05-28-2013 07:26 AM - edited 03-11-2019 06:50 PM
I can ping the management interface, but I can't ssh to it.
Here is my config:
ASA Version 8.4(6)
!
command-alias exec sr show run
firewall transparent
hostname guestfw
interface GigabitEthernet0/0
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 ip address xxx.yyy.2.61 255.255.254.0
 management-only
!
interface BVI1
 ip address 172.31.32.2 255.255.240.0
!
interface BVI10
 no ip address
!
boot system disk0:/asa846-k8.bin
ftp mode passive
access-list inside-out extended deny tcp any any eq smtp log
access-list inside-out extended permit udp any any
access-list inside-out extended permit icmp any any log
access-list inside-out extended permit tcp any any log
access-list outside-in extended permit udp any any eq bootps
access-list outside-in extended permit udp any any eq bootpc
access-list outside-in extended permit udp host 172.31.32.1 any eq bootps
access-list outside-in extended permit udp host 172.31.32.1 any eq bootpc
pager lines 24
logging enable
logging timestamp
logging host management xxx.yyy.2.66
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group inside-out in interface inside
access-group outside-in in interface outside
route management xxx.yyy.0.0 255.255.0.0 xxx.yyy.3.254 1
ssh xxx.yyy.0.0 255.255.0.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
: end
05-28-2013 07:37 AM
Hi,
Have you generated the SSH keys? If not, try this:
crypto key generate rsa modulus modulus_size
For these keys to work, you should have a hostname/domain-name configured on the ASA as well.
So basically, configure a hostname, domain name and generate the RSA key pair:
hostname NAME_OF_ASA
domain-name NAME_OF_DOMAIN
crypto key generate rsa
Also, if you are not using an AAA server, please configure as below:
username username password password
aaa authentication ssh console LOCAL
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
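The prerequisites listed in this reply, plus the address and route checks raised later in the thread, can be verified mechanically from pasted CLI output. The script below is an added example, not part of the original thread or of any Cisco tooling: it reads the text of `show running-config`, `show crypto key mypubkey rsa` and `show asp table socket` and reports which SSH prerequisites fail for a given client address. The sample text is constructed, with the masked xxx.yyy octets from the thread replaced by RFC 5737 documentation addresses, and the check names are this example's own.

```python
"""Checklist for "can ping the ASA management interface but cannot SSH".

Added example, not from the thread. Parses pasted CLI output; all sample
text below is constructed (documentation addresses, masked password).
"""
import ipaddress
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

SAMPLE_RUN = """\
hostname guestfw
interface Management0/0
 nameif management
 security-level 100
 ip address 198.51.100.61 255.255.254.0
 management-only
!
route management 198.51.0.0 255.255.0.0 198.51.101.254 1
ssh 198.51.0.0 255.255.0.0 management
ssh timeout 30
ssh version 2
aaa authentication ssh console LOCAL
username mroes1234 password ******** encrypted
"""

SAMPLE_KEY = """\
Key pair was generated at: 13:30:01 UTC May 28 2013
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
"""

SAMPLE_SOCKET = """\
Protocol  Socket    Local Address       Foreign Address   State
TCP       000022af  198.51.100.61:22    0.0.0.0:*         LISTEN
"""

def parse_interfaces(run):
    """Map nameif -> ip_interface for every interface that has both."""
    ifaces, current = {}, {}
    for line in run.splitlines():
        if line.startswith("interface "):
            current = {}
        elif line.startswith(" nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith(" ip address "):
            _, _, addr, mask = line.split()[:4]
            current["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
        if "nameif" in current and "ip" in current:
            ifaces[current["nameif"]] = current["ip"]
    return ifaces

def ssh_allowed(run, client_ip, nameif):
    """True if an `ssh <net> <mask> <nameif>` line admits client_ip."""
    client = ipaddress.ip_address(client_ip)
    for net, mask, iface in re.findall(rf"^ssh {IPV4} {IPV4} (\S+)$", run, re.M):
        if iface == nameif and client in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return True
    return False

def reachable(run, client_ip, nameif):
    """Client is on-link for nameif, or a route out of nameif covers it."""
    client = ipaddress.ip_address(client_ip)
    iface = parse_interfaces(run).get(nameif)
    if iface is None:
        return False
    if client in iface.network:
        return True
    for rif, net, mask in re.findall(rf"^route (\S+) {IPV4} {IPV4} ", run, re.M):
        if rif == nameif and client in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return True
    return False

def listening_on_22(socket_table, run, nameif):
    """`show asp table socket` shows a TCP LISTEN on <nameif address>:22."""
    iface = parse_interfaces(run).get(nameif)
    if iface is None:
        return False
    pat = rf"^TCP\s+\S+\s+{re.escape(str(iface.ip))}:22\s+\S+\s+LISTEN"
    return re.search(pat, socket_table, re.M) is not None

def ssh_checklist(run, keyinfo, socket_table, client_ip, nameif="management"):
    """Each False entry is a reason ping can succeed while SSH fails."""
    return {
        "hostname": bool(re.search(r"^hostname \S+", run, re.M)),
        "domain-name": bool(re.search(r"^domain-name \S+", run, re.M)),
        "rsa_key": "Key pair was generated at" in keyinfo,
        "ssh_version_2": bool(re.search(r"^ssh version 2$", run, re.M)),
        "aaa_ssh_auth": bool(re.search(r"^aaa authentication ssh console \S+", run, re.M)),
        "local_user": bool(re.search(r"^username \S+ ", run, re.M)),
        "interface_has_ip": nameif in parse_interfaces(run),
        "listening_on_22": listening_on_22(socket_table, run, nameif),
        "client_in_ssh_acl": ssh_allowed(run, client_ip, nameif),
        "client_reachable": reachable(run, client_ip, nameif),
    }

def missing(run, keyinfo, socket_table, client_ip, nameif="management"):
    """Names of the checks that failed, in checklist order."""
    return [k for k, ok in ssh_checklist(run, keyinfo, socket_table, client_ip, nameif).items() if not ok]

if __name__ == "__main__":
    for client in ("198.51.100.20", "203.0.113.5"):
        print(client, "->", missing(SAMPLE_RUN, SAMPLE_KEY, SAMPLE_SOCKET, client) or "all checks pass")
```

Run against the constructed sample, an on-link client fails only the `domain-name` check, while a client outside the `ssh` network fails the ACL and reachability checks as well. Treat `domain-name` as advisory once `show crypto key mypubkey rsa` already lists a key pair: the key exists, so a missing domain name on its own will not explain the failure, whereas a client that is not covered by an `ssh <net> <mask> <nameif>` line or not reachable through that interface will. Paste real output in place of the samples; the parser only relies on the line shapes shown in the thread.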
05-28-2013 07:40 AM
I have generated keys.
I am using:
aaa authentication ssh console LOCAL
username mroes1234 password ************ encrypted
05-28-2013 07:44 AM
Hi,
Wouldn't the management interface need a route configuration?
Or is the host in the same network/subnet as the management interface?
- Jouni
05-28-2013 07:45 AM
Ah, sorry, I'm blind. The route is there.
- Jouni
05-28-2013 07:45 AM
same network
05-28-2013 07:49 AM
Not many things could be wrong then, I guess, if you can even ping the device.
I would suggest configuring the appropriate logging level and connect with the console cable if possible and check what the logs say about the SSH connection.
I guess the command "show asp table socket" should say on which ports and interfaces the ASA is listening on.
You might also want to try removing the current SSH configuration and adding it again.
- Jouni
05-28-2013 07:54 AM
Looks straightforward. Do you have an RSA key generated on the ASA? ("show crypto key" to confirm, "crypto key generate rsa" to create one if necessary)
05-28-2013 07:55 AM
Both look ok.
# sho asp table socket
Protocol Socket Local Address Foreign Address State
TCP 000022af xxx.yyy.2.61:22 0.0.0.0:* LISTEN
# show crypto key mypubkey rsa
Key pair was generated at: 13:30:01 UTC May 28 2013
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
05-28-2013 08:00 AM
I would suggest monitoring the device logs through the CLI or ASDM, if that connection works. I don't see the "http" configuration in your post, though.
If you do, I would imagine you would have to set the logging level to informational or debugging.
- Jouni
05-28-2013 08:07 AM
Hi,
Could you try enabling SSH on the inside interface for testing and verify whether that works? This will eliminate any issue with the SSH configuration.
Regards
Najaf
Please rate when applicable or helpful !!!
05-28-2013 10:02 AM
Hello Mroes,
Do a capture on the management interface so we can see the exchange of packets between the SSH client and the ASA (download it and share it here).
Also share the "debug ssh" output while attempting to connect.
Regards
05-28-2013 10:09 AM
Mroes,
You may want to try telnet, that way we can discard any issues with the ASA itself and focus on SSH.
Regards,
Juan Lombana
Please rate helpful posts.