problem with ssh access on asa

Hello All,

I have a problem with my ssh access.

I have two interfaces:

172.17.5.250 = Outside, security level 0

10.11.3.2 = Inside, security level 1

I can access by ssh using Outside

I cannot access by ssh using Inside. I receive this message in my prompt:

ssh user@10.11.3.2

Selected cipher type <unknown> not supported by server.

I tried with ssh -1 and ssh -2. Neither works.

I have ssh allowed for this source network. SSH version 1&2.

I tried:

ASA(config)#crypto key zeroize rsa

Issue this command in order to generate the new key:

ASA(config)# crypto key generate rsa modulus 1024

But no success

Cisco 8.2(12)2

Thanks

20 Replies

varrao
Level 10

Hi Diego,

can you share the output of :

show run all ssl

You should add this in your configuration:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Refer to this doc for it:

https://supportforums.cisco.com/docs/DOC-15016

Hope this helps

Thanks,
Varun Rao
Security Team,
Cisco TAC


I'm sorry, but can you also post your ssh configuration?

Thanks,
Varun Rao
Security Team,
Cisco TAC


One more thing you can check is whether you have a 3DES license enabled; you can check it with "show version". SSH by default uses 3DES.

Thanks,
Varun Rao
Security Team,
Cisco TAC



Hi Varun,

Look:

FW# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption des-sha1

FW# sh run all ssh

ssh 172.16.0.0 255.240.0.0 outside

ssh 192.168.41.0 255.255.255.0 outside

ssh 10.11.0.0 255.255.0.0 inside

ssh 172.16.0.0 255.240.0.0 inside

ssh 192.168.11.0 255.255.255.0 inside

ssh timeout 5

My big doubt is that when I try to connect on the Outside interface, it works...

Well, I didn't run that command you sent me yet. Should I?

It is the cipher that the client and the server negotiate between them. Are you using the same client when you connect from outside? You can very well add the command, but also check for the 3DES license. If you do not have it, you can generate it from here for free:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Thanks,
Varun Rao
Security Team,
Cisco TAC

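How the two sides pick a cipher, as an added example (not code from the thread or from Cisco): an SSH-2 client and server each send a KEXINIT message listing the algorithms they support, and RFC 4253 section 7.1 says the chosen cipher is the first entry on the client's list that the server also lists. If there is none, the connection dies; OpenSSH reports that as "no matching cipher found" (the "Selected cipher type ... not supported by server" message in the opening post is OpenSSH's protocol-1 version of the same failure). The Python below builds and parses KEXINIT payloads and runs that negotiation against two constructed server offers: one that has only single DES, which is all an ASA without the VPN-3DES-AES license can offer, and one with 3DES and AES after the license is installed. The client list approximates an OpenSSH 4.x client; the server lists, including the name "des-cbc" for single DES, are assumptions for illustration, since the thread does not show the ASA's actual name-lists.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# Cipher list of an OpenSSH 4.x-era client for SSH-2 (approximate, assumed
# for illustration). Single DES is not on it at all.
OPENSSH4_CIPHERS = [
    "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour128",
    "arcfour256", "arcfour", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
]
# Constructed server offers. "des-cbc" is the name PuTTY uses for single DES;
# the ASA's real name-lists are not shown in the thread, so these are assumptions.
UNLICENSED_ASA_CIPHERS = ["des-cbc"]
LICENSED_ASA_CIPHERS = ["3des-cbc", "aes128-cbc", "aes256-cbc", "des-cbc"]


def _name_list(names):
    """SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(ciphers, kex=("diffie-hellman-group1-sha1",),
                  hostkey=("ssh-rsa",), macs=("hmac-sha1",), cookie=None):
    """Serialise a KEXINIT payload (RFC 4253 7.1): byte 20, 16-byte cookie,
    ten name-lists, first_kex_packet_follows, reserved uint32. The same
    cipher and MAC lists are used for both directions."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    lists = (kex, hostkey, ciphers, ciphers, macs, macs,
             ("none",), ("none",), (), ())
    return (bytes([SSH_MSG_KEXINIT]) + cookie
            + b"".join(_name_list(nl) for nl in lists)
            + b"\x00" + struct.pack(">I", 0))


KEXINIT_FIELDS = ("kex", "hostkey", "enc_cs", "enc_sc", "mac_cs", "mac_sc",
                  "comp_cs", "comp_sc", "lang_cs", "lang_sc")


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists (Python lists)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id + cookie
    out = {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % field)
        off += n
        out[field] = raw.decode("ascii").split(",") if raw else []
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the chosen algorithm is the first name on the client's
    list that the server also lists; None means the connection will fail."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def negotiate_ciphers(client_kexinit, server_kexinit):
    """Return (client->server cipher, server->client cipher)."""
    c = parse_kexinit(client_kexinit)
    s = parse_kexinit(server_kexinit)
    return (negotiate(c["enc_cs"], s["enc_cs"]),
            negotiate(c["enc_sc"], s["enc_sc"]))


if __name__ == "__main__":
    client = build_kexinit(OPENSSH4_CIPHERS)
    for label, offer in (("unlicensed ASA", UNLICENSED_ASA_CIPHERS),
                         ("licensed ASA", LICENSED_ASA_CIPHERS)):
        server = build_kexinit(offer)
        print(label, "->", negotiate_ciphers(client, server))
```

Run it and the unlicensed offer yields (None, None), the licensed one "aes128-cbc" in both directions. Two things worth noticing: the client's order decides, so a server that lists 3des-cbc first still ends up on AES when the client prefers it; and the failure is consistent with Julio's question about the client, because PuTTY will fall back to single DES in SSH-2 (after a warning) whereas OpenSSH never offers it, so the same DES-only ASA accepts one client and rejects the other. Single DES is a 56-bit cipher and is not something to keep relying on; installing the 3DES/AES license is the fix, not forcing the client down to DES.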

Varun,

I found my problem...

VPN-3DES-AES isn't enabled in my firewall...

Do I need a license for it?

Yup, I just pinged you the link above; it's free.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Varun,

I didn't see your post. I got the license and installed it, so I did:

1 - Got the license and installed it

2 - ssl encryption aes128-sha1 3des-sha1 rc4-md5 des-sha1

But I still receive this error:

Selected cipher type not supported by server.

Hello Diego,

Are you using the same SSH client on both interfaces?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Look.

Client 172.20.65.205, connecting on Outside = OK (Windows with PuTTY)

Client 172.19.4.40, connecting on Inside = NOK (Linux with openssh-clients-4.3p2-82.el5)

Client 172.19.1.40, connecting on Outside = NOK (Linux with openssh-clients-4.3p2-82.el5)

Hello Diego,

What happens if you use PuTTY on the internal machine, or any other software besides the one marked NOK?

I would say it will work.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hmm... I don't know.

But I can connect over SSH to another firewall without problem...

It is weird, isn't it?

Hello Diego,

I know you already did it, but can you do it once more:

ASA(config)#crypto key zeroize rsa
crypto key generate rsa modulus 1024

And let me know how it goes

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
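What changes on the client side after the key regeneration Julio repeats above, as an added example (not from the thread and not Cisco code): `crypto key zeroize rsa` followed by `crypto key generate rsa` gives the ASA a new SSH host key, so every client that already has the old key in known_hosts will refuse the next connection with a host-key-changed warning. The right response is to compare the fingerprint the client prints with the one the firewall reports (`show crypto key mypubkey rsa` on the ASA) and only then replace the stale entry, not to switch off host key checking. The Python below parses the ssh-rsa public key blob that ssh stores in known_hosts (RFC 4253 section 6.6), computes the SHA256 fingerprint newer clients print and the MD5 hex fingerprint an OpenSSH 4.x client prints, and lists the known_hosts entries for a host (plain, or hashed with HashKnownHosts) that still carry a key other than the new one. The key blobs and the known_hosts lines are constructed toy data, not real keys.

```python
import base64
import hashlib
import hmac
import struct


def _string(b):
    """SSH string: uint32 length + bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    """SSH mpint: shortest big-endian two's complement, leading 0x00 if the high bit is set."""
    raw = x.to_bytes((x.bit_length() + 8) // 8, "big") if x else b""
    return _string(raw)


def make_ssh_rsa_blob(e, n):
    """Wire form of an ssh-rsa public key (RFC 4253 6.6): string "ssh-rsa", mpint e, mpint n.
    Used here only to build toy keys for the sample; a real modulus is 1024+ bits."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end


def parse_ssh_rsa_blob(blob):
    """Return (e, n) from an ssh-rsa blob, rejecting other key types and trailing bytes."""
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % kind)
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def fingerprint_sha256(blob):
    """Fingerprint as modern OpenSSH prints it: SHA256:<base64 without padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    """Colon-separated MD5 hex, the only form an OpenSSH 4.x client prints."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def hash_known_host(host, salt):
    """Hashed host field (HashKnownHosts yes): |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, host):
    """True if a known_hosts host field (plain comma list or hashed) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_known_host(host, salt).encode(), field.encode())
    return host in field.split(",")


def stale_entries(known_hosts, host, new_blob):
    """known_hosts lines naming `host` whose key is not `new_blob`. After the ASA's
    RSA key is regenerated these are exactly the lines that trigger
    "REMOTE HOST IDENTIFICATION HAS CHANGED". Comment and marker (@...) lines are skipped."""
    stale = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "@")):
            continue
        field, keytype, key_b64 = parts[:3]
        if not host_field_matches(field, host):
            continue
        if keytype == "ssh-rsa" and base64.b64decode(key_b64) == new_blob:
            continue  # already pinned to the new key
        stale.append(line)
    return stale


def _b64(b):
    return base64.b64encode(b).decode()


# Constructed toy keys (tiny moduli, not usable RSA keys) and a constructed
# known_hosts file with one plain and one hashed entry for the firewall.
OLD_BLOB = make_ssh_rsa_blob(65537, 0xDEADBEEF)
NEW_BLOB = make_ssh_rsa_blob(65537, 0xCAFEBABE)
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "10.11.3.2,172.17.5.250 ssh-rsa " + _b64(OLD_BLOB),
    hash_known_host("172.17.5.250", b"\x01" * 20) + " ssh-rsa " + _b64(OLD_BLOB),
    "10.11.3.99 ssh-rsa " + _b64(NEW_BLOB),
])

if __name__ == "__main__":
    print("new key:", fingerprint_sha256(NEW_BLOB), fingerprint_md5(NEW_BLOB))
    for host in ("10.11.3.2", "172.17.5.250", "10.11.3.99"):
        print(host, "stale entries:", len(stale_entries(KNOWN_HOSTS, host, NEW_BLOB)))
```

Only after the fingerprint shown by the client matches the one the ASA reports should the stale line be removed (`ssh-keygen -R <host>` does that, hashed entries included) and the new key accepted. Note too that the 1024-bit modulus in the command is below current guidance for RSA; where the software allows it, generate 2048 bits or more.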