12-05-2012 04:07 PM - edited 03-11-2019 05:33 PM
I need to be able to ssh to local interface on an ASA 7.2.5 cluster, IP=X.147.1.110 (primary cluster address) for management.
- the acl on the interface allows the connection, and shows hits
- ssh is allowed "ssh Y.35.252.0 255.255.254.0 elink"
- fw is sending a TCP reset (service resetinbound and service resetoutside are set)
- packet tracer shows
# packet-tracer input elink tcp Y.35.252.89 9999 X.147.1.110 22
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.147.1.0 255.255.255.0 elink
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Anyone know why this is failing? elink is the middle security level of the three interfaces, and there are PATs on X.147.1.110, that is, traffic leaving elink is being hidden behind X.147.1.110.
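A small parser for the packet-tracer output pasted above, added here as an example and not part of the original post. It splits the trace into phases, keeps the Config and Additional Information lines of each, and reports the first phase whose Result is DROP together with the rule it cites; the sample text is the poster's own trace, with the X/Y octets left as the poster anonymised them.

```python
"""Parse Cisco ASA `packet-tracer` output and locate the dropping phase.

Added example; not from the thread. SAMPLE is the trace pasted in the
first post (octets anonymised as X/Y by the poster).
"""
from dataclasses import dataclass, field
from typing import List, Optional
import re

SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.147.1.0 255.255.255.0 elink
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text: str) -> List[Phase]:
    """Return one Phase per 'Phase: N' block, in order."""
    phases: List[Phase] = []
    section: Optional[str] = None  # which free-text block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phases.append(Phase(number=int(m.group(1))))
            section = None
            continue
        if not phases:
            continue  # ignore anything before the first phase header
        cur = phases[-1]
        # Fixed keys are matched explicitly; free-text lines may contain ':'.
        if line.startswith("Type:"):
            cur.type = line[len("Type:"):].strip()
            section = None
        elif line.startswith("Subtype:"):
            cur.subtype = line[len("Subtype:"):].strip()
            section = None
        elif line.startswith("Result:"):
            cur.result = line[len("Result:"):].strip().upper()
            section = None
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """The first phase that drops the packet, or None if every phase allows."""
    return next((p for p in phases if p.result == "DROP"), None)


def diagnose(text: str) -> dict:
    """Summarise a trace: total phases, dropping phase number/type and cited rule."""
    phases = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "phases": len(phases),
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        "drop_rule": " ".join(drop.config) if drop else None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Run over the poster's trace this reports the drop in phase 3, type ACCESS-LIST, rule "Implicit Rule", which is the line to compare against the interface ACL and the ssh statement the poster quotes.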
12-05-2012 04:12 PM
Hello,
If you are trying to initiate sessions from behind the X interface of the ASA to the IP address of the X interface, then you need the following:
- ssh 0 0 inside ( or the name)
- a crypto key on your ASA
CRYPTO key generate rsa
Let me know how it goes.
12-05-2012 04:23 PM
- ssh 0 0 inside ( or the name)
This is already achieved with the line "ssh Y.35.252.0 255.255.254.0 elink". The source of the connection is Y.35.252.0/23 and the interface name is elink.
- a crypto key on your ASA
CRYPTO key generate rsa
Yep - that's already been done.
Is there a way to verify the sshd is running? Something like ps on unix?
12-05-2012 04:35 PM
Hello,
Can you run a debug SSH 255 and then attempt to connect,
What logs is the firewall showing you?
Also the show asp table socket
Regards,