SSH not success to access PIX/ASA firewall

Mesfer
Dear all, greetings,

In our enterprise, we are going to apply SSH instead of TELNET for all Cisco equipment.
The procedure succeeded for routers, switches, and IPS, but unfortunately failed for PIX and ASA.
When I execute PuTTY, a window appears with the question:
"The first cipher supported by the server is single-DES, which is below the configured warning threshold.
Do you want to continue this connection?"
When I select the YES button, the SSH shell opens and prompts for login, but it does not proceed and replies "Access denied" as below:
================================
login as: admin
Sent username "admin"
admin@xxx.xxx.xxx.xxx's password:
Access denied  
================================

Commented:
Hi Mesfer

* Do you have a username called admin with the xxxx password on the PIX? If not, add the following:
username admin password xxxx priv 15

Regards
Pete Long, Technical Consultant

Commented:
Out of the box the username is pix and the password is the TELNET password, set with the

passwd aardvarkbanana

command.

Commented:
You may have corrupt rsa keys - to remove and reset them depending on your OS do the following:
On PIX7.x/ASA
crypto key zeroize rsa
crypto key generate rsa modulus 1024

On PIX 6.3x
ca zeroize rsa
ca gen rsa key 1024

cheers

Author

Commented:
Dear Expert,
Thanks for the assistance, but unfortunately I applied your direction and the problem persists.
FYI:
- I tried to open an SSH session to a PIX535 and an ASA5520 (both have software ASA 7.2).
- I reloaded the firewalls with no success.
- I tried two different SSH clients: PuTTY and SSH Secure Shell.

Could you suggest more troubleshooting?
Thanks,

Commented:
Hi - can you post a copy of a sanitized config?

Author

Commented:
Sorry for the late progress, I was on vacation.
The following is part of the ASA configuration:
==============================================
ASA Version 7.2(2)
!
hostname HO-FP-Internet-3
domain-name sfda.gov
enable password 3jsr0FBkbqUIuz42 encrypted
names
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.16.0.254 255.255.255.0 standby 10.16.0.253
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.16.1.254 255.255.255.0 standby 10.16.1.253
!
interface GigabitEthernet0/2
 duplex full
 nameif outside
 security-level 0
 ip address 10.16.15.252 255.255.255.0 standby 10.16.15.251
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
passwd 1C8Yey4npLzopCN1 encrypted
.......
......
ssh 10.2.1.160 255.255.255.255 inside
ssh timeout 60
===================================================

If you need the full configuration, how can I post it? I am concerned to solve this issue ASAP.

Thankful,

Commented:
Hi
I see your inside network is 10.16.0.254/24, but you are only allowing SSH from one particular host on your inside:
ssh 10.2.1.160 255.255.255.255 inside

Can the PIX reach this IP - is there a route for it? If not, then that would be your issue. If you want to verify whether the SSH restriction causes the problem, remove it momentarily, test, and then re-add a working version.

e.g.
conf t
no ssh 10.2.1.160 255.255.255.255 inside

##TEST NOW##
ssh 10.16.0.0 255.255.255.0 inside

hth

Author

Commented:
Dear,
At first, thanks for the assistance.

But I can't understand the meaning of "Can the PIX reach this IP - is there a route for it?" How can I check?
Following your direction I did the following:
1- Removed the SSH configuration, as: CISCO-ASA(config)# no ssh 10.2.1.160 255.255.255.255 inside
2- Tried to connect using PuTTY; there is no response or prompt for login.
3- Reconfigured SSH as: CISCO-ASA(config)# ssh 10.2.1.160 255.255.255.255 inside
There is a prompt for login, but unfortunately the problem persists and access is denied.

Regards,
 

Author

Commented:
Dear,

Could you comment and update, please?

Thanks,

Commented:
It seems your SSH is working correctly if you are being prompted for a login. Do you have any RADIUS/TACACS+ settings configured that the device may be trying to connect to? This would ignore the local user database.

If not -
Can you remove the SSH username and re-add it -

no username admin
username admin password ########

and try again?

Author

Commented:

Unfortunately it did not succeed.
Anything else?

Thanks for the cooperation.

Commented:
Sorry - I just noticed an error in the troubleshooting earlier.

Try this:
no ssh 10.2.1.160 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 inside

And then try it.

If it works, we will isolate where it is going astray and configure it properly.

Author

Commented:
I tried it, sir, but unfortunately it did not succeed.

What next?
Thanks for your patience,

Author

Commented:
Expert, have you any comment?

Commented:
Hi Mesfer - if you have already tried opening SSH to all inside hosts, ensuring the username is correct, and removing and regenerating the keys, there is not a lot else I can see that could be wrong.

Is the host you are trying this from on the same IP range as the inside interface?
ip address 10.16.0.254 255.255.255.0 standby 10.16.0.253

And are you using SSH version 1 or 2?

Author

Commented:
Hi,

Yes, it is in the same range, and the SSH version is both.

Thanks for cooperating with me.

Author

Commented:
Hi experts,

Any update?

Commented:
Hi Mesfer
I have posted everything I can think of - gonna call in some help on it.

cheers

Author

Commented:
Thanks dear,
Ryan Weaver, Cyber Security Engineer

Commented:
Try:

clear configure ssh
crypto key generate rsa

Then in conf t:
ssh 10.2.1.160 255.255.255.255 inside
ssh version 2
ssh timeout 60

wri mem

While attempting to SSH, view the debug with:

debug ssh

Sr. Systems Engineer
Commented:
Try this:

aaa authentication ssh console LOCAL
username admin password admin privilege 15
ssh 10.2.1.160 255.255.255.255 inside
ssh timeout 5

-----------------------------------------------
Using SSH Secure Shell 3.2.9
 Connection tab
   Host name: 10.16.0.254
   User name: admin
   Port number: 22
    <default> on all the rest
 Profile Properties (Edit Profile)
  Cipher list tab
    Make sure DES is checked
  Authentication tab
     Make sure Password method is moved to the top
    At the bottom, check enable for SSH2 and SSH1, but not agent forwarding

You should get a Password prompt.
You may get prompted "Remote host uses SSH1 protocol" - OK to accept.
You may get another prompt; just accept it with Yes.

I have this setup working just fine on a PIX with 6.35, a PIX with 7.0(6), an ASA with 7.22 and an ASA with 8.0.

Author

Commented:
Dear Fryguy, thanks for assisting me. I followed your direction, but unfortunately it did not succeed.
The configuration and debugging are as follows:
=======================================================================
HO-FP-Internet-3(config)# clear configure ssh
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)# cry
HO-FP-Internet-3(config)# crypto k
HO-FP-Internet-3(config)# crypto key g
HO-FP-Internet-3(config)# crypto key generate r
HO-FP-Internet-3(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)# ssh 10.2.1.160 255.255.255.255 ins
HO-FP-Internet-3(config)# ssh 10.2.1.160 255.255.255.255 inside
HO-FP-Internet-3(config)# ssh v
HO-FP-Internet-3(config)# ssh version 2
ERROR: SSH version 2 requires a VPN-3DES-AES activation key.
HO-FP-Internet-3(config)# ssh version 1
HO-FP-Internet-3(config)# ssh
HO-FP-Internet-3(config)# ssh ti
HO-FP-Internet-3(config)# ssh timeout 60
HO-FP-Internet-3(config)# wri mem
Building configuration...
Cryptochecksum: 441214e5 97e9b8bf ebd786ee 8d9f273e

8741 bytes copied in 3.520 secs (2913 bytes/sec)
[OK]
HO-FP-Internet-3(config)# deb
HO-FP-Internet-3(config)# debug ssh
debug ssh  enabled at level 1
HO-FP-Internet-3(config)# Device ssh opened successfully.
SSH0: SSH client: IP = '10.2.1.160'  interface # = 1
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.5-PuTTY_Release_0.60

client version string:SSH-1.5-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 570 ms
SSH0: declare what cipher(s) we support:
00  0x00  0x00  0x04  0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
SSH0: client requests  DES cipher: 2
SSH: scb created 0x3fe5d90, size 104
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: keys exchanged and encryption on
SSH0: receive SSH message: SSH_CMSG_USER (4)
SSH0: authentication request for userid mesfer
SSH(mesfer): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid mesfer
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_MSG_DISCONNECT (1)
SSH0: session terminated by client - reason "Unable to authenticate"
SSH0: authentication failed for mesfer
SSH0: Session disconnected by SSH server - error 0x36 "Reset by client"
===================================================================

Then I tried to log in using SSH:
=========================
login as: mesfer
Sent username "mesfer"
mesfer@10.16.0.254's password:
Access denied
mesfer@10.16.0.254's password:
==========================

Author

Commented:
Dear lrmoore, thanks a lot for your direction.
Actually, you are right, and finally I could access our firewalls through an SSH session.

So the secret was found in the following command:
HO-FP-Internet-3(config)# aaa authentication ssh console LOCAL

I don't know how I missed this necessary configuration; I also didn't notice any emphasis on the "aaa authentication ssh console LOCAL" configuration from the dear experts during this long story, nor any mention of this command in the references and manuals that I read.

All in all, my pleasure and a bundle of thanks to expert lrmoore, and to all the experts who cooperated with me.

Thankful for www.experts-exchange.com
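The root cause of this thread (SSH prompts for a login, but the `username` accounts are never consulted because no `aaa authentication ssh console LOCAL` line exists) is easy to lint for. The following is an added example, not code from the thread or from Cisco: it audits an ASA/PIX config fragment for the SSH login settings discussed above and maps the decisive `debug ssh` lines to a likely cause. The config and debug samples are constructed from the thread with the password hashes redacted; the regex and the finding texts are my own assumptions.

```python
import re

# Constructed sample: the SSH-relevant lines of the thread's sanitized ASA 7.2
# config as they stood before the fix (password hashes redacted).
ASA_CONFIG_BEFORE = """\
hostname HO-FP-Internet-3
passwd REDACTED encrypted
username admin password REDACTED encrypted privilege 15
ssh 10.2.1.160 255.255.255.255 inside
ssh timeout 60
"""

# Constructed sample: the decisive authentication lines of the thread's 'debug ssh'.
DEBUG_SSH_SAMPLE = """\
SSH0: client requests  DES cipher: 2
SSH0: authentication request for userid mesfer
SSH(mesfer): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid mesfer
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
"""

# 'ssh <host> <mask> <interface>' access lines (assumed format, as used in the thread).
SSH_HOST_RE = re.compile(r"^ssh (\d{1,3}\.){3}\d{1,3} (\d{1,3}\.){3}\d{1,3} \S+$")


def audit_ssh_config(config: str) -> list[str]:
    """Report config settings that stop SSH logins from working on a PIX/ASA."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if not any(SSH_HOST_RE.match(ln) for ln in lines):
        findings.append("no 'ssh <host> <mask> <if>' entry: clients get no login prompt")
    if "aaa authentication ssh console LOCAL" not in lines:
        findings.append("missing 'aaa authentication ssh console LOCAL': "
                        "'username' accounts are not consulted for SSH logins")
    elif not any(ln.startswith("username ") for ln in lines):
        findings.append("LOCAL authentication set but no 'username' accounts defined")
    if "ssh version 2" not in lines:
        findings.append("'ssh version 2' not set: SSHv1 with single DES is accepted")
    return findings


def diagnose_debug_ssh(log: str) -> str:
    """Map the authentication lines of 'debug ssh' output to a likely cause."""
    if "user authen method is 'no AAA'" in log and "invalid userid" in log:
        return "no AAA method for ssh: add 'aaa authentication ssh console LOCAL'"
    if "authentication failed" in log:
        return "AAA consulted but credentials rejected: check the username/password"
    return "no authentication failure seen in this debug output"


def apply_fix(config: str) -> str:
    """Append the single line that resolved the thread to the config text."""
    return config + "aaa authentication ssh console LOCAL\n"
```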
Les Moore, Sr. Systems Engineer

Commented:
Glad you are working. Don't forget to select an answer and grade accordingly to close out this question.
