https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907205#M457318 <HTML><HEAD></HEAD><BODY><P>Hey,</P><P></P><P>When you say that you have been able to manage the ASA directly from Management interface, does that mean also with SSH?</P><P></P><P>I was just wondering if you've issued the "crypto key generate rsa modules 1024" from the console CLI? Or same from the ASDM tools -&gt; Command Line Interface (or something similiar)</P><P></P><P>Atleast thats the most common mistake I sometimes make when starting configuraitons with ASA on console (forget to create the keys)</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 06 Apr 2012 14:44:32 GMT Jouni Forss 2012-04-06T14:44:32Z https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907202#M457312 <P>The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config.&nbsp; Any assistance will be greatly appreciated.</P><P></P><P>ASA Version 8.2(1) </P><P>!</P><P>firewall transparent</P><P>hostname issr1</P><P>enable password 2alej83t5cqT0FWd encrypted</P><P>passwd 4kleUY438I93.4ljdh encrypted</P><P>names</P><P>name xxx.125.144.0 myLAN</P><P>!</P><P>interface Ethernet0/0</P><P> nameif Outside</P><P> security-level 0</P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address xxx.125.145.173 255.255.255.0 </P><P> management-only</P><P>!</P><P>dns server-group DefaultDNS</P><P> domain-name myLAN.circ6.dcn</P><P>object-group protocol TCPUDP</P><P> protocol-object tcp</P><P>access-list inside_access_in_2 extended permit ip any any </P><P>access-list Outside_access_in_1 extended permit ip myLAN 255.255.254.0 any </P><P>mtu Outside 1500</P><P>mtu inside 1500</P><P>mtu management 1500</P><P>ip address xxx.125.145.175 255.255.254.0</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit host xxx.125.145.175 inside</P><P>asdm history enable</P><P>access-group Outside_access_in_1 in interface Outside</P><P>access-group inside_access_in_2 in interface inside control-plane</P><P>route inside myLAN 255.255.254.0 xxx.125.144.240 1</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa authentication ssh console LOCAL </P><P>http server enable</P><P>http xxx.125.144.0 255.255.254.0 management</P><P>http myLAN 255.255.254.0 inside</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>ssh xxx.125.144.14 255.255.255.255 inside</P><P>ssh xxx.125.145.174 255.255.255.255 management</P><P>ssh timeout 60</P><P>console timeout 0</P><P>!</P><P>Cryptochecksum:f1c9377arda5b6aef83928h0b0058f9</P> Mon, 11 Mar 2019 22:51:12 GMT https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907202#M457312 kywbcisco 2019-03-11T22:51:12Z https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907203#M457313 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have never actually configured a transparent ASA firewall so I am just guessing.</P><P></P><P>What I am wondering is that if you have a transparent firewall acting as a L2 device in the network. Shouldnt you just have a default route pointing to the networks only L3 interfaces IP address.</P><P></P><P>Have you tried giving the management interface a totally different IP address? Something like 10.10.10.1/24 so it doesnt have anything to do with the actual network you have your ASA connected to?</P><P></P><P>Can you ping the IP address mentioned in the global configuration line "ip address" from your computer connected to the L2 network?</P></BODY></HTML> Thu, 05 Apr 2012 20:00:01 GMT https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907203#M457313 Jouni Forss 2012-04-05T20:00:01Z https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907204#M457315 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>I had an error in a netmask. After fixing that I can ping and connect with ASDM from the inside to the global IP address. I still cannot SSH from the inside but I should be able to figure that out.</P><P></P><P>Thanks for the help. Although your suggestion wasn't exactly the solution, it did prompt me to review all of my network settings and find the immediate problem.</P><P></P><P>Thanks again.</P></BODY></HTML> Fri, 06 Apr 2012 14:02:32 GMT https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907204#M457315 kywbcisco 2012-04-06T14:02:32Z https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907205#M457318 <HTML><HEAD></HEAD><BODY><P>Hey,</P><P></P><P>When you say that you have been able to manage the ASA directly from Management interface, does that mean also with SSH?</P><P></P><P>I was just wondering if you've issued the "crypto key generate rsa modules 1024" from the console CLI? Or same from the ASDM tools -&gt; Command Line Interface (or something similiar)</P><P></P><P>Atleast thats the most common mistake I sometimes make when starting configuraitons with ASA on console (forget to create the keys)</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 06 Apr 2012 14:44:32 GMT https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907205#M457318 Jouni Forss 2012-04-06T14:44:32Z https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907206#M457320 <HTML><HEAD></HEAD><BODY><P>From the management interface I can use SSH and ASDM.</P><P>I had already done the 'crypto..." command. </P><P>After tweaking another netmask I can now do SSH and ASDM from the inside interface. So my immediate problems are all resolved.</P><P></P><P>Thanks again,</P></BODY></HTML> Fri, 06 Apr 2012 17:29:07 GMT https://community.cisco.com/t5/network-security/cannot-ssh-or-ping-asa-5510-from-the-inside-interface/m-p/1907206#M457320 kywbcisco 2012-04-06T17:29:07Z