topic ASA SSH / Telnet in Network Security

ASA SSH / Telnet

jwood1650 — Tue, 12 Mar 2019 01:16:25 GMT

I just configured my ASA so I can remote access via SSH but I can't seem to get it to work. I have my ASA (10.0.10.1) with my wireleess router (192.168.0.1) connected via the WAN port. I should be able to access the ASA from my laptop (192.168.0.105) correct?

Here is my current config:

ASA Version 8.0(3)6

hostname Firewall

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 10.0.10.1 255.255.255.240

interface Vlan2

nameif outside

security-level 0

ip address 24.234.XXX.XXX 255.255.XXX.XXX

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

pager lines 24

logging enable

logging asdm warnings

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 24.234.118.193 1

route inside 192.168.0.0 255.255.255.0 10.0.1.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh timeout 15

console timeout 0

dhcpd address 10.0.10.2-10.0.10.12 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

ntp server 64.147.116.229 source outside prefer

username woodjl1650 password slFkVmxAtfauhVaf encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

message-length maximum client auto

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:2f1bd939ffb4683ec5c0b4265bd32951

: end

ASA SSH / Telnet

Jouni Forss — Tue, 19 Mar 2013 16:03:23 GMT

Hi,

In addition to the current SSH configurations you will need to issue the command

crypto key generate rsa modulus 2048

to be able to use SSH into the ASA

I'm not sure if you had problem with Telnet also? For that you dont atleast have the configuration allowing Telnet connections.

telnet 192.168.0.0 255.255.255.0 inside

- Jouni

ASA SSH / Telnet

jwood1650 — Tue, 19 Mar 2013 16:39:29 GMT

added that but now I can't ping from my ASA to my laptop....but I can ping my ASA from my laptop.... are my routes correct?

Firewall# show route

Gateway of last resort is 24.234.118.193 to network 0.0.0.0

C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback

C 24.234.118.192 255.255.255.224 is directly connected, outside

C 10.0.10.0 255.255.255.240 is directly connected, inside

S 192.168.0.0 255.255.255.0 [1/0] via 10.0.1.10, inside <----192.168.0.1 is my wireless router connected to e0/1

S* 0.0.0.0 0.0.0.0 [1/0] via 24.234.118.193, outside

ASA SSH / Telnet

Jouni Forss — Tue, 19 Mar 2013 16:46:57 GMT

Hi,

The command really shouldnt have any effect on any connections. Its a basic configuration needed on an ASA to enable SSH management connections.

Your route seems to be pointing to an address 10.0.1.10 which IS NOT part of the network 10.0.10.0/24.

So seems to be a typo there. Probably should be 10.0.10.10?

- Jouni

ASA SSH / Telnet

jwood1650 — Tue, 19 Mar 2013 16:55:41 GMT

yep type, corrected and still can't ping from my ASA to my laptop:

Firewall# show route

Gateway of last resort is 24.234.118.193 to network 0.0.0.0

C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback

C 24.234.118.192 255.255.255.224 is directly connected, outside

C 10.0.10.0 255.255.255.240 is directly connected, inside

S 192.168.0.0 255.255.255.0 [1/0] via 10.0.10.0, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 24.234.118.193, outside

Firewall# ping 192.168.0.1 <----------------Wireless Router

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

interface Vlan1

nameif inside

security-level 100

ip address 10.0.10.1 255.255.255.240 <--------ASA IP Address

ASA SSH / Telnet

Jouni Forss — Tue, 19 Mar 2013 17:01:13 GMT

We dont know how the router is configured.

We for example dont know if its doing some basic Dynamic PAT translation for the network 192.168.0.0/24 when traffic crosses from that network to the interface which is connected to the ASA.

It might be that you can PING from the hosts on the network 192.168.0.0/24 to the ASA interface IP address 10.0.10.1 BUT COULDNT PING the network 192.168.0.0/24 from the ASA. A NAT being on the Router might explain this behaviour.

If the router isnt doing any sort of NAT and is just simply routing then it should work with the ASA configurations.

So for you to be able to ping the network behind the router, the router can not do any type of NAT for its network 192.168.0.0/24

- Jouni

Re:ASA SSH / Telnet

jwood1650 — Tue, 19 Mar 2013 17:24:46 GMT

Sorry..my current config is at the top post...I am away from my ASA right now and can't repost it. But the NAT starement is: NAT (inside) 0.0.0.0 0.0.0.0 1

Sent from Cisco Technical Support Android App

ASA SSH / Telnet

Jouni Forss — Tue, 19 Mar 2013 17:34:12 GMT

I think you missunderstood me

To me it seems you have the following setup

- - 10.0.10.0/24 - - 192.168.0.0/24

And you are telling on the ASA that the network 192.168.0.0/24 is located behind the IP address 10.0.10.1 which to my understanding would be the interface IP address of the Router towards the ASA.

Now what I mean with the NAT is that I think your router is possibly doing a Dynamic NAT or Dynamic PAT between network 192.168.0.0/24 and 10.0.10.0/24 and therefore the router would block the PING.

What makes me think the router is doing NAT is because the PING doesnt work AND the fact that almost every basic router will by default do NAT between its LAN and WAN interfaces.

But again, I dont know how the router is configured but I dont see any problem on the ASA preventing from PINGing the network behind the router

You can add "icmp permit any inside" if you want but not sure if it will help in this case.

- Jouni

Re:ASA SSH / Telnet

jwood1650 — Tue, 19 Mar 2013 17:47:58 GMT

Ok...I misunderstood what you were saying....I'll check my router and see if I can fix it

Sent from Cisco Technical Support Android App