SSH not success to access PIX/ASA firewall

Mesfer used Ask the Experts™
Dear, greetings,

In our enterprise, we are going to apply SSH instead of TELNET for all Cisco equipment.
The procedure succeeded for routers, switches, and IPS, but unfortunately failed for PIX and ASA.
When I run PuTTY, a window appears with the question:
"The first cipher supported by the server is single-DES, which is below the configured warning threshold.
Do you want to continue this connection?"
When I select the YES button, the SSH shell opens and prompts for login, but it does not proceed and replies "Access denied", as below:
login as: admin
Sent username "admin"'s password:
Access denied  
Top Expert 2007

Hi Mesfer

* Do you have a username called Admin with password xxxx in the PIX? If not, add the following:

username admin password xxxx priv 15

Pete Long, Technical Consultant

Out of the box the username is pix and the password is the TELNET password, set with:

passwd aardvarkbanana


You may have corrupt RSA keys. To remove and reset them, depending on your OS, do the following:
crypto key zeroize rsa
crypto key generate rsa modulus 1024

On PIX 6.3x
ca zeroize rsa
ca gen rsa key 1024


Dear Expert,
Thanks for the assistance, but unfortunately I applied your direction and the problem is still there.
- I tried to open an SSH session to a PIX535 and an ASA5520 (both run ASA software 7.2).
- I reloaded the firewalls, with no success.
- I tried two different SSH clients: PuTTY and SSH Secure Shell.

Could you suggest more troubleshooting?
Thanks,

Hi - can you post a copy of a sanitized config?


Sorry for the late progress, I was on vacation.
The following is part of the ASA configuration:
ASA Version 7.2(2)
hostname HO-FP-Internet-3
enable password 3jsr0FBkbqUIuz42 encrypted
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address standby
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address standby
interface GigabitEthernet0/2
 duplex full
 nameif outside
 security-level 0
 ip address standby
interface GigabitEthernet0/3
 description LAN Failover Interface
interface Management0/0
 nameif management
 security-level 0
 ip address
passwd 1C8Yey4npLzopCN1 encrypted
ssh inside
ssh timeout 60

If you need the full configuration, how can I post it? I am concerned to solve this issue ASAP.

Thankful,

I see your inside network is but you are only allowing ssh to one particular host on your inside:
ssh inside

Can the PIX reach this IP - is there a route for it? If not, then that would be your issue. If you want to verify whether the ssh restriction causes the problem, remove it momentarily, test, and then re-add a working version.

conf t
no ssh inside

ssh inside



Dear,
At first, thanks for the assistance.

But I can't understand the meaning of "Can the PIX reach this IP - is there a route for it?" How can I check?
Following your direction I did the following:
1- Removed the SSH configuration, as: CISCO-ASA(config)# no ssh inside
2- Tried to connect using PuTTY; there is no response or prompt for the login user.
3- Reconfigured SSH as: CISCO-ASA(config)# ssh inside
There is a prompt for the login user, but unfortunately the problem is still there and access is denied.

Regards,



Could you comment and update please?

Thanks,

It seems your ssh is working correctly if you are being asked for a login. Do you have any RADIUS/TACACS+ settings configured that the device may be trying to connect to? That would ignore the local user database.

If not -
Can you remove the ssh username and re-add it:

no username admin
username admin password ########

And try again?



Unfortunately it did not succeed.
Anything else?

Thanks for the cooperation.

Sorry - I just noticed an error in the troubleshooting earlier.

Try this:
no ssh inside
ssh inside

And then try it.

If it works, we will isolate where it is going astray and configure it properly.


I tried it sir, but unfortunately it did not succeed.

What next?
Thanks for your patience,


Expert, have you any comment?

Hi Mesfer - if you have already tried opening ssh to all inside hosts, ensuring the username is correct, and removing and regenerating the keys, there is not a lot else I can see that could be wrong.

Is the host you are trying this from on the same IP range as the inside interface:
ip address standby

And are you using ssh version 1 or 2?


Hi,

Yes, it is in the same range, and the ssh version is both.

Thanks for cooperating with me.


Hi experts,

Any update ?

Hi Mesfer
I have posted everything I can think of - gonna call in some help on it.



Thanks dear,
Ryan Weaver, Cyber Security Engineer


clear configure ssh
crypto key generate rsa

Then in conf t:
ssh inside
ssh version 2
ssh timeout 60

wri mem

While attempting to ssh, view the debug with:

debug ssh

Sr. Systems Engineer
Top Expert 2008
Try this:

aaa authentication ssh console LOCAL
username admin password admin privilege 15
ssh inside
ssh timeout 5

Using SSH Secure Shell 3.2.9:
 Connection tab
   Host name:
   User name: admin
   Port number: 22
   <default> on all the rest
 Profile Properties (Edit Profile)
  Cipher list tab
    Make sure DES is checked
  Authentication tab
    Make sure the Password method is moved to the top
    At the bottom, check enable for SSH2 and SSH1, but not agent forwarding

You should get a Password prompt.
You may get prompted "Remote host uses SSH1 protocol" - OK to accept.
You may get another prompt; just accept it with Yes.

I have this setup working just fine on a PIX with 6.35, a PIX with 7.0(6), an ASA with 7.22 and an ASA with 8.0.


Dear Fryguy, thanks for assisting me. I followed your direction, but unfortunately it didn't succeed.
The configuration and debugging are as follows:
HO-FP-Internet-3(config)# clear configure ssh
HO-FP-Internet-3(config)# cry
HO-FP-Internet-3(config)# crypto k
HO-FP-Internet-3(config)# crypto key g
HO-FP-Internet-3(config)# crypto key generate r
HO-FP-Internet-3(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
HO-FP-Internet-3(config)# ssh ins
HO-FP-Internet-3(config)# ssh inside
HO-FP-Internet-3(config)# ssh v
HO-FP-Internet-3(config)# ssh version 2
ERROR: SSH version 2 requires a VPN-3DES-AES activation key.
HO-FP-Internet-3(config)# ssh version 1
HO-FP-Internet-3(config)# ssh
HO-FP-Internet-3(config)# ssh ti
HO-FP-Internet-3(config)# ssh timeout 60
HO-FP-Internet-3(config)# wri mem
Building configuration...
Cryptochecksum: 441214e5 97e9b8bf ebd786ee 8d9f273e

8741 bytes copied in 3.520 secs (2913 bytes/sec)
HO-FP-Internet-3(config)# deb
HO-FP-Internet-3(config)# debug ssh
debug ssh  enabled at level 1
HO-FP-Internet-3(config)# Device ssh opened successfully.
SSH0: SSH client: IP = ''  interface # = 1
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.5-PuTTY_Release_0.60

client version string:SSH-1.5-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 570 ms
SSH0: declare what cipher(s) we support:
00  0x00  0x00  0x04  0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
SSH0: client requests  DES cipher: 2
SSH: scb created 0x3fe5d90, size 104
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: keys exchanged and encryption on
SSH0: receive SSH message: SSH_CMSG_USER (4)
SSH0: authentication request for userid mesfer
SSH(mesfer): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid mesfer
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_MSG_DISCONNECT (1)
SSH0: session terminated by client - reason "Unable to authenticate"
SSH0: authentication failed for mesfer
SSH0: Session disconnected by SSH server - error 0x36 "Reset by client"

Then I tried to log in using SSH:
login as: mesfer
Sent username "mesfer"
mesfer@'s password:
Access denied
mesfer@'s password:


Dear lrmoore, thanks a lot for your direction.
Actually, you are right, and finally I could access our firewalls through an SSH session.

So the secret was found in the following command:
HO-FP-Internet-3(config)# aaa authentication ssh console LOCAL

I don't know how I missed this necessary configuration; I also didn't notice any emphasis on "aaa authentication ssh console LOCAL" from the dear experts during this long story, nor any insistence on this command in the references and manuals that I read.

All in all, my pleasure and a bundle of thanks to expert lrmoore, and to all the experts who cooperated with me.

Thankful for
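As an added example (not from this thread, not Cisco's code), a small Python audit that reads an ASA/PIX 7.x config fragment and flags the pitfalls this thread ran into: SSH permitted but no `aaa authentication ssh console LOCAL` (so the `username` table is ignored and only the default `pix` user with the Telnet `passwd` can log in), LOCAL with no usernames behind it, SSHv1/DES still negotiable, and a long idle timeout. The sample configs, the 192.0.2.x address and the placeholder hashes are constructed; `CONFIG_AFTER` mirrors lrmoore's fix.

```python
import re

# Patterns for the few ASA/PIX 7.x config lines that decide how an SSH login is handled.
AAA_SSH_RE = re.compile(r"^aaa authentication ssh console (\S+)")
USERNAME_RE = re.compile(r"^username (\S+) password \S+")
SSH_ALLOW_RE = re.compile(r"^ssh \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")
SSH_VER_RE = re.compile(r"^ssh version (\d)")
SSH_TIMEOUT_RE = re.compile(r"^ssh timeout (\d+)")

def audit_ssh(config: str, max_timeout: int = 30) -> list[str]:
    """Return findings for the SSH-login pitfalls seen in the thread (empty list = clean)."""
    aaa_group, users, ssh_enabled, version, timeout = None, set(), False, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := AAA_SSH_RE.match(line):
            aaa_group = m.group(1)          # LOCAL or a RADIUS/TACACS+ server group
        elif m := USERNAME_RE.match(line):
            users.add(m.group(1))
        elif SSH_ALLOW_RE.match(line):
            ssh_enabled = True              # at least one 'ssh <ip> <mask> <interface>'
        elif m := SSH_VER_RE.match(line):
            version = int(m.group(1))
        elif m := SSH_TIMEOUT_RE.match(line):
            timeout = int(m.group(1))
    findings = []
    if ssh_enabled and aaa_group is None:
        # Root cause in the thread: without this line the 'username' table is never consulted.
        findings.append("missing 'aaa authentication ssh console LOCAL': username database ignored")
    if aaa_group == "LOCAL" and not users:
        findings.append("aaa LOCAL configured but no 'username' entries to authenticate against")
    if ssh_enabled and version != 2:
        findings.append("SSHv1 (DES) still negotiable; enforce 'ssh version 2' where the 3DES-AES key allows")
    if timeout is not None and timeout > max_timeout:
        findings.append(f"ssh timeout {timeout} minutes exceeds {max_timeout}")
    return findings

# Constructed samples (not the poster's real config): RFC 5737 documentation address,
# hashes replaced by placeholders. CONFIG_BEFORE has the shape of the config posted above.
CONFIG_BEFORE = """\
passwd <TELNET-HASH> encrypted
username admin password <HASH> encrypted privilege 15
ssh 192.0.2.10 255.255.255.255 inside
ssh version 1
ssh timeout 60
"""
# lrmoore's fix applied: local AAA for SSH, shorter idle timeout, no forced SSHv1.
CONFIG_AFTER = CONFIG_BEFORE.replace("ssh version 1\n", "").replace(
    "ssh timeout 60", "ssh timeout 5") + "aaa authentication ssh console LOCAL\n"
```

Running `audit_ssh(CONFIG_BEFORE)` reports the missing AAA line, SSHv1 and the 60-minute timeout; `CONFIG_AFTER` is left with only the SSHv1 note, which matches the "ssh version 2 requires a VPN-3DES-AES activation key" error in the debug above.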
Les Moore, Sr. Systems Engineer
Top Expert 2008

Glad you are working. Don't forget to select an answer and grade accordingly to close out this question.
