Get SSH access from outside on ASA 5505

sergioloporto
Level 1

Hello, I am trying to add SSH access from outside (public IP) on my ASA 5505, but it's not working. Even after adding "ssh 0.0.0.0 outside" and "management-access outside", it is not working.

Result of the command: "show run"

ASA Version 9.2(3)4 
!
hostname xxxxasa
enable password xxxx encrypted
passwd xxxx  encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa923-4-k8.bin
ftp mode passive
clock timezone Warsaw 1
clock summer-time Warsaw recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SSH_2222_Raspberry_Pi
host 192.168.1.28
description Raspberry_Pi
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network SSH_2222_Raspberry_Pi
nat (inside,outside) static interface service tcp 2222 2222
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.26,CN=xxxxasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx 
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate xxxx 
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access outside
dhcpd auto_config outside
!
dhcprelay server 192.168.1.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
username xxxx password xxxx  encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxxx 
: end

Can anybody help?

6 Replies

johnd2310
Level 8

Hi,

Can you ssh from Inside? Try to re-generate crypto keys.

thanks

John

**Please rate posts you find helpful**

It now works... I had to add this:

object-group service Port2222 tcp
port-object eq 2222
access-list outside_access_in_1 extended permit tcp any object SSH_2222_Raspberry_Pi object-group Port2222

Were you trying to SSH to the ASA itself or to a device behind the ASA? From your post it sounds like you were trying to access the ASA.

--

Please remember to select a correct answer and rate helpful posts


Actually both of them. Neither was working. But now I can SSH to the ASA on port 22 and to the device inside on port 2222.

Just with my security hat on I would say that having SSH listening on your outside Interface to any source is a really, really bad idea so if you can avoid this then I'd suggest that you do.

As an alternative how about VPN'ing in and then using an internal server to access SSH management on your ASA?

Failing that, at least only allow your own IP(s) on the outside interface, 0.0.0.0 means anybody can have a try.
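As an added illustration of the advice above (my own script, not from this thread or from Cisco), here is a small audit that reads a "show run" text and flags management-plane exposure: ssh/telnet/http allowed from 0.0.0.0 on an interface with security-level 0, the dh-group1-sha1 key exchange, and inbound ACL entries that permit from "any". The config excerpt is constructed to mirror the lines in the thread; the untrusted-interface rule assumes security-level 0 marks the outside.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the running config in the thread (not the full output).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh key-exchange group dh-group1-sha1
access-list outside_access_in_1 extended permit tcp any object SSH_2222_Raspberry_Pi object-group Port2222
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def interface_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking the interface stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels


def audit_management_exposure(config: str) -> List[str]:
    """Return human-readable findings about management access reachable from untrusted interfaces."""
    findings = []
    levels = interface_security_levels(config)
    for line in config.splitlines():
        s = line.strip()
        m = re.match(rf"(ssh|telnet|http) {IPV4} {IPV4} (\S+)$", s)
        if m:
            proto, host, mask, ifname = m.groups()
            # 0.0.0.0/0.0.0.0 means any source; only worrying on an untrusted (level 0) interface.
            if host == "0.0.0.0" and mask == "0.0.0.0" and levels.get(ifname, 100) == 0:
                findings.append(f"{proto} open to any source on untrusted interface {ifname}")
        if s == "ssh key-exchange group dh-group1-sha1":
            findings.append("weak SSH key exchange dh-group1-sha1 (1024-bit DH); prefer dh-group14-sha1")
        if re.match(r"access-list \S+ extended permit \S+ any ", s):
            findings.append(f"inbound ACL permits from any source: {s}")
    return findings
```

Replacing "ssh 0.0.0.0 0.0.0.0 outside" with a line naming only your own management address, and giving the access-list a specific source instead of "any", clears the first and last findings.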

I plan to change the listening port to a different one. And the password is very complicated. I know it's not perfect, but for now I'll use it like this. In future I'll use a jumpserver, without VPN.
