topic Re: problem with ssh access on asa in Network Security

problem with ssh access on asa

Diego Maciel Gomes — Mon, 11 Mar 2019 23:49:52 GMT

Hello All,

I have a problem with my ssh access.

I have two interfaces, 172.17.5.250 = Outside, security Level 0

10.11.3.2 = Inside, security Level 1

I can access by ssh using Outside

I can not access by ssh using Inside. I receive this message in my prompt:

ssh user@10.11.3.2

Selected cipher type <unknown> not supported by server.

I tried with ssh -1 and ssh -2. Not works.

I have ssh allowed for this source network. SSH version 1&2.

I tried:

ASA(config)#crypto key zeroize rsa

Issue this command in order to generate the new key:

ASA(config)# crypto key generate rsa modulus 1024

But no success

Cisco 8.2(12)2

Thanks

problem with ssh access on asa

varrao — Tue, 04 Sep 2012 18:25:12 GMT

Hi Diego,

can you share the output of :

show run all ssl

You should add this in your configuration:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Refer to this dic for it:

https://supportforums.cisco.com/docs/DOC-15016

Hope this helps

Thanks,
Varun Rao
Security Team,
Cisco TAC

problem with ssh access on asa

varrao — Tue, 04 Sep 2012 18:30:58 GMT

M sorry but can youa lso post your ssh configuration?

Thanks,
Varun Rao
Security Team,
Cisco TAC

problem with ssh access on asa

Diego Maciel Gomes — Tue, 04 Sep 2012 18:37:50 GMT

Hi Varun,

Look:

FW# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption des-sha1

FW# sh run all ssh

ssh 172.16.0.0 255.240.0.0 outside

ssh 192.168.41.0 255.255.255.0 outside

ssh 10.11.0.0 255.255.0.0 inside

ssh 172.16.0.0 255.240.0.0 inside

ssh 192.168.11.0 255.255.255.0 inside

ssh timeout 5

My big doubt is because when I try to connect on interface Outside, it works...

Well, I didnt do that command you sent to me yet.. Should I do?

problem with ssh access on asa

varrao — Tue, 04 Sep 2012 18:38:39 GMT

One more thing that you can check is, if you have a 3DES license enabled, you can check it with "show version", ssh by default uses 3des.

Thanks,
Varun Rao
Security Team,
Cisco TAC

problem with ssh access on asa

varrao — Tue, 04 Sep 2012 18:43:21 GMT

It is the cipher code that the client and the server exchange between them, are you using the saying client when you connect from outside? You can very well add the comand, but also check for the 3des license. If you do not have it, you can generate it from her for free:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Thanks,
Varun Rao
Security Team,
Cisco TAC

problem with ssh access on asa

Diego Maciel Gomes — Tue, 04 Sep 2012 18:47:17 GMT

Varun,

I found my problem..

VPN 3DES AES isn´t enabled in my Firewall...

need a licence for ir?

problem with ssh access on asa

varrao — Tue, 04 Sep 2012 18:48:32 GMT

Yup I just pinged you the link above, its for free

Thanks,
Varun Rao
Security Team,
Cisco TAC

Re: problem with ssh access on asa

Diego Maciel Gomes — Tue, 04 Sep 2012 18:58:57 GMT

Varun,

I didnt see your post. I get the license and installed it, so.. I did:

1 - Get the License and Install

2 - ssl encryption aes128-sha1 3des-sha1 rc4-md5 des-sha1

But I still receive this error:

Selected cipher type not supported by server.

Re: problem with ssh access on asa

Diego Maciel Gomes — Tue, 04 Sep 2012 19:00:06 GMT

Varun,

I didnt see your post. I get the license and installed it, so.. I did:

1 - Get the License and Install

2 - ssl encryption aes128-sha1 3des-sha1 rc4-md5 des-sha1

But I still receive this error:

Selected cipher type not supported by server.

Re: problem with ssh access on asa

Julio Carvajal — Tue, 04 Sep 2012 19:17:01 GMT

Hello Diego,

Are you using the same SSH client on both interfaces?

Julio

Re: problem with ssh access on asa

Diego Maciel Gomes — Tue, 04 Sep 2012 19:52:36 GMT

Hello Julio,

Look.

Client = 172.20.65.205, connect on Outside, = OK (Windows with putty)

Client 172.19.4.40, connect on Inside, = NOK (linux with openssh-clients-4.3p2-82.el5)

Client 172.19.1.40, connect on Outise, = NOK (linux with openssh-clients-4.3p2-82.el5

Re: problem with ssh access on asa

Julio Carvajal — Tue, 04 Sep 2012 19:57:18 GMT

Hello Diego,

what happens if you use Putty on the internal machine or any other software besides nok?

I would say it will work.

Regards,

Julio

Re: problem with ssh access on asa

Diego Maciel Gomes — Tue, 04 Sep 2012 20:05:31 GMT

hum... idk..

but, I can connect on SSH in another firewall without problem...

it is weird, isnt it?

Re: problem with ssh access on asa

Julio Carvajal — Tue, 04 Sep 2012 20:16:20 GMT

Hello Diego,

I know you already did it but can you do it once :

ASA(config)#crypto key zeroize rsacrypto key generate rsa modulus 1024


And let me know how it goes

Regards,

Julio

Re: problem with ssh access on asa

Diego Maciel Gomes — Wed, 05 Sep 2012 11:17:07 GMT

Hi Jullio...

Follow..

FW(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

and now? generate new?

Re: problem with ssh access on asa

Diego Maciel Gomes — Wed, 05 Sep 2012 12:06:57 GMT

I generated... but, no way

Re: problem with ssh access on asa

Julio Carvajal — Wed, 05 Sep 2012 16:27:13 GMT

Hello Diego,

Do you still get the same log from the client?

What logs are being showed by the ASA?

Regards,

Julio

Re: problem with ssh access on asa

Diego Maciel Gomes — Wed, 05 Sep 2012 16:55:01 GMT

So..

FWINTERNO# debug ssh
debug ssh enabled at level 1

FW# Device ssh opened successfully.
SSH1: SSH client: IP = '172.19.4.121' interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.5-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-1.5-OpenSSH_4.3

client version string:SSH-1.5-OpenSSH_4.3SSH1: begin server key generation
SSH1: complete server key generation, elapsed time = 910 ms
SSH1: declare what cipher(s) we support:
00 0x00 0x00 0x04 0xSSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH1: SSH_SMSG_PUBLIC_KEY message sent
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: Session disconnected by SSH server - error 0x00 "Internal error"
SSH0: receive SSH message: SSH_CMSG_WINDOW_SIZE (11)

Re: problem with ssh access on asa

Diego Maciel Gomes — Wed, 05 Sep 2012 20:57:33 GMT

And now?

Any idea???