
ssh from internet

milan_ver
Level 1

Hi,

I want to SSH to my ASA from the internet.

For it I have done some configuration, but my ASA is not pinging from the internet.

Below is my ASA's show run.

Please help me.

Regards,

Milan Verma

-------------------------------------------------------------

RBN-ASA-01# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname RBN-ASA-01
domain-name rcad.net
enable password WRY7HuZ63V3/F0YH encrypted
passwd WRY7HuZ63V3/F0YH encrypted
names
!
interface Ethernet0/0
 description Internet Interface
 switchport access vlan 61
!
interface Ethernet0/1
 description office Internet
 switchport access vlan 50
!
interface Ethernet0/2
 description LAN Failover Interface
 switchport access vlan 999
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan50
 nameif office
 security-level 100
 ip address 10.54.5.1 255.255.255.192
!
interface Vlan61
 nameif Internet
 security-level 0
 ip address 182.73.131.90 255.255.255.248
!
interface Vlan999
 description LAN Failover Interface
!
ftp mode passive
dns server-group DefaultDNS
 domain-name rcad.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list office_access_in extended permit ip 10.54.5.0 255.255.255.192 any log
access-list office_access_in extended permit icmp 10.54.5.0 255.255.255.192 any log
access-list Internet_access_in extended permit ip 83.206.102.64 255.255.255.224 any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu office 1500
mtu Internet 1500
no failover
failover lan unit primary
failover lan interface FAILOVER Vlan999
failover key *****
failover interface ip FAILOVER 172.16.255.1 255.255.255.0 standby 172.16.255.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any office
icmp permit any Internet
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Internet) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (office) 1 0.0.0.0 0.0.0.0
access-group office_access_in in interface office
access-group Internet_access_in in interface Internet
route outside 0.0.0.0 0.0.0.0 182.73.131.90 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable 8443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 Internet
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 83.206.102.64 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 Internet
ssh timeout 60
ssh version 2
console timeout 0
management-access office
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username royal password NoaKp7DFzldhgZBl encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a81bd8fb22c791c3ad0018dc545df522
: end
RBN-ASA-01#

4 Replies

Eugene Korneychuk
Cisco Employee

Hello Milan,

You can do the following to access your ASA from internet:

you need a public/private keypair:

asa(config)# crypto key generate rsa general-keys modulus 2048

a username:

asa(config)# username testuser password testpass

and the system should know where your user accounts are:

asa(config)# aaa authentication ssh console LOCAL

permit SSH on the outside for everyone:

asa(config)# ssh 0 0 outside

Edit: And only allowing SSHv2:

asa(config)# ssh version 2

Please rate helpful posts

Best Regards,

Eugene

But I am not able to ping my ASA from the internet.

IP on 0/0 182.73.131.90

ISP router IP - 182.73.131.89

Hi,

Can you try adding the following

policy-map global_policy
 class inspection_default
  inspect icmp

And then try again

- Jouni

Hello,

It is not the same issue, of course, if it is not a connectivity problem.

Try this:

icmp permit any outside

Also, which interface are you using, Internet or outside?

You can check it with the sh route command.

Please rate helpful posts

Best Regards,

Eugene
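As an added example, not code from the thread or from Cisco, here is a small Python audit that reads a show run like the one posted above and checks the points the replies raise together: Eugene's SSH checklist (a local user, aaa authentication ssh console LOCAL, ssh version 2, and how wide the ssh/http allow lists are), the per-interface icmp lists that Jouni and Eugene mention, and the sh route question in Eugene's last reply. SAMPLE_CONFIG is a constructed excerpt of Milan's show run containing only the lines the checks read; parse_config, audit, AsaConfig and Iface are names chosen for this example, and the parser deliberately understands only these command forms. The audit flags the wide-open ssh/http entries on the Internet interface as a hardening point (Eugene's "ssh 0 0 outside" works, but it invites every internet host to the login prompt), and it flags the default route whose next hop is the ASA's own Internet address. The thread does not say what finally fixed the ping problem, so treat that as a finding to verify with sh route, not a confirmed root cause.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt of the show run posted above: only the lines the checks read.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan61
 nameif Internet
 security-level 0
 ip address 182.73.131.90 255.255.255.248
icmp permit any Internet
route outside 0.0.0.0 0.0.0.0 182.73.131.90 1
aaa authentication ssh console LOCAL
http 0.0.0.0 0.0.0.0 Internet
ssh 83.206.102.64 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 Internet
ssh version 2
username royal password NoaKp7DFzldhgZBl encrypted
"""

@dataclass
class Iface:
    security: "int | None" = None
    ip: "ipaddress.IPv4Interface | None" = None  # stays None for "ip address dhcp"

@dataclass
class AsaConfig:
    ifaces: dict = field(default_factory=dict)  # nameif -> Iface
    mgmt: list = field(default_factory=list)    # (ssh|http, allowed source network, nameif)
    icmp: dict = field(default_factory=dict)    # nameif -> [(action, source network, icmp type)]
    routes: list = field(default_factory=list)  # (nameif, destination, next hop)
    ssh_version: "str | None" = None
    aaa_ssh_local: bool = False
    usernames: list = field(default_factory=list)

def parse_config(text: str) -> AsaConfig:
    # Picks out interface, management-access, icmp, route and AAA lines; everything else is ignored.
    cfg, cur = AsaConfig(), Iface()
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] in ("!", ":"):
            continue
        if w[0] == "interface":
            cur = Iface()
        elif w[0] == "nameif":
            cfg.ifaces[w[1]] = cur
        elif w[0] == "security-level":
            cur.security = int(w[1])
        elif w[:2] == ["ip", "address"] and w[2] != "dhcp":
            cur.ip = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        elif w[0] in ("ssh", "http") and len(w) == 4 and w[1][0].isdigit():
            cfg.mgmt.append((w[0], ipaddress.IPv4Network(f"{w[1]}/{w[2]}", strict=False), w[3]))
        elif w[:2] == ["ssh", "version"]:
            cfg.ssh_version = w[2]
        elif w[0] == "icmp" and w[1] in ("permit", "deny"):  # icmp {permit|deny} <src> [type] <nameif>
            body, nameif = w[2:-1], w[-1]  # src is "any", "host A" or "A MASK"
            src = "0.0.0.0/0" if body[0] == "any" else body[1] if body[0] == "host" else f"{body[0]}/{body[1]}"
            rest = body[1:] if body[0] == "any" else body[2:]
            net = ipaddress.IPv4Network(src, strict=False)
            cfg.icmp.setdefault(nameif, []).append((w[1], net, rest[0] if rest else "any"))
        elif w[0] == "route" and len(w) >= 5:
            cfg.routes.append((w[1], ipaddress.IPv4Network(f"{w[2]}/{w[3]}", strict=False), ipaddress.IPv4Address(w[4])))
        elif w[:4] == ["aaa", "authentication", "ssh", "console"]:
            cfg.aaa_ssh_local = w[4] == "LOCAL"
        elif w[0] == "username":
            cfg.usernames.append(w[1])
    return cfg

def audit(cfg: AsaConfig) -> list:
    # Returns one human-readable finding per problem; an empty list means nothing was flagged.
    findings = []
    own = {i.ip.ip: n for n, i in cfg.ifaces.items() if i.ip}  # the ASA's own addresses -> nameif
    untrusted = sorted(n for n, i in cfg.ifaces.items() if i.security == 0)
    # "ssh 0 0 outside" works, but on an internet-facing interface it offers the login prompt to everyone.
    for proto, net, nameif in cfg.mgmt:
        if nameif in untrusted and net.prefixlen == 0:
            findings.append(f"{proto} 0.0.0.0 0.0.0.0 {nameif}: management open to any internet source")
    if cfg.ssh_version != "2":
        findings.append("ssh version 2 not set: SSHv1 would be accepted")
    if cfg.aaa_ssh_local and not cfg.usernames:
        findings.append("aaa authentication ssh console LOCAL with no username: every SSH login fails")
    # An icmp list on an interface denies whatever it does not permit; only the catch-all rule is checked.
    for nameif in untrusted:
        if nameif in cfg.icmp:
            verdict = next((a for a, n, t in cfg.icmp[nameif] if n.prefixlen == 0 and t in ("any", "echo")), "deny")
            if verdict == "deny":
                findings.append(f"icmp list on {nameif} never permits echo: pings to the box are dropped")
    # A static route whose next hop is the ASA's own address cannot forward anything.
    for nameif, dest, nh in cfg.routes:
        if nh in own:
            findings.append(f"route {nameif} {dest} {nh}: next hop is the ASA's own {own[nh]} address")
    return findings
```

To run it against a real box, paste the full show run into a file and call audit(parse_config(open("show-run.txt").read())). On the sample it reports three findings: the wide-open http and ssh entries on Internet, and the default route pointing at 182.73.131.90; narrowing the allow lists to the admin prefix and pointing the route at the ISP router clears all three.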
