03-19-2013 08:56 AM - edited 03-11-2019 06:16 PM
I just configured my ASA so I can remote access via SSH but I can't seem to get it to work. I have my ASA (10.0.10.1) with my wireless router (192.168.0.1) connected via the WAN port. I should be able to access the ASA from my laptop (192.168.0.105), correct?
Here is my current config:
ASA Version 8.0(3)6
!
hostname Firewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address 24.234.XXX.XXX 255.255.XXX.XXX
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 24.234.118.193 1
route inside 192.168.0.0 255.255.255.0 10.0.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcpd address 10.0.10.2-10.0.10.12 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 64.147.116.229 source outside prefer
username woodjl1650 password slFkVmxAtfauhVaf encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f1bd939ffb4683ec5c0b4265bd32951
: end
03-19-2013 09:03 AM
Hi,
In addition to the current SSH configuration you will need to issue the command
crypto key generate rsa modulus 2048
to be able to SSH into the ASA.
I'm not sure if you had a problem with Telnet also? For that you don't at least have the configuration allowing Telnet connections.
telnet 192.168.0.0 255.255.255.0 inside
- Jouni
03-19-2013 09:39 AM
Added that, but now I can't ping from my ASA to my laptop... but I can ping my ASA from my laptop... Are my routes correct?
Firewall# show route
Gateway of last resort is 24.234.118.193 to network 0.0.0.0
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C 24.234.118.192 255.255.255.224 is directly connected, outside
C 10.0.10.0 255.255.255.240 is directly connected, inside
S 192.168.0.0 255.255.255.0 [1/0] via 10.0.1.10, inside <----192.168.0.1 is my wireless router connected to e0/1
S* 0.0.0.0 0.0.0.0 [1/0] via 24.234.118.193, outside
03-19-2013 09:46 AM
Hi,
The command really shouldn't have any effect on any connections. It's a basic configuration needed on an ASA to enable SSH management connections.
Your route seems to be pointing to an address 10.0.1.10 which IS NOT part of the network 10.0.10.0/24.
So there seems to be a typo there. Probably should be 10.0.10.10?
- Jouni
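As an added example (not from this thread), the check Jouni did by eye can be done mechanically. The script below parses an ASA-style config excerpt, constructed here to mirror the posted one including the mistyped next-hop, and flags any static route whose next-hop is not on the named interface's subnet, plus any SSH source network that has no route back out that same interface. It uses only Python's standard library.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's config, including the mistyped next-hop.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.0.10.1 255.255.255.240
interface Vlan2
 nameif outside
 ip address 24.234.118.200 255.255.255.224
route outside 0.0.0.0 0.0.0.0 24.234.118.193 1
route inside 192.168.0.0 255.255.255.0 10.0.1.10 1
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
"""
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def parse_interfaces(config):
    """Map each nameif to its directly connected subnet."""
    subnets, nameif, net = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif, net = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if nameif and net:
            subnets[nameif] = net
    return subnets

def parse_routes(config):
    """Yield (interface, destination network, next-hop address) per static route."""
    for m in re.finditer(rf"^route (\S+) {IPV4} {IPV4} {IPV4}", config, re.M):
        dest = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        yield m.group(1), dest, ipaddress.ip_address(m.group(4))

def check_routes(config):
    """Flag static routes whose next-hop is not on the named interface's subnet."""
    subnets = parse_interfaces(config)
    return [f"route {ifname} {dest}: next-hop {nh} not in {subnets.get(ifname)}"
            for ifname, dest, nh in parse_routes(config)
            if subnets.get(ifname) is None or nh not in subnets[ifname]]

def check_ssh_sources(config):
    """Flag 'ssh <net> <mask> <if>' sources with no route back out that interface."""
    subnets, routes = parse_interfaces(config), list(parse_routes(config))
    findings = []
    for m in re.finditer(rf"^ssh {IPV4} {IPV4} (\S+)", config, re.M):
        src, ifname = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)
        covered = [subnets.get(ifname)] + [d for i, d, _ in routes if i == ifname]
        if not any(n is not None and src.subnet_of(n) for n in covered):
            findings.append(f"ssh source {src} has no route via {ifname}")
    return findings
```

The RSA key itself never appears in the running config, so the first step Jouni named (`crypto key generate rsa`) has to be verified on the box rather than from a config dump.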
03-19-2013 09:55 AM
Yep, typo. Corrected and still can't ping from my ASA to my laptop:
Firewall# show route
Gateway of last resort is 24.234.118.193 to network 0.0.0.0
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C 24.234.118.192 255.255.255.224 is directly connected, outside
C 10.0.10.0 255.255.255.240 is directly connected, inside
S 192.168.0.0 255.255.255.0 [1/0] via 10.0.10.0, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 24.234.118.193, outside
Firewall# ping 192.168.0.1 <----------------Wireless Router
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
interface Vlan1
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.240 <--------ASA IP Address
03-19-2013 10:01 AM
We don't know how the router is configured.
We for example don't know if it's doing some basic Dynamic PAT translation for the network 192.168.0.0/24 when traffic crosses from that network to the interface which is connected to the ASA.
It might be that you can PING from the hosts on the network 192.168.0.0/24 to the ASA interface IP address 10.0.10.1 BUT COULDN'T PING the network 192.168.0.0/24 from the ASA. A NAT being on the Router might explain this behaviour.
If the router isn't doing any sort of NAT and is just simply routing then it should work with the ASA configurations.
So for you to be able to ping the network behind the router, the router can not do any type of NAT for its network 192.168.0.0/24.
- Jouni
03-19-2013 10:24 AM
Sorry... my current config is at the top post... I am away from my ASA right now and can't repost it. But the NAT statement is: NAT (inside) 0.0.0.0 0.0.0.0 1
Sent from Cisco Technical Support Android App
03-19-2013 10:34 AM
I think you misunderstood me.
To me it seems you have the following setup
And you are telling the ASA that the network 192.168.0.0/24 is located behind the IP address 10.0.10.1 which to my understanding would be the interface IP address of the Router towards the ASA.
Now what I mean with the NAT is that I think your router is possibly doing a Dynamic NAT or Dynamic PAT between network 192.168.0.0/24 and 10.0.10.0/24 and therefore the router would block the PING.
What makes me think the router is doing NAT is because the PING doesn't work AND the fact that almost every basic router will by default do NAT between its LAN and WAN interfaces.
But again, I don't know how the router is configured but I don't see any problem on the ASA preventing it from PINGing the network behind the router.
You can add "icmp permit any inside" if you want but I'm not sure if it will help in this case.
- Jouni
03-19-2013 10:47 AM
Ok... I misunderstood what you were saying... I'll check my router and see if I can fix it.
Sent from Cisco Technical Support Android App