Re: Unable to SSH ASA from outside interface

Bhadresh Prajapati · ‎04-11-2012

I am unable to access ASA by external interface, i cannot ssh to the ASA to external inteface, it shows port 22 is in use but we don't use port 22.

i appreciate any help

aaa(config)# ssh 0.0.0.0 0.0.0.0 Outside

ERROR: Unable to configure service on port 22, on interface 'Outside'. This port is currently in use by another feature

Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>

[no] ssh timeout <number>

[no] ssh version 1|2

[no] ssh scopy enable

show ssh [sessions [<client_ip>]]

ssh disconnect <session_id>

show running-config [all] ssh

clear configure ssh

when i try to configure SSH for outside it show message it is in use, but actually we don't use 22 port for anything.

#################

msopsasa(config)# packet-tracer input outside tcp 4.2.2.2 22 55.55.55.55 22 detail

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 204.187.93.33 255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x732c54b0, priority=0, domain=permit, deny=true

hits=2544204, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=Outside, output_ifc=any

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

#######################

aaa#sh run

: Saved

:

ASA Version 8.4(1)

!

hostname msopsasa

enable password assss encrypted

passwd ssss encrypted

names

!

interface GigabitEthernet0/0

description Outside

nameif Outside

security-level 0

ip address 55.55.55.55 255.255.255.0

!

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 3.2.1.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa841-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_172.16.0.192_27

subnet 172.16.0.192 255.255.255.224

object network obj-remote

subnet 10.1.0.0 255.255.252.0

object network obj-local

subnet 3.2.1.0 255.255.255.0

object network remote-vpn

subnet 172.16.0.0 255.255.255.0

object network INSIDE-GLOBAL

subnet 0.0.0.0 0.0.0.0

object network OpManager

host 3.2.1.241

object service WEB

service tcp destination eq www

object-group network SERVER

network-object 172.16.0.0 255.255.255.0

object-group network aaa

network-object 10.0.0.0 255.0.0.0

object-group network aaa

network-object 192.168.20.0 255.255.255.0

network-object 192.168.30.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

object-group network aaa

network-object 192.168.1.0 255.255.255.0

network-object 192.168.3.0 255.255.255.0

network-object 192.168.2.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

object-group network aaa

network-object 192.168.111.0 255.255.255.0

network-object 192.168.99.0 255.255.255.0

object-group network SCIENTA

network-object 192.168.101.0 255.255.255.0

object-group network aaa

network-object 3.2.5.0 255.255.255.0

object-group network aaaa

network-object 3.6.0.0 255.255.0.0

network-object 3.7.0.0 255.255.0.0

network-object 3.8.0.0 255.255.0.0

network-object 3.9.0.0 255.255.0.0

network-object 3.10.0.0 255.255.0.0

object-group network aaaa

network-object 3.2.6.0 255.255.255.0

access-list Split_Tunnel_ACL standard permit 3.2.1.0 255.255.255.0

access-list PRINCESSAUTO-DR extended permit ip 3.2.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list REACH extended permit ip 3.2.1.0 255.255.255.0 object-group REACH

access-list Inside_access_in extended permit ip any any

access-list WIREIE extended permit ip 3.2.1.0 255.255.255.0 object-group WIREIE

access-list PSTG extended permit ip 3.2.1.0 255.255.255.0 object-group PSTG

access-list SCIENTA extended permit ip 3.2.1.0 255.255.255.0 object-group SCIENTA

access-list outside_access_in extended permit tcp any object OpManager eq www

access-list outside_inside_in extended permit tcp any host 3.2.1.241 eq 3389

access-list outside_inside_in extended permit tcp any host 3.2.1.241 eq www

access-list outside_inside_in extended permit tcp any any eq 4343

access-list outside_inside_in extended permit udp any host 3.2.1.241 eq snmptrap

access-list outside_inside_in extended permit udp any host 3.2.1.241 eq snmp

access-list outside_inside_in extended permit tcp any host 3.2.1.241 eq 4443

access-list outside_inside_in extended permit tcp any host 3.2.1.241 eq https

access-list AIM extended permit ip 3.2.1.0 255.255.255.0 3.2.5.0 255.255.255.0

access-list PRINCESSAUTO extended permit ip 3.2.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list NAFA extended permit ip 3.2.1.0 255.255.255.0 object-group NAFA

access-list CAPSTONE extended permit ip 3.2.1.0 255.255.255.0 3.2.6.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging console debugging

logging monitor debugging

logging trap informational

logging asdm informational

logging device-id hostname

flow-export destination Inside 3.2.1.202 9996

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool VPN_Pool 172.16.0.200-172.16.0.220 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-643.bin

asdm history enable

arp timeout 14400

nat (Inside,Outside) source static obj-local obj-local destination static aaa aaa

!

object network INSIDE-GLOBAL

nat (Inside,Outside) dynamic interface

object network OpManager

nat (Inside,Outside) static interface service tcp https https

access-group outside_inside_in in interface Outside

access-group Inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 204.187.93.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable 4433

http 192.168.1.0 255.255.255.0 management

http 172.16.0.0 255.255.255.0 Outside

http 0.0.0.0 0.0.0.0 Outside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-

MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 70 set ikev1 transform-set ESP-AES-256-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto ikev1 enable Outside

crypto ikev1 enable Inside

crypto ikev1 policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 Inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 30

ssh version 2

console timeout 0

management-access Inside

dhcpd dns 204.187.93.1 8.8.8.8 interface Inside

dhcpd domain asdf interface Inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy msops internal

group-policy msops attributes

dns-server value 8.8.8.8 4.4.4.2

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_ACL

tunnel-group msops type remote-access

tunnel-group msops general-attributes

address-pool VPN_Pool

default-group-policy msops

tunnel-group msops ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f1e5c68b650fca411d4ef6a5fc10c880

: end

rmeans · ‎04-11-2012

From the config...

telnet 0.0.0.0 0.0.0.0 Inside

ssh 0.0.0.0 0.0.0.0 Inside

management-access Inside

Notice each reference inside. You will need to reference outside (SSH) or not use (mgmt-access).

Also, I didn't see any AAA or any username passwords defined.

Bhadresh Prajapati · ‎04-11-2012

Username and password I have removed for security purpose.

AAA is configured (aaa authentication ssh console LOCAL)

I don’t understand following statement.

Notice each reference inside. You will need to reference outside (SSH) or not use (mgmt-access).

Thank you.

Bhadresh

rmeans · ‎04-12-2012

Your config has the following

interface GigabitEthernet0/0

nameif Outside

ip address 55.55.55.55 255.255.255.0

interface GigabitEthernet0/1

nameif Inside

ip address 3.2.1.1 255.255.255.0

ssh 0.0.0.0 0.0.0.0 Inside

management-access Inside

If you want to SSH to the outside interface (55.55.55.55) then you will need to add an entry allowing SSH access to the outside interface

ssh 0.0.0.0 0.0.0.0 outside

! this anyone can try to ssh

! you may want to limit the address range

I see you have VPN connections configured on the ASA. If you want to manage the ASA after you have made a VPN connection use the inside IP address (3.2.1.1). The management-access command gives you this capability.