topic Re: SSH Access to ASA in Network Security

SSH Access to ASA

Scott Pazelt — Mon, 11 Mar 2019 17:36:44 GMT

I can't access our ASA 5505 via SSH from the outside. I've configured this through the ASDM to allow SSH (Device Management > Management Access > ASDM/HTTPS/Telnet/SSH). I added a rule that allows SSH on the outside interface from 0.0.0.0 0.0.0.0. When I try to ssh in with putty, it says "server unexpectedly closed network connection" When I watch the logs on the ASA, it shows a Built inbound TCP connection on port 22, but then immediately a Teardown TCP connection. It doesn't show it's being blocked by any rule. Is there something I'm missing on enabling SSH?

Thanks,

Scott

Re: SSH Access to ASA

Federico Coto Fajardo — Fri, 23 Apr 2010 17:40:32 GMT

Hi,

Besides allowing the permitted hosts to SSH to the ASA, you need to define RSA keys for the secure connection.

In the CLI:

crypto key generate rsa

For these key to work, you should have a hostname/domain-name configured on the ASA as well (unless you configure a dedicated RSA keys).

So basically, configure a hostname, domain name and generate the RSA key pair:

hostname NAME_OF_ASA

domain-name NAME_OF_DOMAIN

crypto key generate rsa

Accept the default of 1024 and it should work.

Federico.

Re: SSH Access to ASA

Scott Pazelt — Fri, 23 Apr 2010 17:50:19 GMT

Thanks for your response.

I had to enter that command through the ASDM and got the results below. Do I need to replace the existing key?

Result of the command: "crypto key generate rsa"

WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]:
% Please answer 'yes' or 'no'.
Do you really want to replace them? [yes/no]:
% Please answer 'yes' or 'no'.
Do you really want to replace them? [yes/no]:
% ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys named

Re: SSH Access to ASA

Federico Coto Fajardo — Fri, 23 Apr 2010 17:54:14 GMT

Are those RSA keys already in used for something else? If not, you can do: crypto key zeroize and regenerate the RSA keys.

You should be able to SSH fine.

We know the connection is getting to the ASA because you see the log.

Can you regenerate the RSA keys and attempt the connection?

If it does not work, please post the output of the ''sh run ssh'' command and the public IP address where the SSH client connection is coming from.

Federico.

Re: SSH Access to ASA

Scott Pazelt — Fri, 23 Apr 2010 18:15:17 GMT

I ran "crypto key zeroize" and removed the key, then ran" crypto key generate rsa" to regenerate the key. I tried ssh'ing back in, but got the same error. I checked the logs and saw the same thing again.

Here is the output of sh run ssh

ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

Thanks,

Scott

Re: SSH Access to ASA

Scott Pazelt — Fri, 23 Apr 2010 18:32:18 GMT

I wonder if since I'm running these commands from the ASDM CLI, if they're running all the way. I thought when you run the crypto key generate rsa command it asks you some questions. I didn't get anything returned. Is there a way to pull up an actual cli session from the ASDM?

Re: SSH Access to ASA

Federico Coto Fajardo — Fri, 23 Apr 2010 18:37:32 GMT

Scott,

I think you're correct and the RSA needs to be done via the CLI.

Can you telnet/SSH to the ASA?

Cannot be done via ADSM.

Federico.

Re: SSH Access to ASA

Scott Pazelt — Fri, 23 Apr 2010 18:49:46 GMT

I can't. It's at a remote location in another country so I don't even have physical access. Not sure how I'm going to do this, but thanks for your help.

Re: SSH Access to ASA

Federico Coto Fajardo — Fri, 23 Apr 2010 18:53:04 GMT

To be sure, we can run the debug for SSH:

debug ssh 127

The output of this command should tell us what the problem is.

Federico.

Re: SSH Access to ASA

Scott Pazelt — Fri, 23 Apr 2010 19:09:43 GMT

Is there a way to run this in the ASDM CLI? I tried from but got the message "debug commands are not supported".

Re: SSH Access to ASA

Federico Coto Fajardo — Fri, 23 Apr 2010 19:27:39 GMT

As far as I've seen you'll need CLI access to enable SSH.

Debugs don't seem to work on ASDM either.

Apologies, I always use CLI only.

Federico.

Re: SSH Access to ASA

Scott Pazelt — Fri, 23 Apr 2010 20:03:49 GMT

OK. I'll see what I can do. Thanks.

Re: SSH Access to ASA

rzghadhab — Wed, 08 Feb 2012 16:24:31 GMT

you can regenerate the rsa keys from the asdm as well.

use the noconfirm keyword at the end of each command (in Multiline, I use following):

conf t

crypto key zero noconfirm

crypto key generate rsa no confirm

http://www.cisco.com/en/US/docs/security/asdm/6_1/release/notes/rn61.html#wp70204

hope this helps.

Ramzi

SSH Access to ASA

gyterpena — Tue, 05 Feb 2013 16:05:37 GMT

Be careful with "crypto key zero noconfirm" as it will remove ALL keys you have configured on ASA including 3rd party that might be used.

I'm sure you have this

Joseph Dworak — Tue, 26 Aug 2014 16:25:18 GMT

I'm sure you have this figured out by now. But you have to go to Configuration > Device management > Users/AAA > AAA Access and "Enable" SSH and assign to "LOCAL". Doing a Debug ssh 127 will show you keys to the reason. If you are getting a "no AAA" message then your device is trying to use external AAA. Enable it to Local and you are good to go.

Correct. It's AAA

APPIREDDY — Fri, 13 Feb 2015 13:59:22 GMT

Correct. It's AAA authentication what is missing.

Re: SSH Access to ASA

blake.d.green.mil1 — Thu, 11 Jun 2020 15:56:34 GMT

Morning

Currently having problem ssh into my ASA aswell. Any help would be greatly appreciated

hostname CASHE-M-ASA
domain-name USCG
enable password $sha512$5000$QePGHWSUUC6U3pFSTvMqHA==$/hpBhma3C8/MUSMnk9ghyw== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.90.185 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name USCG
access-list OUTSIDE-IN extended permit icmp any any
pager lines 24
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
router ospf 1
network 192.168.90.0 255.255.255.0 area 0
log-adj-changes
!
route outside 192.168.83.0 255.255.255.0 192.168.90.186 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.83.0 255.255.255.0 outside
ssh 192.168.90.0 255.255.255.0 outside
ssh 192.168.90.184 255.255.255.252 outside
ssh timeout 5
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd dns 192.168.83.0
!
dhcpd dns 192.168.83.0 interface outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username spawar password $sha512$5000$iW9kLubyKfl/OHZ7ZvzKCA==$a7ONgvEnBhlmMUyzgZPN1Q== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dbcedd7f9fc5f14cc980dd87cc74b4b6
: end

Re: SSH Access to ASA

Ricky Sandhu — Wed, 03 May 2023 15:39:55 GMT

I know this is an old thread but I have another suggestion which may help someone in future. I ran into the exact same issue. Was setting up a brand new ASA but for the life of me couldn't SSH into the device. I then went under Configuration > Device Management > Advanced > SSH Ciphers and set the CipherSecurity Level to ALL for both Encryption and Integrity. Hit Apply and when I tried to SSH, I got the prompt to Accept the certificate. After I got connected, I went back to ASDM and set the Ciper Security Level back to Medium. Tried to SSH again and it worked each time.

Cheers

Re: SSH Access to ASA

jrharmdx — Wed, 22 May 2024 20:45:12 GMT

I was able to do this in the ASDM GUI by typing
"crypto key gen rsa mod 2048 noconfirm" and this allowed me to accept/skip the Yes/No Dialogue. I was able to CLI SSH after that.
__
Wow, that was 14 years ago. Cheers if your still looking.