Solved: Re: I can not connect ssh in cisco asa 5515-x

Hamid Amir · ‎02-06-2022

Dear all

I cannot access ssh after replacing my broking cisco asa 5505 with cisco asa 5515-X, although I can access ASDM .

Can you help Please ?

ciscoasa# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet0/2
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet0/3
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet0/4
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet0/5
bridge-group 1
nameif inside_5
security-level 100
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

ciscoasa# sh run ssh
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1

ciscoasa# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history

ciscoasa# sh run http
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 0.0.0.0 0.0.0.0 inside

marce1000 · ‎02-07-2022

- Perhaps you could relax you ssh 'access spectrum' for a test and use these commands in the configuration instead :

>...

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

Georg Pauwen · ‎02-08-2022

Hello,

try and configure an even lower modulus:

domain-name cisco
crypto key generate rsa label cisco modulus 1024

View solution in original post

marce1000 · ‎02-06-2022

- Did you generate the ssh key pair as in :ciscoasa# crypto key generate rsa modulus 4096 (for example)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hamid Amir · ‎02-06-2022

Thank for your quick reply.

Yes I did, but still I have same problem.

Please see below.

ciscoasa(config)# crypto key generate rsa modulus 4096
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
ciscoasa(config)# exit

Georg Pauwen · ‎02-06-2022

Hello,

post the full running configuration of the ASA (sh run), it is difficult to tell what you are missing.

D you have:

ssh 0.0.0.0 0.0.0.0 inside

configured ?

Hamid Amir · ‎02-06-2022

Hi George,

I get error message Network error: Connection refused.

Please see below as requested.

ciscoasa# sh run
: Saved

:
: Serial Number: FCH194876G8
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$2sChCFCDwppwbU2ezDGUSA==$/VvQMBWBOyffJ5We+cnfJQ== pbkdf2
names
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet0/2
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet0/3
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet0/4
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet0/5
bridge-group 1
nameif inside_5
security-level 100
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.100.0_28
subnet 192.168.100.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network obi-inside
subnet 192.168.1.0 255.255.255.0
object network obj-AnyconnectPool
subnet 192.168.100.0 255.255.255.0
object network obj-inside
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
access-list remotevpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu management 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (inside_1,outside) dynamic interface
object network obj-AnyconnectPool
nat (outside,outside) dynamic interface
object network obj-inside
nat (inside_1,outside) dynamic interface
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.4.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate 2fcafa61
308201cf 30820138 a0030201 0202042f cafa6130 0d06092a 864886f7 0d01010b
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 32323032 30323232 33343239
5a170d33 32303133 31323233 3432395a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4 886d6a61
294d74f5 d7e95dda d629f05c 8c6b7a64 0ad5fc3e 5aff3ed9 e19c8fcd cb14490a
0165c67a c57c8a52 0a11c32a f623c7c7 284af9ac 6f6acc36 82e4d9af 222e657c
bbfaed6a 573117aa fdf164a2 6c9c2bcd 10ed1454 4c7bb81d 98a134cf 23767557
1da41d02 0da8c387 21a3170f 8ca2bba6 f7db7695 a4be0cf3 ecc96902 03010001
300d0609 2a864886 f70d0101 0b050003 81810029 88cc72d9 482dcfc3 6af12887
a1a19b80 8819cc48 ab1faec3 f660d7f5 5006f286 41530a4d 92801907 9edfc27a
88c29934 5fe87fbb 719a0958 bf0a9dd2 90b04e95 20925501 593f2d62 174f10dc
3682d89c bc30f1a1 f4fb0a02 31f5cb53 2b82f12f 21d3d363 936b4243 40461bbd
d64a4faa 123352f0 268a2397 3e03a773 892265
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 50
encryption aes-256
integrity sha256
group 19
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "AES256-SHA:DES-CBC-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:DES-CBC-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:DES-CBC-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint2 outside
ssl trust-point ASDM_TrustPoint2 inside_1
ssl trust-point ASDM_TrustPoint2 inside_2
ssl trust-point ASDM_TrustPoint2 inside_3
ssl trust-point ASDM_TrustPoint2 inside_4
ssl trust-point ASDM_TrustPoint2 inside_5
ssl trust-point ASDM_TrustPoint2 inside
webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.10.02086-webdeploy-k9.pkg 1
anyconnect profiles remote_client_profile disk0:/remote_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_hamid internal
group-policy GroupPolicy_hamid attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value remote_client_profile type user
always-on-vpn profile-setting
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remotevpn_splitTunnelAcl
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DfltAccessPoelicy
username hamid password $sha512$5000$Wb6CmAOOMZXDHNOMr2C7ng==$nxq8T2coN0AyF7wY/21KEA== pbkdf2 privilege 15
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group hamid type remote-access
tunnel-group hamid general-attributes
address-pool vpnpool
default-group-policy GroupPolicy_hamid
tunnel-group hamid webvpn-attributes
group-alias hamid enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:68462d19928939fae146fed460bb6d40
: end

Georg Pauwen · ‎02-06-2022

Hello,

also, try and add:

aaa authentication enable console LOCAL

to the configuration.

Jitendra Kumar · ‎02-06-2022

Change the RSA key String to 2048 bit. It is advisable to use the 2048 bit.

edledge-asa#conf t
edledge-asa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: 
Keypair generation process begin. Please wait.....

all a good and SSH is configured correctly then try the last option to reboot the ASA so that all services will get restart.

Thanks,

Jitendra

Thanks,
Jitendra

Hamid Amir · ‎02-07-2022

Hi Jitendra

Still same problem.

ciscoasa# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: fce20062
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
hostname=ciscoasa
cn=ciscoasa
Subject Name:
hostname=ciscoasa
cn=ciscoasa
Validity Date:
start date: 09:35:31 UTC Feb 7 2022
end date: 09:35:31 UTC Feb 5 2032
Storage: config
Associated Trustpoints: ASDM_TrustPoint3

ciscoasa# sh run aaa
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history

Thanks

Jitendra Kumar · ‎02-07-2022

what is the current firmware version??

Thanks,

Jitendra

Thanks,
Jitendra

Hamid Amir · ‎02-07-2022

Hi Jitendra

As requested

Cisco Adaptive Security Appliance Software Version 9.9(2)
Firepower Extensible Operating System Version 2.3(1.84)
Device Manager Version 7.16(1)150

Compiled on Sun 25-Mar-18 17:39 PDT by builders
System image file is "disk0:/asa992-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 42 mins

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1 )
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

Thanks

Hamid

marce1000 · ‎02-07-2022

- Perhaps you could relax you ssh 'access spectrum' for a test and use these commands in the configuration instead :

>...

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hamid Amir · ‎02-07-2022

Hi Marce,

Still same problem..

Please see below.

ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 inside
WARNING: SSH on BVI works over VPN tunnel only when management-access is enabled on this interface
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# exit

marce1000 · ‎02-07-2022

- Revert these commands , and after try with management-access inside , added to the configuration

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hamid Amir · ‎02-07-2022

Hi Marce

Thank you for your valuable time.

Still same problem.

Please see below,

ciscoasa(config)# management-access inside
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 inside
WARNING: SSH on BVI works over VPN tunnel only when management-access is enabled on this interface
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 outside

Kind Regards

Hamid

marce1000 · ‎02-07-2022

- Ok, but put your old ssh access region commands back in :

no ssh 0.0.0.0 0.0.0.0 inside

no ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside

management-access inside

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '