Solved: Re: I can not connect ssh in cisco asa 5515-x - Page 3

Hamid Amir · ‎02-06-2022

Dear all

I cannot access ssh after replacing my broking cisco asa 5505 with cisco asa 5515-X, although I can access ASDM .

Can you help Please ?

ciscoasa# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet0/2
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet0/3
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet0/4
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet0/5
bridge-group 1
nameif inside_5
security-level 100
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

ciscoasa# sh run ssh
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1

ciscoasa# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history

ciscoasa# sh run http
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 0.0.0.0 0.0.0.0 inside

marce1000 · ‎02-07-2022

- Post the full running-config of this basic configuration that you tried.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hamid Amir · ‎02-08-2022

Hi Marce

Please see the attachment file as requested.

Kind Regards

Hamid

marce1000 · ‎02-08-2022

- Sorry this looks way far from an initial config + basic SSH configuration.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hamid Amir · ‎02-08-2022

: Serial Number: FCH194876G8
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$dR8oMJgWF3K7ICy1+IIabQ==$fcJKeURp46bP6+F63WcYSA== pbkdf2
names

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet0/2
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet0/3
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet0/4
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet0/5
bridge-group 1
nameif inside_5
security-level 100
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.4.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.0.0.0 management
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.2-10.0.1.1 management
dhcpd enable management
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username hamid password $sha512$5000$+1dYqiqj579Mdi4FCfG4FQ==$9vh2Blq4gD+vlMBSeEcx2Q== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2da68cc47e896b08bc91d0f43353de42
: end

Jitendra Kumar · ‎02-07-2022

Before you go for the factory reset please upgrade ASA with

Release 9.12.4 Interim

and reconfigure ssh .

Thanks,

Jitendra

Thanks,
Jitendra

Hamid Amir · ‎02-08-2022

ਊ⌣汐慥敳琠灹⁥潹牵爠灥祬愠潢敶琠楨⁳楬敮ⴠ⌣
Sent from Mail for Windows
Hi Jitendra
I do no have subscription account to download the Release 9.12.4 Interim .

Kind Regards
Hamid

marce1000 · ‎02-08-2022

- Adding to current iterations a number of bug reports may be applicable :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw02009

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu42434

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc82270

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15503

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000 · ‎02-09-2022

- Good to know you got this resolved , now that you can use SSH , a useful tool can sometimes be : https://cway.cisco.com/cli . You can connect with the CLI analyzer and in the upper left corner press on System Diagnostics, this will sometimes provide useful configuration advice(s) too. When problems or crashes are observed you can also at the right run the Crash dump Analyzer.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hamid Amir · ‎02-09-2022

Thank you very much for the link.

Kind Regards

Hamid