topic Re: ASA 5506 - no SSH possible in Network Security

ASA 5506 - no SSH possible

Maurizio Caloro — Sun, 28 Feb 2021 10:02:40 GMT

Hello Together
Please i will open for LAN "Inside" the SSH Port. try with this commands but no postive result appair "Connection redused"

i know iam on the right way, please and thanks for any Update:

asa(config)# crypto key generate rsa general-keys modulus 2048
Keypair generation process begin. Please wait...
asa(config)# username SSH password *********
asa(config)# aaa authentication ssh console LOCAL
asa(config)# ssh version 2
asa(config)# wr

regards

Mauri

Re: ASA 5506 - no SSH possible

balaji.bandi — Sun, 28 Feb 2021 10:09:13 GMT

Try below and test it

ssh 10.10.10.0 255.255.255.0 inside ( replace the network 10.10.10.0/24 with your network)

Re: ASA 5506 - no SSH possible

ngkin2010 — Sun, 28 Feb 2021 10:11:30 GMT

Hi,

You will need to define the whitelist for incoming SSH connection.

ssh [security-zone] [whitelisted-prefix/ip] [mask]
ssh inside 192.168.1.100 255.255.255.255

Also, you need to ssh from the same security zone that with the ASA interface. For example, outisde interface (100.64.0.1/30) & inside interface (192.168.1.1/24). You could ssh to ASA's 192.168.1.1 from 192.168.1.100, but you cannot ssh to ASA's 100.64.0.1 from 192.168.1.100.

Re: ASA 5506 - no SSH possible

Marvin Rhoads — Sun, 28 Feb 2021 11:08:42 GMT

In addition to what the other have mentioned, please also ensure that you have the 3DES-AES license enabled on your ASA.

Re: ASA 5506 - no SSH possible

Sheraz.Salim — Sun, 28 Feb 2021 11:26:25 GMT

as Marvin mentioned you need to make sure you have the 3DES-AES licence. to check if you have 3DES and 3DES-AES enable. issue a command "show version"

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

also you can issue a command "show ssh ciphers" to check what encrytion is available and what encrytion is configured. or

show run all ssh cipher
ssh cipher encryption medium
ssh cipher integrity high

show run all ssh

your command/configuration is right. however, just to mention you need to define the privi level too.

"username SSH password xxxxx privilege 15"

as ngkin2010 mentioned you need to specified which interface you landing/coming from (source ip). rest your configuration is solid.

Re: ASA 5506 - no SSH possible

Maurizio Caloro — Sun, 28 Feb 2021 13:49:01 GMT

thanks for so meny answer, did anything but no result.... the ssh port for LAN usage still closed.

asa(config)# ssh 192.168.1.1 255.255.255.0 inside
ERROR: % Ambiguous command: "ssh 192.168.1.0 255.255.255.0 inside"

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

asa(config)# show run all ssh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh cipher encryption medium
ssh cipher integrity high
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 inside_7
ssh 192.168.1.1 255.255.255.255 inside_7

Inside_7 = are connectec to my PC

yes, wr also are done.

Re: ASA 5506 - no SSH possible

balaji.bandi — Sun, 28 Feb 2021 14:29:04 GMT

ssh 192.168.1.0 255.255.255.0 inside_7 (inside most people uses , if this is your only insde interface that should work)
no ssh 192.168.1.1 255.255.255.255 inside_7 - you do not need this one since above subnet cover all.

To assists better post-complete configuration. ( show run post output.)

what is the IP address you trying to SSH to ASA ?

Re: ASA 5506 - no SSH possible

Marvin Rhoads — Sun, 28 Feb 2021 14:31:56 GMT

Please share the output of:

show asp table socket | i 22

Re: ASA 5506 - no SSH possible

Sheraz.Salim — Sun, 28 Feb 2021 14:49:18 GMT

I think the problem is you give the ip address and than you mentioned the subnet.

asa(config)# ssh 192.168.1.1 255.255.255.0 inside
ERROR: % Ambiguous command: "ssh 192.168.1.0 255.255.255.0 inside"

where as it has to be like thiks "ssh 192.168.1.0 255.255.255.0 inside_7" not ssh 192.168.1.1 255.255.255.0 inside

now if you want only 192.168.1.1 to access the firewall on ssh than it has to be in this way 192.168.1.1 255.255.255.255 inside.

Re: ASA 5506 - no SSH possible

Maurizio Caloro — Mon, 01 Mar 2021 07:24:27 GMT

thanks for answer, try to reach with the application Putty the ASA

asa(config)# show asp table socket | i 22
TCP 040fb558 LISTEN 192.168.1.1:22 0.0.0.0:*

asa(config)# sh run ssh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 inside_7
ssh 192.168.1.1 255.255.255.255 inside_7

@Sheraz.Salim

Sorry this was my error, hear reply:

asa(config)# ssh 192.168.1.1 255.255.255.0 inside
ERROR: % Ambiguous command: "ssh 192.168.1.1 255.255.255.0 inside"

this FW are new... but have also other strange problem..... SSH are not reachable (Network Connection refused)
Clients that are connected to ASA like ESXI, Printers, DNS Server are not pingable at all times !

if unplug Printer,Esx to other switch, Printer are pingable, if plugin back to ASA, for first the Printer, Esxi and all other Clients are pingable, after a certain time, the printer, Esxi cannot be reached again.

G1/1 Outside - WAN
G1/2 INSIDE - Switch to other floor
G1/4 INSIDE - Printer
G1/5 INSIDE - ESXI
G1/6 INSIDE - DNS
G1/7 INSIDE - other Server

Bevor i had Juniper and Forti, and newer, newer i had problem like this 🙂

also attached the ASA Config, thanks for possible answer
Mauri

Re: ASA 5506 - no SSH possible

Marvin Rhoads — Mon, 01 Mar 2021 07:46:17 GMT

You asp table socket shows the ASA is only listening for incoming ssh from 192.168.1.1. Since that is the address of the BVI on the ASA, you need to remove that line in the config and makes sure the "ssh 192.168.1.0 255.255.255.0 inside" is the only ssh access restriction command in place.

For your devices on the subnet not being reachable, please add "same-security-traffic permit intra-interface" to the configuration. This will allow the ASA to forward traffic back out the incoming interface for those hosts. They work for a while when moved from the other switch due to their being in the clients' arp caches and when that times out the ASA gets the requests for them and by default will not forward the traffic back ou the receiving interface.

Re: ASA 5506 - no SSH possible

balaji.bandi — Mon, 01 Mar 2021 14:45:56 GMT

as suggested before :

ssh 192.168.1.0 255.255.255.0 inside_7   (inside most people uses , if this is your only insde interface that should work)
no ssh 192.168.1.1 255.255.255.255 inside_7  - you do not need this one since above subnet cover all.

Re: ASA 5506 - no SSH possible

Maurizio Caloro — Tue, 02 Mar 2021 06:46:35 GMT

Hello Everyone

now reset the FW with "config factory-default" ok.

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

but ssh stil are closed, connection refused.

Re: ASA 5506 - no SSH possible

balaji.bandi — Tue, 02 Mar 2021 09:58:52 GMT

After resetting did you configure below :

aaa authentication ssh console LOCAL
username XXXX passowrd

please post the complete config again, show run, also what client you using.

are you able to ping 192.168.1.1

Quick question is this your intention of BVI with inside_1 to 7 (since we see this is a bug) - it automatically creates.

read this post :

https://www.petenetlive.com/KB/Article/0001422

in that case, still, you need to use the inside interface here. Try below :

no ssh 192.168.1.0 255.255.255.0 inside_7

ssh 192.168.1.0 255.255.255.0 inside