topic Hi Mike,I have started over in Network Security

permit ssh from external to internal

styler001 — Tue, 12 Mar 2019 06:25:33 GMT

Hello,

Haven't used Cisco firewall in over a decade.

I have a shiny new Cisco ASA 5506-x. I have configured it almost exactly like this:

http://blog.router-switch.com/2015/03/quick-guide-how-to-start-a-cisco-asa-5506-x/

and I used the ASDM app to add a rule under Configuration->Firewall->Access rules to permit inbound SSH.

When I try to connect via SSH, the connection times out. The error I see on the Cisco is:

denied due to nat reverse path failure

I am trying to set up a test environment and permit ssh, once I have that in place I think I can iterate and get a proper config up.

How do I permit SSH from external to internal?

Thanks for your patience,

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address xxx.89.50.122 255.255.255.248

ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any unidirectional no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http xxx.89.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address xxx.89.50.124-xxx.89.50.126 inside
dhcpd enable inside

You are trying to allow SSH

Maykol Rojas — Fri, 14 Aug 2015 17:23:28 GMT

You are trying to allow SSH access from outside to the box or to a machine inside the network?

To the box would be:

ssh 0 0 outside (allowing any, you can make it more specific putting the subnet or host)

aaa authentitcation ssh console LOCAL

crypto key generate rsa mod 1024

and then create a username and a password and you should be good.

If it is to allow access from outside to inside over ssh (and using the firewall IP to do port forward), you can do the following:

object network host

host x.x.x.x

object service SSH

service tcp source eq 22

nat (inside,outside) source static host service SSH SSH

access-list outside permit tcp any host x.x.x.x eq 22

access-group outside in interface outside

At this point, try to ssh to the Outside interface of the firewall, that should do it.

If you want to access it using the internal real IP address, modify the config I gave you to reflect the values you want (meaning on the interface keyword, using the same object "host")

Mike.

ciscoasa(config)# nat (inside

styler001 — Fri, 14 Aug 2015 20:47:58 GMT

ciscoasa(config)# nat (inside,outside) source static host service SSH SSH
^
ERROR: % Invalid input detected at '^' marker.

ciscoasa(config)# access-list outside permit tcp any host 192.168.110.201 eq 22
ciscoasa(config)# access-group outside in interface outside

The error is detected at the first SSH

Hi Mike,I have started over

styler001 — Fri, 14 Aug 2015 21:00:00 GMT

Hi Mike,

I have started over again.

my intent is to allow access from outside to inside over ssh, as a simple test, using the firewall IP to do port forward. It appears from reading the builtin help as if I can do this purely via GUI, and without manually configuring NAT/ACL, simply by using the Firewall function "Public Servers" however this fails to work; I believe that command line work is required. While I'm not familiar with Cisco I've worked with Juniper, Sonicwall, iptables. Part of my problem is that a lot of the examples i can find on the net refer to older ASA version.

I am on ASA 9.3 and I suspect the syntax differs from what you suggest, here is what I'm trying:

a static one to one NAT as a simple test

ciscoasa(config)# object network vmware
ciscoasa(config-network-object)# host 192.168.1.6
ciscoasa(config-network-object)# nat (inside,outside) static 192.168.110.201
ERROR: Address 192.168.110.201 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

current error: tcp access denied by ACL from 192.168.110.199/41256 to outside 192.168110.201/22

I see no way using the GUI to assign another IP to the external interface.

ASA Version 9.3(2)2
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.110.201 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VmwareHypervisor
host 192.168.1.6
object network Vmware
host 192.168.1.6
object network Public_Vmware
host 192.168.110.202
object network public_outside
host 192.168.110.201
object network host
host 192.168.1.6
object service SSH
service tcp source eq ssh
object network vmware
host 192.168.1.6
access-list outside_access_in extended permit tcp interface outside object VmwareHypervisor eq ssh
access-list outside_access_in extended permit tcp interface outside interface inside eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp interface outside interface inside eq ssh
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.6 eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.69.120.201 source outside
ntp server 23.226.142.216 source outside
ntp server 108.59.2.24 source outside
dynamic-access-policy-record DfltAccessPolicy

object network vmwarehost 192

Jon Marshall — Fri, 14 Aug 2015 21:47:18 GMT

object network vmware
host 192.168.1.6
nat (inside,outside) static interface service tcp 22 22

in addition your acls are wrong ie.

the "inside_access_in" is permitting ip any any which is allowed by default from a higher to lower security interface so you may as well remove it ie. -

"no access-group inside_access_in in interface inside"

your "outside_access_in" acl makes no sense because the source will never be the interface IP address however your "ACL-OUTSIDE-IN" does make sense and is correct so can you replace the existing acl with that one ie. -

"access-group ACL-OUTSIDE-IN in interface outside"

from memory that should overwrite the existing entry. If it complains that there is already an acl applied to the outside interface then remove the existing one first ie.

"no access-group outside_access_in in interface outside"

You may also want to read this doc which gives an excellent overview of NAT post 8.3 and recommendations as to where to place certain rules etc. -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon

Thank you for the

styler001 — Fri, 14 Aug 2015 21:59:18 GMT

Thank you for the recommendations. I'm trying to use the GUI but I think i might actually be better off learning the cisco command line. I will try your recommendations on Monday and report back in. also I could swear that the inside_access_in permitting ip any any was created by default by the ADSM GUI,

It may have been created by

Jon Marshall — Fri, 14 Aug 2015 22:09:02 GMT

It may have been created by default, couldn't really say because I don't use the GUI.

You should be able to do all of the above using ASDM and there will be configuration examples on the Cisco site but I only know the CLI unfortunately.

See how you get on with it next week and by all means come back if you need more help.

Jon