07-18-2013 06:40 AM - edited 03-11-2019 07:13 PM
Hi,
I can't SSH to the inside interface of my ASA5505 firewall, while ASDM and telnet are working. I have opened SSH access along with telnet and ASDM.
I can SSH to the outside interface. It's a very weird problem that SSH on the inside interface is not working.
Below is the configuration of my ASA5505 firewall. Any solution please?
ASA Version 8.3(2)4
hostname MEL-ASA-01
domain-name xxxxxxxxxxxxxx
interface Vlan1
nameif inside
security-level 100
ip address 10.0.16.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxx 255.255.255.252
!
interface Vlan50
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.0.112.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 50
!
interface Ethernet0/7
switchport access vlan 50
!
boot system disk0:/asa832-4-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
access-list Inside_noNAT extended permit ip any object-group Edn_LAN
access-list Inside_noNAT extended permit ip any object VPN_Dialup
access-list Inside_noNAT extended permit ip object-group Edn_LAN interface inside
access-list Inside_OUT extended permit tcp object-group email_allowed_hosts object edn-exc-01 eq smtp
access-list Inside_OUT extended deny tcp any any eq smtp
access-list Inside_OUT extended permit ip any any
access-list Outside_IN extended permit icmp any any echo-reply
access-list Edinburgh_tun_acl extended permit ip object MEL_Lan object-group Edn_LAN
access-list Edinburgh_tun_acl extended permit ip object MEL_Lan object VPN_Dialup
pager lines 24
logging enable
logging trap critical
logging history critical
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static Edn_LAN Edn_LAN
nat (inside,any) source static any any destination static VPN_Dialup VPN_Dialup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group Inside_OUT in interface inside
access-group Outside_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http Edn_Svr 255.255.254.0 inside
http 10.0.16.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.224 outside
http Edn_Data 255.255.252.0 inside
snmp-server host inside 10.0.0.32 community ***** version 2c
snmp-server host inside 10.0.0.40 community ***** version 2c
snmp-server location Amsterdam
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
telnet Edn_Data 255.255.252.0 inside
telnet 10.0.16.0 255.255.255.0 inside
telnet Edn_Svr 255.255.254.0 inside
telnet timeout 5
ssh Edn_Svr 255.255.254.0 inside
ssh 10.0.16.0 255.255.255.0 inside
ssh Edn_Data 255.255.252.0 inside
ssh 172.16.1.16 255.255.255.255 inside
ssh edn-pix2 255.255.255.255 outside
ssh 94.175.211.224 255.255.255.224 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd option 150 ip 172.17.0.10
!
dhcpd address 10.0.16.128-10.0.16.192 inside
dhcpd dns 10.0.16.11 10.0.0.11 interface inside
dhcpd wins 10.0.0.11 10.0.0.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain axiossystems.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.0.1 source outside prefer
webvpn
username xxxxx password xxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxx ipsec-attributes
pre-shared-key *****
peer-id-validate cert
tunnel-group xxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6xxxxxxxxxxxxxxxxxxxxxxxxxx
: end
07-18-2013 06:52 AM
Hi,
Very strange that it would work from "outside" and not "inside".
You can use the command
show asp table socket
to confirm whether the ASA is listening on port TCP/22 on the "inside" interface.
Otherwise I would probably suggest monitoring the SSH connection attempt through the ASDM to determine what the cause of the problem is.
I assume you are trying to connect from the "inside" network?
- Jouni
07-18-2013 07:02 AM
Hi Jouni Fross,
Yes, I am trying to access the inside interface. Please find below the output of the command. I am not sure how I can monitor via ASDM. Can you please help?
Thanks
mahmood
Protocol Socket Local Address Foreign Address State
SSL 0003de0f 10.0.16.1:443 0.0.0.0:* LISTEN
SSL 000507cf xxxxxxxxxx:443 0.0.0.0:* LISTEN
TCP 000934ff 10.0.16.1:22 0.0.0.0:* LISTEN
TCP 000c9daf xxxxxxxxxx.22:22 0.0.0.0:* LISTEN
TCP 01d755bf 10.0.16.1:23 0.0.0.0:* LISTEN
SSL 02e95178 10.0.16.1:443 172.16.1.16:50078 ESTAB
SSL 02ed4e28 10.0.16.1:443 172.16.1.16:50080 ESTAB
TCP 031061d8 10.0.16.1:23 172.16.1.16:51609 ESTAB
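A small triage helper for the two checks discussed in this thread (is the client covered by an "ssh" line for that interface, and does "show asp table socket" show a LISTEN on the interface address:22). This is an added example, not code from the original posts; the config and socket samples are constructed from the lines posted above, and the named host objects (Edn_Svr, Edn_Data) are skipped because they cannot be resolved offline.

```python
import ipaddress

# Constructed sample: "ssh" lines taken from the config posted above.
SSH_CONFIG_LINES = """\
ssh Edn_Svr 255.255.254.0 inside
ssh 10.0.16.0 255.255.255.0 inside
ssh 172.16.1.16 255.255.255.255 inside
ssh 94.175.211.224 255.255.255.224 outside
ssh timeout 5
ssh version 2
"""

# Constructed sample of "show asp table socket" output, same format as posted above.
ASP_SOCKET_OUTPUT = """\
Protocol Socket Local Address Foreign Address State
TCP 000934ff 10.0.16.1:22 0.0.0.0:* LISTEN
TCP 01d755bf 10.0.16.1:23 0.0.0.0:* LISTEN
TCP 031061d8 10.0.16.1:23 172.16.1.16:51609 ESTAB
"""


def parse_ssh_permits(config_text):
    """Return (interface, network) tuples from 'ssh <net> <mask> <iface>' lines."""
    permits = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh":
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue  # named object (e.g. Edn_Svr): not resolvable here, skip it
            permits.append((parts[3], net))
    return permits


def ssh_permitted(config_text, client_ip, interface):
    """True if client_ip falls inside an 'ssh' permit line for the given interface."""
    addr = ipaddress.ip_address(client_ip)
    return any(iface == interface and addr in net
               for iface, net in parse_ssh_permits(config_text))


def listening_on(asp_output, local_ip, port):
    """True if the asp socket table shows a TCP LISTEN on local_ip:port."""
    for line in asp_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4] == "LISTEN":
            if parts[2] == f"{local_ip}:{port}":
                return True
    return False
```

With the posted values, both checks pass for 172.16.1.16 on inside, which is why the next step in the thread is a packet-level look (logging or "debug ssh") rather than another permit line.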
07-18-2013 07:17 AM
Hi,
Well, first of all I would look at the monitor logging section while attempting the SSH connection.
If that doesn't help, then you always have the option to use "debug ssh" and monitor the output through ASDM or a Telnet management connection.
The above output would seem to indicate that the ASA is listening on the port TCP/22 on the "inside" interface.
Are you just getting timeout for the SSH connection or are you getting any prompts?
- Jouni
07-18-2013 07:36 AM
Hi,
I have run the SSH debug command but I am not getting any output at the prompt.
I am not getting any log in ASDM either.
I am getting the following error when trying to SSH to the inside interface.
The session hangs for 2-3 minutes and then returns the following error:
"Putty fatal Error Network Error: Software caused connection abort "
07-18-2013 09:26 AM
Hi,
I understand that you are able to connect via outside, but try regenerating the crypto key. Just a thought.
Thx
MS