Can't ssh to management 0/0 on transparent fw

mroes1234
Level 1
I can ping the management interface, but I can't ssh to it.

Here is my config:

ASA Version 8.4(6)
!
command-alias exec sr show run
firewall transparent
hostname guestfw
interface GigabitEthernet0/0
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 ip address xxx.yyy.2.61 255.255.254.0
 management-only
!
interface BVI1
 ip address 172.31.32.2 255.255.240.0
!
interface BVI10
 no ip address
!
boot system disk0:/asa846-k8.bin
ftp mode passive
access-list inside-out extended deny tcp any any eq smtp log
access-list inside-out extended permit udp any any
access-list inside-out extended permit icmp any any log
access-list inside-out extended permit tcp any any log
access-list outside-in extended permit udp any any eq bootps
access-list outside-in extended permit udp any any eq bootpc
access-list outside-in extended permit udp host 172.31.32.1 any eq bootps
access-list outside-in extended permit udp host 172.31.32.1 any eq bootpc
pager lines 24
logging enable
logging timestamp
logging host management xxx.yyy.2.66
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group inside-out in interface inside
access-group outside-in in interface outside
route management xxx.yyy.0.0 255.255.0.0 xxx.yyy.3.254 1
ssh xxx.yyy.0.0 255.255.0.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
: end
12 Replies

kcnajaf
Level 7

Hi,

Have you generated the SSH keys? If not, try this:

crypto key generate rsa modulus modulus_size

For these keys to work, you should have a hostname and domain-name configured on the ASA as well.

So basically, configure a hostname, domain name and generate the RSA key pair:

hostname NAME_OF_ASA

domain-name NAME_OF_DOMAIN

crypto key generate rsa

Also, if you are not using an AAA server, please configure as below.

username username password password

aaa authentication ssh console LOCAL

Hope that helps

Regards

Najaf

Please rate when applicable or helpful !!!

I have generated keys.

I am using:

aaa authentication ssh console LOCAL

username mroes1234 password ************ encrypted

Hi,

Wouldn't the management interface need a route configuration?

Or is the host in the same network/subnet as the management interface?

- Jouni

Ah, sorry, I'm blind. The route is there.

- Jouni

same network

Not many things could be wrong then, I guess, if you can even ping the device.

I would suggest configuring the appropriate logging level, connecting with a console cable if possible, and checking what the logs say about the SSH connection.

I guess the command "show asp table socket" should say on which ports and interfaces the ASA is listening on.

You might also want to try removing the current SSH configuration and adding it again.

- Jouni

Marvin Rhoads
Hall of Fame

Looks straightforward. Do you have an RSA key generated on the ASA? ("show crypto key" to confirm, "crypto key generate rsa" to create one if necessary)

mroes1234
Level 1

Both look ok.

# sho asp table socket

Protocol  Socket    Local Address               Foreign Address         State

TCP       000022af  xxx.yyy.2.61:22             0.0.0.0:*               LISTEN

# show crypto key mypubkey rsa

Key pair was generated at: 13:30:01 UTC May 28 2013

Key name:

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:
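The "show asp table socket" output above says the ASA is listening on xxx.yyy.2.61:22, so the next useful fact is what the client actually sees when it connects. The script below is an added example for this thread, not the ASA's code or anything the participants posted. It parses the socket table shown above (the sample text is constructed from that post) and probes a host from the client side, sorting the failure into one of four stages: connect timeout (no SYN/ACK: path problem, the "ssh <net> <mask> management" allow-list, or an interface that only answers ICMP), connect refused/reset (nothing accepting on that port), TCP open but no SSH identification string (the daemon itself, for example no RSA key or a stuck SSH process), or a banner (the ASA answered, and any remaining failure is in key exchange or authentication). The banner "SSH-2.0-Cisco-1.25" used for the loopback demonstration is a constructed value; the one-shot loopback servers exist only so the probe can be exercised offline.

```python
"""Client-side SSH stage probe plus a parser for ASA 'show asp table socket'.

Added example for this thread; not the ASA's code or anything the
participants posted. Standard library only.
"""
import re
import socket
import threading
from typing import Dict, List, Optional

# Constructed sample shaped like the 'show asp table socket' output in the thread.
SAMPLE_ASP_OUTPUT = """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       000022af  xxx.yyy.2.61:22             0.0.0.0:*               LISTEN
"""

_SOCKET_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<sock>[0-9a-fA-F]+)\s+"
    r"(?P<laddr>[^\s:]+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>[^\s:]+):(?P<fport>\d+|\*)\s+(?P<state>\S+)\s*$"
)
# RFC 4253 section 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF"
_BANNER = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_asp_sockets(output: str) -> List[Dict[str, str]]:
    """Turn each socket row of 'show asp table socket' into a dict; header is skipped."""
    return [m.groupdict() for m in map(_SOCKET_LINE.match, output.splitlines()) if m]


def ssh_listener_present(output: str, local_addr: str, port: int = 22) -> bool:
    """True if the ASA reports a TCP socket in LISTEN state bound to local_addr:port."""
    return any(
        r["proto"] == "TCP" and r["state"] == "LISTEN"
        and r["laddr"] == local_addr and r["lport"] == str(port)
        for r in parse_asp_sockets(output)
    )


def parse_ssh_banner(raw: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Parse the server identification string; None if it is not an SSH banner."""
    m = _BANNER.match(raw.decode("ascii", "replace").rstrip("\r\n"))
    return m.groupdict() if m else None


def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> Dict[str, object]:
    """Connect and read the identification string; report which stage failed.

    stage: 'timeout'    no SYN/ACK (path, allow-list, or ICMP-only reachability)
           'refused'    RST on connect (nothing accepting on that port)
           'unreachable' other socket error (no route, host unreachable)
           'no_banner'  TCP open but the daemon sent nothing (look at keys/aaa)
           'banner'     SSH answered; remaining problems are KEX or auth
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(255)  # identification line is at most 255 bytes
            except socket.timeout:
                return {"stage": "no_banner", "banner": None}
            if not data:
                return {"stage": "no_banner", "banner": None}
            return {"stage": "banner", "banner": parse_ssh_banner(data)}
    except socket.timeout:
        return {"stage": "timeout", "banner": None}
    except (ConnectionRefusedError, ConnectionResetError):
        return {"stage": "refused", "banner": None}
    except OSError:
        return {"stage": "unreachable", "banner": None}


def serve_once(banner: Optional[bytes]) -> int:
    """Demo helper: one-shot loopback listener that sends `banner` to the first
    client, or stays silent until the client gives up when banner is None."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                try:
                    conn.recv(1)  # block until the client closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Demo helper: a loopback port with nothing listening, to show 'refused'."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("ASA listening on xxx.yyy.2.61:22:", ssh_listener_present(SAMPLE_ASP_OUTPUT, "xxx.yyy.2.61"))
    print(probe_ssh("127.0.0.1", serve_once(b"SSH-2.0-Cisco-1.25\r\n")))
    print(probe_ssh("127.0.0.1", serve_once(None), timeout=1.0))
    print(probe_ssh("127.0.0.1", closed_loopback_port()))
```

Against the real ASA, run probe_ssh from the host that cannot log in and compare with the socket table: a LISTEN entry plus "refused" or "timeout" points at the path or the "ssh" allow-list, while "no_banner" points at the SSH process itself and is where "debug ssh" and a capture on the management interface earn their keep. One caveat worth knowing if a banner does come back but a current client still fails: the posted config pins "ssh key-exchange group dh-group1-sha1" and the key is 1024-bit RSA, and OpenSSH has disabled diffie-hellman-group1-sha1 by default since 7.0 and ssh-rsa signatures since 8.8, so a modern client must be told to re-enable them (KexAlgorithms and HostKeyAlgorithms options) or the ASA has to be moved to dh-group14-sha1 with a larger key.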

I would suggest monitoring the device logs through the CLI or ASDM if that connection works. I don't see the "http" configurations in your post though.

If you do, I would imagine you would have to set the logging level to informational or debugging.

- Jouni

Hi,

Could you try enabling SSH on the inside interface for testing and verify whether that works? This will eliminate any issue with the SSH configuration.

Regards

Najaf

Please rate when applicable or helpful !!!

Hello Mroes,

Do a capture on the management interface so we can see the exchange of packets between the SSH client and the ASA (download them and share them here).

Also share the "debug ssh" output while attempting to connect.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

julomban
Level 3

Mroes,

You may want to try telnet; that way we can rule out any issues with the ASA itself and focus on SSH.

Regards,

Juan Lombana

Please rate helpful posts.
