08-16-2012 12:59 PM - edited 03-11-2019 04:43 PM
May I know how to configure remote access to the ASA 5525 via SSH?
I have issued the following commands:
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
but I am not able to access the ASA via SSH. Do I need to add any other command?
08-16-2012 02:26 PM
You need a public/private keypair:
asa(config)# crypto key generate rsa general-keys modulus 2048
a username:
asa(config)# username testuser password testpass
and the system should know where your user accounts are:
asa(config)# aaa authentication ssh console LOCAL
Edit: And to only allow SSHv2:
asa(config)# ssh version 2
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-21-2012 08:36 AM
Thank you.
I am able to SSH into the inside interface but not the outside interface or DMZ.
Do I need to add any access list?
08-21-2012 08:57 AM
The two most important rules for the ASA:
1) Interface ACLs are never involved when the communication is to the ASA itself (which is different from an IOS router).
2) You can only reach the nearest interface when communicating with the ASA (again a difference from the router). The only exception is communication through a VPN, where a configured management interface can be reached.
08-22-2012 10:04 AM
Will I be able to SSH into the ASA using its public IP address?
08-22-2012 01:14 PM
Yes: "ssh 0.0.0.0 0.0.0.0 outside"
Sent from Cisco Technical Support iPad App
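As an added check (example code written for this edit, not something posted in the thread or shipped by Cisco): a small Python audit that reads an ASA command set as typed in the posts above and flags what the accepted answer says is required (an RSA keypair, a username, "aaa authentication ssh console LOCAL", "ssh version 2"), and, for the later point in the thread about opening SSH to any source on the outside interface, flags any "ssh 0.0.0.0 0.0.0.0 <interface>" line. The two sample command sets are constructed from the commands quoted in the thread. Assumptions: only IPv4 "ssh <addr> <mask> <interface>" lines are parsed, and a keypair generated without a "modulus" keyword is treated as 1024 bits (the default on older ASA releases).

```python
import re

# Constructed samples, built from the commands quoted in the thread (not a real device dump).
ORIGINAL_POST = """\
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
"""

WITH_ANSWER_APPLIED = """\
crypto key generate rsa general-keys modulus 2048
username testuser password testpass
aaa authentication ssh console LOCAL
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only IPv4 "ssh <addr> <mask> <interface>" lines are recognised (assumption of this example).
SSH_PERMIT_RE = re.compile(rf"^ssh\s+({IPV4})\s+({IPV4})\s+(\S+)$")
# Assumption: older ASA releases default to a 1024-bit modulus when none is given.
DEFAULT_MODULUS = 1024


def audit_asa_ssh(commands: str) -> list[str]:
    """Return findings for an ASA SSH command set; an empty list means nothing was flagged."""
    has_key, modulus, aaa_server, users, version, permits = False, None, None, set(), None, []
    for raw in commands.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto key generate rsa"):
            has_key = True
            m = re.search(r"\bmodulus\s+(\d+)", line)
            modulus = int(m.group(1)) if m else DEFAULT_MODULUS
        elif (m := re.match(r"^aaa authentication ssh console\s+(\S+)", line)):
            aaa_server = m.group(1)
        elif (m := re.match(r"^username\s+(\S+)\s+password\b", line)):
            users.add(m.group(1))
        elif (m := re.match(r"^ssh version\s+(\d)$", line)):
            version = m.group(1)
        elif (m := SSH_PERMIT_RE.match(line)):
            permits.append(m.groups())

    findings = []
    if not has_key:
        findings.append("no RSA keypair ('crypto key generate rsa'): the SSH server has no host key")
    elif modulus < 2048:
        findings.append(f"RSA modulus {modulus} is below 2048")
    if aaa_server is None:
        findings.append("no 'aaa authentication ssh console' line: local usernames are not used for SSH logins")
    elif aaa_server == "LOCAL" and not users:
        findings.append("authentication points at LOCAL but no username is defined")
    if version != "2":
        findings.append("'ssh version 2' is not set: SSHv1 may still be negotiated")
    if not permits:
        findings.append("no 'ssh <addr> <mask> <interface>' line: no host is allowed to connect")
    for addr, mask, intf in permits:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"SSH is open to any source address on interface '{intf}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original post", ORIGINAL_POST), ("answer applied", WITH_ANSWER_APPLIED)):
        print(f"== {name} ==")
        for finding in audit_asa_ssh(cfg) or ["nothing flagged"]:
            print(" -", finding)
```

Run against the original poster's four lines it reports the missing keypair, the missing aaa line and the unset SSH version; run against the answer's commands plus the "ssh 0.0.0.0 0.0.0.0 outside" line it reports only that the outside interface accepts SSH from any source.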
08-23-2012 12:54 PM
Thank you Karsten
08-24-2012 11:25 AM
How do I configure SSH on the outside interface of a Cisco 2800 router?
I have configured the following on the outside interface:
ip access-list extended dsl-in
permit icmp any host 67.*.*.*
permit tcp any host 67.*.*.* eq 22
But I am not able to SSH from outside. The following is the overload configuration for the outside interface:
ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
ip access-list extended pat-out
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
permit ip 10.20.0.0 0.0.255.255 any
!
!
route-map dsl-nat permit 10
match interface FastEthernet0/2/0
!
!
08-24-2012 12:22 PM
The route-map is missing your ACL "pat-out". And on the router you also need the public/private keypair. An SSH config could look like this:
crypto key generate rsa general-keys modulus 2048 label SSH-KEYS
ip ssh version 2
ip ssh rsa keypair-name SSH-KEYS
ip ssh dh min size 2048
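For reference, the poster's NAT fragment with the missing "match ip address" line added, followed by the SSH commands from the answer above and a vty section that restricts who may log in. This is an added example for this edit, not configuration from the thread or from Cisco; the standard ACL name "vty-mgmt" and the management host 203.0.113.10 (an RFC 5737 documentation address) are assumed, and "ip ssh dh min size 2048" is left out because, as noted later in the thread, it only exists on newer IOS releases.

```cisco
! Added example (not from the thread): the ACL is now referenced by the route-map.
ip access-list extended pat-out
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
 permit ip 10.20.0.0 0.0.255.255 any
!
route-map dsl-nat permit 10
 match ip address pat-out
 match interface FastEthernet0/2/0
!
ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
! SSH server: keypair, SSHv2 only, and the named keypair bound to SSH
crypto key generate rsa general-keys modulus 2048 label SSH-KEYS
ip ssh version 2
ip ssh rsa keypair-name SSH-KEYS
!
! Assumed: only the inside network and one management host may open vty sessions
ip access-list standard vty-mgmt
 permit 10.10.0.0 0.0.255.255
 permit host 203.0.113.10
!
line vty 0 4
 access-class vty-mgmt in
 login local
 transport input ssh
```

The "access-class" line filters by source address before the login prompt, and "transport input ssh" turns Telnet off on those lines, which is the narrower alternative to the "permit tcp any ... eq 22" entry in the interface ACL.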
06-01-2020 08:50 AM
Enabling SSH to ANY on the outside interface would not be a good idea.
08-24-2012 01:19 PM
ip ssh dh min size 2048
I added the first 3 commands.
On the 4th one, there is no "dh" option after "ip ssh ?":
authentication-retries Specify number of authentication retries
break-string break-string
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH connections
time-out Specify SSH time-out interval
version Specify protocol version to be supported
08-24-2012 01:40 PM
That command is not mandatory. It just makes sure that stronger cryptography has to be used. But it's only available in very new IOS versions. SSH will work without it.
08-27-2012 05:58 AM
I am still not able to SSH from outside using the public IP. It is a Cisco 2800 router.
When I issue the command, it shows the following:
(config)#$generate rsa general-keys modulus 2048 label SSH-KEYS
% You already have RSA keys defined named SSH-KEYS.
% They will be replaced.
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
08-27-2012 06:02 AM
Well, then you already have the keys ...
What is your actual config? Any log messages while you try to connect?
08-27-2012 06:22 AM
We have recently installed an ASA 5525 firewall.
Router1 ------MPLS------Router2-------ASA
|
Router3
Is the ASA blocking SSH for Router 1 and Router 3? I am able to SSH with private IPs but not with public IPs.