https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012832#M23167 <P><STRONG>ssh 10.136.100.226 255.255.255.255 outside</STRONG></P><P>in above command it is saying <STRONG>let someone allow to SSH</STRONG> when the source IP of that request is <STRONG>''10.136.100.226 255.255.255.255''</STRONG> and is coming from <STRONG>''outside''</STRONG> interface. If your outisde interface is connected to internet then there is no chance that such request will ever come true.</P><P>so possibly it's a miss configured or type error and i'm sure if you remove it then there will be no impact on operation/management of your firewall.</P> Thu, 16 Jan 2020 17:07:55 GMT salman abid 2020-01-16T17:07:55Z https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012586#M23165 <P>Hello experts,</P><P>&nbsp;</P><P>Could you please explain me the below couple of query?</P><P>&nbsp;</P><P>1.&nbsp;ssh 10.136.100.226 255.255.255.255 outside---- In my asa FW I could see this command. Whether the command is to take the ssh from outside? I tried to ssh into the device with the mentioned IP but failed. But any way I have another IP configured for the vty lines. My query is that what exactly the command do?</P><P>2.&nbsp;no-proxy-arp route-lookup--- I seen for the dynamic NO NAT at least they have given the proxy-arp command. Why this command is used.</P><P>&nbsp;</P><P>Regards,</P><P>Sathish</P> Thu, 16 Jan 2020 12:08:47 GMT https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012586#M23165 SathishkumarSaravanan0348 2020-01-16T12:08:47Z https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012605#M23166 <P>Hi,</P><P>Yes, with that command you should be able to SSH to the ASA itself from 10.136.100.226.</P><P>Have you generated an rsa key, configured the aaa commands for SSH and obviously defined a username and password?</P><P>&nbsp;</P><PRE><EM>crypto key generate rsa modulus 2048</EM><BR /><EM>aaa authentication ssh console LOCAL</EM><BR /><EM>ssh version 2<BR />username admin password YourPWord privilege 15</EM></PRE><P><SPAN class="ILfuVd"><SPAN class="e24Kjd">If you add the keyword <STRONG>no</STRONG>-<STRONG>proxy</STRONG>-<STRONG>arp</STRONG> to specific NAT commands, the ASA will not respond to ARP requests for the global IP subnet identified in those NAT statements. </SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="ILfuVd"><SPAN class="e24Kjd">HTH</SPAN></SPAN></P> Thu, 16 Jan 2020 12:40:27 GMT https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012605#M23166 Rob Ingram 2020-01-16T12:40:27Z https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012832#M23167 <P><STRONG>ssh 10.136.100.226 255.255.255.255 outside</STRONG></P><P>in above command it is saying <STRONG>let someone allow to SSH</STRONG> when the source IP of that request is <STRONG>''10.136.100.226 255.255.255.255''</STRONG> and is coming from <STRONG>''outside''</STRONG> interface. If your outisde interface is connected to internet then there is no chance that such request will ever come true.</P><P>so possibly it's a miss configured or type error and i'm sure if you remove it then there will be no impact on operation/management of your firewall.</P> Thu, 16 Jan 2020 17:07:55 GMT https://community.cisco.com/t5/network-security/asa-firewall/m-p/4012832#M23167 salman abid 2020-01-16T17:07:55Z