12-10-2012 12:53 AM - edited 03-11-2019 05:35 PM
Hi,
I want to ssh to my asa from internet.
for it iahve done some configuration, but my asa is not pinging from internet.
Below is my ASA's show run
Please help me..
Regards,
Milan Verma
-------------------------------------------------------------
RBN-ASA-01# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname RBN-ASA-01
domain-name rcad.net
enable password WRY7HuZ63V3/F0YH encrypted
passwd WRY7HuZ63V3/F0YH encrypted
names
!
interface Ethernet0/0
description Internet Interface
switchport access vlan 61
!
interface Ethernet0/1
description office Internet
switchport access vlan 50
!
interface Ethernet0/2
description LAN Failover Interface
switchport access vlan 999
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan50
nameif office
security-level 100
ip address 10.54.5.1 255.255.255.192
!
interface Vlan61
nameif Internet
security-level 0
ip address 182.73.131.90 255.255.255.248
!
interface Vlan999
description LAN Failover Interface
!
ftp mode passive
dns server-group DefaultDNS
domain-name rcad.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list office_access_in extended permit ip 10.54.5.0 255.255.255.192 any log
access-list office_access_in extended permit icmp 10.54.5.0 255.255.255.192 any log
access-list Internet_access_in extended permit ip 83.206.102.64 255.255.255.224 any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu office 1500
mtu Internet 1500
no failover
failover lan unit primary
failover lan interface FAILOVER Vlan999
failover key *****
failover interface ip FAILOVER 172.16.255.1 255.255.255.0 standby 172.16.255.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any office
icmp permit any Internet
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Internet) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office) 1 0.0.0.0 0.0.0.0
access-group office_access_in in interface office
access-group Internet_access_in in interface Internet
route outside 0.0.0.0 0.0.0.0 182.73.131.90 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable 8443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 Internet
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 83.206.102.64 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 Internet
ssh timeout 60
ssh version 2
console timeout 0
management-access office
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username royal password NoaKp7DFzldhgZBl encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a81bd8fb22c791c3ad0018dc545df522
: end
RBN-ASA-01#
12-10-2012 12:59 AM
Hello Milan,
You can do the following to access your ASA from internet:
you need a public/private keypair:
asa(config)# crypto key generate rsa general-keys modulus 2048
a username:
asa(config)# username testuser password testpass
and the system should know where your useraccounts are:
asa(config)# aaa authentication ssh console LOCAL
permit ssh on the outside for everyone
asa(config)# ssh 0 0 outside
Edit: And only allowing SSHv2:
asa(config)# ssh version 2
Please rate helpful posts
Best Regards,
Eugene
12-10-2012 01:04 AM
but I am not able to ping my ASA from internet.
IP on 0/0 182.73.131.90
ISP router IP - 182.73.131.89
12-10-2012 01:06 AM
Hi,
Can you try adding the following
policy-map global_policy
class inspection_default
inspect icmp
And then try again
- Jouni
12-10-2012 01:08 AM
Hello,
It is not the same issue, of course if it is not a connectivity problem,
Try this:
icmp permit any outside
Also which interface are you using, Internet or outside?
you can check it with sh route command
Please rate helpful posts
Best Regards,
Eugene
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide