08-16-2012 12:59 PM - edited 03-11-2019 04:43 PM
May I know how to configure remote access to the ASA 5525 via SSH?
I have issued the following commands:
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
but I am not able to access the ASA via SSH. Do I need to add any other command?
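As an added example (not from the thread, and not Cisco code), the following Python models how the ASA evaluates `ssh <network> <mask> <interface>` statements: a client is admitted only when its source address matches an entry bound to the interface the connection arrives on. It parses the three entries from the question and, against a constructed sample routing table, flags the entries whose interface does not match where 10.60.0.0/16 is actually routed.

```python
from ipaddress import ip_address, ip_network

# The three entries typed in the question, plus the timeout line so the
# parser has to skip a non-network `ssh` command.
QUESTION_CONFIG = [
    "ssh 10.60.0.0 255.255.0.0 outside",
    "ssh 10.60.0.0 255.255.0.0 dmz",
    "ssh 10.60.0.0 255.255.0.0 inside",
    "ssh timeout 5",
]

# Constructed sample routing table (network -> egress interface); the thread
# never shows the real one.
SAMPLE_ROUTES = {"10.60.0.0/16": "inside"}


def parse_ssh_entries(config_lines):
    """Return [(network, interface)] for every `ssh <net> <mask> <iface>` line.
    Other `ssh ...` commands (timeout, version, ...) are ignored."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh" and parts[1][0].isdigit():
            net = ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            entries.append((net, parts[3]))
    return entries


def ssh_permitted(entries, client_ip, ingress_iface):
    """An SSH session is accepted only if the client's source address matches
    an entry that is bound to the interface the connection arrives on."""
    ip = ip_address(client_ip)
    return any(ip in net and iface == ingress_iface for net, iface in entries)


def unroutable_entries(entries, routes):
    """Flag entries whose interface differs from where the network is routed;
    replies to such clients would leave the box by a different interface."""
    flagged = []
    for net, iface in entries:
        for route, route_iface in routes.items():
            if net.subnet_of(ip_network(route)) and route_iface != iface:
                flagged.append((str(net), iface))
    return flagged


if __name__ == "__main__":
    entries = parse_ssh_entries(QUESTION_CONFIG)
    print(ssh_permitted(entries, "10.60.1.5", "inside"))    # True
    print(ssh_permitted(entries, "172.16.0.5", "inside"))   # False
    print(unroutable_entries(entries, SAMPLE_ROUTES))
```

With the sample routing table, the `outside` and `dmz` entries are flagged as not matching the interface the subnet is reached through, and a client outside 10.60.0.0/16 is refused on every interface.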
08-27-2012 06:26 AM
The Routers have separate DSL connections
08-27-2012 06:38 AM
If the SSH goes through the ASA it has to be allowed. Where is your client when you try to SSH, and into which router do you want to log in?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-27-2012 06:48 AM
Router1 (10.30.0.1, public IP 67.*.*.*); Router 3 (172.16.0.1, public IP 212.*.*.*)
From the 172.16.*.* network, I am able to SSH into Router1 using the private IP but not using the public IP. From outside the company network I am also not able to SSH using the public IP. But from the same network (10.30.0.0), I am able to SSH using the public IP. Same for Router 3.
08-28-2012 06:20 AM
Router1 ------MPLS------Router2-------ASA
|
Router3
08-28-2012 06:25 AM
So what doesn't work is the following:
PC in 172.16.x.x connects via R3-DSL to R1-DSL? But the PC can reach other resources on the internet?
What's the NAT, ACL and SSH-config from R1?
08-28-2012 07:25 AM
ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
!
ip access-list extended dsl-in
permit icmp any host 67.*.*.*
permit tcp any eq 22 host 67.*.*.*
permit tcp any host 67.*.*.* eq 22
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
snmp-server community s3cur3 RO snmp
no cdp run
!
!
!
route-map dsl-nat permit 10
match interface FastEthernet0/2/0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
login authentication local_auth
transport input telnet ssh
line vty 5 15
login authentication local_auth
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect tcp finwait-time 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect SDM_LOW out
ip inspect SDM_LOW out
Should I allow inspect for ssh?
08-28-2012 07:38 AM
ip access-list extended dsl-in
permit tcp any eq 22 host 67.*.*.*
That one is not needed if you apply your inspection-rule outgoing on your external interface.
Should I allow inspect for ssh?
No, as SSH is single-channel, you don't need that to make SSH work.
Your NAT-rule is too broad. Change it this way (I assume your internal networks are all in the RFC1918 range; you can also change the object-group to something that only matches your networks):
object-group network RFC1918
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
ip access-list extended NAT
deny ip object-group RFC1918 object-group RFC1918
permit ip object-group RFC1918 any
route-map dsl-nat permit 10
match ip address NAT
match interface FastEthernet0/2/0
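As an added example (not from the thread, and not Cisco code), the following Python evaluates the policy-NAT change proposed above against a few constructed flows. It models the `NAT` access-list top-down with the implicit deny, and the route-map's AND of `match ip address NAT` and `match interface FastEthernet0/2/0`, and puts the original interface-only rule beside the corrected one so the difference is visible per flow. The flow addresses and the second interface name are constructed; 198.51.100.7 is a documentation address standing in for an Internet host.

```python
from ipaddress import ip_address, ip_network

# object-group network RFC1918, as defined in the reply.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
DSL_IFACE = "FastEthernet0/2/0"   # the `match interface` in route-map dsl-nat

# Constructed sample flows: (source, destination, egress interface).
SAMPLE_FLOWS = [
    ("10.30.0.5", "198.51.100.7", DSL_IFACE),         # LAN host to the Internet
    ("10.30.0.5", "172.16.0.10", DSL_IFACE),          # LAN host to the other site
    ("10.30.0.5", "172.16.0.10", "FastEthernet0/0"),  # same flow, not via DSL
]


def in_group(ip, group):
    """Object-group membership: any network in the group contains the address."""
    return any(ip in net for net in group)


def acl_nat_permits(src, dst):
    """Evaluate `ip access-list extended NAT` top-down, as IOS does:
    deny RFC1918 -> RFC1918, permit RFC1918 -> any, then the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    if in_group(s, RFC1918) and in_group(d, RFC1918):
        return False   # deny ip object-group RFC1918 object-group RFC1918
    if in_group(s, RFC1918):
        return True    # permit ip object-group RFC1918 any
    return False       # implicit deny at the end of every IOS ACL


def translated_before(src, dst, egress_iface):
    """Original route-map: only `match interface`, so everything leaving the
    DSL interface is translated, whatever its destination."""
    return egress_iface == DSL_IFACE


def translated_after(src, dst, egress_iface):
    """Corrected route-map: every match clause in the sequence must succeed
    before the permit applies, so site-to-site traffic is left untranslated."""
    return egress_iface == DSL_IFACE and acl_nat_permits(src, dst)


def compare(flows):
    """Return (src, dst, before, after) per flow to show where the change bites."""
    return [(s, d, translated_before(s, d, e), translated_after(s, d, e))
            for s, d, e in flows]


if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

Only the second flow changes: private-to-private traffic that happens to leave via the DSL interface is no longer translated, while Internet-bound traffic is still NATed and nothing leaving another interface is touched by either version.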
06-06-2015 09:29 PM
You should remove the extra SSH entries. Your subnet 10.60.0.0/16 could not be available from all three interfaces. Consult your routing table and only keep the entry where this route exists.
Here is a list of steps for enabling SSH on Cisco ASA:
http://www.networksolutions.guru/blog/switching/how-to-enable-ssh-on-cisco-devices-asa-router-switch-asr/
HTH