topic SSH on Outside interface on ASA 5510 in Network Security

SSH on Outside interface on ASA 5510

catalystexpress — Tue, 12 Mar 2019 00:05:18 GMT

Hi All,

I need the ssh access on my ASA outside interface and have added

ssh ipremoved 255.255.255.255 outside

access-list acl_outside extended permit tcp host ipremoved any eq 22

but this is the log i get from ASA

Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

can someone please help me

many thanks

cheers..

SSH on Outside interface on ASA 5510

Jennifer Halim — Sat, 06 Oct 2012 08:16:12 GMT

You don't need to configure access-list on the outside interface to allow ssh if you are trying to ssh to the ASA itself.

All you need is to make sure that the time on the ASA is correct, generate key-pair, and configure the ssh to allow the access from the ip address where you are connecting from (as you've configured above).

Also, make sure that you don't have any static PAT for TCP/22 using the ASA outside interface IP Address.

SSH on Outside interface on ASA 5510

catalystexpress — Sat, 06 Oct 2012 08:21:50 GMT

many thanks for the quick reply

my connection is something like below

Site A Site B

PC--10.6.40.148 ---- ASA public IP -------------cloud --------------------public IP ASA

Site to Site IPsec VPN

Am able to ssh to the ASA on the private ip management interface, now i need to ssh to the site B public IP to manage

I have allowed the acl on site A ASA for the PC to go i can see the hit count on it

The reason being i need to manage the Site B ASA on public because on Site A am changing the internet provider and so if i have the acces to site B ASA i can change the peer IP to new IP and reestablish the VPN

many thanks for the help

cheers

SSH on Outside interface on ASA 5510

Jennifer Halim — Sat, 06 Oct 2012 08:26:08 GMT

Ah OK, make sense.

I assume that since you are accesing Site B public IP address (outside), then the SSH traffic does not go through the VPN tunnel. If that is the case, then you would need to check what is the NATed public ip address of site A and add that public IP on to Site B SSH command.

SSH on Outside interface on ASA 5510

catalystexpress — Sat, 06 Oct 2012 08:38:19 GMT

Thanks again

I have already done that on Site B

ssh ipremoved 255.255.255.255 outside

access-list acl_outside extended permit tcp host ipremoved any eq 22

but still does not go through, the log from Site B

Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22

SSH on Outside interface on ASA 5510

Jennifer Halim — Sat, 06 Oct 2012 08:44:18 GMT

do you have any static PAT on port 22 configured on site B using site B outside interface ?

SSH on Outside interface on ASA 5510

catalystexpress — Sun, 07 Oct 2012 06:14:58 GMT

sorry it was a mistake from my end, i had the wrong IP configured in the Site B ssh commad instead of x.x.x.243 i had x.x.x.43

many thanks

SSH on Outside interface on ASA 5510

Jennifer Halim — Sun, 07 Oct 2012 19:55:55 GMT

No problem, great to hear it's all good now.