SSH on ASA 5525

Mirzo
Level 1

Dear All,

I have an issue with SSH on my ASA 5525. I can't connect to my ASA via SSH from the other network, 172.16.1.1.

But I can connect to my ASA from the LAN network, 172.30.1.1.

Could you help me with how I can configure my ASA to allow connecting to it from the other network, 172.16.1.1?

I need to configure my ASA directly over SSH from the other network, 172.16.1.1.

Thank you!

interface GigabitEthernet0/0
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description LAN Failover Interface
!
interface GigabitEthernet0/2
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
channel-group 2 mode on
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
no nameif
security-level 100
no ip address
!
interface Port-channel1.10
vlan 10
nameif MGMT
security-level 100
ip address 172.30.1.254 255.255.255.0 standby 172.30.1.253
!
interface Port-channel1.20
vlan 20
nameif
security-level 100
ip address 172.30.2.254 255.255.255.0 standby 172.30.2.253
!
interface Port-channel1.30
vlan 30
nameif
security-level 100
ip address 172.30.3.254 255.255.255.0 standby 172.30.3.253
!
interface Port-channel1.40
vlan 40
nameif
security-level 100
ip address 172.30.4.254 255.255.255.0 standby 172.30.4.253
!
interface Port-channel1.50
vlan 50
nameif
security-level 100
ip address 172.18.5.254 255.255.255.0 standby 172.18.5.253
!
interface Port-channel1.60
vlan 60
nameif
security-level 100
ip address 172.30.6.254 255.255.255.0 standby 172.30.6.253
!
interface Port-channel1.70
vlan 70
nameif
security-level 100
ip address 172.30.7.254 255.255.255.0 standby 172.30.7.253
!
interface Port-channel1.80
vlan 80
nameif
security-level 100
ip address 172.30.8.254 255.255.255.0 standby 172.30.8.253
!
interface Port-channel1.90
vlan 90
nameif
security-level 100
ip address 172.30.9.254 255.255.255.0 standby 172.30.9.253
!
interface Port-channel1.151
vlan 151
nameif
security-level 100
ip address 172.30.151.254 255.255.255.0 standby 172.30.151.253
!
interface Port-channel2
lacp max-bundle 8
nameif DMZ
security-level 100
ip address 10.60.60.1 255.255.255.0 standby 10.60.60.3
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/1
failover key *****
failover interface ip failover 10.50.50.1 255.255.255.252 standby 10.50.50.2

route DMZ 0.0.0.0 0.0.0.0 10.60.60.2 1
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact

ssh stricthostkeycheck
ssh 172.16.1.1 255.255.255.255 DMZ
ssh 172.30.1.1 255.255.255.255 MGMT
ssh timeout 5
ssh version 2

 

 

 

 

3 Replies

Abheesh Kumar
VIP Alumni

Hi,
Are you able to ping the IP from the ASA? As per your configuration, you have already allowed 172.16.1.1 to access via SSH.

 

HTH

Abheesh

Hi,
I tried to ping the IP from the ASA, but the ping shows me a timeout.

Hi,
Try to check the reachability from 172.16.1.1 to 10.60.60.2 & 10.60.60.1.

As per your configuration, 172.16.1.1 is behind the DMZ. Is that correct?

 

HTH

Abheesh 
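
The replies above reason that the `ssh` permit for 172.16.1.1 is already bound to DMZ, so what remains is the path through 10.60.60.2. The Python sketch below is an added example, not part of the original thread and not Cisco tooling: it checks each `ssh` permit against the interface the route lookup selects for that source. The function names `parse` and `audit_ssh` are hypothetical, and the sample is constructed from lines of the posted configuration.

```python
import ipaddress

# Constructed sample: the relevant lines from the configuration posted above.
CONFIG = """\
interface Port-channel1.10
 nameif MGMT
 ip address 172.30.1.254 255.255.255.0 standby 172.30.1.253
interface Port-channel2
 nameif DMZ
 ip address 10.60.60.1 255.255.255.0 standby 10.60.60.3
route DMZ 0.0.0.0 0.0.0.0 10.60.60.2 1
ssh 172.16.1.1 255.255.255.255 DMZ
ssh 172.30.1.1 255.255.255.255 MGMT
"""

def parse(config):
    """Return (routes, ssh_rules); a route is (network, interface, next_hop)."""
    routes, ssh_rules, nameif = [], [], None
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] == "interface":
            nameif = None                      # new interface stanza
        elif w[0] == "nameif" and len(w) > 1:
            nameif = w[1]                      # unnamed interfaces stay None
        elif w[:2] == ["ip", "address"] and nameif and len(w) >= 4:
            net = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            routes.append((net, nameif, "connected"))
        elif w[0] == "route" and len(w) >= 5:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[1], w[4]))
        elif w[0] == "ssh" and len(w) == 4 and w[1][0].isdigit():
            ssh_rules.append((ipaddress.ip_network(f"{w[1]}/{w[2]}"), w[3]))
    return routes, ssh_rules

def audit_ssh(config):
    """For each ssh permit, find the longest-prefix route back to the source."""
    routes, ssh_rules = parse(config)
    report = []
    for src, ifname in ssh_rules:
        hits = [r for r in routes if src.subnet_of(r[0])]
        best = max(hits, key=lambda r: r[0].prefixlen, default=None)
        via, hop = (best[1], best[2]) if best else (None, None)
        report.append({"source": str(src), "permit_if": ifname,
                       "route_if": via, "next_hop": hop, "match": via == ifname})
    return report

if __name__ == "__main__":
    for row in audit_ssh(CONFIG):
        print(row)
```

A `match` of True only shows that the permit is bound to the interface the ASA would use to reach that source; it says nothing about whether the next hop actually forwards the traffic, which is the reachability test suggested in the replies.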
