02-04-2015 04:42 AM - edited 02-21-2020 05:23 AM
Hello,
I have an issue with enabling the ssh functionality on the outgoing interface called "internet".
ciscoasa(config)# ssh 10.1.1.0 255.255.255.0 internet
ERROR: Unable to configure service on port 22, on interface 'internet'. This port is currently in use by another feature
Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh [sessions [<client_ip>]]
ssh disconnect <session_id>
show running-config [all] ssh
clear configure ssh
I want to implement port forwarding for ssh. So I created a static NAT entry and some ACLs to get it done:
object network switch
host 172.20.32.115
nat (lan,internet) static interface service tcp ssh ssh
access-list internet_access_in extended permit tcp any object switch eq ssh
access-list internet_access_in extended permit tcp any interface internet eq ssh
access-list internet_access_out extended permit tcp any any eq ssh
Nevertheless, it is not working. An ACL is always blocking the ssh traffic arriving on the "internet" port of the ASA. So I had the idea that I also have to enable ssh on the internet port. But as you can see on top, I couldn't do that.
Questions: Is it possible to activate ssh for the outgoing "internet" port? Or is my port forwarding configuration wrong?
Thanks in advance for your help,
Toby
PS: Additional Stuff
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(5)
ciscoasa# sh run ssh
ssh scopy enable
ssh stricthostkeycheck
ssh 172.20.32.0 255.255.224.0 lan
ssh timeout 5
ssh key-exchange group dh-group1-sha1
02-05-2015 04:03 PM
The first ssh command is to allow ssh to the ASA itself (for management) from the outside. Since you already have a static NAT listening on port 22, you can't also ssh to that interface to manage the ASA.
Have you applied the internet_access_in ACL to the interface?
access-group internet_access_in in interface internet
The internet_access_out access-list should not be used. It will filter everything outbound but traffic going TO tcp 22 (ssh). That will break most everything. Also, it's not needed for the return traffic from your switch.
02-05-2015 11:12 PM
Thank you for your response.
Yes, I applied the ACL to the correct interface. But I figured it out on my own. I configured two NAT rules: first, the dynamic rule for the clients, and second, the static entry for the ssh port forwarding. Anyway, the order of the NAT rules seemed to be important. After I put the static NAT entry on top of the list (using ASDM), it worked fine.
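Putting the thread's resolution together as one constructed ASA configuration (added here, not posted by either participant): management SSH stays on the lan side only, the port-forward is an object (auto) NAT rule, the outbound PAT is also object NAT so the ASA's own ordering (static before dynamic) puts the forward first, and packet-tracer is used to check the inbound path. The object name lan-net, the outside client 198.51.100.10 and the outside interface address 203.0.113.1 are assumed placeholders.

```cisco
! Constructed example, not the thread's running config.
! Management SSH is permitted on "lan" only; port 22 on "internet" belongs to the
! port-forward below, so "ssh ... internet" is not configured (it would fail anyway).
ssh 172.20.32.0 255.255.224.0 lan

! Port-forward: object NAT, static. Within the object-NAT section the ASA evaluates
! static rules before dynamic ones, so this rule is matched before the PAT rule.
object network switch
 host 172.20.32.115
 nat (lan,internet) static interface service tcp ssh ssh

! Outbound PAT for the rest of the LAN, also as object NAT (assumed object name).
! It overlaps 172.20.32.115, but the static rule above is evaluated first.
object network lan-net
 subnet 172.20.32.0 255.255.224.0
 nat (lan,internet) dynamic interface

! Inbound ACL only; post-8.3 ACLs reference the real (untranslated) address.
! No outbound ACL is needed for the return traffic (stateful inspection handles it).
access-list internet_access_in extended permit tcp any object switch eq ssh
access-group internet_access_in in interface internet

! Verification: confirm the rule order the ASA actually uses, then simulate an
! inbound SSH connection from an assumed outside client to the assumed outside IP.
show nat detail
packet-tracer input internet tcp 198.51.100.10 40000 203.0.113.1 22 detailed
```

The packet-tracer output should show the NAT phase "untranslating" 203.0.113.1/22 to 172.20.32.115/22 and the ACCESS-LIST phase hitting internet_access_in; a drop in either phase points at the rule that needs fixing.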