
I can't SSH to ASA 5506-X, Just got a device and setting it up

Kashifer7920
Level 1

I am new to firewalls; I bought this ASA 5505-X and am doing some initial setup. So far I defined the management int, which is UP/UP, HTTP server enabled, SSH and HTTP allowed from all required IPs to management, but it seems like I am missing something and all these settings can't let me SSH to 10.10.10.4 (management IP). Below is the script running. I would appreciate it if anyone can help me in pinpointing what exactly is happening.

 

ASAFW(config)# sh run
: Saved

:
: Serial Number: 
: Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)36
!
hostname ASAFW
domain-name ASAFW.lab
enable password $sha512$5000$rMFI119EfVJGjbmZ0mSbVA==$LWzQbGq3GVp+fQp35kQcdw== pbkdf2
names

banner motd Login Unauthorized Access Is Prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ASAFW.lab
pager lines 24
logging enable
logging buffered debugging
logging trap informational
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.0.0.0 management
http 192.168.0.0 255.255.0.0 management
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
no snmp-server enable
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.1
dynamic-access-policy-record DfltAccessPolicy
username asdm password $sha512$5000$j++g/kXjFSLIF3Oo9tZcNg==$z3+hhMT+yJ4veeFdrQXEZQ== pbkdf2
username kmuhammad password $sha512$5000$sX54YA1RLh5ptUZb8242vg==$tlGup/8Q+RH/BO9+hlo1wg== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:45df069b832e4820b785d6a0bd3f53b6
: end
ASAFW(config)#

 


6 Replies

@Kashifer7920 

The output above doesn't have the interface configuration; please upload the full configuration.

Are you directly connected to the management interface?

What is your source IP address of the device you are connecting from?

If you are on a different network you don't appear to have any routes defined.

I am connected to ASA through PC. My PC IP is 192.168.1.7 255.255.255.0 and is on WIFI.

 

 

****INT configuration m1/1****

 

Interface Management1/1 "management", is up, line protocol is up
Hardware is en_vtun rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 500f.8019.f1d8, MTU 1500
IP address 10.10.10.4, subnet mask 255.255.255.0
3985 packets input, 246247 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1 packets output, 42 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "management":
3981 packets input, 190273 bytes
1 packets output, 28 bytes
165 packets dropped
1 minute input rate 0 pkts/sec, 10 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 33 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets

You've not answered all my questions. Are there routes on the ASA to the 192.168.1.0/24 network via the management interface?

Is 192.168.1.0/24 connected to the inside or management network? If it's the inside, you'll need to manage via the inside interface.

I didn't set up any route to the 192/24 network via the management int.

Though the 192 network is connected directly to the management int.

If you haven't set up a route on the ASA, it won't know how to reach the 192.168.1.0/24 network. Either define a static route on the ASA and a route on the PC, or change the PC's IP address to 10.10.10.44
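
The point of the answer above, as an added example that is not part of the original thread: the `ssh` permit list and the return path are two separate checks, and the posted config passes the first but fails the second for 192.168.1.7. The function names and the gateway 10.10.10.1 used in the usage note are constructed for illustration.

```python
import ipaddress

# Constructed sample: ssh lines copied from the thread's config; the interface
# address comes from the posted "show interface" output. No route lines exist.
CONFIG = """\
ssh 192.168.1.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
"""
IFACES = {"management": ipaddress.ip_interface("10.10.10.4/255.255.255.0")}


def parse(config):
    """Collect `ssh <net> <mask> <if>` permits and `route <if> <net> <mask> <gw>` entries."""
    permits, routes = [], []
    for line in config.splitlines():
        f = line.split()
        # Permit lines start with an address; skips "ssh key-exchange group ..." etc.
        if len(f) == 4 and f[0] == "ssh" and f[1][0].isdigit():
            permits.append((ipaddress.ip_network(f"{f[1]}/{f[2]}"), f[3]))
        elif len(f) >= 5 and f[0] == "route":
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[1], f[4]))
    return permits, routes


def diagnose(client, ifname, config, ifaces=IFACES):
    """Return (ssh_permitted, return_path); return_path is None when the ASA cannot reply."""
    ip = ipaddress.ip_address(client)
    permits, routes = parse(config)
    permitted = any(ip in net and nif == ifname for net, nif in permits)
    if ip in ifaces[ifname].network:
        path = "connected"
    else:
        # Longest-prefix match over static routes bound to this interface.
        hits = [(net.prefixlen, gw) for net, nif, gw in routes
                if nif == ifname and ip in net]
        path = f"via {max(hits)[1]}" if hits else None
    return permitted, path


if __name__ == "__main__":
    for pc in ("192.168.1.7", "10.10.10.44"):
        print(pc, diagnose(pc, "management", CONFIG))
```

Appending a line such as `route management 192.168.1.0 255.255.255.0 10.10.10.1` (gateway constructed) to `CONFIG` changes the result for 192.168.1.7 from no return path to `via 10.10.10.1`.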

Thanks, I missed this part. Thank you so much. Hope to come back soon with more issues. Love this community already!!! Stay blessed, Rob
