https://community.cisco.com/t5/network-security/ssh-on-asa/m-p/1284822#M76803 <HTML><HEAD></HEAD><BODY><P>Also, on remote ASA I have no debug ssh messages even though debug level is set to 255.</P><P>Moreover, when I apply NAT with ssh session already established to remote ASA, connection does not terminate.</P></BODY></HTML> Mon, 06 Jul 2009 08:29:22 GMT fgasimzade 2009-07-06T08:29:22Z https://community.cisco.com/t5/network-security/ssh-on-asa/m-p/1284821#M76802 <P>I have a weird problem with ssh configuration on ASA. We have VPN established between 2 ASA's. I configured ssh to the remote ASA's outside interface. I had troubles with ssh unless I regenerated the keys. Now, on local ASA I have configured NAT so that when ssh to the remote ASA to translate local IP addresses to local ASA's outside address. Since that I can not ssh to remote ASA. My ssh client says:</P><P>Connecting to host 10.254.17.10:22...</P><P>Connected.</P><P>Connection closed.</P><P></P><P>I had the same message before I regenerated the keys for the first time. No it doesnt help either. If I remove NAT, everything works fine.</P><P></P><P>Here my config of local ASA:</P><P>ASA Version 8.2(1) </P><P>!</P><P>hostname gyd-asa</P><P>enable password XeY1QWHKPK75Y48j encrypted</P><P>passwd XeY1QWHKPK75Y48j encrypted</P><P>names</P><P>dns-guard</P><P>!</P><P>interface GigabitEthernet0/0</P><P> no nameif</P><P> security-level 100</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/1</P><P> nameif outside</P><P> security-level 0</P><P> ip address 10.254.17.9 255.255.255.248 </P><P>!</P><P>interface GigabitEthernet0/2</P><P> no nameif</P><P> security-level 100</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/3</P><P> description EIGRP 2008</P><P> nameif eigrp </P><P> security-level 100</P><P> ip address 10.40.50.65 255.255.255.252 </P><P>! </P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.251.1 255.255.255.0 </P><P> management-only</P><P>! </P><P>boot system disk0:/asa821-k8.bin</P><P>ftp mode passive</P><P>access-list 110 extended permit ip any any </P><P>access-list nat extended permit tcp any host 10.254.17.10 eq ssh </P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu eigrp 1500</P><P>mtu management 1500</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (eigrp) 1 access-list nat</P><P>!</P><P>router eigrp 2008</P><P> no auto-summary</P><P> neighbor 10.254.17.10 interface outside</P><P> neighbor 10.40.50.66 interface eigrp</P><P> network 10.40.50.64 255.255.255.252</P><P> network 10.254.17.8 255.255.255.248</P><P> redistribute connected</P><P> redistribute static</P><P>!</P><P>route management 0.0.0.0 0.0.0.0 192.168.251.14 1</P><P>route outside 192.1.1.0 255.255.255.0 10.254.17.10 1</P><P>route outside 192.168.208.16 255.255.255.240 10.254.17.10 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server TACACS protocol tacacs+</P><P>aaa-server TACACS (management) host 192.168.1.8</P><P> key * </P><P>aaa-server TACACS (management) host 192.168.22.46</P><P> key * </P><P>aaa authentication ssh console TACACS LOCAL</P><P>aaa authentication telnet console TACACS LOCAL</P><P>aaa authentication enable console TACACS LOCAL</P><P>aaa accounting ssh console TACACS</P><P>aaa accounting telnet console TACACS</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>snmp-server host eigrp 192.168.1.13 poll community vlan</P><P>snmp-server host eigrp 192.168.1.27 poll community vlan</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec transform-set myset esp-3des esp-md5-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto map mymap 10 match address 110</P><P>crypto map mymap 10 set peer 10.254.17.10 </P><P>crypto map mymap 10 set transform-set myset</P><P>crypto map mymap interface outside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable outside</P><P>crypto isakmp enable eigrp</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 28800</P><P>no crypto isakmp nat-traversal</P><P>telnet timeout 5</P><P>ssh 192.168.1.0 255.255.255.192 eigrp</P><P>ssh timeout 20</P><P>console timeout 0</P><P></P> Sun, 10 Mar 2019 11:41:21 GMT https://community.cisco.com/t5/network-security/ssh-on-asa/m-p/1284821#M76802 fgasimzade 2019-03-10T11:41:21Z https://community.cisco.com/t5/network-security/ssh-on-asa/m-p/1284822#M76803 <HTML><HEAD></HEAD><BODY><P>Also, on remote ASA I have no debug ssh messages even though debug level is set to 255.</P><P>Moreover, when I apply NAT with ssh session already established to remote ASA, connection does not terminate.</P></BODY></HTML> Mon, 06 Jul 2009 08:29:22 GMT https://community.cisco.com/t5/network-security/ssh-on-asa/m-p/1284822#M76803 fgasimzade 2009-07-06T08:29:22Z