SSH on outside interface ASA 5520 v9.1.2 not working

Hi, I'm seeing many posts about people having issues with SSH to the outside interface, but none of the solutions seem to work!

Hoping that someone has SSH working on v9.1.2 and can shed some light.

I have ASDM working inside and outside.

SSH works fine inside, just not outside, and I want to make sure I have 'access redundancy' (as ASDM/Java is so unreliable!)

I found a good link for config and troubleshooting:

https://supportforums.cisco.com/document/49741/asa-pixfwsm-unable-manage-unit-sshtelnetasdm

But despite all checks looking fine, when I run show log | i 'external ip' I see it permitted but then denied!

Apr 12 2014 12:20:10: %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:"external ip"/57044
Apr 12 2014 12:20:10: %ASA-6-725002: Device completed SSL handshake with client outside:"external ip"/57044
Apr 12 2014 12:20:10: %ASA-6-605005: Login permitted from "external ip"/57044 to outside:"firewall ext ip"/https for user "admin"
Apr 12 2014 12:20:10: %ASA-5-111007: Begin configuration: "external ip" reading from http [POST]
Apr 12 2014 12:20:10: %ASA-6-725007: SSL session with client outside:"external ip"/57044 terminated.
Apr 12 2014 12:20:10: %ASA-6-302014: Teardown TCP connection 17755 for outside:"external ip"/57044 to identity:"firewall ext ip"/443 duration 0:00:00 bytes 3289 TCP Reset-O
Apr 12 2014 12:20:10: %ASA-6-106015: Deny TCP (no connection) from "external ip"/57044 to "firewall ext ip"/443 flags FIN ACK  on interface outside
Apr 12 2014 12:20:10: %ASA-7-710005: TCP request discarded from "external ip"/57044 to outside:"firewall ext ip"/443
Apr 12 2014 12:20:13: %ASA-6-302013: Built inbound TCP connection 17758 for outside:"external ip"/57045 ("external ip"/57045) to identity:"firewall ext ip"/443 ("firewall ext ip"/443)
Apr 12 2014 12:20:13: %ASA-6-302014: Teardown TCP connection 17758 for outside:"external ip"/57045 to identity:"firewall ext ip"/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Apr 12 2014 12:20:13: %ASA-6-302013: Built inbound TCP connection 17759 for outside:"external ip"/57045 ("external ip"/57045) to identity:"firewall ext ip"/443 ("firewall ext ip"/443)
Apr 12 2014 12:20:13: %ASA-6-725001: Starting SSL handshake with client outside:"external ip"/57045 for TLSv1 session.
Apr 12 2014 12:20:13: %ASA-7-725008: SSL client outside:"external ip"/57045 proposes the following 8 cipher(s).
Apr 12 2014 12:20:13: %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:"external ip"/57045
Apr 12 2014 12:20:13: %ASA-6-725002: Device completed SSL handshake with client outside:"external ip"/57045
Apr 12 2014 12:20:13: %ASA-6-605005: Login permitted from "external ip"/57045 to outside:"firewall ext ip"/https for user "admin"
Apr 12 2014 12:20:13: %ASA-5-111007: Begin configuration: "external ip" reading from http [POST]

Any advice is greatly appreciated.

4 Replies

Marvin Rhoads
Hall of Fame

The log messages you have above show denial of an https connection (tcp/443), not ssh (tcp/22).

Can you share the output of "show run ssh"?
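As an added example (not from the thread), a small Python check that reads ASA syslog lines like the ones in the post and counts built versus denied connections per destination service, so you can confirm whether the denials hit tcp/22 or only tcp/443. The sample lines are constructed from the post's excerpt with RFC 5737 documentation addresses in place of the redacted ones, plus one constructed tcp/22 connection line.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ASA 9.1(2) syslog excerpt in the post.
# Addresses are RFC 5737 documentation ranges standing in for the redacted ones;
# the final 302013 line for tcp/22 is added to show how an SSH connection attempt
# is told apart from the HTTPS/ASDM ones.
SAMPLE_LOG = """\
Apr 12 2014 12:20:10: %ASA-6-605005: Login permitted from 198.51.100.10/57044 to outside:203.0.113.1/https for user "admin"
Apr 12 2014 12:20:10: %ASA-6-302014: Teardown TCP connection 17755 for outside:198.51.100.10/57044 to identity:203.0.113.1/443 duration 0:00:00 bytes 3289 TCP Reset-O
Apr 12 2014 12:20:10: %ASA-6-106015: Deny TCP (no connection) from 198.51.100.10/57044 to 203.0.113.1/443 flags FIN ACK  on interface outside
Apr 12 2014 12:20:10: %ASA-7-710005: TCP request discarded from 198.51.100.10/57044 to outside:203.0.113.1/443
Apr 12 2014 12:20:13: %ASA-6-302013: Built inbound TCP connection 17758 for outside:198.51.100.10/57045 (198.51.100.10/57045) to identity:203.0.113.1/443 (203.0.113.1/443)
Apr 12 2014 12:20:31: %ASA-6-302013: Built inbound TCP connection 17790 for outside:198.51.100.10/57101 (198.51.100.10/57101) to identity:203.0.113.1/22 (203.0.113.1/22)
"""

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}):")
# destination is written "to [interface:]address/port"; the port may be a number or a name such as https
DST_RE = re.compile(r"\bto (?:[\w-]+:)?(\d{1,3}(?:\.\d{1,3}){3})/(\w+)")
PORT_NAMES = {"ssh": 22, "https": 443, "http": 80}
DENY_IDS = {"106015", "710005"}   # Deny TCP (no connection) / TCP request discarded
BUILT_IDS = {"302013"}            # Built inbound TCP connection


def parse_line(line):
    """Return (severity, message_id, destination_port) or None if the line has no destination."""
    msg, dst = MSG_RE.search(line), DST_RE.search(line)
    if not msg or not dst:
        return None
    port_txt = dst.group(2)
    port = int(port_txt) if port_txt.isdigit() else PORT_NAMES.get(port_txt.lower())
    return int(msg.group(1)), msg.group(2), port


def service_for(port):
    return {22: "ssh", 443: "https/asdm"}.get(port, "other")


def count_by_service(log_text, message_ids):
    """Count lines carrying one of message_ids, grouped by destination service."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in message_ids:
            counts[service_for(parsed[2])] += 1
    return dict(counts)


if __name__ == "__main__":
    print("built: ", count_by_service(SAMPLE_LOG, BUILT_IDS))  # both https/asdm and ssh attempts seen
    print("denied:", count_by_service(SAMPLE_LOG, DENY_IDS))   # only the https/asdm session was denied
```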

Thanks for the reply.

Yeah, I did notice the HTTP, but sh asp table says it's listening on 22...

Result of the command: "sh asp table socket"

Protocol  Socket    State      Local Address                Foreign Address
SSL       00002b18  LISTEN     192.168.x.x:443              0.0.0.0:*
SSL       00005798  LISTEN     outside interface:443        0.0.0.0:*
SSL       00007d88  LISTEN     inside interface:443         0.0.0.0:*
DTLS      00a528d8  LISTEN     outside interface:443        0.0.0.0:*
TCP       01323c98  LISTEN     inside interface:22          0.0.0.0:*
TCP       01324b18  LISTEN     outside interface:22         0.0.0.0:*
SSL       01825718  ESTAB      outside interface:443        My Ex IP:59970
SSL       0182f868  ESTAB      outside interface:443        My Ex IP:59975
SSL       0184f9e8  ESTAB      outside interface:443        My Ex IP:60034

Result of the command: "sh run"

: Saved
:
ASA Version 9.1(2)
!
hostname SYDDRFW01
domain-name xxxxx
enable password Xxxxxxxxx encrypted
passwd Xxxxxxxxxxx encrypted
names

ip local pool VPN_POOL 192.168.125.111-192.168.125.220 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Link inside
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Management0/0
 description Network Management
 management-only
 nameif management
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.x.x
 name-server 192.168.x.x
 domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit ip any object VPN_Network
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp host "my home ext access ip" interface outside eq ssh log
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object VPN_Network any log
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
logging from-address SYDDRFW01
logging recipient-address xxx@xxx.com level errors
logging host management 192.168.x.x
flow-export destination management 192.168.x.x 2055
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-716.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 "ISP IP" 1
route inside 192.168.0.0 255.255.0.0 xxx.xxx.xxx.xxx 1
route management MGMT 255.255.255.0 192.168.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HGM protocol radius
aaa-server HGM (inside) host DC01
 key *****
 radius-common-pw *****
aaa-server HGM (inside) host DC02
 key *****
 radius-common-pw *****
no user-identity enable
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 30
http MGMT 255.255.255.0 management
http ICT 255.255.255.0 management
http MGMT 255.255.255.0 inside
http ICT 255.255.255.0 inside
http "My ext access ip" 255.255.255.255 outside
http "Secondary ext access ip" 7 255.255.255.255 outside
snmp-server host management 192.168.x.x community ***** version 2c udp-port 161
snmp-server location AU/Sydney
snmp-server contact BNE IT +61
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
       6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 121.0.0.42 source outside prefer
ntp server 202.158.218.239 source outside
ntp server 203.171.85.237 source outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect profiles AnyConnectVPN disk0:/anyconnectvpn.xml
 anyconnect enable
group-policy SSLvpn-Anyconnect internal
group-policy SSLvpn-Anyconnect attributes
 wins-server none
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol ssl-client
 default-domain value hgm.local
 webvpn
  url-list none
  anyconnect profiles value AnyConnectVPN type user
  anyconnect ask none default anyconnect
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.x.x 192.168.x.x
 vpn-tunnel-protocol l2tp-ipsec ssl-clientless
 address-pools value VPN_POOL
username admin password xxxxxxxxxxxx encrypted privilege 15
username admin attributes
 service-type admin

tunnel-group test_VPN type remote-access
tunnel-group test_VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group HGM LOCAL
 authentication-server-group (outside) HGM LOCAL
 authorization-server-group HGM
 default-group-policy SSLvpn-Anyconnect
tunnel-group test_VPN webvpn-attributes
 group-alias vpn-dr.test.com enable
 group-url https://vpn-dr.test.com enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.x.x
prompt hostname context
service call-home
call-home reporting anonymous
call-home
 contact-email-addr
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:v2d16d7fe7f9632b6da0e19fda3
: end

Your access-list:

access-list outside_access_in extended permit tcp host "my home ext access ip" interface outside eq ssh log

...will restrict allowed SSH users to the address you have there. This makes the line:

ssh 0.0.0.0 0.0.0.0 outside

a bit misleading as the access-list will take precedence.
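As an added example (not from the thread), a Python check over a constructed excerpt of the posted configuration: it reads each interface's security-level and every ssh/http source statement, then reports the statements that admit any source address on a security-level 0 interface. The addresses, the trimmed-down config and the assumption that security-level directly follows nameif are mine, not the poster's.

```python
import re
import ipaddress

# Constructed excerpt based on the configuration posted in this thread; redacted values are
# replaced with RFC 5737 / RFC 1918 documentation addresses and only the relevant lines kept.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.248
!
http server enable
http 192.168.50.0 255.255.255.0 inside
http 198.51.100.10 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
"""

# Assumes the usual ASA ordering where 'security-level' is the line right after 'nameif'.
NAMEIF_RE = re.compile(r"^ nameif (\S+)\n security-level (\d+)", re.M)
MGMT_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", re.M)

def security_levels(config_text):
    """Map each nameif to its security-level, e.g. {'outside': 0, 'inside': 100}."""
    return {name: int(level) for name, level in NAMEIF_RE.findall(config_text)}

def management_sources(config_text):
    """Yield (service, interface, network) for every 'ssh'/'http' source statement."""
    for service, addr, mask, iface in MGMT_RE.findall(config_text):
        yield service, iface, ipaddress.IPv4Network((addr, mask))

def broad_management_access(config_text, max_level=0):
    """Return management statements that admit any source (/0) on an interface whose
    security-level is at most max_level; unknown interfaces are treated as level 0.
    Restricting these to known admin addresses, as the http lines already do, shrinks exposure."""
    levels = security_levels(config_text)
    return [
        f"{service} {net} {iface}"
        for service, iface, net in management_sources(config_text)
        if levels.get(iface, 0) <= max_level and net.prefixlen == 0
    ]
```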

Marvin,

How can an ACL block an SSH connection to the ASA?

ACLs in the ASA are only for through traffic.

Isn't it?
