Solved

Cannot access ASA 5510 via SSH or Telnet | Syslog shows connection being rejected

Posted on 2009-05-04
5
1,924 Views
Last Modified: 2012-05-06
I am trying to access the ASA vis SSH or Telnet on interface Ethernet0/0; I cannot figure out why it is being denied as shown by the syslog:

Inbound TCP connection denied from 192.168.1.145/58456 to 192.168.1.9/22 flags SYN  on interface inside
Inbound TCP connection denied from 192.168.1.145/58310 to 192.168.1.9/23 flags SYN  on interface inside

Posted below is my config.
ASA Version 8.0(4)
!
hostname asa
domain-name domain.local
enable password XXXXX encrypted
passwd XXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 0
 ip address 192.168.1.9 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.1.100.2 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
access-list inside_temp_in extended permit ip any any
access-list inside_temp_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
access-group inside_temp_in in interface inside
access-group inside_temp_out out interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.1.9
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.9 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password XXXXX encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: XXXXX

Open in new window

0
Comment
Question by:Tercestisi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 24302597
Only 192.168.1.9 can SSH inside ?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24302617
And no one can telnet?
Add the following
telnet 192.168.1.0 255.255.255.0 inside
ssh192.168.1.0 255.255.255.0 inside
Also you might need to run
crypto key generate rsa
 
to generate the certificate before SSH will work.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24302623
^^^ this allows management from the entire inside network, to lock it to an individual IP give it the IP and a 32 bit mask
ie
telnet 192.168.1.1 255.255.255.255 inside
ssh192.168.1.1 255.255.255.255 inside  
0
 

Author Comment

by:Tercestisi
ID: 24306206
Oh, I thought the ssh command was to define what port on the ASA would accept connections... silly me - thanks!
0
 

Author Comment

by:Tercestisi
ID: 24307265
Hmm... I added the entire 192.168.1.0 network and rebuilt the key but I am getting the same response in my syslog.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question