06-25-2013 12:15 PM - edited 03-11-2019 07:02 PM
After reading through several similar threads I believe I have everything set up correctly, but I still can't get remote access to SSH or ASDM on my ASA 5520. I can ping the management IP, 10.192.6.15, from my workstation IP, 10.192.6.22... I also ran the crypto generate rsa 1024. I'm sure I have missed something simple but I can't see it... Any help will be appreciated...
Here is my config, flash contents & show version:
ciscoasa# sh flash
--#-- --length-- -----date/time------ path
2 8192 Jun 21 2013 11:34:54 log
5 8192 Jun 21 2013 11:35:04 crypto_archive
11 8192 Jun 21 2013 11:35:12 coredumpinfo
12 59 Jun 21 2013 11:35:12 coredumpinfo/coredump.cfg
86 100 Jun 21 2013 11:35:12 upgrade_startup_errors_201306211135.log
87 24827904 Jun 21 2013 13:34:38 asa846-k8.bin
88 1520 Jun 21 2013 14:04:00 7_0_6_0_startup_cfg.sav
89 1138 Jun 21 2013 14:04:02 upgrade_startup_errors_201306211404.log
90 18097844 Jun 21 2013 17:06:22 asdm-713.bin
255426560 bytes total (211935232 bytes free)
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(6)
Device Manager Version 7.1(3)
Compiled on Fri 26-Apr-13 09:00 by builders
System image file is "disk0:/asa846-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 48 mins
Hardware: ASA5520-K8, 2560 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 001a.e268.48f8, irq 9
1: Ext: GigabitEthernet0/1 : address is 001a.e268.48f9, irq 9
2: Ext: GigabitEthernet0/2 : address is 001a.e268.48fa, irq 9
3: Ext: GigabitEthernet0/3 : address is 001a.e268.48fb, irq 9
4: Ext: Management0/0 : address is 001a.e268.48fc, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: <<REDACTED>>
Running Permanent Activation Key: <<REDACTED>>
Configuration register is 0x2001
Configuration last modified by enable_15 at 16:18:36.929 UTC Tue Jun 25 2013
ciscoasa# sh run
: Saved
:
ASA Version 8.4(6)
!
hostname ciscoasa
enable password <<REDACTED>> encrypted
passwd <<REDACTED>> encrypted
names
dns-guard
!
interface GigabitEthernet0/0
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.192.6.15 255.255.255.0
management-only
!
boot system disk0:/asa846-k8.bin
ftp mode passive
pager lines 50
logging enable
logging monitor debugging
logging trap debugging
logging asdm debugging
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.192.6.26 255.255.255.255 management
http 10.192.6.46 255.255.255.255 management
http 10.192.6.22 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.192.6.22 255.255.255.255 management
ssh 10.192.6.46 255.255.255.255 management
ssh 10.192.6.26 255.255.255.255 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username jherbert password <<REDACTED>> encrypted privilege 15
!
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:20c0c291a4843991840c05d48104bc85
: end
06-25-2013 12:26 PM
Hello,
Did you try removing the commands? If not, please remove the SSH and HTTP commands and re-add them.
Also, you can try "clear config ssl" to set the SSL values to defaults.
Regards,
Juan Lombana
Please rate helpful posts.
06-25-2013 07:01 PM
Try adding "ssl encryption des-sha1 aes256-sha1" for your ASDM issue.
I'm not sure what's going on with your SSH. Are there any log messages when your attempts at SSH access fail?
06-26-2013 08:51 AM
Hi,
Your SSH config looks OK. Could you post show crypto key mypubkey rsa?
Try to remove your RSA keys using crypto key zeroize rsa default and then regenerate them again.
For your ASDM, try using ASDM 7.1(2.102). See the compatibility matrix:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
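An added example, not part of any post in this thread: a small Python check of the management-access lines in the posted running-config (source allow-lists for `ssh` and `http`, local authentication, a local user, the named interface) against the workstation IP given in the question. The function names and the config excerpt layout are assumptions made for this example.

```python
import ipaddress
import re

# Management-related lines excerpted from the running-config posted in the thread.
CONFIG = """\
interface Management0/0
 nameif management
 ip address 10.192.6.15 255.255.255.0
aaa authentication ssh console LOCAL
http server enable
http 10.192.6.26 255.255.255.255 management
http 10.192.6.46 255.255.255.255 management
http 10.192.6.22 255.255.255.255 management
ssh 10.192.6.22 255.255.255.255 management
ssh 10.192.6.46 255.255.255.255 management
ssh 10.192.6.26 255.255.255.255 management
ssh key-exchange group dh-group1-sha1
username jherbert password <<REDACTED>> encrypted privilege 15
"""

def allowed(config, service, client, ifname):
    """True if a '<service> <net> <mask> <ifname>' line covers the client IP."""
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    pat = re.compile(rf"^{service} {ip} {ip} {re.escape(ifname)}$", re.M)
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
               for net, mask in pat.findall(config))

def audit(config, client, ifname="management"):
    """Report which management-access prerequisites the config satisfies."""
    lines = [line.strip() for line in config.splitlines()]
    return {
        "interface_named": f"nameif {ifname}" in lines,
        "ssh_source_permitted": allowed(config, "ssh", client, ifname),
        "ssh_local_auth": "aaa authentication ssh console LOCAL" in lines,
        "local_user_exists": any(l.startswith("username ") for l in lines),
        "asdm_http_server": "http server enable" in lines,
        "asdm_source_permitted": allowed(config, "http", client, ifname),
        # Hardening flag, not a connectivity check: DH group 1 is a 768-bit group.
        "weak_ssh_kex": "ssh key-exchange group dh-group1-sha1" in lines,
    }

if __name__ == "__main__":
    for check, result in audit(CONFIG, "10.192.6.22").items():
        print(f"{check:24} {result}")
```

Every allow-list and authentication check passes for 10.192.6.22, so the items left to examine are the ones the replies raise: the RSA key pair, the SSL cipher settings and the ASDM version.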