how to enable ssh on ASA 5525

purpletech
Level 1

May I know how to configure remote access to the ASA 5525 via SSH?

I have issued the following commands

ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5

but I am not able to access the ASA via SSH. Do I need to add any other command?

22 Replies

The Routers have separate DSL connections

If the SSH goes through the ASA it has to be allowed. Where is your client when you try to SSH and into which router do you want to login?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Router1 (10.30.0.1, public IP 67.*.*.*), Router 3 (172.16.0.1, public IP 212.*.*.*)

From the 172.16.*.* network, I am able to SSH into Router1 using the private IP but not using the public IP. From outside the company network I am also not able to SSH using the public IP. But from the same network (10.30.0.0), I am able to SSH using the public IP. Same for Router 3.

Router1 ------MPLS------Router2-------ASA
                           |
                        Router3

So what doesn't work is the following:

PC in 172.16.x.x connects via R3-DSL to R1-DSL? But the PC can reach other resources on the internet?

What's the NAT, ACL and SSH-config from R1?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ip nat inside source route-map dsl-nat interface FastEthernet0/2/0 overload
!
ip access-list extended dsl-in
 permit icmp any host 67.*.*.*
 permit tcp any eq 22 host 67.*.*.*
 permit tcp any host 67.*.*.* eq 22
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
snmp-server community s3cur3 RO snmp
no cdp run
!
route-map dsl-nat permit 10
 match interface FastEthernet0/2/0
!
control-plane
!
line con 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect tcp finwait-time 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect SDM_LOW out
ip inspect SDM_LOW out

Should I allow inspect for SSH?

ip access-list extended dsl-in
 permit tcp any eq 22 host 67.*.*.*

That one is not needed if you apply your inspection rule outgoing on your external interface.

Should I allow inspect for SSH?

No, as SSH is single-channel, you don't need that to make SSH work.

Your NAT rule is too broad. Change it this way (I assume your internal networks are all in the RFC1918 range; you can also change the object-group to something that only matches your networks):

object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
ip access-list extended NAT
 deny   ip object-group RFC1918 object-group RFC1918
 permit ip object-group RFC1918 any
!
route-map dsl-nat permit 10
 match ip address NAT
 match interface FastEthernet0/2/0

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
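The corrected NAT route-map above, modelled in Python as an added example (not code from the thread or from Cisco): it evaluates the object-group ACL with IOS first-match semantics and the implicit trailing deny, so you can see which source/destination pairs the route-map would translate. The egress interface name comes from the thread; the sample addresses are constructed.

```python
import ipaddress

# Constructed model (not Cisco code) of the corrected NAT route-map from the
# reply above: an IOS extended ACL referencing an object-group, evaluated with
# first-match semantics and the implicit deny at the end of every IOS ACL.

# object-group network RFC1918
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = None  # stands for the "any" keyword

# ip access-list extended NAT
#  deny   ip object-group RFC1918 object-group RFC1918
#  permit ip object-group RFC1918 any
NAT_ACL = [
    ("deny", RFC1918, RFC1918),
    ("permit", RFC1918, ANY),
]


def matches(ip, group):
    """True if ip falls in any network of the object-group (or group is 'any')."""
    if group is ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def acl_action(acl, src, dst):
    """First matching entry wins; no match at all means the implicit deny."""
    for action, src_grp, dst_grp in acl:
        if matches(src, src_grp) and matches(dst, dst_grp):
            return action
    return "deny"


def nat_translates(src, dst, egress):
    """route-map dsl-nat permit 10: both match clauses must be true.

    In a NAT ACL, 'deny' means 'do not translate this flow', not 'drop it'.
    The egress interface name is the one from the thread (assumed topology).
    """
    if egress != "FastEthernet0/2/0":
        return False
    return acl_action(NAT_ACL, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed sample flows: site-to-site over MPLS vs. internet-bound.
    for src, dst in (("172.16.0.10", "10.30.0.1"), ("172.16.0.10", "198.51.100.7")):
        print(src, "->", dst, "translated:", nat_translates(src, dst, "FastEthernet0/2/0"))
```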

pahuja
Level 1

You should remove the extra SSH entries. Your subnet 10.60.0.0/16 could not be available from all three interfaces. Consult your routing table and only keep the entry where this route exists.

Here is a list of steps for enabling SSH on Cisco ASA:


http://www.networksolutions.guru/blog/switching/how-to-enable-ssh-on-cisco-devices-asa-router-switch-asr/


HTH
