ASA 5506 - no SSH possible

Maurizio Caloro
Level 1

Hello together,
Please, I want to open the SSH port for the LAN "Inside". I tried these commands but no positive result appears: "Connection refused".

I know I am on the right way; please, and thanks for any update:

asa(config)# crypto key generate rsa general-keys modulus 2048
Keypair generation process begin. Please wait...
asa(config)# username SSH password *********
asa(config)# aaa authentication ssh console LOCAL
asa(config)# ssh version 2
asa(config)# wr

regards

Mauri

13 Replies

balaji.bandi
Hall of Fame

Try the below and test it:

ssh 10.10.10.0 255.255.255.0 inside   (replace the network 10.10.10.0/24 with your network)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ngkin2010
Level 7

Hi,

You will need to define the whitelist for incoming SSH connections:

ssh [security-zone] [whitelisted-prefix/ip] [mask]
ssh inside 192.168.1.100 255.255.255.255

Also, you need to SSH from the same security zone as the ASA interface. For example, outside interface (100.64.0.1/30) & inside interface (192.168.1.1/24). You could SSH to the ASA's 192.168.1.1 from 192.168.1.100, but you cannot SSH to the ASA's 100.64.0.1 from 192.168.1.100.

Marvin Rhoads
Hall of Fame

In addition to what the others have mentioned, please also ensure that you have the 3DES-AES license enabled on your ASA.

As Marvin mentioned, you need to make sure you have the 3DES-AES licence. To check if you have 3DES and 3DES-AES enabled, issue the command "show version":

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

Also you can issue the command "show ssh ciphers" to check what encryption is available and what encryption is configured, or:

show run all ssh cipher
ssh cipher encryption medium
ssh cipher integrity high

or

show run all ssh

Your command/configuration is right. However, just to mention, you need to define the privilege level too:

"username SSH password xxxxx privilege 15"

As ngkin2010 mentioned, you need to specify which interface you are landing/coming from (source IP). The rest of your configuration is solid.

Please do not forget to rate.

Thanks for so many answers; I did everything but no result.... the SSH port for LAN usage is still closed.

asa(config)# ssh 192.168.1.1 255.255.255.0 inside
ERROR: % Ambiguous command: "ssh 192.168.1.0 255.255.255.0 inside"

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

asa(config)# show run all ssh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh cipher encryption medium
ssh cipher integrity high
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 inside_7
ssh 192.168.1.1 255.255.255.255 inside_7

Inside_7 = is connected to my PC.

Yes, wr is also done.

ssh 192.168.1.0 255.255.255.0 inside_7   (inside is what most people use; if this is your only inside interface, that should work)
no ssh 192.168.1.1 255.255.255.255 inside_7   - you do not need this one since the above subnet covers all.

To assist better, post the complete configuration (show run output).

What is the IP address you are trying to SSH to on the ASA?

BB


Please share the output of:

show asp table socket | i 22

Thanks for the answer. I try to reach the ASA with the application PuTTY.

asa(config)# show asp table socket | i 22
TCP 040fb558 LISTEN 192.168.1.1:22 0.0.0.0:*


asa(config)# sh run ssh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 inside_7
ssh 192.168.1.1 255.255.255.255 inside_7


@Sheraz.Salim

Sorry, this was my error; here is the reply:

asa(config)# ssh 192.168.1.1 255.255.255.0 inside
ERROR: % Ambiguous command: "ssh 192.168.1.1 255.255.255.0 inside"

This FW is new... but it also has another strange problem..... SSH is not reachable (Network Connection refused).
Clients that are connected to the ASA like ESXi, printers, DNS server are not pingable at all times!

If I unplug the printer/ESXi to another switch, the printer is pingable; if I plug it back into the ASA, at first the printer, ESXi and all other clients are pingable; after a certain time, the printer and ESXi cannot be reached again.

G1/1 Outside - WAN
G1/2 INSIDE - Switch to other floor
G1/4 INSIDE - Printer
G1/5 INSIDE - ESXI
G1/6 INSIDE - DNS
G1/7 INSIDE - other Server

Before I had Juniper and Forti, and never, never did I have a problem like this.

Also attached the ASA config; thanks for any possible answer.
Mauri

Your asp table socket shows the ASA is only listening for incoming SSH from 192.168.1.1. Since that is the address of the BVI on the ASA, you need to remove that line in the config and make sure the "ssh 192.168.1.0 255.255.255.0 inside" is the only SSH access restriction command in place.

For your devices on the subnet not being reachable, please add "same-security-traffic permit intra-interface" to the configuration. This will allow the ASA to forward traffic back out the incoming interface for those hosts. They work for a while when moved from the other switch due to their being in the clients' ARP caches, and when that times out the ASA gets the requests for them and by default will not forward the traffic back out the receiving interface.

As suggested before:

ssh 192.168.1.0 255.255.255.0 inside_7   (inside is what most people use; if this is your only inside interface, that should work)
no ssh 192.168.1.1 255.255.255.255 inside_7   - you do not need this one since the above subnet covers all.

BB


I think the problem is you give the IP address and then you mention the subnet.

asa(config)# ssh 192.168.1.1 255.255.255.0 inside
ERROR: % Ambiguous command: "ssh 192.168.1.0 255.255.255.0 inside"

whereas it has to be like this: "ssh 192.168.1.0 255.255.255.0 inside_7", not "ssh 192.168.1.1 255.255.255.0 inside".

Now, if you want only 192.168.1.1 to access the firewall on SSH, then it has to be this way: 192.168.1.1 255.255.255.255 inside.

Please do not forget to rate.

Hello Everyone

I have now reset the FW with "config factory-default", OK.

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

asa(config)# show run all ssh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh cipher encryption medium
ssh cipher integrity high
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 inside_7

But SSH is still closed, connection refused.

After resetting, did you configure the below:

aaa authentication ssh console LOCAL
username XXXX password

Please post the complete config again (show run), and also what client you are using.

Are you able to ping 192.168.1.1?

Quick question: is this your intention, the BVI with inside_1 to 7 (since we see this is a bug)? It creates it automatically.

Read this post:

https://www.petenetlive.com/KB/Article/0001422

In that case, you still need to use the inside interface here. Try the below:

no ssh 192.168.1.0 255.255.255.0 inside_7

ssh 192.168.1.0 255.255.255.0 inside

BB
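An added example for readers of this thread (it is not from any of the posters): a small Python lint over `ssh <addr> <mask> <nameif>` lines that models the points raised above, namely that 192.168.1.1 with a /24 mask has host bits set (Sheraz.Salim), that a /32 entry already covered by the subnet entry on the same interface is redundant, and that the interface name must resolve to exactly one nameif (balaji.bandi's inside vs inside_7). The interface list and ssh lines are constructed from the thread; treating the ASA CLI as accepting an exact nameif or a unique prefix of one is an assumption of this example, not documented ASA behaviour.

```python
import ipaddress

# Constructed sample, not the poster's full config: the nameifs the thread
# mentions (outside plus BVI members inside_1..inside_7) and the lines tried.
INTERFACES = ["outside"] + [f"inside_{n}" for n in range(1, 8)]
SAMPLE_SSH_LINES = [
    "ssh 192.168.1.1 255.255.255.0 inside",
    "ssh 192.168.1.0 255.255.255.0 inside_7",
    "ssh 192.168.1.1 255.255.255.255 inside_7",
]

def resolve_nameif(name, interfaces):
    """Assumption: exact nameif or a unique prefix; ValueError if unknown/ambiguous."""
    if name in interfaces:
        return name
    matches = [i for i in interfaces if i.startswith(name)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown interface '{name}'")
    raise ValueError(f"ambiguous interface '{name}': {', '.join(matches)}")

def lint_ssh_lines(lines, interfaces):
    """Return {line: [findings]} for 'ssh <addr> <mask> <nameif>' lines."""
    parsed, report = [], {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue  # not an access-restriction line; nothing to check
        _, addr, mask, nameif = parts
        findings = []
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}")  # strict: no host bits
        except ValueError:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            findings.append(f"host bits set under mask {mask}: use "
                            f"{net.network_address} {mask} for the subnet or "
                            f"{addr} 255.255.255.255 for the single host")
        try:
            nameif = resolve_nameif(nameif, interfaces)
        except ValueError as err:
            findings.append(str(err))
        parsed.append((line, net, nameif, findings))
        report[line] = findings
    # An entry already covered by a wider entry on the same nameif is redundant.
    for line, net, nameif, findings in parsed:
        for other, onet, onameif, _ in parsed:
            if other != line and onameif == nameif and net != onet and net.subnet_of(onet):
                findings.append(f"redundant: already covered by '{other}'")
    return report
```

Running `lint_ssh_lines(SAMPLE_SSH_LINES, INTERFACES)` flags the first line twice (host bits, ambiguous nameif), passes the subnet line, and marks the /32 line as redundant.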
