Configuring SSH allowed addresses on ASA 5506-X:

Waterbird
Level 1

I'm using an ASA 5506-X. I have an external network whose computers need to SSH into the ASA. To do this I configured:

ssh x.x.x.x x.x.x.x outside

Where x.x.x.x x.x.x.x is the external address range of the outside network somewhere else in the world.

With this config, I think the outside interface will then allow connections from the above range coming from the internet (i.e. no VPN needed for SSH). But please correct me if I'm wrong.

Then, to be able to have SSH reach the inside interfaces also, I simply add the config:

management-access inside

Finally, there is a mysterious config from a previous administrator. It uses a private address on the outside interface:

ssh 10.x.x.x 255.255.252.0 outside

What is the purpose of allowing SSH on an outside interface for a private address? Why was that config likely put on the device?

Accepted Solution

mkazam001
Level 3

Full config for SSH to the ASA on the outside interface:

username admin password cisco priv 15
aaa authentication ssh console LOCAL
ssh 172.27.1.5 255.255.255.255 outside    - this is your source network
crypto key generate rsa modulus 1024
sh ssh sessions    - see who is connected

Regarding the private address on the outside: this can be used if the interface is connected to a corporate network that had that network as the source.

Please accept as solution if it was so :)

Regards, mk

3 Replies

Try this:

aaa authentication ssh console LOCAL
!
username admin password Cisco priv 15
!
ssh x.x.x.x x.x.x.x outside

In regards to the outside interface with an RFC1918 address, that doesn't make sense.

Maybe he didn't know what he was doing.

Please do not forget to rate.


I see in the object-group configs there is a network object group that includes the private address referenced in the ssh line as the RFC1918 address. This object-group is mapped to the device by an IPsec VPN tunnel.

So I suppose this would allow SSH from inside devices to go through the tunnel instead of through the unprotected internet.
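As an added, constructed example (not code from the thread, from Cisco, or from either poster): a small Python audit over an ASA running-config that parses the `ssh <ip> <mask> <interface>` lines shown in the accepted answer, flags RFC 1918 sources permitted on the outside interface, and checks whether such a source is covered by a `network-object` in an `object-group network`, which is the tunnel-side explanation the original poster found. The sample config, the group name VPN-REMOTE-LAN and all addresses are placeholders.

```python
import ipaddress
import re

# Constructed sample running-config (placeholder addresses, not from the thread).
SAMPLE_CONFIG = """\
object-group network VPN-REMOTE-LAN
 network-object 10.20.0.0 255.255.252.0
 network-object host 10.30.1.1
ssh 203.0.113.0 255.255.255.0 outside
ssh 10.20.0.0 255.255.252.0 outside
ssh 192.168.50.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$", re.M)
GROUP_RE = re.compile(r"^object-group network (\S+)\n((?: .*\n)*)", re.M)
MEMBER_RE = re.compile(r"^ network-object (\S+) (\S+)$", re.M)


def to_network(ip, mask):
    """Build a network from ASA 'ip mask' or 'host ip' notation."""
    if ip == "host":
        return ipaddress.IPv4Network(f"{mask}/32")
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def parse_object_groups(config):
    """Map each 'object-group network' name to its literal members (nested references ignored)."""
    groups = {}
    for name, body in GROUP_RE.findall(config):
        groups[name] = [to_network(ip, mask) for ip, mask in MEMBER_RE.findall(body)]
    return groups


def audit_ssh(config):
    """Return (source_network, interface, verdict) for every 'ssh' line in the config."""
    groups = parse_object_groups(config)
    findings = []
    for ip, mask, iface in SSH_RE.findall(config):
        net = to_network(ip, mask)
        if net.prefixlen == 0:
            verdict = "any-source"
        elif iface == "outside" and any(net.subnet_of(r) for r in RFC1918):
            # A private source on 'outside' only makes sense if it arrives via a tunnel.
            covering = [g for g, nets in groups.items() if any(net.subnet_of(n) for n in nets)]
            verdict = f"private-via-{covering[0]}" if covering else "private-unexplained"
        else:
            verdict = "ok"
        findings.append((str(net), iface, verdict))
    return findings
```

Run `audit_ssh(SAMPLE_CONFIG)` against your own `show running-config` output; any `private-unexplained` entry on the outside interface is the kind of leftover the original poster asked about.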
