topic Re: SSH outside question in Network Security

SSH outside question

scott.bridges — Mon, 11 Mar 2019 15:36:48 GMT

This must be a simple problem that I'm just not seeing. I may be just tired, but I can't for the life of me SSH from outside into this ASA. I can RDP into the Windows Server and use Putty to SSH from the inside, but can't do so from home.

Here is part of the config:

elnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 20

ssh version 2

access-group outside_access_in in interface outside

(there is nothing via acl blocking SSH traffic)

aaa authentication ssh console LOCAL

What am I missing?

Re: SSH outside question

lreger — Wed, 27 May 2009 03:12:38 GMT

asa(config)# crypto key generate rsa

Re: SSH outside question

scott.bridges — Wed, 27 May 2009 03:41:55 GMT

ciscoasa(config)# crypto key generate rsa

WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]: no

ERROR: Failed to create new RSA keys named

ciscoasa(config)#

Already have an RSA key. This would need to exist for me to be able to SSH locally (inside), right?

Re: SSH outside question

lreger — Wed, 27 May 2009 03:48:33 GMT

I just tested the command on a new ASA 5505 right out of the box and I received the same notification about replacing the default key. So run the command again and press yes to replace the default key and test the ssh connection from the outside

Re: SSH outside question

scott.bridges — Wed, 27 May 2009 04:03:15 GMT

Same thing. SSH from the outside and it's instant connection refused.

debug1: Reading configuration data /etc/ssh_config

debug1: Connecting to 6.x.138 [6.x.138] port 22.

debug1: connect to address 6.x.138 port 22: Connection refused

ssh: connect to host 6.x.138 port 22: Connection refused

Re: SSH outside question

mondakota — Wed, 27 May 2009 13:32:44 GMT

Please Keep me up. I have the same problem.

ASA 5505. ASA v.8.0(4). ASDM v.6.1(5)57

Re: SSH outside question

John Blakley — Wed, 27 May 2009 16:41:23 GMT

Scott,

I noticed that you said that there wasn't anything blocking ssh in the outside acl, but are you allowing it through from anywhere?

permit tcp any any eq 22

Also, what client are you using? You have version 2 specified, and if you're using putty, you may want to specify it as well.

HTH,

John

Re: SSH outside question

scott.bridges — Thu, 28 May 2009 17:35:40 GMT

Hi John,

With the "ssh 0.0.0.0 0.0.0.0 outside" command, shouldn't that enable SSH connections from the outside? IE, outgoing is not affected? My understanding is that "permit tcp any any eq 22" and applying it to an interface is for hosts/clients on the LAN, *not* the 'outside' interface itself.

Make sense?

And I use a Mac with 10.5.7, so that's the Terminal I'm using, unix SSH.

I'm attaching the running-config in case there is anything I'm missing. I'm not too experienced in firewall IOS, so any help/tips is greatly appreciated. But here is the config to help troubleshoot this annoying SSH problem:

Thanks,

-Scott

Re: SSH outside question

John Blakley — Thu, 28 May 2009 18:15:28 GMT

Scott,

Try this:

management-access outside

HTH,

John

Re: SSH outside question

scott.bridges — Thu, 28 May 2009 18:29:42 GMT

I'm in.

That's crazy. I have never had to issue that command before. Why do you think that needed to happen?

Re: SSH outside question

John Blakley — Thu, 28 May 2009 18:44:49 GMT

Scott,

The ASA has a management interface that allows you to manage the device on a higher security interface. You have to change the management interface to the outside in order to SSH into it.

You also may have been able to add your ssh command like:

ssh 0 0 management

I've never tried the latter, but your ASA has a designated management interface (can be any interface), and I assume that it will just allow ssh connections into whatever your management interface is specified as.

Seeing your config helped 🙂

Thanks for the rating!

John

Re: SSH outside question

datacureinc — Wed, 13 Jan 2010 13:55:52 GMT

I guess I'll bring this post back to life,.. I recently upgraded to 8.2(1) and ssh is no longer working from the outside interface,. same config,. all acl's are there,. generated a new crypto key, rebooted the device, .all of which I knew wouldn't fix it,.. I can still get in from the inside... I entered the command "management-interface outside" with no luck (maybe i need to reboot? but can't unless i have a maintenance window).. I have an ASA 5510

Re: SSH outside question

SOL10 — Wed, 13 Jan 2010 16:47:31 GMT

try this command -

ssh ip address and netmask of the IP you are coming in from - for security purposes i believe you cant specify 0.0.0.0 on the outside inteface

you dont need an ACL rule for it ( i have an ASA5510) and the only config i have is ssh ip add netmask

HTH

post you entire config if you can -

Re: SSH outside question

datacureinc — Wed, 13 Jan 2010 17:56:30 GMT

Sorry,. I should have been more specific,.. I do not have an acl (i know it's not needed for traffic

terminating at the firewall) and yes I do have the "ssh " command to allow for access.,.. The same exact configuration was working fine in version 7,. I recently upgraded to 8.2(1),.. I have a TAC open with Cisco so I'll share what they tell me to do

Re: SSH outside question

datacureinc — Wed, 13 Jan 2010 20:06:37 GMT

Ok so Reminder:.. This configuration worked with v7.2 just fine,.. I could still ssh in from the 78.25 host on the inside,,. there is a lan to lan tunnel and a couple routers between this ASA and the 192.168.10 network.. the 78 network is directly attached to the internal interface on this ASA

hostname# show run | inc ssh 192.168.

aaa authentication ssh console LOCAL

ssh 192.168.10.25 255.255.255.255 outside

ssh 192.168.78.25 255.255.255.255 inside

ssh timeout 10

ssh version 2

for some reason Cisco decided to switch things up in version 8.2

Here is what I did to get it to work

hostname# conf t

hostname(config)# management-access inside

Please remove the management access before configure a new one

hostname(config)# no management-access outside

hostname(config)# management-access inside

hostname(config)# end

Still did not work,..

hostname# show run | inc ssh 192.168.

aaa authentication ssh console LOCAL

ssh 192.168.10.25 255.255.255.255 outside

ssh 192.168.78.25 255.255.255.255 inside

ssh timeout 10

ssh version 2

Still did not work until I changed 10.25 to look like it's coming from the inside even though it is not,..

hostname# conf t

hostname(config)# ssh 192.168.10.25 255.255.255.255 inside

To me this doesn’t make sense because the 192.168.10 network is only reachable via the outside interface,..

At least it is working now,.

Hope this helps you guys out,..

Since I had a tunnel terminating on my outside interface at 10.0.0.1 I had to ssh to the internal interface at 192.168.78.1 from 10.25

I asked the TAC engineer why it changed and he said

"Yes this network and this ip 192.168.10.25 is on outside, but we are connecting to the firewall on the inside interface and that’s why we have to add these commands."