10-06-2012 01:12 AM - edited 03-11-2019 05:05 PM
Hi All,
I need the ssh access on my ASA outside interface and have added
ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22
but this is the log I get from the ASA
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Can someone please help me?
many thanks
cheers..
10-06-2012 01:16 AM
You don't need to configure access-list on the outside interface to allow ssh if you are trying to ssh to the ASA itself.
All you need is to make sure that the time on the ASA is correct, generate key-pair, and configure the ssh to allow the access from the ip address where you are connecting from (as you've configured above).
Also, make sure that you don't have any static PAT for TCP/22 using the ASA outside interface IP Address.
10-06-2012 01:21 AM
many thanks for the quick reply
my connection is something like below
Site A                                                                      Site B
PC--10.6.40.148 ---- ASA public IP -------------cloud --------------------public IP ASA
                                   Site to Site IPsec VPN
I am able to ssh to the ASA on the private IP management interface; now I need to ssh to the Site B public IP to manage it.
I have allowed the ACL on the Site A ASA for the PC to go, and I can see the hit count on it.
The reason is that I need to manage the Site B ASA on its public IP, because on Site A I am changing the internet provider, so if I have access to the Site B ASA I can change the peer IP to the new IP and re-establish the VPN.
many thanks for the help
cheers
10-06-2012 01:26 AM
Ah OK, makes sense.
I assume that since you are accessing the Site B public IP address (outside), the SSH traffic does not go through the VPN tunnel. If that is the case, then you would need to check what the NATed public IP address of Site A is and add that public IP to the Site B SSH command.
10-06-2012 01:38 AM
Thanks again
I have already done that on Site B
ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22
but still does not go through, the log from Site B
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
10-06-2012 01:44 AM
Do you have any static PAT on port 22 configured on Site B using the Site B outside interface?
10-06-2012 11:14 PM
Sorry, it was a mistake on my end: I had the wrong IP configured in the Site B ssh command; instead of x.x.x.243 I had x.x.x.43.
many thanks
10-07-2012 12:55 PM
No problem, great to hear it's all good now.
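The resolution above (an `ssh` permit that did not match the real source address) can be checked mechanically by comparing the source in each `%ASA-3-710003` deny against the configured `ssh <ip> <mask> <interface>` lines. The following is an added example, not part of the original thread; the addresses are constructed from documentation ranges, and the management subnet and interface name `management` are assumptions.

```python
import ipaddress
import re

# %ASA-3-710003 is the deny message quoted in the thread.
DENY_RE = re.compile(
    r"%ASA-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/\d+ to (?P<ifc>\S+?):[\d.]+/(?P<dport>\d+)")
# Matches "ssh <ip> <mask> <interface>" only, not "ssh timeout 5" and the like.
SSH_RE = re.compile(r"^ssh\s+(?P<ip>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<ifc>\S+)$")

def ssh_permits(config_text):
    """Return [(network, interface)] for every SSH management permit line."""
    permits = []
    for line in config_text.splitlines():
        m = SSH_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
            permits.append((net, m["ifc"]))
    return permits

def explain_denials(config_text, log_text):
    """For each denied TCP/22 connection, say whether an ssh line covers its source."""
    permits = ssh_permits(config_text)
    findings = []
    for m in DENY_RE.finditer(log_text):
        if m["proto"] != "TCP" or m["dport"] != "22":
            continue
        src = ipaddress.ip_address(m["src"])
        on_ifc = [net for net, ifc in permits if ifc == m["ifc"]]
        findings.append({"src": str(src), "interface": m["ifc"],
                         "configured": [str(n) for n in on_ifc],
                         "covered": any(src in n for n in on_ifc)})
    return findings

# Constructed sample data: public addresses are documentation ranges; the
# management subnet and interface name are assumed for illustration.
SAMPLE_CONFIG = """\
ssh 203.0.113.43 255.255.255.255 outside
ssh 10.6.40.0 255.255.255.0 management
ssh timeout 5
"""
SAMPLE_LOG = ("Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL "
              "from 203.0.113.243/39884 to outside:198.51.100.10/22\n")

if __name__ == "__main__":
    for f in explain_denials(SAMPLE_CONFIG, SAMPLE_LOG):
        state = "covered by" if f["covered"] else "NOT covered by"
        print(f"{f['src']} on {f['interface']}: {state} {f['configured']}")
```

A finding with `covered` set to false points at the `ssh` line itself, as in this thread; a deny whose source is covered suggests looking at the other cause raised in the replies, a static PAT on TCP/22 using the outside interface address.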