Mesfer
SSH not success to access PIX/ASA firewall

Dear, greetings,

In our enterprise, we are going to apply SSH instead of TELNET for all CISCO equipment.
The procedure succeeded for routers, switches, and IPS, but unfortunately failed for PIX and ASA.
When I execute PuTTY, a window appears with the question:
"The first cipher supported by the server is single-DES, which is below the configured warning threshold.
Do you want to continue this connection?"
When I select the YES button, the SSH shell opens and prompts for login, but it does not proceed and replies "Access denied", as below:
================================
login as: admin
Sent username "admin"
admin@xxx.xxx.xxx.xxx's password:
Access denied  
================================
Alan Huseyin Kayahan

Hi Mesfer
* Do you have a username called Admin with xxxx password in the PIX? If not, add the following:

username admin password xxxx priv 15

Regards
Out of the box the username is pix and the password is the TELNET password, set with the command:

passwd aardvarkbanana
You may have corrupt rsa keys - to remove and reset them depending on your OS do the following:
On PIX7.x/ASA
crypto key zeroize rsa
crypto key generate rsa modulus 1024

On PIX 6.3x
ca zeroize rsa
ca gen rsa key 1024

cheers
Mesfer

ASKER

Dear Expert,
Thanks for the assistance, but unfortunately I applied your direction and the problem is still there.
FYI:
- I tried to open an SSH session to PIX535 and ASA5520 (both have software ASA 7.2).
- I reloaded the firewalls with no success.
- I tried two different SSH programs: PuTTY and SSH Secure Shell

Could you suggest more troubleshooting...
Thanks...
Hi - can you post a copy of a sanitized config?
Mesfer

ASKER

Sorry for the late progress, I was on vacation...
The following is part of the ASA configuration:
==============================================
ASA Version 7.2(2)
!
hostname HO-FP-Internet-3
domain-name sfda.gov
enable password 3jsr0FBkbqUIuz42 encrypted
names
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.16.0.254 255.255.255.0 standby 10.16.0.253
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.16.1.254 255.255.255.0 standby 10.16.1.253
!
interface GigabitEthernet0/2
 duplex full
 nameif outside
 security-level 0
 ip address 10.16.15.252 255.255.255.0 standby 10.16.15.251
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
passwd 1C8Yey4npLzopCN1 encrypted
.......
......
ssh 10.2.1.160 255.255.255.255 inside
ssh timeout 60
===================================================

If you need the full configuration, how can I post it? I'm concerned to solve this issue ASAP.

Thankful...
Hi
I see your inside network is 10.16.0.254/24 but you are only allowing ssh to one particular host on your inside:
ssh 10.2.1.160 255.255.255.255 inside

Can the PIX reach this ip - is there a route for it? If not, then that would be your issue. If you want to verify whether the ssh restriction causes the problem - remove it momentarily, test, and then re-add a working version.

e.g.
conf t
no ssh 10.2.1.160 255.255.255.255 inside

##TEST NOW##
ssh 10.16.0.0 255.255.255.0 inside

hth

Mesfer

ASKER

Dear,
At first, thanks for the assistance...

But I can't understand the meaning of "Can the PIX reach this ip - is there a route for it?" How can I check?
Following your direction I did the following:
1- Removed the SSH configuration, as: CISCO-ASA(config)# no ssh 10.2.1.160 255.255.255.255 inside
2- Tried to connect using PuTTY; there is no response or prompt for the login user.
3- Reconfigured SSH as: CISCO-ASA(config)# ssh 10.2.1.160 255.255.255.255 inside
There is a prompt for the login user, but unfortunately the problem is still there and access is denied.

Regards...
Mesfer

ASKER

Dear,

Could you comment and update please...

Thanks...
It seems your ssh is working correctly if you are being asked for a login - do you have any RADIUS/TACACS+ settings configured that the device may be trying to connect to? This would ignore the local user database.

If not -
Can you remove the ssh username and re-add it -

no username admin
username admin password ########

And try again?
Mesfer

ASKER


Unfortunately it did not succeed...
Anything else?...

Thanks for the cooperation...
Sorry - I just noticed an error in the troubleshooting earlier

Try this
no ssh 10.2.1.160 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 inside

And then try it

If it works - we will isolate where it's going astray and configure it properly
Mesfer

ASKER

I tried it sir, but unfortunately it did not succeed...

What next?
Thanks for your patience...
Mesfer

ASKER

Expert, have you any comment?...
Hi Mesfer - if you have already tried opening ssh to all inside hosts, ensuring the username is correct, and removing and regenerating the keys, there is not a lot else I can see that could be wrong.

Is the host you are trying this from on the same ip range as the inside interface:
ip address 10.16.0.254 255.255.255.0 standby 10.16.0.253

And are you using ssh version 1 or 2?
Mesfer

ASKER

Hi,

Yes, it is in the same range, and the ssh version is both.

Thanks for cooperating with me...
Mesfer

ASKER

Hi experts...

Any update?
Hi Mesfer
I have posted everything I can think of - gonna call in some help on it

cheers
Mesfer

ASKER

Thanks dear...
Try:

clear configure ssh
crypto key generate rsa

Then in conf t:
ssh 10.2.1.160 255.255.255.255 inside
ssh version 2
ssh timeout 60

wri mem

While attempting to ssh, view the debug with

debug ssh

ASKER CERTIFIED SOLUTION
Les Moore
Mesfer

ASKER

Dear Fryguy, thanks for assisting me. I did your direction, but unfortunately it didn't succeed.
The configuration and debugging are as follows:
=======================================================================
HO-FP-Internet-3(config)# clear configure ssh
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)# cry
HO-FP-Internet-3(config)# crypto k
HO-FP-Internet-3(config)# crypto key g
HO-FP-Internet-3(config)# crypto key generate r
HO-FP-Internet-3(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)#
HO-FP-Internet-3(config)# ssh 10.2.1.160 255.255.255.255 ins
HO-FP-Internet-3(config)# ssh 10.2.1.160 255.255.255.255 inside
HO-FP-Internet-3(config)# ssh v
HO-FP-Internet-3(config)# ssh version 2
ERROR: SSH version 2 requires a VPN-3DES-AES activation key.
HO-FP-Internet-3(config)# ssh version 1
HO-FP-Internet-3(config)# ssh
HO-FP-Internet-3(config)# ssh ti
HO-FP-Internet-3(config)# ssh timeout 60
HO-FP-Internet-3(config)# wri mem
Building configuration...
Cryptochecksum: 441214e5 97e9b8bf ebd786ee 8d9f273e

8741 bytes copied in 3.520 secs (2913 bytes/sec)
[OK]
HO-FP-Internet-3(config)# deb
HO-FP-Internet-3(config)# debug ssh
debug ssh  enabled at level 1
HO-FP-Internet-3(config)# Device ssh opened successfully.
SSH0: SSH client: IP = '10.2.1.160'  interface # = 1
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.5-PuTTY_Release_0.60

client version string:SSH-1.5-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 570 ms
SSH0: declare what cipher(s) we support:
00  0x00  0x00  0x04  0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
SSH0: client requests  DES cipher: 2
SSH: scb created 0x3fe5d90, size 104
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: keys exchanged and encryption on
SSH0: receive SSH message: SSH_CMSG_USER (4)
SSH0: authentication request for userid mesfer
SSH(mesfer): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid mesfer
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_MSG_DISCONNECT (1)
SSH0: session terminated by client - reason "Unable to authenticate"
SSH0: authentication failed for mesfer
SSH0: Session disconnected by SSH server - error 0x36 "Reset by client"
===================================================================

Then I tried to login using SSH :
=========================
login as: mesfer
Sent username "mesfer"
mesfer@10.16.0.254's password:
Access denied
mesfer@10.16.0.254's password:
==========================
Mesfer

ASKER

Dear lrmoore, thanks a lot for your direction.
Actually, you are right, and finally I could access our firewalls through an SSH session.

So the secret was found in the following command:
HO-FP-Internet-3(config)# aaa authentication ssh console LOCAL

I don't know how I missed this necessary configuration; also I didn't notice any emphasis on this configuration of "aaa authentication ssh console LOCAL" from the dear experts during this long story, nor on this command in the references and manuals that I read.

All in all, my pleasure and a bundle of thanks to expert lrmoore, and to all experts who cooperated with me.

Thankful for https://www.experts-exchange.com
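The debug transcript posted above ("user authen method is 'no AAA'" followed by "invalid userid mesfer") and the final fix ("aaa authentication ssh console LOCAL") describe the same gap: without that aaa line, the ASA never consults its local username database for SSH logins, so only the default pix user with the passwd password can get in. The following is an added example, not code from this thread or from Cisco: a small Python audit that reads a running-config fragment and a debug ssh excerpt and reports that gap. The sample config and debug lines are constructed here, modelled on the ones in the thread, with placeholder password hashes.

```python
"""Audit helper for the ASA SSH-login failure discussed in this thread.

Two checks, both on text you paste in:
1. Running config: are local usernames defined while
   'aaa authentication ssh console LOCAL' is absent? If so, SSH logins
   never consult the local user database (only the default user 'pix'
   with the 'passwd' password works).
2. 'debug ssh' output: does it report "user authen method is 'no AAA'"
   followed by "invalid userid <name>"? That is the symptom of the same gap.
"""
import re
from typing import List, Optional

# Constructed sample config fragment (hypothetical), modelled on the one
# posted in the thread; password hashes replaced by placeholders.
SAMPLE_CONFIG_BROKEN = """\
hostname HO-FP-Internet-3
username admin password ######## encrypted privilege 15
passwd ######## encrypted
ssh 10.2.1.160 255.255.255.255 inside
ssh timeout 60
"""

# The same fragment with the line the asker was missing.
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG_BROKEN + "aaa authentication ssh console LOCAL\n"

# Constructed excerpt of 'debug ssh' output, modelled on the thread's transcript.
SAMPLE_DEBUG = """\
SSH0: receive SSH message: SSH_CMSG_USER (4)
SSH0: authentication request for userid mesfer
SSH(mesfer): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid mesfer
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
"""

AAA_SSH_RE = re.compile(r"^aaa authentication ssh console (\S+)", re.M)
USERNAME_RE = re.compile(r"^username (\S+) ", re.M)
SSH_PERMIT_RE = re.compile(r"^ssh \S+ \S+ \S+", re.M)
AUTHEN_METHOD_RE = re.compile(r"^SSH\((\S+)\): user authen method is '([^']*)'", re.M)
INVALID_USER_RE = re.compile(r"^SSH\d+: invalid userid (\S+)", re.M)


def audit_config(config: str) -> List[str]:
    """Return findings about the SSH authentication setup in a running config."""
    findings = []
    users = USERNAME_RE.findall(config)
    aaa = AAA_SSH_RE.search(config)
    if aaa is None:
        findings.append(
            "no 'aaa authentication ssh console' line: SSH uses the default user "
            "'pix' with the 'passwd' password; local usernames are ignored"
        )
        if users:
            findings.append(
                f"local username(s) {', '.join(users)} defined but unusable over SSH"
            )
    elif aaa.group(1).upper() == "LOCAL" and not users:
        findings.append("SSH authenticates against LOCAL but no username is configured")
    if SSH_PERMIT_RE.search(config) is None:
        findings.append("no 'ssh <addr> <mask> <iface>' line: no host is permitted to connect")
    return findings


def diagnose_debug(debug_output: str) -> Optional[str]:
    """Explain an authentication failure seen in 'debug ssh' output, or None."""
    method = AUTHEN_METHOD_RE.search(debug_output)
    invalid = INVALID_USER_RE.search(debug_output)
    if method and method.group(2) == "no AAA" and invalid:
        return (
            f"user '{invalid.group(1)}' rejected because SSH authentication is 'no AAA': "
            "add 'aaa authentication ssh console LOCAL' (or log in as the default user 'pix')"
        )
    if invalid:
        return f"user '{invalid.group(1)}' is unknown to the configured authentication method"
    return None


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_CONFIG_BROKEN), ("fixed", SAMPLE_CONFIG_FIXED)):
        print(f"[{label}] findings: {audit_config(cfg) or 'none'}")
    print("[debug]", diagnose_debug(SAMPLE_DEBUG))
```

Running it against the constructed "broken" config reports two findings (missing aaa line, unusable local user) and none against the fixed one; the debug excerpt is traced to the same missing aaa line. On a real box the same two artefacts come from show running-config and debug ssh, and once the aaa line is in place the debug output should no longer show 'no AAA' as the authen method.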
Glad you are working. Don't forget to select an answer and grade accordingly to close out this question.