ASA Firewall Config Issue with SSH

ITManagerNRMoto
Level 1

Hey there.

I'm trying to set up a management VLAN on my switch downstairs through my ASA that's on my same network, but I'm putting the address on another network so it's routed through the ASA, to harden up SSH to my address only.

Some rough config is

Management VLAN 999 on the switch is at 10.0.200.250. I can ping this from my PC and from the ASA. I cannot SSH into it.

I can SSH into its other IP via layer 2 when I'm on the same network, e.g. 10.10.10.*, which is why I wanted it to be address-based only, to harden it up.

My rule of source address *mine*, dest 10.0.200.250, SSH, permit is rule 1;

any source address, dest 10.0.200.250, SSH, deny is second. Even when I've disabled this I cannot SSH into it.

Just wondering if I could have missed something? It worked for the other address I had on a different network, but not on this one.

Cheers

15 Replies

ITManagerNRMoto
Level 1

SSH command with -vvv:

debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 10.0.200.250 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\davie/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\davie/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.0.200.250 [10.0.200.250] port 22.
debug3: finish_connect - ERROR: async io completed with error: 10060, io:000001F5755BF030
debug1: connect to address 10.0.200.250 port 22: Connection timed out
ssh: connect to host 10.0.200.250 port 22: Connection timed out
PS C:\Users\davie>

Can you draw the topology?

MHM

Stefan Mihajlov
Level 3

@ITManagerNRMoto 

When you put a switch SVI into a dedicated management VLAN behind the ASA, you need to make sure a couple of pieces line up beyond just the ACLs. The ASA can happily permit the traffic, but the switch has to know how to return it. If the default gateway on that SVI isn’t pointing back to the ASA, the SYN packets from your PC will hit the switch but the replies won’t make it back.

A few quick checks:

  • Confirm the switch’s VLAN 999 interface has its ip default-gateway (if L2) or ip route (if L3) set toward the ASA interface in that subnet.

  • On the ASA, verify you have an ACL line permitting SSH to 10.0.200.250 from your host before the deny.

  • Make sure the ASA interface connected to VLAN 999 is actually in that 10.0.200.0/24 network, or that there’s a static route on the ASA pointing to it.

  • Lastly, confirm SSH is enabled on the switch for that management IP (ip ssh / transport input ssh under vty).

Once the return path is correct and ASA is permitting it, you should be able to establish the SSH session without needing to rely on the old 10.10.10.x address.

Best regards,
Stefan Mihajlov


Hey @Stefan Mihajlov ,

VLAN 999 IP is 10.0.200.250... the default gateway is 10.0.200.1. The port on the ASA it's connected to is 10.0.200.1.
Can confirm the ACLs work... if I switch IP I get refused... but when I have the IP set as the permitted IP I get the "time out". PC and ASA can ping 10.0.200.250.
Yes, SSH is enabled. The reason I'm doing this is to not have a local-network L2 SSH connection and to connect only over L3 and from my IP, to tighten SSH.

Regarding the 10.10.10.* address, it's just my PC's personal lab. I have a router that is acting as my IP 10.0.2.210, but it's doing NAT in and NAT out. I can SSH into another IP on a different switch. I'm just struggling with this one for some reason.

Looking at 12.2(55)SE12 SSH bugs now, as it's network SSH only that seems to be the issue...

Also used Wireshark and saw some RST packets being returned... by the switch. Unsure why, honestly, at this stage.

Cheers, Chris

Why not restrict SSH access on the switch via an access list and apply it to the VTY lines? Maybe you already have one that is not allowing SSH from your PC? If you do "ping tcp 10.0.200.250 22 source 10.0.200.1 1234" from the ASA, what do you get? If that command doesn't work, do "ping tcp", hit enter and fill in the required information, please.

Stefan Mihajlov
Level 3

@ITManagerNRMoto 

Given you can ping 10.0.200.250 and you're seeing RST from the switch, this is almost always a control-plane policy on the switch itself (VTY ACL / quiet-mode) or an SSH algorithm mismatch: your client debug shows it offering only diffie-hellman-group1-sha1, which many IOS/Cat9k images refuse.

From the switch, make sure the VTYs allow your routed source (not the old L2 subnet) with an access-class that includes your 10.0.2.210-NATed IP, confirm transport input ssh and ip ssh version 2 are set, and check you're not in login quiet-mode (show login). If it's crypto, either use a client that offers group14/sha256 or on the switch enable a compatible set, e.g. ip ssh server algorithm kex diffie-hellman-group14-sha1 (or add sha256), and keep RSA host keys.

Quick triage: from the ASA run ping tcp 10.0.200.250 22 source 10.0.200.1 1234 to prove L4 reachability, then on the switch run debug ip ssh while you attempt the connection; you'll immediately see whether it's an ACL/quiet-mode drop or a KEX rejection. Once the VTY ACL matches your routed IP and the KEX lines up, the RSTs stop and SSH lands on VLAN 999 as intended.

Best regards,
Stefan Mihajlov

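The checks listed in the two replies above (return path, VTY access-class, ip ssh version 2, ASA ACL) written out as configuration. This is an added example and not configuration from any post in this thread. It reuses the thread's addresses (SVI 10.0.200.250, ASA interface 10.0.200.1, management host 10.0.2.210); the ACL and interface names MGMT-SSH, MGMT-IN and MGMT-HOST-NET, and the assumption that the management host enters the ASA on one dedicated interface, are illustrative.

```cisco
! ===== Switch side (IOS, layer-2 access switch with one management SVI) =====
! Added example, not the thread's own config. Names MGMT-SSH is an assumption.
!
interface Vlan999
 description Management SVI, reachable only via the ASA
 ip address 10.0.200.250 255.255.255.0
!
! Return path: an L2 switch needs a default gateway, otherwise SYN-ACKs to
! off-subnet clients (e.g. 10.0.2.210) have nowhere to go. On an L3 switch
! use "ip route 0.0.0.0 0.0.0.0 10.0.200.1" instead.
ip default-gateway 10.0.200.1
!
! Only the management host may open a VTY session; everything else is
! logged and dropped by the switch itself, independent of the ASA.
ip access-list standard MGMT-SSH
 permit host 10.0.2.210
 deny   any log
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Slow down brute force: after 5 failures in 60 s, block logins for 120 s
! except from the management host. "show login" then reports quiet-mode state.
login block-for 120 attempts 5 within 60
login quiet-mode access-class MGMT-SSH
!
line vty 0 15
 access-class MGMT-SSH in
 login local
 transport input ssh
 exec-timeout 10 0
!
! ===== ASA side (routed mode) =====
! Inbound ACL on the interface where the management host's traffic enters.
! MGMT-IN and MGMT-HOST-NET are assumed names.
access-list MGMT-IN extended permit tcp host 10.0.2.210 host 10.0.200.250 eq ssh
access-list MGMT-IN extended deny   tcp any          host 10.0.200.250 eq ssh log
access-list MGMT-IN extended permit ip any any
access-group MGMT-IN in interface MGMT-HOST-NET
!
! Both switch-facing interfaces sit at security level 50 in the thread.
! The ASA drops traffic between interfaces of equal security level unless
! this is enabled, even when an ACL permits it.
same-security-traffic permit inter-interface
```

Two practical caveats. First, with the access-class in place the ASA's own "ping tcp 10.0.200.250 22 source 10.0.200.1 1234" probe will fail by design, because 10.0.200.1 is not in MGMT-SSH; either permit it temporarily or read the failure accordingly. Second, the client-side `+diffie-hellman-group1-sha1`, `+aes128-cbc` and `+hmac-sha1` overrides that appear later in the thread re-enable algorithms OpenSSH disables by default for being weak. To my knowledge the `ip ssh server algorithm ...` commands are not available on 12.2(55)SE images such as the one on this 3750, so the switch cannot be made to offer anything stronger; the access-class and the ASA ACL are the compensating controls, and the attack surface is limited to the one permitted source.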

I have gone over my VTY lines

!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!

and the algorithms. I can connect on layer 2 just fine with an ssh config like:

HostName 10.0.2.250
User admin
HostKeyAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
MACs +hmac-sha1

For example and regarding logins..


# show login
No login delay has been applied.
No Quiet-Mode access list has been configured.

Router NOT enabled to watch for login Attacks

#

 

Result of the command: "ping tcp 10.0.200.250 22 source 10.0.200.1 1234"

Type escape sequence to abort.
Sending 5 TCP SYN requests to 10.0.200.250 port 22
from 10.0.200.1 starting port 1234, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


So this would imply an ACL issue?



 

From my current network I can access the other switch on 10.0.3.* with this rule. The hits on the deny are from when I've tried on Wi-Fi on the 10.0.3 network, as I'm not at the set IP 10.0.2.210 that way.

Without a topology I cannot help you.

MHM

Hi MHM,

Internet > ASA (each Gig port connects to a VLAN on a switch). So basically Gig0/2 and Gig0/4 go into the switch I'm having issues with.
Gig0/6, Gig0/7 and Gig0/3 go into the other switch, which I can SSH into.

The switch I'm having issues with is a 3750 48 PoE.

 

Does the SW interface with the issue have the same security level as the other interfaces?

MHM

Yes, it has the same as a few others, at 50.

Do you use same-security permit inter/intra?

MHM

The traffic from the ASA to the switch on port 22/TCP doesn't seem to go through. Do you have any ACL applied to the switch port connected to the ASA, by any chance? Could you please assign your laptop an IP in the subnet 10.0.200.x, connect it to a switch port in VLAN 999 and try to SSH from there?

No ACLs applied on the switch. I can connect physically, get an address via DHCP on a port in VLAN 999 and SSH fine with:

User admin
HostKeyAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
MACs +hmac-sha1

So SSH is working on that port; it just doesn't seem to work over the network.
I have noticed TCP domain has been enabled on the other interfaces which work. Would TCP and IP need to be enabled, I assume?

Enabled it and Packet Tracer does this...