Question

How to enable ssh on ASA 5505

Asked by: AXISHK

Any idea of the minimal set of commands to enable SSH on an ASA 5505 box? I need to enable the ping command and SSH so that I could remotely put the configuration on the box again.

In PIX, I use "ca gen rsa key 1024", but it is not supported anymore. And the new crypto key command doesn't ask for any key size for me to fill in.

In addition, what interface / VLAN should I need to configure in order to avoid the minimize purpose?

Thanks


Asked On: 2008-03-04 at 19:19:41 (ID 23214895)
Tags: Cisco PIX
Topics: Cisco PIX Firewall, IPSec Security Protocol
Participating Experts: 3
Points: 500
Comments: 14


Answers

 

by: batry_boy, posted on 2008-03-05 at 04:31:31, ID: 21049682

On the ASA, the command is:

crypto key generate rsa 1024

If you leave off the "1024" in the above command, it will use 1024 by default.

>>what interface / VLAN should I need to configure in order to avoid the minimize purpose.

I'm not sure what you mean by "to avoid the minimize purpose".  Please clarify.

 

by: AXISHK, posted on 2008-03-05 at 08:35:03, ID: 21051799

I want to access the box through the internet and allow it to be pinged. So what additional commands should I put in?


Thanks.

 

by: bdeterding, posted on 2008-03-05 at 09:08:52, ID: 21052131

ssh <ip> <mask> <interface>

I also recommend:
ssh timeout 10
ssh version 2

The syntax for ping is much the same:
icmp permit <ip> <mask> <interface>

 

by: batry_boy, posted on 2008-03-05 at 10:00:23, ID: 21052713

The ASA outside interface should respond to pings by default.  You should not have to issue the "icmp permit" command.

See bdeterding's command syntax above.  I would HIGHLY recommend that you restrict SSH access from the outside to specific IP addresses and not use the "0.0.0.0 0.0.0.0" for the <ip> and <mask> parameters of that command.  For example, if you wanted IP address 1.1.1.1 only to be allowed to access the ASA from the outside, then you would put in:

ssh 1.1.1.1 255.255.255.255 outside

 

by: AXISHK, posted on 2008-03-05 at 17:27:31, ID: 21056512

Thanks everyone for the valuable ideas.
Below are the commands that I will schedule to perform remotely.  Is there anything missing? A few concerns:
- Do I need to bind VLAN1 to the inside E0/1 by default (as I couldn't see any binding of a VLAN to an Ethernet interface in the factory default setting)?

- "ca save all" doesn't work anymore on the ASA. So using "write mem" will save the certificate, correct?

- With the commands below, I could at least ping the outside interface, correct?

Frankly, I have put those commands into the ASA box but it doesn't work. Can anyone think of a potential reason for it not working? Is it due to the binding of VLAN1, interface negotiation, etc.?

Many thanks.
 

- write erase
- reload
 
hostname xxxxxx
domain-name xxxxxx

interface Vlan1
 nameif inside
 security-level 100
 ip address xxxxx 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxx 255.255.255.240

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 no shutdown

interface Ethernet0/2
 no shutdown

route outside 0.0.0.0 0.0.0.0 xxxxx 1

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5

crypto key generate rsa 1024
wr mem

 

by: batry_boy, posted on 2008-03-05 at 17:35:46, ID: 21056543

>>Do I need to bind VLAN1 to the inside E0/1 by default (as I couldn't see any binding of a VLAN to an Ethernet interface in the factory default setting)?

No, VLAN1 is bound to ports E0/1 - E0/7 by default.

>>"ca save all" doesn't work anymore on the ASA. So using "write mem" will save the certificate, correct?

That is correct.

>>With the commands below, I could at least ping the outside interface, correct?

That is correct.

Are you trying to SSH to the outside interface?  If so, it should work from any source IP address with the commands above.

Also, rather than a "wr erase" which removes the entire ASA configuration, there is a special command "configure factory-default" that will reset the entire ASA configuration to the factory default settings.  You can try that if you wish and then enter the rest of the commands and see if that helps...

 

by: AXISHK, posted on 2008-03-05 at 18:39:05, ID: 21056776

Thanks.

I accessed the remote ASA box through my home ADSL router tonight. This is a dynamic IP address from the ISP. I know the public IP address going outside. Is there any way to find out the subnet used by my provider based on the public IP address, so that I could restrict SSH to the subnet used?

Thanks again.

 

by: batry_boy, posted on 2008-03-05 at 19:05:08, ID: 21056898

I would use the netmask "255.255.255.255" which would restrict it to just your single IP address from your ISP.  This way, you're not allowing any of the ISP's other customers to access your firewall.
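As an added illustration of the "ssh <ip> <mask> <interface>" syntax given earlier in this thread and of the host-mask advice in this reply (this is example code written for this page, not code from the thread, from Cisco, or from any ASA tool), the Python script below parses the management-access lines of an ASA running-config, reports how many source addresses each SSH rule admits, flags rules on the outside interface that admit more than a single host, and flags a missing "ssh version 2". The sample configuration is constructed, modelled on the one posted earlier with its xxxxx placeholders replaced by RFC 5737 documentation addresses; the 1.1.1.1 host reuses batry_boy's example address.

```python
"""Audit SSH management-access lines in a Cisco ASA running-config.

Added example for this thread (not the poster's or Cisco's code). Checks:
  * 'ssh <ip> <mask> <interface>' rules on an untrusted interface whose
    mask admits more than one source address (e.g. 0.0.0.0 0.0.0.0);
  * whether 'ssh version 2' is present.
"""
import ipaddress
import re

# Constructed sample, modelled on the configuration posted in the thread.
# Addresses are RFC 5737 documentation space, not real hosts.
SAMPLE_CONFIG = """\
hostname asa5505
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""

# Matches only the access rule form; 'ssh timeout 5' / 'ssh version 2' do not match.
SSH_RULE = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_ssh_rules(config):
    """Return a list of (network, interface) for every 'ssh <ip> <mask> <if>' line."""
    rules = []
    for line in config.splitlines():
        match = SSH_RULE.match(line.strip())
        if match:
            # ipaddress accepts an (address, netmask) tuple; strict=False
            # tolerates host bits being set, as the ASA does.
            net = ipaddress.ip_network((match.group(1), match.group(2)), strict=False)
            rules.append((net, match.group(3)))
    return rules


def ssh_version(config):
    """Return the configured SSH version, or None if no 'ssh version' line exists."""
    match = re.search(r"^ssh version (\d)", config, re.MULTILINE)
    return int(match.group(1)) if match else None


def audit(config, untrusted_interfaces=("outside",)):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    for net, iface in parse_ssh_rules(config):
        admitted = net.num_addresses
        if iface in untrusted_interfaces and admitted > 1:
            findings.append(
                f"ssh rule on '{iface}' ({net.with_netmask}) admits {admitted} "
                f"source addresses; restrict to a host with mask 255.255.255.255"
            )
    if ssh_version(config) != 2:
        findings.append("'ssh version 2' is not configured")
    return findings


def host_rule(ip, interface):
    """Build the single-host rule this reply recommends, e.g. for 1.1.1.1."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return f"ssh {ip} 255.255.255.255 {interface}"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("Suggested rule:", host_rule("1.1.1.1", "outside"))
```

Running it against the sample prints two findings (the any-source rule on outside and the missing version line); replacing that rule with the output of host_rule and adding "ssh version 2" yields no findings. The inside /24 rule is left alone because only the interfaces named in untrusted_interfaces are checked.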

 

by: AXISHK, posted on 2008-03-05 at 21:20:43, ID: 21057591

Thanks. Will give another try tonight and let you know the results later. Tks.

 

by: AXISHK, posted on 2008-03-06 at 16:17:45, ID: 21066107

Hi

The BT ADSL router is connected to a mini-switch. From the mini-switch, it attaches to our existing firewall (Netgear) and our new ASA 5505. The public interfaces of both boxes are configured with public IPs provided by the ISP. And I have a laptop plugged into the mini-switch, but it obtains a private IP, I believe from the ADSL router. (The IP is totally different from the public IP, as it is in a private subnet range.)

Pinging and SSH from the laptop to the ASA 5505 work perfectly. However, when I try to access the box remotely from another world, it doesn't work. Does it mean the BT router has blocked some kind of access? Why does it happen like that?

Thanks
Simon

 

by: batry_boy, posted on 2008-03-06 at 17:54:29, ID: 21066619

>>However, when I try to access the box remotely from another world, it doesn't work. Does it mean the BT router has blocked some kind of access?

I thought you said you could access it from your home last night...is this no longer working?  What do you mean by "from another world" that you can't access it?

 

by: AXISHK, posted on 2008-03-06 at 18:08:42, ID: 21066691

I use Teamwork to connect to a laptop in the remote office. The laptop is plugged directly into the BT network as mentioned above. From there I can ping and SSH to the ASA, under the same BT network.

However, if I SSH to the ASA from my home laptop, it would work. To me, it seems that the BT router has blocked access to this.... Am I correct? Why does it happen?

Tks

 

by: batry_boy, posted on 2008-03-08 at 08:38:26, ID: 21077642

I think that the BT router is probably blocking the traffic since it sounds like it is performing NAT, and if it is, you will need to have that router configured to allow traffic to pass through it via port forwarding or whatever method it supports for allowing external traffic to pass through it.

 

by: Fikr, posted on 2009-10-27 at 16:03:39, ID: 25678658

If this is the computer you want to check, do a netstat -a
Look which port is open.
And by the way, best practice is not to allow ICMP on the outside interface of a firewall.
If you like to drop this traffic do: icmp deny any outside; if you like to allow ICMP on the LAN or DMZ, do icmp permit any inside, and so on.
One way to get your IP address is to go to: www.myip.dk; that will work for you.
