09-09-2015 07:43 AM - edited 03-11-2019 11:34 PM
I have configured the following to allow remote access from the external IP 217.12.X.X, but it is not working. The external firewall IP is not published here; its name is HOst_FirewallIP. The ASA firewall version is 8.0(4).
With debug SSH I am not seeing anything. Furthermore, I have checked that other firewalls are not blocking these connections.
1) name 217.12.X.X IP-217.12.X.X-Ext // I have created the name
object-group network IP-217.12.X.X-Ext
network-object host IP-217.12.X.X-Ext // I have created the HOST
2) Allow SSH and HTTP access
access-list outside_access_in extended permit tcp host IP-217.12.X.X-Ext host <HOst_FirewallIP> eq ssh
access-list outside_access_in extended permit tcp host IP-217.12.X.X-Ext host <HOst_FirewallIP> eq http
http IP-217.12.X.X-Ext 255.255.255.255 outside
ssh IP-217.12.X.X-Ext 255.255.255.255 outside
Thanks in advance!
09-09-2015 12:30 PM
Hi,
So, if I understand it correctly, if you want to allow SSH on the ASA interface, you don't need any ACL for that by default, unless you already have a control plane ACL configured.
To allow SSH on the ASA device interface, you would need these things:
AAA Authentication configuration (show run aaa)
RSA key(show crypto key mypubkey rsa)
SSH configuration (show run ssh)
show run username
Also, do you have any other firewall between the host and this ASA device, or is it only the ISP between them?
Thanks and Regards,
Vibhor Amrodia
09-09-2015 02:08 PM
Hi Vibhor,
All of this is configured, because before I was accessing from another external IP. The issue started when we changed the external IP.
1) AAA - OK
show run aaa
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
2) RSA - OK
# show crypto key mypubkey rsa
Key pair was generated at: 06:52:25 UTC Dec 20 2012
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 00c7aedd
49cdf0ae 8f96308b 415f95b9 3d213a1d 7868d015 b73ba1c2 c378ab19 b3ca06c3
7a40837f f39450a9 d7cc3dee d1b257a3 8127b5f9 5e8e7356 bd711b5d
da63ab
3) SSH - OK
show run ssh
ssh 0.0.0.0 0.0.0.0 inside
ssh IP-217.12.X.X-Ext host 255.255.255.255 outside
4) Username - OK
Best regards,
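Added example, not code from any poster in this thread: a small Python checker that reads the kind of config lines Vibhor's checklist asks for (`aaa authentication ssh console`, the `ssh`/`http` allow statements with `name` aliases resolved, local usernames, and the `show crypto key mypubkey rsa` output) and reports which prerequisite is missing for a given source IP and interface. The config text, the `217.12.0.1` address, the placeholder password hash and the function names are all constructed for this example; `ssh`/`http` lines that do not fit the `ssh <address> <mask> <interface>` shape are collected separately rather than silently dropped.

```python
# Added example: check ASA management-access prerequisites from a
# running-config snippet. Config lines, addresses and function names are
# constructed for illustration, not taken from the thread's device.
import ipaddress


def parse_asa_config(config_text):
    """Collect the lines that decide whether an SSH/HTTP management session
    is accepted: 'name' aliases, 'ssh'/'http' statements, the
    'aaa authentication ssh console' line and local usernames.
    'name' lines must come before the statements that use them (ASA
    prints them early in the running config). Statements that do not fit
    '<service> <address> <mask> <interface>' go under 'unparsed'."""
    cfg = {"names": {}, "rules": {"ssh": [], "http": []},
           "aaa_ssh": False, "usernames": set(), "unparsed": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "name" and len(tokens) >= 3:
            cfg["names"][tokens[2]] = tokens[1]            # name <ip> <alias>
        elif tokens[0] in cfg["rules"]:
            if len(tokens) != 4:
                cfg["unparsed"].append(line)
                continue
            addr = cfg["names"].get(tokens[1], tokens[1])  # resolve an alias
            try:
                net = ipaddress.ip_network(f"{addr}/{tokens[2]}", strict=False)
            except ValueError:
                cfg["unparsed"].append(line)
                continue
            cfg["rules"][tokens[0]].append((net, tokens[3]))
        elif line.startswith("aaa authentication ssh console"):
            cfg["aaa_ssh"] = True
        elif tokens[0] == "username" and len(tokens) >= 2:
            cfg["usernames"].add(tokens[1])
    return cfg


def has_rsa_key(show_output):
    """True if 'show crypto key mypubkey rsa' output actually lists a key."""
    return "Key Data:" in show_output


def check_management_access(cfg, service, src_ip, interface, rsa_output=""):
    """Return the reasons a `service` ('ssh' or 'http') session from src_ip
    arriving on `interface` would be refused by this config. An empty list
    means every checked prerequisite is present."""
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net and iface == interface
               for net, iface in cfg["rules"][service]):
        findings.append(f"no '{service}' statement permits {src_ip} on {interface}")
    if service == "ssh":
        if not cfg["aaa_ssh"]:
            findings.append("no 'aaa authentication ssh console' line")
        if not cfg["usernames"]:
            findings.append("no local username configured")
        if not has_rsa_key(rsa_output):
            findings.append("no RSA key pair found in 'show crypto key mypubkey rsa'")
    return findings


# Constructed sample config: one alias, AAA, a local user, two ssh
# statements, one malformed ssh statement and one http statement.
SAMPLE_CONFIG = """\
name 217.12.0.1 IP-217.12.0.1-Ext
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username admin password PLACEHOLDER-HASH encrypted privilege 15
ssh 0.0.0.0 0.0.0.0 inside
ssh IP-217.12.0.1-Ext 255.255.255.255 outside
ssh IP-217.12.0.1-Ext host 255.255.255.255 outside
http 10.0.0.0 255.255.255.0 inside
"""
# Constructed stand-in for 'show crypto key mypubkey rsa' output.
SAMPLE_RSA = "Key name: <Default-RSA-Key>\nUsage: General Purpose Key\nKey Data:\n 30819f30 ..."

if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    for svc, ip, iface in [("ssh", "217.12.0.1", "outside"),
                           ("ssh", "217.12.0.2", "outside"),
                           ("http", "217.12.0.1", "outside")]:
        result = check_management_access(cfg, svc, ip, iface, SAMPLE_RSA)
        print(svc, ip, iface, "->", result or "OK")
    for line in cfg["unparsed"]:
        print("unparsed statement:", line)
```

Run it as a script to see each check; the malformed `ssh ... host ...` line shows up as an unparsed statement, which is the kind of line worth re-entering on the device before chasing the traffic path with a capture.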
09-09-2015 05:59 PM
Hi,
To verify: is this the new IP from which you are accessing the ASA now?
IP-217.12.X.X-Ext host ???
If yes, can you apply a capture on the ASA outside interface and see if you are even reaching the ASA device?
https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm
Also, check this: "show asp table socket"
Thanks and Regards,
Vibhor Amrodia
09-10-2015 04:08 AM
Yeah, I know the capture command.
Still no traffic seen, so the issue is that another device is filtering.
Best regards,