SSH & ASDM access to 5520

jr.herbert
Level 1

After reading through several similar threads, I believe I have everything set up correctly, but I still can't get remote access to SSH or ASDM on my ASA 5520. I can ping the management IP (10.192.6.15) from my workstation IP (10.192.6.22). I also ran the crypto generate rsa 1024. I'm sure I have missed something simple, but I can't see it. Any help will be appreciated.

Here is my config, flash contents & show version:

ciscoasa# sh flash

--#-- --length-- -----date/time------ path

   2 8192       Jun 21 2013 11:34:54 log

   5 8192       Jun 21 2013 11:35:04 crypto_archive

   11 8192       Jun 21 2013 11:35:12 coredumpinfo

   12 59         Jun 21 2013 11:35:12 coredumpinfo/coredump.cfg

   86 100         Jun 21 2013 11:35:12 upgrade_startup_errors_201306211135.log

   87 24827904   Jun 21 2013 13:34:38 asa846-k8.bin

   88 1520       Jun 21 2013 14:04:00 7_0_6_0_startup_cfg.sav

   89 1138       Jun 21 2013 14:04:02 upgrade_startup_errors_201306211404.log

   90 18097844   Jun 21 2013 17:06:22 asdm-713.bin

255426560 bytes total (211935232 bytes free)

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(6)

Device Manager Version 7.1(3)

Compiled on Fri 26-Apr-13 09:00 by builders

System image file is "disk0:/asa846-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 1 hour 48 mins

Hardware:   ASA5520-K8, 2560 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06

                             Number of accelerators: 1

0: Ext: GigabitEthernet0/0 : address is 001a.e268.48f8, irq 9

1: Ext: GigabitEthernet0/1 : address is 001a.e268.48f9, irq 9

2: Ext: GigabitEthernet0/2 : address is 001a.e268.48fa, irq 9

3: Ext: GigabitEthernet0/3 : address is 001a.e268.48fb, irq 9

4: Ext: Management0/0       : address is 001a.e268.48fc, irq 11

5: Int: Not used           : irq 11

6: Int: Not used           : irq 5

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited     perpetual

Maximum VLANs                     : 150           perpetual

Inside Hosts                     : Unlimited     perpetual

Failover                         : Active/Active perpetual

VPN-DES                           : Enabled       perpetual

VPN-3DES-AES                     : Enabled       perpetual

Security Contexts                 : 2             perpetual

GTP/GPRS                         : Disabled       perpetual

AnyConnect Premium Peers         : 2             perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 750           perpetual

Total VPN Peers                   : 750           perpetual

Shared License                   : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone   : Disabled       perpetual

Advanced Endpoint Assessment     : Disabled       perpetual

UC Phone Proxy Sessions           : 2             perpetual

Total UC Proxy Sessions           : 2             perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: <<REDACTED>>

Running Permanent Activation Key: <<REDACTED>>

Configuration register is 0x2001

Configuration last modified by enable_15 at 16:18:36.929 UTC Tue Jun 25 2013

ciscoasa# sh run

: Saved

:

ASA Version 8.4(6)

!

hostname ciscoasa

enable password <<REDACTED>>  encrypted

passwd <<REDACTED>>  encrypted

names

dns-guard

!

interface GigabitEthernet0/0

no nameif

security-level 100

no ip address

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.192.6.15 255.255.255.0

management-only

!

boot system disk0:/asa846-k8.bin

ftp mode passive

pager lines 50

logging enable

logging monitor debugging

logging trap debugging

logging asdm debugging

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.192.6.26 255.255.255.255 management

http 10.192.6.46 255.255.255.255 management

http 10.192.6.22 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.192.6.22 255.255.255.255 management

ssh 10.192.6.46 255.255.255.255 management

ssh 10.192.6.26 255.255.255.255 management

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username jherbert password <<REDACTED>> encrypted privilege 15

!

prompt hostname context

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:20c0c291a4843991840c05d48104bc85

: end
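The running-config above contains every config-side prerequisite for remote management access: a named, addressed `management-only` interface, host-specific `ssh` and `http` entries that name that interface, `http server enable` for ASDM, an `asdm image`, and LOCAL SSH authentication backed by a `username`. The one prerequisite that does not appear in running-config is the RSA key pair itself. The following audit script is an added example (not from the thread or from Cisco) that parses a constructed excerpt of this config and reports, for a given client address, which of those prerequisites are satisfied, whether the client is on the management interface's connected subnet, and which hardening points stand out. The excerpt, the function names and the finding strings are all my own assumptions; the config commands themselves are the ones on the page.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above (management-plane lines only).
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 10.192.6.15 255.255.255.0
 management-only
!
aaa authentication ssh console LOCAL
http server enable
http 10.192.6.26 255.255.255.255 management
http 10.192.6.46 255.255.255.255 management
http 10.192.6.22 255.255.255.255 management
ssh 10.192.6.22 255.255.255.255 management
ssh 10.192.6.46 255.255.255.255 management
ssh 10.192.6.26 255.255.255.255 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
asdm image disk0:/asdm-713.bin
username jherbert password <<REDACTED>> encrypted privilege 15
"""

# Matches `ssh <host> <mask> <ifname>` and `http <host> <mask> <ifname>` access entries only;
# `ssh timeout 60` and `http server enable` deliberately do not match.
ACCESS_RE = re.compile(r"^(ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_interfaces(config):
    """Map nameif -> {'subnet': IPv4Network|None, 'management_only': bool} from interface blocks."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if cur and cur["nameif"]:
                ifaces[cur["nameif"]] = cur
            cur = None if line == "!" else {"nameif": None, "subnet": None, "management_only": False}
        elif cur is not None:
            if line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                cur["subnet"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            elif line == "management-only":
                cur["management_only"] = True
    if cur and cur["nameif"]:
        ifaces[cur["nameif"]] = cur
    return ifaces


def permitted_interface(config, proto, client_ip):
    """Return the interface name whose `ssh`/`http` entry admits client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if m and m.group(1) == proto:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if ip in net:
                return m.group(4)
    return None


def audit_management_access(config, client_ip):
    """Check the config-side prerequisites for SSH and ASDM access from client_ip."""
    lines = {ln.strip() for ln in config.splitlines()}
    ifaces = parse_interfaces(config)
    ssh_if = permitted_interface(config, "ssh", client_ip)
    http_if = permitted_interface(config, "http", client_ip)
    result = {
        "ssh_permitted_on": ssh_if,
        "http_permitted_on": http_if,
        "http_server_enabled": "http server enable" in lines,
        "local_ssh_auth": "aaa authentication ssh console LOCAL" in lines,
        "has_local_user": any(ln.startswith("username ") for ln in lines),
        "asdm_image_set": any(ln.startswith("asdm image ") for ln in lines),
        "weak_kex": "ssh key-exchange group dh-group1-sha1" in lines,
        "client_on_connected_subnet": None,
        "notes": [],
    }
    ip = ipaddress.ip_address(client_ip)
    for proto, ifname in (("ssh", ssh_if), ("http", http_if)):
        if ifname is None:
            result["notes"].append(f"no {proto} entry matches {client_ip}")
        elif ifname not in ifaces:
            result["notes"].append(f"{proto} entry names interface '{ifname}' which has no nameif")
        elif ifaces[ifname]["subnet"] is not None:
            on_net = ip in ifaces[ifname]["subnet"]
            result["client_on_connected_subnet"] = on_net
            if not on_net:
                result["notes"].append(
                    f"{client_ip} is not on {ifname}'s connected subnet; a route out of {ifname} is required")
    if result["weak_kex"]:
        result["notes"].append("ssh key-exchange dh-group1-sha1 is weak; prefer dh-group14-sha1 where supported")
    if result["local_ssh_auth"] and not result["has_local_user"]:
        result["notes"].append("LOCAL ssh authentication configured but no username exists")
    if not result["http_server_enabled"]:
        result["notes"].append("http server enable missing; ASDM will not answer")
    # The RSA key pair is never part of running-config; it can only be verified on the box.
    result["notes"].append("RSA key presence not verifiable from config: run 'show crypto key mypubkey rsa'")
    return result


if __name__ == "__main__":
    for key, value in audit_management_access(SAMPLE_CONFIG, "10.192.6.22").items():
        print(f"{key}: {value}")
```

Run against the posted config for 10.192.6.22, every boolean comes back satisfied and the only notes are the two that a config dump cannot settle: the dh-group1-sha1 key exchange (a hardening point, and also something newer SSH clients refuse by default) and the RSA key pair, which has to be confirmed on the appliance itself. That is the useful outcome of the audit: it narrows the remaining suspects to state that lives outside the config.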

3 Replies

julomban
Level 3

Hello,

Did you try removing the commands? If not, please remove the SSH and HTTP commands and re-add them.

Also, you can try "clear config ssl" to set the SSL values to defaults.

Regards,

Juan Lombana

Please rate helpful posts.

Marvin Rhoads
Hall of Fame

Try adding "ssl encryption des-sha1 aes256-sha1" for your ASDM issue.

I'm not sure what's going on with your ssh. Are there any log messages when your attempts at ssh access fail?

johnlloyd_13
Level 9

hi,

your SSH config looks ok. could you post show crypto key mypubkey rsa?

try to remove your RSA keys using crypto key zeroize rsa default and then regenerate them again.

for your ASDM, try using ASDM 7.1(2.102). see compatibility matrix:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
