topic how to enable ssh on ASA 5525 in Network Security

how to enable ssh on ASA 5525

purpletech — Mon, 11 Mar 2019 23:43:22 GMT

May I know how to configure for remote accessing ASA 5525 via ssh

I have issued the following commands

ssh 10.60.0.0 255.255.0.0 outside

ssh 10.60.0.0 255.255.0.0 dmz

ssh 10.60.0.0 255.255.0.0 inside

ssh timeout 5

but I am not able to access ASA via ssh. Do I need to add any other command

Re: how to enable ssh on ASA 5525

Karsten Iwen — Thu, 16 Aug 2012 21:26:42 GMT

you need a public/private keypair:

asa(config)# crypto key generate rsa general-keys modulus 2048

a username:

asa(config)# username testuser password testpass

and the system should know where your useraccounts are:

asa(config)# aaa authentication ssh console LOCAL

Edit: And only allowing SSHv2:

asa(config)# ssh version 2

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Tue, 21 Aug 2012 15:36:11 GMT

Thank you.

I am able to ssh into the inside interface but not to the outside interface or dmz

Should I need to add any access list

Re: how to enable ssh on ASA 5525

Karsten Iwen — Tue, 21 Aug 2012 15:57:16 GMT

The two most important rules for the ASA:

1) Interface-ACLs are never involved when the communication is to the ASA (which is different to an IOS-router)

2) You can only reach the nearest interface when communicating to the ASA (again a difference to the router). The only exception is communication through a VPN where a configured Mgmt-interface can be reached.

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Wed, 22 Aug 2012 17:04:52 GMT

Will I be able to ssh into the ASA using it's Public IP address

Re: how to enable ssh on ASA 5525

Karsten Iwen — Wed, 22 Aug 2012 20:14:25 GMT

Yes: "ssh 0.0.0.0 0.0.0.0 outside"

Sent from Cisco Technical Support iPad App

how to enable ssh on ASA 5525

purpletech — Thu, 23 Aug 2012 19:54:44 GMT

Thank you Karsten

how to enable ssh on ASA 5525

purpletech — Fri, 24 Aug 2012 18:25:07 GMT

How to configure the ssh for outside interface in the cisco Router 2800

I have configured the following on the outside interface

ip access-list extended dsl-in

permit icmp any host 67.*.*.*

permit tcp any host 67.*.*.* eq 22

But I am not able to ssh from outside . Following is the overload for the outside interface

ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload

ip access-list extended pat-out

deny ip any 10.0.0.0 0.255.255.255

deny ip any 192.168.0.0 0.0.255.255

permit ip 10.10.0.0 0.0.255.255 any

permit ip 10.20.0.0 0.0.255.255 any

route-map dsl-nat permit 10

match interface FastEthernet0/2/0

Re: how to enable ssh on ASA 5525

Karsten Iwen — Fri, 24 Aug 2012 19:22:50 GMT

The route-map is missing your acl "pat-out". And on the router you also need the piblic/private keypair. A SSH-config could look like that:

crypto key generate rsa general-keys modulus 2048 label SSH-KEYS

ip ssh version 2

ip ssh rsa keypair-name SSH-KEYS

ip ssh dh min size 2048

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Fri, 24 Aug 2012 20:19:05 GMT

ip ssh dh min size 2048

I added the first 3 commands

on 4th one , there is no option for dh after #ip ssh ?

authentication-retries Specify number of authentication retries

break-string break-string

logging Configure logging for SSH

maxstartups Maximum concurrent sessions allowed

port Starting (or only) Port number to listen on

rsa Configure RSA keypair name for SSH

source-interface Specify interface for source address in SSH

connections

time-out Specify SSH time-out interval

version Specify protocol version to be supported

Re: how to enable ssh on ASA 5525

Karsten Iwen — Fri, 24 Aug 2012 20:40:16 GMT

That command is not mandatory. It just makes sure that stronger cryptograhy has to be used. But it's only available in very new IOS-versions. SSH will work without that.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Mon, 27 Aug 2012 12:58:20 GMT

I am still not able to ssh from outside using the public ip. It is a cisco 2800 router

when, I issue the command, it sows the following

(config)#$generate rsa general-keys modulus 2048 label SSH-KEYS

% You already have RSA keys defined named SSH-KEYS.

% They will be replaced.

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

how to enable ssh on ASA 5525

Karsten Iwen — Mon, 27 Aug 2012 13:02:07 GMT

Well, then you already have the keys ...

What is your actual config? Any Log-messages while you try to connect?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Mon, 27 Aug 2012 13:22:33 GMT

we have recently installed ASA 5525 firewall.

Router1 ------MPLS------Router2-------ASA

Router3

Is the ASA blocking ssh for Router 1 and Router 3 ? I am able to ssh with private ips but not with public ips

how to enable ssh on ASA 5525

purpletech — Mon, 27 Aug 2012 13:26:10 GMT

The Routers have separate DSL connections

how to enable ssh on ASA 5525

Karsten Iwen — Mon, 27 Aug 2012 13:38:10 GMT

If the SSH goes through the ASA it has to be allowed. Where is your client when you try to SSH and into which router do you want to login?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Mon, 27 Aug 2012 13:48:19 GMT

Router1 (10.30.0.1 public IP 67.*.*.*) Router 3 (172.16.0.1 public ip 212. *.*.*)

From 172.16.*.* network , I am able to ssh into Router1 using private ip but not using public IP. Outside the company network also I am not able to ssh using public IP. But from the same network (10.30.0.0), I am able to ssh using public ip. Same for Router 3

how to enable ssh on ASA 5525

purpletech — Tue, 28 Aug 2012 13:20:02 GMT

Router1 ------MPLS------Router2-------ASA

Router3

Router1 (10.30.0.1 public IP 67.*.*.*) Router 3 (172.16.0.1 public ip 212. *.*.*)

how to enable ssh on ASA 5525

Karsten Iwen — Tue, 28 Aug 2012 13:25:25 GMT

So what doesn't work is the following:

PC in 172.16.x.x connects via R3-DSL to R1-DSL? But the PC can reach other ressources in the internet?

What's the NAT, ACL and SSH-config from R1?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how to enable ssh on ASA 5525

purpletech — Tue, 28 Aug 2012 14:25:24 GMT

ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!

ip access-list extended dsl-in
permit icmp any host 67.*.*.*
permit tcp any eq 22 host 67.*.*.*
permit tcp any host 67.*.*.* eq 22

!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
snmp-server community s3cur3 RO snmp
no cdp run
!
!
!
route-map dsl-nat permit 10
match interface FastEthernet0/2/0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
login authentication local_auth
transport input telnet ssh
line vty 5 15
login authentication local_auth
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

ip inspect udp idle-time 1800

ip inspect dns-timeout 7

ip inspect tcp idle-time 14400

ip inspect tcp finwait-time 60

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

ip inspect SDM_LOW out

Should I allow inspect for ssh?