes
dns-server value 10.222.222.12
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
default-domain value ableone.com
group-policy GroupPolicy_McCallumVPN internal
group-policy GroupPolicy_McCallumVPN attributes
wins-server none
dns-server value 10.40.40.3 10.40.40.4
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value McCallum-Split
default-domain value mccs.local
group-policy GroupPolicy_206.47.171.229 internal
group-policy GroupPolicy_206.47.171.229 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_108.63.14.146 internal
group-policy GroupPolicy_108.63.14.146 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_38.17.20.92 internal
group-policy GroupPolicy_38.17.20.92 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_162.212.232.190 internal
group-policy GroupPolicy_162.212.232.190 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy AllIn1 internal
group-policy AllIn1 attributes
dns-server value 10.222.222.12
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AllIn1_splitTunnelAcl
default-domain value ableone.local
dynamic-access-policy-record A1Office-VPN
webvpn
file-browsing enable
file-entry enable
svc ask enable default svc
always-on-vpn profile-setting
dynamic-access-policy-record DfltAccessPolicy
username sshah password $sha512$5000$ClD9dCJ3YKRaTRNSsHNgfQ==$NHmW8ZGmZWHIJvIWkIzGFQ== pbkdf2
username sshah attributes
vpn-group-policy A1-Office
username rbruce password $sha512$5000$5RHk0rfna+EIf+JIliQwfg==$2Ast7zSQjYSCLQcLQ/e9vA== pbkdf2
username rbruce attributes
service-type remote-access
username duane password $sha512$5000$eIUdrP+2sUi793Y5dXITFQ==$+lBhAG9YTqx31d75yYkjvg== pbkdf2
username duane attributes
service-type remote-access
username TechWiz password xOJJwOGzbSO9kaoh encrypted privilege 0
username TechWiz attributes
vpn-group-policy TechMonks
username rcampbell password Xrq5bBsSgAwmVi6/ encrypted
username ModernWorks password lEz0kDHlI4p17C1A encrypted
username asuter password $sha512$5000$tJiJxbT9YAljbs6/UDygSw==$9KTGAjw2HZssB7fAD7sUmw== pbkdf2
username ableone password 0Tf7jgrtHuufsPfn encrypted privilege 15
username dperco password 0MLknrIFlnuxm2yq encrypted
username grant password yosASoGeVtPsSimX encrypted
username dbryndza password $sha512$5000$NukH6y2heDYMNfVLuEgTeA==$geQe68P3mxvmUsyLqTdaPw== pbkdf2
username dbryndza attributes
vpn-group-policy A1-Office
username gary password pw4mQ7q5jaWBQAwY encrypted privilege 0
username gary attributes
vpn-group-policy A1-Office
username tschmied password $sha512$5000$b9D4n9NkYDC3mP2k5ctqbw==$kfWRi3l2bJUa1lJJvSQhOA== pbkdf2
username tschmied attributes
vpn-group-policy A1-Office
username stefan password zY5pJt05Q/cLKBQu encrypted privilege 0
username stefan attributes
vpn-group-policy A1-Office
username kstewart password r.8BdlmN.awUt.jr encrypted
username ltelford password Oeiv3AKot.fFvAeQ encrypted
username iainc password FNTpNDsweZwyUbq6 encrypted
username ahmad password $sha512$5000$07NbzR/UlobCUCnG5sbRkw==$xryLn0YmK/NCymSXAyk9IQ== pbkdf2
username hreis password PO/dXbvjQvgwuhVU encrypted privilege 15
username jacques password $sha512$5000$SoRvhXGGTL4eazlCy4TgDw==$2gvmthISgFHxhOZNRje4qA== pbkdf2
username jacques attributes
vpn-group-policy A1-Office
username ConnsVPN password kqpJnFnJzCSLBiNb encrypted
username Mark password 6CqaphipqizA6Oak encrypted
username Boris password cppW657xqLCPmd99 encrypted
username lainc password jXJwMr8udXb0Ou/U encrypted
username Henrique password D8B0md9ueZShbM8h encrypted privilege 15
username MC-Test password $sha512$5000$56wKwJmsFr5B8PJSz0zh1w==$Gwehw5e2qeIlk+Y4TWeqwA== pbkdf2
username MC-Test attributes
vpn-group-policy GroupPolicy_McCallumVPN
group-lock value McCallumVPN
username lsingh password $sha512$5000$hE+PMcJpeidWMGQiJTv3mA==$Hj8aX/o6mIx2V1oaaZUSIw== pbkdf2 privilege 15
username BMcKnight password dTSBl1FwtuN5DHVH encrypted
username BMcKnight attributes
service-type remote-access
tunnel-group 108.63.14.146 type ipsec-l2l
tunnel-group 108.63.14.146 general-attributes
default-group-policy GroupPolicy_108.63.14.146
tunnel-group 108.63.14.146 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group A1Office type remote-access
tunnel-group A1Office general-attributes
address-pool VPNpool
default-group-policy A1-Office
tunnel-group A1Office webvpn-attributes
group-alias A1Office enable
tunnel-group ServiceVPN type remote-access
tunnel-group ServiceVPN general-attributes
address-pool VPNpool
tunnel-group ServiceVPN webvpn-attributes
group-alias A1-Service enable

tunnel-group AllIn1 type remote-access
tunnel-group AllIn1 general-attributes
address-pool VPNpool
default-group-policy AllIn1
tunnel-group AllIn1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TechMonks type remote-access
tunnel-group TechMonks general-attributes
address-pool TechMonks-Pool
default-group-policy TechMonks
tunnel-group TechMonks webvpn-attributes
group-alias TechMonks enable

tunnel-group 206.47.171.229 type ipsec-l2l
tunnel-group 206.47.171.229 general-attributes
default-group-policy GroupPolicy_206.47.171.229
tunnel-group 206.47.171.229 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group McCallumVPN type remote-access
tunnel-group McCallumVPN general-attributes
address-pool McCallum-Pool
default-group-policy GroupPolicy_McCallumVPN
tunnel-group McCallumVPN webvpn-attributes
group-alias McCallumVPN enable
tunnel-group 38.17.20.92 type ipsec-l2l
tunnel-group 38.17.20.92 general-attributes
default-group-policy GroupPolicy_38.17.20.92
tunnel-group 38.17.20.92 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 162.212.232.190 type ipsec-l2l
tunnel-group 162.212.232.190 general-attributes
default-group-policy GroupPolicy_162.212.232.190
tunnel-group 162.212.232.190 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
description class-default
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect pptp
class class-default
flow-export event-type all destination 10.199.199.59 10.199.198.225
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:28e111de1cbc1cd58bf1a3963111d5c5
: end

topic Re: Cisco ASA - ssh not working on WAN interface in Network Security

Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface

Re: Cisco ASA - ssh not working on WAN interface