https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276182#M76810 <HTML><HEAD></HEAD><BODY><P>I have done all this already, but I get this message from my ssh client, when trying to connect to ASA</P><P></P><P>Connecting to host 10.254.17.9:22...</P><P>Connected.</P><P> </P><P>Connection closed.</P><P></P></BODY></HTML> Fri, 03 Jul 2009 06:39:12 GMT fgasimzade 2009-07-03T06:39:12Z https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276180#M76805 <P>How to configure ssh on the outside interface of asa? I have defined an access list for outside interface, applied it, but it didnt work for some reason</P><P></P><P>Here is the access list</P><P></P><P>interface GigabitEthernet0/1</P><P> nameif outside</P><P> security-level 0</P><P> ip address 10.254.17.9 255.255.255.248 </P><P>!</P><P>interface GigabitEthernet0/2</P><P> no nameif</P><P> security-level 100</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/3</P><P> description EIGRP 2008</P><P> nameif eigrp</P><P> security-level 100</P><P> ip address 10.40.50.65 255.255.255.252 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.251.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>boot system disk0:/asa821-k8.bin</P><P>ftp mode passive</P><P>access-list 110 extended permit ip any any </P><P>access-list nat extended permit ip any any </P><P>access-list allow_ping extended permit icmp any any echo-reply </P><P>access-list allow_ping extended permit icmp any any source-quench </P><P>access-list allow_ping extended permit icmp any any unreachable </P><P>access-list allow_ping extended permit icmp any any time-exceeded </P><P>access-list allow_ping extended permit udp any any eq isakmp </P><P>access-list allow_ping extended permit esp any any </P><P>access-list allow_ping extended permit ah any any </P><P>access-list allow_ping extended permit gre any any </P><P>access-list allow_ping extended permit tcp any any eq ssh </P><P>access-list nonat extended permit ip any any </P><P>access-list icmp_inside extended permit icmp any any </P><P>access-list icmp_inside extended permit ip any any </P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu eigrp 1500</P><P>mtu management 1500</P><P>no failover </P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>access-group allow_ping in interface outside</P> Sun, 10 Mar 2019 11:41:13 GMT https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276180#M76805 fgasimzade 2019-03-10T11:41:13Z https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276181#M76807 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Look at <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml</A></P><P></P><P>I hope this helps.</P><P>Best regards.</P><P>Massimiliano.</P></BODY></HTML> Fri, 03 Jul 2009 06:27:17 GMT https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276181#M76807 massimiliano.serafino 2009-07-03T06:27:17Z https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276182#M76810 <HTML><HEAD></HEAD><BODY><P>I have done all this already, but I get this message from my ssh client, when trying to connect to ASA</P><P></P><P>Connecting to host 10.254.17.9:22...</P><P>Connected.</P><P> </P><P>Connection closed.</P><P></P></BODY></HTML> Fri, 03 Jul 2009 06:39:12 GMT https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276182#M76810 fgasimzade 2009-07-03T06:39:12Z https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276183#M76812 <HTML><HEAD></HEAD><BODY><P>Can't say I have seen this before but SSH is easy to do on the ASA.</P><P></P><P>I recommend taking the access list off of the interface first to see if that could be it.</P><P></P><P>You only posted a partial section of the config but make sure you have the SSH command with the address of the subnet you are connecting from. Your config is no longer visible as I type this but try "SSH 0.0.0.0 0.0.0.0 outside". This allows all subnets to access the outside interface. This command works like an access list to limit connectivity to trusted subnets. i.e. "SSH 10.0.0.0 255.0.0.0 outside" only allows hosts on the 10.x.x.x network to connect via SSH.</P><P></P><P>Turn on "debug ssh" to see what the errors are too.</P><P></P><P>And, you can always delete your keys (crypto key zeroize rsa) and rebuild them back (crypto key generate rsa gen mod 1024). This will make your ssh client, I'm using PuTTY, think this is a new device and prompt for the OK to connect.</P><P></P><P>Good luck.</P><P>Kevin</P><P></P></BODY></HTML> Sun, 05 Jul 2009 14:52:43 GMT https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276183#M76812 kevinglong 2009-07-05T14:52:43Z https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276184#M76813 <HTML><HEAD></HEAD><BODY><P>I removed crypto keys and generated again, it helped, thank you</P></BODY></HTML> Mon, 06 Jul 2009 05:47:20 GMT https://community.cisco.com/t5/network-security/ssh-to-outside-interface/m-p/1276184#M76813 fgasimzade 2009-07-06T05:47:20Z