Solved

Cannot access ASA 5510 via SSH or Telnet | Syslog shows connection being rejected

Posted on 2009-05-04
Last Modified: 2012-05-06
I am trying to access the ASA via SSH or Telnet on interface Ethernet0/0; I cannot figure out why it is being denied, as shown by the syslog:

Inbound TCP connection denied from 192.168.1.145/58456 to 192.168.1.9/22 flags SYN  on interface inside
Inbound TCP connection denied from 192.168.1.145/58310 to 192.168.1.9/23 flags SYN  on interface inside

Posted below is my config.
ASA Version 8.0(4)
!
hostname asa
domain-name domain.local
enable password XXXXX encrypted
passwd XXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 0
 ip address 192.168.1.9 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.1.100.2 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
access-list inside_temp_in extended permit ip any any
access-list inside_temp_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
access-group inside_temp_in in interface inside
access-group inside_temp_out out interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.1.9
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.9 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password XXXXX encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: XXXXX

Question by: Tercestisi

5 Comments
Accepted Solution

by: Pete Long (earned 500 total points)

Only 192.168.1.9 can SSH inside?
Expert Comment

by: Pete Long

And no one can telnet?
Add the following:
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
Also you might need to run
crypto key generate rsa
to generate the certificate before SSH will work.
Expert Comment

by: Pete Long

^^^ This allows management from the entire inside network; to lock it to an individual IP, give it the IP and a 32-bit mask, i.e.
telnet 192.168.1.1 255.255.255.255 inside
ssh 192.168.1.1 255.255.255.255 inside

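Pete Long's point above is that the ssh and telnet statements are a per-interface allow list of management sources, not a listening-port setting: the posted "ssh 192.168.1.9 255.255.255.255 inside" admits only the ASA's own address, so every attempt from 192.168.1.145 is logged as denied. As an added example (not code from this thread or from Cisco), here is a small Python checker that reads those statements and the interfaces' security levels out of a running-config and explains each "Inbound TCP connection denied" syslog line against them. The config excerpt is trimmed from the posted config, the appended telnet/ssh statements are the ones from the accepted answer, and the third log line (a source 10.1.100.7 on the management interface) is constructed. The checker also flags one documented ASA restriction that applies to this config, where inside is the lowest-security interface (security-level 0): the ASA does not accept Telnet on its lowest-security interface except inside a VPN tunnel.

```python
import ipaddress
import re
from typing import NamedTuple

# Added example, not code from the thread or from Cisco: explain ASA "Inbound TCP connection
# denied" (message 106001) lines from the ssh/telnet statements and security levels in a config.

MGMT_PORTS = {22: "ssh", 23: "telnet"}
IP = r"(\d+(?:\.\d+){3})"
ACCESS_RE = re.compile(rf"^\s*(ssh|telnet)\s+{IP}\s+{IP}\s+(\S+)\s*$")  # <proto> <addr> <mask> <iface>
IFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
SECLVL_RE = re.compile(r"^\s*security-level\s+(\d+)")
DENY_RE = re.compile(rf"(?:%ASA-\d-106001:\s*)?Inbound TCP connection denied from {IP}/(\d+) "
                     rf"to {IP}/(\d+) flags (\S+)\s+on interface (\S+)")


class Rule(NamedTuple):
    proto: str                      # "ssh" or "telnet"
    network: ipaddress.IPv4Network  # permitted source addresses
    iface: str                      # interface those sources must arrive on


class Verdict(NamedTuple):
    proto: str
    src: str
    iface: str
    permitted: bool  # some ssh/telnet statement covers this source on this interface
    notes: list      # what to check next


def parse_config(text):
    """Return ([Rule], {nameif: security-level}) from ASA running-config text."""
    rules, levels, cur = [], {}, {}
    for line in text.splitlines():
        if IFACE_RE.match(line) or line.strip() == "!":
            cur = {}  # start (or end) of an interface block
        elif m := NAMEIF_RE.match(line):
            cur["nameif"] = m.group(1)
        elif m := SECLVL_RE.match(line):
            cur["level"] = int(m.group(1))
        elif m := ACCESS_RE.match(line):
            proto, addr, mask, iface = m.groups()
            rules.append(Rule(proto, ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), iface))
        if "nameif" in cur and "level" in cur:
            levels[cur["nameif"]] = cur["level"]
    return rules, levels


def explain_denial(logline, rules, levels):
    """Verdict for one 106001 line aimed at port 22 or 23; None for anything else."""
    m = DENY_RE.search(logline)
    if not m or int(m.group(4)) not in MGMT_PORTS:
        return None  # not a 106001 line, or not SSH/Telnet to the box itself
    src, _sport, _dst, dport, _flags, iface = m.groups()
    proto = MGMT_PORTS[int(dport)]
    src_ip = ipaddress.IPv4Address(src)
    covering = [r for r in rules if r.proto == proto and r.iface == iface and src_ip in r.network]
    notes = []
    if not covering:
        others = [str(r.network) for r in rules if r.proto == proto and r.iface == iface]
        notes.append(f"no '{proto}' statement on '{iface}' covers {src}"
                     + (f"; only {', '.join(others)} may connect" if others else ""))
    elif proto == "ssh":
        notes.append("source is permitted; if SSH still fails, check 'show crypto key mypubkey rsa' "
                     "and the user database named by 'aaa authentication ssh console'")
    elif levels and levels.get(iface) == min(levels.values()):
        notes.append(f"'{iface}' has the lowest security-level ({levels[iface]}); the ASA does not "
                     "accept Telnet on its lowest-security interface except inside a VPN tunnel")
    return Verdict(proto, src, iface, bool(covering), notes)


# The two denial lines from the question plus one constructed line carrying the syslog prefix.
SAMPLE_LOG = """\
Inbound TCP connection denied from 192.168.1.145/58456 to 192.168.1.9/22 flags SYN  on interface inside
Inbound TCP connection denied from 192.168.1.145/58310 to 192.168.1.9/23 flags SYN  on interface inside
%ASA-2-106001: Inbound TCP connection denied from 10.1.100.7/40001 to 10.1.100.2/22 flags SYN on interface management
"""

# Excerpt of the posted config (only lines the checker reads); FIXED_CONFIG adds the answer's two lines.
ORIGINAL_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 0
!
interface Management0/0
 nameif management
 security-level 100
!
ssh 192.168.1.9 255.255.255.255 inside
ssh timeout 5
"""
FIXED_CONFIG = ORIGINAL_CONFIG + "telnet 192.168.1.0 255.255.255.0 inside\nssh 192.168.1.0 255.255.255.0 inside\n"


def audit(config_text, log_text):
    """Every Verdict for a config/log pair, in log order."""
    rules, levels = parse_config(config_text)
    return [v for v in (explain_denial(l, rules, levels) for l in log_text.splitlines()) if v]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for v in audit(cfg, SAMPLE_LOG):
            print(label, v.proto, "from", v.src, "on", v.iface, "permitted" if v.permitted else "DENIED", v.notes)
```

Against the original config all three attempts come back with no covering statement; against the fixed config the SSH and Telnet attempts from 192.168.1.145 are permitted, but the Telnet verdict carries the lowest-security-interface caveat and SSH on the management interface is still denied because no ssh statement names that interface. The "virtual telnet 192.168.1.9" line in the posted config plays no part in this: it is the cut-through-proxy authentication address, not a Telnet management permit.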
Author Comment

by: Tercestisi

Oh, I thought the ssh command was to define what port on the ASA would accept connections... silly me - thanks!

Author Comment

by: Tercestisi

Hmm... I added the entire 192.168.1.0 network and rebuilt the key, but I am getting the same response in my syslog.
