ASA SSH issue

Michael Dombek
Level 1

Dear CSC,

I just stumbled upon a strange ASA / SSH problem.

First of all some specs:

ASA 5520 - Active /Standby Multi Context mode running 8.4.3

I’ve configured SSH login with local authentication and it works fine if I permit access from anywhere.

I wanted to tighten management access to the MGMT interface and MGMT network and applied the following SSH access restriction

ssh 10.0.0.0 255.255.255.240 MGMT

MGMT Interface IP address is 10.0.0.1 (2) and ssh client was 10.0.0.4

Surprisingly, I could not connect to the ASA anymore. I then changed the configuration to

ssh 10.0.0.0 255.255.255.0 MGMT - it was still not working.

So I opened the access to

ssh 10.0.0.0 255.0.0.0 MGMT and it worked!

Does anyone have an explanation for this? Did I miss anything?

Thanks in advance

Michael
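To make the expected behaviour of the `ssh <address> <netmask> <interface>` restriction concrete, here is an added example (not from the original post or from Cisco): a small checker that parses ASA-style ssh lines and reports which entries would admit a given client address on a given interface. The three masks the poster tried and the client address 10.0.0.4 on MGMT are taken from the post; with plain subnet matching all three should accept that client, which is why the observed behaviour is surprising. Interface names, the case-insensitive comparison and the masking-off of host bits are this script's assumptions, not a statement about the ASA's internals.

```python
"""Evaluate ASA-style `ssh <address> <netmask> <interface>` restrictions.

Added example, not code from the original post. It shows what plain
subnet matching predicts for the addresses given in the thread.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed config lines: the three variants from the post, plus two
# unrelated ssh commands to show they are ignored by the parser.
POSTER_CONFIGS = {
    "/28": ["ssh 10.0.0.0 255.255.255.240 MGMT", "ssh version 2", "ssh timeout 30"],
    "/24": ["ssh 10.0.0.0 255.255.255.0 MGMT"],
    "/8": ["ssh 10.0.0.0 255.0.0.0 MGMT"],
}


def parse_ssh_line(line: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Parse one `ssh <address> <netmask> <interface>` line.

    Returns (network, interface), or None for anything that is not a
    four-token IPv4 restriction (ssh version/timeout, aaa lines, comments).
    The keyword is matched case-insensitively because pasted configs often
    arrive auto-capitalised ("Ssh ...").
    """
    parts = line.split()
    if len(parts) != 4 or parts[0].lower() != "ssh":
        return None
    addr, mask, iface = parts[1], parts[2], parts[3]
    try:
        # strict=False: host bits in <address> are masked off for comparison.
        # That is this script's choice; use host_bits_set() to flag such lines.
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None
    return net, iface


def host_bits_set(line: str) -> bool:
    """True if the address has bits set outside its mask (e.g. 10.0.0.4/28).

    Such a line is a common typo when a host address is pasted in place of
    the network address; worth flagging before blaming the platform.
    """
    parts = line.split()
    if len(parts) != 4:
        return False
    try:
        strict_ok = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
    except ValueError:
        return True
    return False


def matching_entries(config: List[str], client_ip: str, iface: str) -> List[str]:
    """Return every config line that admits `client_ip` arriving on `iface`."""
    ip = ipaddress.IPv4Address(client_ip)
    hits = []
    for line in config:
        parsed = parse_ssh_line(line)
        if parsed is None:
            continue
        net, entry_iface = parsed
        # Assumption: interface names compare case-insensitively; the source
        # address must fall inside the configured subnet.
        if entry_iface.lower() == iface.lower() and ip in net:
            hits.append(line)
    return hits


def ssh_permitted(config: List[str], client_ip: str, iface: str) -> bool:
    """True if at least one ssh restriction line admits the client."""
    return bool(matching_entries(config, client_ip, iface))


if __name__ == "__main__":
    for label, cfg in POSTER_CONFIGS.items():
        print(label, "admits 10.0.0.4 on MGMT:", ssh_permitted(cfg, "10.0.0.4", "MGMT"))
    print("/28 admits 10.0.0.20 on MGMT:", ssh_permitted(POSTER_CONFIGS["/28"], "10.0.0.20", "MGMT"))
    print("/28 admits 10.0.0.4 on inside:", ssh_permitted(POSTER_CONFIGS["/28"], "10.0.0.4", "inside"))
```

Running it prints True for all three masks with the poster's client, and False for a client outside the /28 or for the same client arriving on another interface. When a real device rejects a client that this check admits, the useful things to compare are the interface the connection actually arrived on (the `302013` log line shows it), the context holding the `ssh` line in multi-context mode, and whether the address in the line has stray host bits.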

2 Replies

varrao
Level 10

Well, the only explanation I can think of at this moment is that the subnet from where you were doing SSH is not the same as the one defined on the ASA. Can you check the IP from where you are accessing it?

Thanks,

Varun


Hey Varun,

Just checked it again.

That was my first thought, but as mentioned, the ASA is using 10.0.0.1 (2)/28 and the client was using 10.0.0.4/28. In fact, I could see the following log entry:


302013 - Build inbound TCP connection 564479 for MGMT:10.0.0.4/56858 (10.0.0.4/56858) to identity 10.0.0.1/22 (10.0.0.1/22)


So basically my SSH connection reached the ASA but never got processed until I changed the allowed SSH IPs.

I'll check tonight in my lab if this issue comes up on other devices.


Cheers, Michael
