SSH on Outside interface on ASA 5510

catalystexpress
Level 1

Hi All,

I need the ssh access on my ASA outside interface and have added

ssh ipremoved 255.255.255.255 outside

access-list acl_outside extended permit tcp host ipremoved any eq 22

but this is the log I get from the ASA

Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

can someone please help me

many thanks

cheers..

7 Replies

Jennifer Halim
Cisco Employee

You don't need to configure access-list on the outside interface to allow ssh if you are trying to ssh to the ASA itself.

All you need is to make sure that the time on the ASA is correct, generate key-pair, and configure the ssh to allow the access from the ip address where you are connecting from (as you've configured above).

Also, make sure that you don't have any static PAT for TCP/22 using the ASA outside interface IP Address.

many thanks for the quick reply

my connection is something like below

       Site A                                                                                   Site B

PC--10.6.40.148 ---- ASA public IP -------------cloud --------------------public IP ASA

Site to Site IPsec VPN

I am able to ssh to the ASA on the private IP management interface; now I need to ssh to the Site B public IP to manage

I have allowed the ACL on the Site A ASA for the PC to go; I can see the hit count on it

The reason being I need to manage the Site B ASA on public because on Site A I am changing the internet provider, and so if I have the access to Site B ASA I can change the peer IP to the new IP and re-establish the VPN

many thanks for the help

cheers

Ah OK, makes sense.

I assume that since you are accessing the Site B public IP address (outside), the SSH traffic does not go through the VPN tunnel. If that is the case, then you would need to check what the NATed public IP address of Site A is and add that public IP to the Site B SSH command.

Thanks again

I have already done that on Site B

ssh ipremoved 255.255.255.255 outside

access-list acl_outside extended permit tcp host ipremoved any eq 22

but still does not go through, the log from Site B

Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22

Do you have any static PAT on port 22 configured on Site B using the Site B outside interface?

Sorry, it was a mistake on my end: I had the wrong IP configured in the Site B ssh command; instead of x.x.x.243 I had x.x.x.43

many thanks

No problem, great to hear it's all good now.
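
Added example, not part of the thread and not Cisco tooling: a small Python check that compares the source address in each `%ASA-3-710003` denial against the `ssh <ip> <mask> <interface>` lines in a saved config, which is the mismatch that caused the problem above. The function names and the sample addresses (documentation ranges standing in for `ipremoved`) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data: documentation-range addresses stand in for the
# "ipremoved" values in the thread (.43 configured, .243 actually connecting).
SAMPLE_CONFIG = """\
ssh 203.0.113.43 255.255.255.255 outside
ssh 10.6.40.0 255.255.255.0 management
"""
SAMPLE_LOG = """\
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from 203.0.113.243/39884 to outside:198.51.100.10/22
"""

SSH_RE = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$", re.M)
DENY_RE = re.compile(
    r"%ASA-3-710003: (\w+) access denied by ACL from "
    r"(\d+\.\d+\.\d+\.\d+)/(\d+) to (\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)")


def parse_ssh_rules(config):
    """Return (network, interface) for every 'ssh <ip> <mask> <if>' line."""
    return [(ipaddress.ip_network(f"{ip}/{mask}", strict=False), ifname)
            for ip, mask, ifname in SSH_RE.findall(config)]


def explain_denials(config, log):
    """For each 710003 denial to tcp/22, report why no ssh rule matched."""
    rules = parse_ssh_rules(config)
    findings = []
    for proto, src, _sport, ifname, _dst, dport in DENY_RE.findall(log):
        if proto != "TCP" or dport != "22":
            continue
        src_ip = ipaddress.ip_address(src)
        on_if = [net for net, name in rules if name == ifname]
        if any(src_ip in net for net in on_if):
            # Source is allowed, so look at the other causes named in the thread.
            verdict = "permitted by ssh rule; check for static PAT on tcp/22"
        elif on_if:
            verdict = ("source not in any ssh rule for this interface: "
                       + ", ".join(str(n) for n in on_if))
        else:
            verdict = "no ssh rule exists for this interface"
        findings.append((src, ifname, verdict))
    return findings


if __name__ == "__main__":
    for src, ifname, verdict in explain_denials(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"{src} -> {ifname}: {verdict}")
```
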
