Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
493
Views
0
Helpful
1
Replies

Unable to SSH into remote ASA5505

BrianChernish
Level 1
Level 1

‎11-17-2015 07:02 AM - edited ‎02-21-2020 05:36 AM

I have an ASA 5505 located remotely (actually on a mountain top) and I am unable to SSH into that device. I have a different ASA 5505 on a different mountain top which I CAN SSH into and as far as I can tell they are configured identically, with the exception of the LAN & WAN IP Addresses.

I feel like I am missing something stupid, or I just blind after looking at these configs for hours.  Any assistance is appreciated.

Here is the config (public IPs masked for security reasons) in the one I CANNOT connect to:

blue-asa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname blue-asa
domain-name lc
enable password gpeZipNOC4hmamWI encrypted
passwd q/Sxg9222NJ9X1pj encrypted
multicast-routing
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!            
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.49 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name lc
object-group network internal-lan
access-list inside_out extended permit ip any any
access-list 101 extended permit ip 192.168.160.48 255.255.255.248 192.168.160.40 255.255.255.252
access-list 102 extended permit ip 192.168.160.48 255.255.255.248 192.168.160.40 255.255.255.252
access-list 110 extended permit ip host 192.168.160.50 any
access-list 110 extended permit ip any host 192.168.160.50
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 10.101.13.0 255.255.255.0 inside
http 172.16.215.0 255.255.255.0 outside
snmp-server location Pinkham
snmp-server contact Brian Chernish
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 10 match address 101
crypto map VPN 10 set peer xxx.xxx.xxx.xxx
crypto map VPN 10 set transform-set ESP-3DES-MD5
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 33
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.101.13.0 255.255.255.0 inside
telnet 172.16.215.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username brian.chernish password 6F5dPP25uT5drqJy encrypted
username bchernish password yuo1IROQ5LIDwcyO encrypted privilege 15
username admin password G9lUqcuvYe7MJhD. encrypted privilege 15
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key xxxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!            
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cdf01d5a5354f221a6741afd855842f1
: end
blue-asa#
blue-asa#

AND here is the one I CAN connect to:

BlackButte# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname BlackButte
domain-name BBute.local
enable password gpeZipocn4hmamWI encrypted
passwd gpeZippwr4hmamWI encrypted
multicast-routing
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!            
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.17 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.128
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name BBute.local
object-group network internal-lan
access-list inside_out extended permit ip any any
access-list 101 extended permit ip 192.168.160.16 255.255.255.248 192.168.160.8 255.255.255.252
access-list 102 extended permit ip 192.168.160.16 255.255.255.248 192.168.160.8 255.255.255.252
access-list 110 extended permit ip host 192.168.160.18 any
access-list 110 extended permit ip any host 192.168.160.18
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 162.244.174.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 10.101.48.0 255.255.255.0 inside
http 172.16.215.0 255.255.255.0 outside
snmp-server location Black Butte
snmp-server contact Brian Chernish
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 10 match address 101
crypto map VPN 10 set peer xxx.xxx.xxx.xxx
crypto map VPN 10 set transform-set ESP-3DES-MD5
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 33
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.101.48.0 255.255.255.0 inside
telnet 172.16.215.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username brian.chernish password y5IvA0kHNneSE7Gt encrypted
username bchernish password yuo1IROQ5LIDwcyO encrypted privilege 15
username admin password lQ8UrH1fkQnWsqvw encrypted privilege 15
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!            
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
BlackButte#
BlackButte#

THANKS,

Brian Chernish

0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎11-17-2015 10:14 AM

Has it ever worked to SSH into the ASA? If not, it could be a missing RSA keypair. Then do a 

crypto key generate rsa mod 2048

If it worked before, there have been bugs that cause SSH to fail. Sometimes it helps to remove and reapply the ssh access-control:

no ssh 0.0.0.0 0.0.0.0 inside
no ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside

If that helps, then you should update the ASAs to the latest interims-release of your preffered release.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card