• Status: Solved
  • Priority: Medium
  • Security: Public

Why is the ASA firewall not accessible by ssh or telnet?

This is using an ASA 5505 firewall, with both ssh and telnet configured to allow access from the Internet. There is a supporting router in front of the firewall. This router is a 1941, with both ssh and telnet accessible from the Internet. Currently, the firewall allows users to surf the Internet. The problem is my global support team can't ssh/telnet to the firewall from the Internet. Why?

Please see the config files
asa5505-config.txt
router1941-config.txt
0
MezzutOzil
Asked:
1 Solution
 
Ernie Beek Commented:
You'll need a user:
username test password test123
And tell the ASA to use local authentication:
aaa authentication ssh console LOCAL
Then a domain name:
domain-name mydomain.com
And create an RSA key:
crypto key generate rsa modulus 1024

Let's see how things go then.
0
 
MezzutOzil Author Commented:
Hi erniebeek,

Still the same. This time round, when trying ssh, I can see the ssh version, but no user name prompt...
0
 
Ernie Beek Commented:
Ok,
What if you try to set up an ssh from the router to the firewall?
0
 
MezzutOzil Author Commented:
Hi erniebeek,

Only see the SSH > SSH-1.99-Cisco-1.25
0
 
MezzutOzil Author Commented:
Hi erniebeek,

Does any access list have to be set on the router interface(s)?
0
 
Ernie Beek Commented:
No, it's just routing so it should pass everything through.
I'm curious about that response though. What command did you give on the router to connect to the firewall? Could you show a screendump?
0
 
MezzutOzil Author Commented:
Please see the updated asa 5505 config file...
asa5505-config2.txt
0
 
MezzutOzil Author Commented:
Hi erniebeek,

I'm sorry, I don't really get you, can you explain in more detail?
0
 
Ernie Beek Commented:
When you log on to the router and from there try to set up an SSH session to the firewall, like:

ssh -l ciscoadmin x.x.x.x with x.x.x.x being the public ip of the ASA

What do you see?
0
 
MezzutOzil Author Commented:
Hi erniebeek,

I can connect to the firewall ASA without problem...
0
 
Ernie Beek Commented:
Ok, so you can ssh from the router to the outside of the ASA. That means the ASA config is ok.

Looking at the router I can't see anything that might be blocking an ssh passthrough......
It might be a good idea to check with your provider (singnet/singtel, is it?) and check if they are blocking ssh traffic.
0
 
MezzutOzil Author Commented:
Excellence!
0
 
Ernie Beek Commented:
Ah so the ISP did it :)
Glad it's solved. Thx for the points.
0
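Added example, not part of the thread or any participant's post: a Python sketch of the isolation step used above, reading the SSH identification string from two vantage points (one adjacent to the device, one remote) and deciding whether a failure sits on the device or on the path. The function names `parse_ssh_banner`, `probe` and `localize` and the sample results are assumptions made for illustration.

```python
import socket

def parse_ssh_banner(line):
    """Parse an RFC 4253 identification string: SSH-protoversion-softwareversion [comments]."""
    ident, _, comments = line.strip().partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH" or not parts[1] or not parts[2]:
        return None
    proto = parts[1]
    return {
        "proto": proto,
        "software": parts[2],
        "comments": comments,
        # "1.99" means an SSH-2 server that still accepts SSH-1 clients (RFC 4253, section 5.1).
        "accepts_ssh1": proto.startswith("1."),
        "accepts_ssh2": proto in ("2.0", "1.99"),
    }

def probe(host, port=22, timeout=5.0):
    """Connect and read the server's first bytes; returns (kind, text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(255)
    except ConnectionRefusedError:
        return ("refused", "")       # something answered with a TCP reset
    except (socket.timeout, TimeoutError):
        return ("timeout", "")       # silently dropped, typical of filtering
    except OSError:
        return ("unreachable", "")
    # A server may send other lines before its version string (RFC 4253, section 4.2).
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("SSH-"):
            return ("banner", line.strip())
    return ("no_banner", "")

def localize(adjacent, remote):
    """Compare a probe from next to the device with one from the far side of the path."""
    if adjacent[0] != "banner":
        return "device"      # the listener itself is not answering: check the device config
    if remote[0] != "banner":
        return "upstream"    # device answers locally, so the block is on the path
    return "reachable"       # banner from both sides: look at authentication instead

if __name__ == "__main__":
    # Constructed results: the device answers an adjacent probe, a remote probe times out.
    print(parse_ssh_banner("SSH-1.99-Cisco-1.25"))
    print(localize(("banner", "SSH-1.99-Cisco-1.25"), ("timeout", "")))
```

Run `probe()` once from a host next to the device and once from the remote side, then pass both results to `localize()`; the parsed banner also shows whether the device still accepts SSH-1 clients.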
