ASA 5505 remote access

I have configured the following to allow remote access from external IP 217.12.X.X, but it is not working. The external firewall is not published; the name is: HOst_FirewallIP. The version of the ASA firewall is 8.0(4).

With debug SSH, I am not seeing anything. Furthermore, I have checked that other firewalls are not blocking these connections.

 

1) name 217.12.X.X IP-217.12.X.X-Ext     // I have created the name
    object-group network IP-217.12.X.X-Ext

    network-object host IP-217.12.X.X-Ext  // I have created the HOST


2) Allow SSH and HTTP access

access-list outside_access_in extended permit tcp host IP-217.12.X.X-Ext host <HOst_FirewallIP> eq ssh

access-list outside_access_in extended permit tcp host IP-217.12.X.X-Ext host <HOst_FirewallIP> eq http

 

http IP-217.12.X.X-Ext 255.255.255.255 outside

ssh IP-217.12.X.X-Ext 255.255.255.255 outside

 

Thanks in advance!

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956

Vibhor Amrodia
Cisco Employee

Hi,

So, if I understand it correctly, if you want to allow SSH on the ASA interface, you don't need any ACL for that by default, unless you already have a control plane ACL configured.

To allow SSH on the ASA device interface, you would need these things:

AAA Authentication configuration (show run aaa)

RSA key (show crypto key mypubkey rsa)

SSH configuration (show run ssh)

show run username

Also, do you have any other firewall between the host and this ASA device, or is it only the ISP between them?

Thanks and Regards,

Vibhor Amrodia
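
An added example, not part of the original thread and not Cisco tooling: a small Python check that applies the checklist above to a saved running-config. It reports whether a given source address is covered by an ssh <address> <mask> <interface> entry (resolving name aliases) and flags entries that do not fit that form. The config text, the documentation-range addresses and the function name audit_ssh_mgmt are constructed for illustration.

```python
import ipaddress

# Constructed sample running-config (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
name 203.0.113.10 MGMT-Ext
aaa authentication ssh console LOCAL
username admin password XXXX encrypted privilege 15
ssh 0.0.0.0 0.0.0.0 inside
ssh MGMT-Ext host 255.255.255.255 outside
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 5
"""

def audit_ssh_mgmt(config, src_ip, ifname):
    """Report whether src_ip may open SSH to the ASA itself on ifname."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    # "name <ip> <alias>" entries let ssh lines refer to an alias instead of an IP.
    names = {t[2]: t[1] for t in lines if t[0] == "name" and len(t) >= 3}
    src = ipaddress.ip_address(src_ip)
    result = {
        "aaa_ssh": any(t[:4] == ["aaa", "authentication", "ssh", "console"] for t in lines),
        "has_username": any(t[0] == "username" for t in lines),
        "allowed_by": [], "malformed": [], "any_source": [],
    }
    for t in lines:
        if t[0] != "ssh" or len(t) < 2:
            continue
        addr = names.get(t[1], t[1])
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # a setting such as "ssh timeout 5", not an allow entry
        try:
            if len(t) != 4:
                raise ValueError("expected: ssh <address> <mask> <interface>")
            net = ipaddress.ip_network(f"{addr}/{t[2]}", strict=False)
        except ValueError:
            result["malformed"].append(" ".join(t))
            continue
        if net.prefixlen == 0:
            result["any_source"].append(" ".join(t))  # management open to every source
        if t[3] == ifname and src in net:
            result["allowed_by"].append(" ".join(t))
    return result
```

An empty allowed_by list for the new source address means the ASA will refuse the session before AAA is ever consulted; the RSA key pair is not part of the running-config and still has to be confirmed with show crypto key mypubkey rsa.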

Hi Vibhor,

All of this is configured, because before I was accessing from another external IP. The issue appeared when we changed the external IP.

1) AAA - OK

show run aaa
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

2) RSA - OK

# show crypto key mypubkey rsa
Key pair was generated at: 06:52:25 UTC Dec 20 2012
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 00c7aedd
  49cdf0ae 8f96308b 415f95b9 3d213a1d 7868d015 b73ba1c2 c378ab19 b3ca06c3
  7a40837f f39450a9 d7cc3dee d1b257a3 8127b5f9 5e8e7356 bd711b5d
  da63ab

3) SSH - OK

 show run ssh
ssh 0.0.0.0 0.0.0.0 inside
ssh IP-217.12.X.X-Ext host 255.255.255.255 outside

4) Username - OK

Best regards,

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956

Hi,

To verify, is this the new IP from which you are accessing the ASA now?

IP-217.12.X.X-Ext host  ???

If yes, can you apply a capture on the ASA outside interface and see if you are even reaching the ASA device?

https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm

Also, check this: "show asp table socket"

Thanks and Regards,

Vibhor Amrodia

Yeah, I know the capture command.

Still not seeing traffic, whereas the issue is that another device is filtering.

Best regards,

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956