I cannot connect via SSH to Cisco ASA 5515-X

Hamid Amir
Level 1

Dear all

I cannot access SSH after replacing my broken Cisco ASA 5505 with a Cisco ASA 5515-X, although I can access ASDM.

Can you help Please ?

 

ciscoasa# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet0/2
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet0/3
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet0/4
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet0/5
bridge-group 1
nameif inside_5
security-level 100
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

 

ciscoasa# sh run ssh
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1

 

ciscoasa# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history

 

ciscoasa# sh run http
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 0.0.0.0 0.0.0.0 inside

38 Replies
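As an added example (not from the thread or from Cisco), a small Python audit that cross-checks the ssh and http allowed-host entries in the question's configuration against its nameif and bridge-group layout: it reports member interfaces of a BVI (inside_1 and so on) that have an http entry but no ssh entry, which is the pattern behind an ACL denial logged against inside_1 rather than inside, and it flags the dh-group1-sha1 key-exchange group. The sample input is constructed from the posted sh run output, condensed to one member interface.

```python
import re

# Constructed sample condensed from the "sh run" output quoted in the question above.
SAMPLE_RUN = """\
interface GigabitEthernet0/0
nameif outside
interface GigabitEthernet0/1
bridge-group 1
nameif inside_1
interface BVI1
nameif inside
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside_1
"""

WEAK_KEX = {"dh-group1-sha1"}  # 1024-bit group, refused by default by current OpenSSH clients

def audit_mgmt_access(run_text):
    """Cross-check nameif/bridge-group, ssh and http lines; return a list of findings."""
    bvi_of, members, ssh_if, http_if, kex = {}, {}, set(), set(), None
    iface = bg = None
    for line in (l.strip() for l in run_text.splitlines()):
        if line.startswith("interface "):
            iface, bg = line.split()[1], None
        elif line.startswith("bridge-group "):
            bg = line.split()[1]
        elif line.startswith("nameif "):
            name = line.split()[1]
            if iface.startswith("BVI"):
                bvi_of[iface] = name                              # BVI1 -> inside
            elif bg:
                members.setdefault("BVI" + bg, []).append(name)   # BVI1 -> [inside_1, ...]
        elif m := re.match(r"ssh key-exchange group (\S+)$", line):
            kex = m.group(1)
        elif m := re.match(r"(ssh|http) \S+ \S+ (\S+)$", line):   # "<proto> <net> <mask> <nameif>"
            (ssh_if if m.group(1) == "ssh" else http_if).add(m.group(2))
    findings = []
    for bvi, bvi_name in bvi_of.items():
        for member in members.get(bvi, []):
            if bvi_name in ssh_if and member not in ssh_if:
                findings.append(f"ssh allowed on {bvi_name} ({bvi}) but not on member {member}")
    for name in sorted(http_if - ssh_if):
        findings.append(f"http (ASDM) allowed on {name} but ssh is not")
    if kex in WEAK_KEX:
        findings.append(f"weak key exchange {kex}; prefer dh-group14-sha1 or stronger")
    return findings
```

Run it against the full output of `show running-config` to see every interface where ASDM is reachable but SSH is not.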

Hi Marce

 

Still the same problem with both configurations below.

 

ciscoasa(config)# no ssh 0.0.0.0 0.0.0.0 inside
ciscoasa(config)# no ssh 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 outside
ERROR: entry for address/mask = 192.168.1.0/255.255.255.0 exists
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside
WARNING: SSH on BVI works over VPN tunnel only when management-access is enabled on this interface
ERROR: entry for address/mask = 192.168.1.0/255.255.255.0 exists
ciscoasa(config)# man

 

ciscoasa(config)# no ssh 192.168.1.0 255.255.255.0 outside
ciscoasa(config)# no ssh 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# no management-access inside
ciscoasa(config)# management-access inside
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 outside
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside
WARNING: SSH on BVI works over VPN tunnel only when management-access is enabled on this interface

 

Hello,

 

the DH group configured is the lowest one available. Try and change it to:

 

ssh key-exchange group dh-group14-sha1.

 

 - Adding to the other reply, I would advise taking the following path to tackle this problem more fundamentally if problems persist:
 1) Save the current configuration to an external device/directory (this probably isn't even needed because I assume that you have the configuration that you want to propagate to this device still around somewhere).
 2) Erase the configuration on this ASA (write erase).
 3) Reboot and start with a basic setup of the network (interfaces).
 4) Then configure 'base SSH' as per Cisco documentation.
 5) If that works, then gradually restore configuration parts from the original ASA and/or merge them into the new ASA configuration. Any subsequent blocking of SSH access will then also point out where the problem is.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi Marce

Same problem and errors even with clean basic configuration.

Maybe I need to open a port forward?

I did open port 22, but still same problem.

 

Thanks

Hamid

Hello,

 

what client are you using for the SSH connection, and what syntax do you use to connect?

Hi George.

I use PuTTY on Windows 10 with either the public IP address or the local IP address 192.168.1.1, and I use WebSSH on my iPhone. Everything was OK with the Cisco ASA 5505.

I only have the problem with the replacement Cisco ASA 5515-X.

 

Thanks

Hamid

Hello,

 

the 5505 is an ancient device, so I have a feeling this has something to do with more advanced security settings on the newer 5515-X.

 

When you enable debugging:

 

ASA5515X#debug ssh

 

Do you see any incoming connections at all ?

Hi George,

When I try to connect from the computer connected to the Cisco, I get this message in ASDM:

22  TCP access denied by ACL from 192.168.1.5/59578 to inside_1:192.168.1.1/22.

When I use public ip address, no message at all.

 

Kind Regards

Hamid

Hello,

 

I still think that it has to do with the SSH defaults. I have looked around in other posts; try and configure the ciphers below:

ssl cipher default custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

Hi

Still same Problem.

Kind Regards

Hamid

Does the debug output change when you configure these cipher keys?

Hi George

I get the same error; it still does not work.

 

Kind Regards

Hamid

Hello,

 

try and configure an even lower modulus:

 

domain-name cisco
crypto key generate rsa label cisco modulus 1024

Hi George.

I tried both lower and higher values, but it did not solve the problem.

ciscoasa(config)# domain-name cisco
ciscoasa(config)# crypto key generate rsa label cisco modulus 1024
INFO: The name for the keys will be: cisco
Keypair generation process begin. Please wait...
ciscoasa(config)# exit

Thanks
Hamid

Hi George,

The command sh crypto key mypubkey rsa gave me a list of a few keys. I deleted all of them using crypto key zeroize rsa label, generated a new key with crypto key generate rsa modulus 1024, with ssh 0.0.0.0 0.0.0.0 outside and ssh 192.168.1.0 255.255.255.0 inside, and the problem has been resolved.

Thank you all very much for the great help.

Kind Regards

Hamid