topic Re: can't SSH to inside interface on ASA in Network Security

can't SSH to inside interface on ASA

naresh.narang — Tue, 12 Mar 2019 00:54:46 GMT

Hi there

I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?

TIA

Sent from Cisco Technical Support iPhone App

can't SSH to inside interface on ASA

Jennifer Halim — Thu, 31 Jan 2013 03:15:35 GMT

Can you pls share the config, and also advise which ip you are trying to ssh to the inside interface from?

can't SSH to inside interface on ASA

naresh.narang — Thu, 31 Jan 2013 04:00:16 GMT

Hi there,

Here it is -

interface Ethernet0/1

switchport access vlan 2

speed 100

duplex full

interface Vlan2

description INSIDE

nameif INSIDE

security-level 100

ip address 192.168.1.1 255.255.255.0

ssh 192.168.1.0 255.255.255.0 INSIDE

Trying to ssh from the L3 switch directly connected to the inside interface.

Thanks -

can't SSH to inside interface on ASA

Julio Carvajal — Thu, 31 Jan 2013 05:33:03 GMT

Hello Naresh,

Share the following

cap asp type asp-drop all circular-buffer

cap capin interface inside match tcp x.x.x.x (switch ip address) 192.168.1.1 eq 22

Then try to connect and share the whole output of

show cap capin

show cap asp | include x.x.x.x (Switch Ip)

Can you ping the Switch interface from the ASA?

Can you ping the ASA from the switch?

Regards

can't SSH to inside interface on ASA

naresh.narang — Thu, 31 Jan 2013 06:04:00 GMT

Hi there,

Here it is -

asa01(config)# sh cap capin

4 packets captured

1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128

2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128

3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128

4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128

4 packets shown

asa01(config)#

asa01(config)# sh cap asp

0 packet captured

0 packet shown

asa01(config)#

Can you ping the Switch interface from the ASA? - Yes

Can you ping the ASA from the switch? - Yes

Re: can't SSH to inside interface on ASA

Andrew Phirsov — Thu, 31 Jan 2013 06:47:18 GMT

Maybe your problem has something to do with incompartability of ssh versions (1,2) current/allowed key size or smth between an ASA and your switch . Try to regenerate keys with greater/lower modulus size, check ssh version on a switch, try to connect not from a sitch but from some ssh-client.

can't SSH to inside interface on ASA

naresh.narang — Thu, 31 Jan 2013 06:56:03 GMT

Andrew,

Thanks for your ideas. I reduced key size from 2k to 1k but it still didn't work. From same switch I can ssh to ASA's public IP but I tried from ssh client on a server but encountered same issue.

Naresh

can't SSH to inside interface on ASA

Jennifer Halim — Thu, 31 Jan 2013 07:24:57 GMT

What is the ASA version?

Re: can't SSH to inside interface on ASA

david.tran — Thu, 31 Jan 2013 10:33:42 GMT

I think this is a "known" issue. I had this ssh issue several years on a Pix525 (telnet worked but not ssh) on the "inside" interface. SSH was working before on the "inside" interface for a long time and all of the sudden, it just stopped working

After 3 months of troubleshooting with TAC, it went nowhere and I had to reboot the Pix to fix the issue. TAC was not helpful at all.

You can either waste a lot time with TAC or just reboot the box. 99.99% of the time, a reboot will fix it. Remember, sometime the ASA box behaves just like Microsoft Windows

can't SSH to inside interface on ASA

naresh.narang — Thu, 31 Jan 2013 14:40:43 GMT

Adaptive Security Appliance Software Version 8.2(5)

Yes David, that was it. I had seen this with Pix and thought of rebooting but couldn't believe this can happen again. It gave me a lot of headache. Worked after reboot. Thanks so much all.

--Naresh