https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818772#M1099703 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/135620">@nflnetwork</a> that command should permit access SSH access from any IP address connecting on the outside interface, no ACL required.</P> <P>Can you actually SSH to the ASA from any other interface?<BR />Is authentication and RSA keypair already setup?</P> <P>Example - <A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf</A></P> <P>username admin password &lt;password&gt; privilege 15<BR />crypto key generate rsa modulus 2048<BR />aaa authentication ssh console LOCAL<BR />ssh version 2</P> <P>&nbsp;</P> Thu, 20 Apr 2023 17:16:04 GMT Rob Ingram 2023-04-20T17:16:04Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818765#M1099702 <P>i aded ssh 0.0.0.0 0.0.0.0 Outside but still cannot connect ssh to my outside interfae&nbsp;</P><P>&nbsp;</P><P>do I also require any access-list?</P><P>&nbsp;</P><P>do we have any example i can look at?</P> Thu, 20 Apr 2023 17:00:26 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818765#M1099702 nflnetwork 2023-04-20T17:00:26Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818772#M1099703 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/135620">@nflnetwork</a> that command should permit access SSH access from any IP address connecting on the outside interface, no ACL required.</P> <P>Can you actually SSH to the ASA from any other interface?<BR />Is authentication and RSA keypair already setup?</P> <P>Example - <A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf</A></P> <P>username admin password &lt;password&gt; privilege 15<BR />crypto key generate rsa modulus 2048<BR />aaa authentication ssh console LOCAL<BR />ssh version 2</P> <P>&nbsp;</P> Thu, 20 Apr 2023 17:16:04 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818772#M1099703 Rob Ingram 2023-04-20T17:16:04Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818773#M1099704 <P>Try this way</P> <P>Add new interfaces (any one)</P> <P>Make it security level =0 and make security level of outside interface =1</P> <P>Abd the&nbsp; try ssh to ASA</P> Thu, 20 Apr 2023 17:16:23 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818773#M1099704 MHM Cisco World 2023-04-20T17:16:23Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818783#M1099705 <P>still not able to pass traffic.</P><P>&nbsp;</P><P>ssh traffic on my outside interface OR inside traffic out to Outside other than ICMP&nbsp;</P><P>&nbsp;also noticing cannot get inside, outside traffic working now&nbsp;</P><P>&nbsp;</P><P>i can ping 8.8.8.8 from inside host but cannot get anything else&nbsp;</P><P>&nbsp;</P><P>no ACL should be required for this correct???</P><P>&nbsp;</P><P>ge0/0 -wan&nbsp;</P><P>security level 1</P><P>&nbsp;</P><P>ge 0/1 - lan&nbsp;</P><P>security level 100</P><P>nat (Inside,Outside) dynamic interface&nbsp;</P><P>&nbsp;</P> Thu, 20 Apr 2023 17:50:14 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818783#M1099705 nflnetwork 2023-04-20T17:50:14Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818786#M1099706 <P>No ACL require but there must be any interface in ASA that have security level lower than outside, add any dummy interface and check.</P> Thu, 20 Apr 2023 17:54:43 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818786#M1099706 MHM Cisco World 2023-04-20T17:54:43Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818789#M1099707 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/135620">@nflnetwork</a> if you cannot from SSH from any interface do you even have the 3DES/AES license?</P> <P>You didn't respond to the initial question regarding with you have a RSA keypair and authentication setup.</P> Thu, 20 Apr 2023 17:58:13 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818789#M1099707 Rob Ingram 2023-04-20T17:58:13Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818791#M1099708 <P>configured ge0/2 with security level 0&nbsp;</P><P>changed ge0/0 - wan to security level 1</P><P>same issue&nbsp;</P> Thu, 20 Apr 2023 17:58:48 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818791#M1099708 nflnetwork 2023-04-20T17:58:48Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818795#M1099710 <P>if not solve you issue then check&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp; suggestion&nbsp;</P> Thu, 20 Apr 2023 18:03:17 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818795#M1099710 MHM Cisco World 2023-04-20T18:03:17Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818797#M1099711 <P>yes, it works on inside interface.&nbsp;</P> Thu, 20 Apr 2023 18:04:50 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818797#M1099711 nflnetwork 2023-04-20T18:04:50Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818802#M1099712 <P>yes i can SSH from the inside interface - no issue&nbsp;</P> Thu, 20 Apr 2023 18:12:21 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818802#M1099712 nflnetwork 2023-04-20T18:12:21Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818807#M1099713 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/135620">@nflnetwork</a> so when you fail to SSH to the outside interface, where are you physically connected? You cannot be connected on the inside and SSH to the outside interface, that won't work. You'd need to SSH to the outside interface when connected on the outside.</P> <P>&nbsp;</P> Thu, 20 Apr 2023 18:21:11 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818807#M1099713 Rob Ingram 2023-04-20T18:21:11Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818809#M1099714 <P>host on my LAN (192.168.254.2) &gt; to inside interface on ASA (192.168.254.1) - ssh works</P><P>&nbsp;</P><P>when trying to ssh to outside interface i am on the internet</P> Thu, 20 Apr 2023 18:23:42 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818809#M1099714 nflnetwork 2023-04-20T18:23:42Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818811#M1099715 <P>Under g0/2</P> <P>No shut&nbsp;</P> <P>And check again.&nbsp;</P> <P>Thanks&nbsp;</P> <P>MHM</P> Thu, 20 Apr 2023 18:23:54 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818811#M1099715 MHM Cisco World 2023-04-20T18:23:54Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818813#M1099716 <P>done. no change</P> Thu, 20 Apr 2023 18:26:24 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818813#M1099716 nflnetwork 2023-04-20T18:26:24Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818822#M1099717 <P>Ok, last point to check is are you config any PAT of SSH in asa?&nbsp;</P> Thu, 20 Apr 2023 18:43:19 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818822#M1099717 MHM Cisco World 2023-04-20T18:43:19Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818828#M1099718 <P>the only nat i have is&nbsp;</P><P>&nbsp;</P><PRE>object network inside-subnet<BR /> subnet 192.168.254 255.255.255.0<BR /> nat (inside,outside) dynamic interface</PRE><P>&nbsp;</P> Thu, 20 Apr 2023 18:53:48 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818828#M1099718 nflnetwork 2023-04-20T18:53:48Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818842#M1099720 <P>hello all - it is workin now.&nbsp;</P><P>&nbsp;</P><P>we had an upstream WAN switch with an ACL blocking the traffic.&nbsp;</P> Thu, 20 Apr 2023 19:38:00 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818842#M1099720 nflnetwork 2023-04-20T19:38:00Z https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818844#M1099722 <P>glad your issue solved<BR />thanks for update&nbsp;<BR />just for note it work with or without security level change of OUTside interface ?</P> Thu, 20 Apr 2023 19:40:18 GMT https://community.cisco.com/t5/network-security/unable-to-ssh-to-asa-on-outside-interface/m-p/4818844#M1099722 MHM Cisco World 2023-04-20T19:40:18Z