SSH issue on inside interface.

mehmoodch
Level 1

Hi,

I can't SSH to the inside interface of my ASA5505 firewall, while ASDM and telnet are working. I have opened SSH access along with telnet and ASDM.

I can SSH to the outside interface. It's a very weird problem that SSH on the inside interface is not working.

Below is the configuration of my ASA5505 firewall. Any solution, please?

ASA Version 8.3(2)4
hostname MEL-ASA-01
domain-name xxxxxxxxxxxxxx
interface Vlan1
nameif inside
security-level 100
ip address 10.0.16.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxx 255.255.255.252
!
interface Vlan50
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.0.112.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 50
!
interface Ethernet0/7
switchport access vlan 50
!
boot system disk0:/asa832-4-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
access-list Inside_noNAT extended permit ip any object-group Edn_LAN
access-list Inside_noNAT extended permit ip any object VPN_Dialup
access-list Inside_noNAT extended permit ip object-group Edn_LAN interface inside
access-list Inside_OUT extended permit tcp object-group email_allowed_hosts object edn-exc-01 eq smtp
access-list Inside_OUT extended deny tcp any any eq smtp
access-list Inside_OUT extended permit ip any any
access-list Outside_IN extended permit icmp any any echo-reply
access-list Edinburgh_tun_acl extended permit ip object MEL_Lan object-group Edn_LAN
access-list Edinburgh_tun_acl extended permit ip object MEL_Lan object VPN_Dialup
pager lines 24
logging enable
logging trap critical
logging history critical
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static Edn_LAN Edn_LAN
nat (inside,any) source static any any destination static VPN_Dialup VPN_Dialup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group Inside_OUT in interface inside
access-group Outside_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http Edn_Svr 255.255.254.0 inside
http 10.0.16.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.224 outside
http Edn_Data 255.255.252.0 inside
snmp-server host inside 10.0.0.32 community ***** version 2c
snmp-server host inside 10.0.0.40 community ***** version 2c
snmp-server location Amsterdam
snmp-server contact ts@xxxxxxxxxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet Edn_Data 255.255.252.0 inside
telnet 10.0.16.0 255.255.255.0 inside
telnet Edn_Svr 255.255.254.0 inside
telnet timeout 5
ssh Edn_Svr 255.255.254.0 inside
ssh 10.0.16.0 255.255.255.0 inside
ssh Edn_Data 255.255.252.0 inside
ssh 172.16.1.16 255.255.255.255 inside
ssh edn-pix2 255.255.255.255 outside
ssh 94.175.211.224 255.255.255.224 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd option 150 ip 172.17.0.10
!
dhcpd address 10.0.16.128-10.0.16.192 inside
dhcpd dns 10.0.16.11 10.0.0.11 interface inside
dhcpd wins 10.0.0.11 10.0.0.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain axiossystems.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.0.1 source outside prefer
webvpn
username xxxxx password xxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxx ipsec-attributes
pre-shared-key *****
peer-id-validate cert
tunnel-group xxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6xxxxxxxxxxxxxxxxxxxxxxxxxx
: end

5 Replies

Jouni Forss
VIP Alumni

Hi,

Very strange that it would work from "outside" and not "inside".

You can use the command

show asp table socket

To confirm if the ASA is listening on port TCP/22 on the "inside" interface.

Otherwise I would probably suggest monitoring the SSH Connection attempt through the ASDM to determine what is the cause of the problem.

I assume you are trying to connect from the "inside" network?

- Jouni

Hi Jouni Forss,

Yes, I am trying to access it on the inside interface. Please find below the output of the command. I am not sure how I can monitor via ASDM. Can you please help?

Thanks

mahmood

Protocol  Socket    Local Address               Foreign Address         State
SSL       0003de0f  10.0.16.1:443               0.0.0.0:*               LISTEN
SSL       000507cf  xxxxxxxxxx:443              0.0.0.0:*               LISTEN
TCP       000934ff  10.0.16.1:22                0.0.0.0:*               LISTEN
TCP       000c9daf  xxxxxxxxxx.22:22            0.0.0.0:*               LISTEN
TCP       01d755bf  10.0.16.1:23                0.0.0.0:*               LISTEN
SSL       02e95178  10.0.16.1:443               172.16.1.16:50078       ESTAB
SSL       02ed4e28  10.0.16.1:443               172.16.1.16:50080       ESTAB
TCP       031061d8  10.0.16.1:23                172.16.1.16:51609       ESTAB
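The two things Jouni's first reply asks you to confirm can be checked mechanically. The script below is an added example, not from the thread or from Cisco; its function names and the sample strings are mine, the sample strings being constructed from the `show asp table socket` rows and the `ssh` lines posted in this thread. It reports whether TCP/22 is in LISTEN state on the inside address and whether the client's source address is covered by an `ssh <addr> <mask> <iface>` line. Lines that use a named object (Edn_Svr, Edn_Data, edn-pix2) cannot be resolved without the object definitions, so they are listed separately rather than silently dropped.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the listener table from the thread, trimmed to unmasked rows.
SOCKET_TABLE = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0003de0f  10.0.16.1:443               0.0.0.0:*               LISTEN
TCP       000934ff  10.0.16.1:22                0.0.0.0:*               LISTEN
TCP       01d755bf  10.0.16.1:23                0.0.0.0:*               LISTEN
SSL       02e95178  10.0.16.1:443               172.16.1.16:50078       ESTAB
TCP       031061d8  10.0.16.1:23                172.16.1.16:51609       ESTAB
"""

# Constructed sample: the ssh access lines from the posted configuration.
CONFIG = """\
ssh Edn_Svr 255.255.254.0 inside
ssh 10.0.16.0 255.255.255.0 inside
ssh 172.16.1.16 255.255.255.255 inside
ssh 94.175.211.224 255.255.255.224 outside
ssh timeout 5
ssh version 2
"""

# proto, socket id, local addr:port, foreign addr:port, state
SOCKET_RE = re.compile(r"^(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# ssh <addr-or-object> <dotted mask> <iface>; `ssh timeout`/`ssh version` do not match
SSH_RE = re.compile(r"^ssh\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_socket_table(text: str) -> List[Dict[str, str]]:
    """Turn `show asp table socket` output into rows; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue
        proto, sock, local, foreign, state = m.groups()
        local_ip, local_port = local.rsplit(":", 1)
        rows.append({"proto": proto, "socket": sock, "local_ip": local_ip,
                     "local_port": local_port, "foreign": foreign, "state": state})
    return rows


def listeners(text: str, port: int) -> Set[str]:
    """Local addresses with a TCP socket in LISTEN state on `port`."""
    return {r["local_ip"] for r in parse_socket_table(text)
            if r["proto"] == "TCP" and r["state"] == "LISTEN"
            and r["local_port"] == str(port)}


def parse_ssh_lines(config: str) -> Tuple[List[Tuple[ipaddress.IPv4Network, str]], List[str]]:
    """Collect (network, interface) pairs from ssh access lines.
    Lines whose address is a named object are returned as unresolved."""
    allowed, unresolved = [], []
    for line in config.splitlines():
        m = SSH_RE.match(line.strip())
        if not m:
            continue
        addr, mask, iface = m.groups()
        try:
            allowed.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
        except ValueError:
            unresolved.append(line.strip())
    return allowed, unresolved


def ssh_allowed(config: str, src_ip: str, iface: str) -> bool:
    """True if `src_ip` arriving on `iface` matches a resolvable ssh access line."""
    src = ipaddress.ip_address(src_ip)
    allowed, _ = parse_ssh_lines(config)
    return any(src in net and iface == net_iface for net, net_iface in allowed)


def diagnose(socket_text: str, config: str, iface: str, iface_ip: str, src_ip: str) -> Dict[str, bool]:
    """Both checks for one client/interface pair."""
    return {
        "listening_on_22": iface_ip in listeners(socket_text, 22),
        "source_permitted": ssh_allowed(config, src_ip, iface),
    }


if __name__ == "__main__":
    result = diagnose(SOCKET_TABLE, CONFIG, "inside", "10.0.16.1", "172.16.1.16")
    for check, ok in result.items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
    for line in parse_ssh_lines(CONFIG)[1]:
        print(f"not resolvable without object definitions: {line}")
```

For the data in this thread both checks pass (the ASA listens on 10.0.16.1:22 and 172.16.1.16 is explicitly permitted on inside), which is why the replies move on to the logging view, `debug ssh` and the SSH server key rather than the access lines.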

Hi,

Well, first off I would look at the monitor logging section while attempting the SSH connection.

If that doesn't help, then you always have the option to use "debug ssh" and monitor the output through ASDM or a Telnet management connection.

The above output would seem to indicate that the ASA is listening on the port TCP/22 on the "inside" interface.

Are you just getting timeout for the SSH connection or are you getting any prompts?

- Jouni

Hi

I have run the SSH DEBUG command but I am not getting any output on the prompt.

I am not getting any log on ASDM either.

I am getting the following error when trying to SSH to the inside interface.

The session would hang for 2-3 minutes and then return the following error:

"Putty fatal Error              Network Error: Software caused connection abort  "

Hi,

I understand that you are able to connect via outside, but try regenerating the crypto key. Just a thought.

Thx

MS
