I can't access ASA SSH behind a router performing static NAT

isaac_ferreira
Level 1

Hello guys,

I'm studying firewalls and I'm performing a NAT lab to improve my skills. The idea is to be able to access SSH from "Remote_Router" to "Firewall"; the ISP will perform a static NAT from 200.0.0.6 to 172.16.0.2, the Outside interface on "Firewall".

I can ping from Remote_Router to Firewall, but I can't access SSH, and I don't understand what is wrong.

On the ASDM I can see the error; it is in ASDM_ERROR.

 

Here is the ISP's config:

Enterprise_Internet#show running-config
Building configuration...


Current configuration : 3030 bytes
!
! Last configuration change at 03:18:51 UTC Thu Nov 8 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Enterprise_Internet
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip domain-name www.teste.com.br
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/2
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0
no switchport
ip address 172.16.0.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1
no switchport
ip address 200.0.0.6 255.255.255.252
ip nat outside
negotiation auto
!
ip nat inside source static 172.16.0.2 200.0.0.6
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 200.0.0.5
!
!
access-list 1 permit any
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 5
login
!
!
end

 

Here is the Firewall's config:

FIREWALL# show running-config
: Saved
:
: Serial Number: 123456789AB
: Hardware: ASA5520, 1024 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16
!
hostname FIREWALL
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0
nameif Outside
security-level 50
ip address 172.16.0.2 255.255.255.0
!
interface Ethernet1
nameif Inside
security-level 100
ip address 172.17.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
nameif Management
security-level 0
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NAT_TO_INTERNET
subnet 172.17.0.0 255.255.255.0
object network INTERNET_POOL
host 201.201.201.201
object network VPN_POOL
host 200.0.0.6
access-list Outside_access_in extended permit ip any any
access-list CAPTURA extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2e56245e65718e2cb24393203ccb0330
: end

 

It is just for lab purposes, but I'd like to know what my mistake is :|

Thanks!!!

 

Accepted Solution

Your capture shows that there is a connection on port tcp/22. So it is most likely not the network, but a misconfiguration between SSH-server and Client. Configure the firewall to only use ssh version 2 and tell your client to use SSH version 2. Also make sure that both client and server have public/private key pairs:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
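The reply above rests on one observation: the capture shows a TCP connection on port 22, so the NAT path works and the failure is inside the SSH exchange. The following is an added diagnostic, not code from the thread or from Cisco, that makes that distinction explicit. It connects to the NAT'd address, reads the server's identification string (RFC 4253 section 4.2, where "1.99" means the server speaks both SSH-1 and SSH-2) and reports whether the failure is the network path, a silent SSH server, or a protocol-version mismatch with the client. The host, port and the sample banners are assumptions and constructed values; the identification string the OP's ASA actually sends is not in the thread.

```python
import socket
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Constructed sample banners (not captured from the thread's devices) covering
# the three RFC 4253 identification-string cases a Cisco box can present.
SAMPLE_BANNERS = {
    "both": "SSH-1.99-Cisco-1.25",  # legacy value: server offers SSH-1 and SSH-2
    "v2":   "SSH-2.0-Cisco-1.25",   # SSH-2 only, what 'ssh version 2' produces
    "v1":   "SSH-1.5-Cisco-1.25",   # SSH-1 only
}


@dataclass
class SshProbeResult:
    tcp_connected: bool
    banner: Optional[str]
    server_versions: Set[str] = field(default_factory=set)
    verdict: str = ""


def parse_ssh_identification(line: str) -> Set[str]:
    """Return the protocol major versions an 'SSH-protoversion-software' line offers."""
    line = line.strip()
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = line.split("-", 2)[1]
    if proto == "1.99":
        return {"1", "2"}
    if proto.startswith("2."):
        return {"2"}
    if proto.startswith("1."):
        return {"1"}
    raise ValueError(f"unrecognised protocol version {proto!r}")


def classify(tcp_connected: bool, banner: Optional[str],
             client_versions: Iterable[str] = ("2",)) -> SshProbeResult:
    """Turn the two raw facts (did TCP connect, what banner came back) into a verdict."""
    wanted = set(client_versions)
    if not tcp_connected:
        return SshProbeResult(False, None, set(),
            "no TCP connection to port 22: look at NAT, ACL and routing, not at SSH settings")
    if banner is None:
        return SshProbeResult(True, None, set(),
            "TCP connected but no SSH identification string: the NAT delivered the "
            "connection, but the SSH server is not answering on that interface")
    try:
        offered = parse_ssh_identification(banner)
    except ValueError as exc:
        return SshProbeResult(True, banner, set(), f"unexpected banner: {exc}")
    if not offered & wanted:
        return SshProbeResult(True, banner, offered,
            f"version mismatch: server offers SSH-{sorted(offered)}, client wants SSH-{sorted(wanted)}")
    return SshProbeResult(True, banner, offered,
        "SSH reachable and version-compatible: the failure is in key exchange or authentication")


def probe(host: str, port: int = 22, timeout: float = 5.0,
          client_versions: Iterable[str] = ("2",)) -> SshProbeResult:
    """Live probe: TCP connect, send our own identification string, read the server's."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return classify(False, None, client_versions)
    banner = None
    with sock:
        try:
            sock.sendall(b"SSH-2.0-probe_0.1\r\n")
            data = b""
            while banner is None and len(data) < 4096:
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
                # RFC 4253 allows the server to send other lines before the SSH- line.
                for raw in data.split(b"\n"):
                    if raw.startswith(b"SSH-"):
                        banner = raw.decode("ascii", "replace").strip()
                        break
        except OSError:
            pass  # reset or read timeout after connect: report as 'connected, no banner'
    return classify(True, banner, client_versions)


if __name__ == "__main__":
    import sys
    # Assumed target: the ISP's static-NAT address from the thread; adjust as needed.
    target = sys.argv[1] if len(sys.argv) > 1 else "200.0.0.6"
    result = probe(target)
    print(f"{target}: tcp={result.tcp_connected} banner={result.banner!r}")
    print(result.verdict)
```

Run it from the same vantage point as Remote_Router. A "version mismatch" or "SSH reachable" verdict with a "1.99" or "2.0" banner confirms the NAT and the Outside SSH ACL are fine, which is exactly what the capture in the reply shows, and moves the investigation to `ssh version 2`, the RSA key pair and the local user the ASA authenticates against.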


Hello Karsten.

 

I configured just like you said, but the same problem is going on.

I took a screenshot from my ASDM; maybe it helps.

 

 

Hi Karsten,

 

I'm using EVE-NG to study; I just changed the image from VIOL to IOL and it worked.

Thank you so much for your help!!
