QuietBot
asked on
SSH/Telnet remote access issue Cisco ASA 5505
I have a Cisco ASA 5505, and I'm trying to be able to access it externally using either telnet or SSH (preferred). Currently I can only log in using Telnet, locally. SSH fails over both interfaces as well. Here's my config:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password 3EeJwoNfH.jz3rkT encrypted
passwd 3EeJwoNfH.jz3rkT encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.40.30.20 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
access-list outside_access_in extended permit tcp any host 50.40.30.20 eq telnet
no pager
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.40.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet 50.40.30.170 255.255.255.255 outside
telnet timeout 120
ssh 50.40.30.168 255.255.255.248 outside
ssh 50.40.30.170 255.255.255.255 outside
ssh timeout 5
console timeout 0
username admin password z0IzJ4hcCD/r6IqT encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17d131ec895 17df6786fb 7a2fcfda6e 2
: end
ASKER
ciscoasa(config)# username admin password password
ciscoasa(config)# Passwd password
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# ssh 50.40.30.170 255.255.255.0 outside
ciscoasa(config)# aaa authentication ssh console LOCAL
That's what I ran.
How would you suggest I clear everything? Is that just running a zeroize?
ASKER
I now can access SSH over the internal interface; I noticed that I didn't have it in my config, so I added it and now I can get in. So I can get to SSH and telnet locally; however, I still cannot connect to either remotely.
>>ciscoasa(config)# ssh 50.40.30.170 255.255.255.0 outside
Looks like a typo here. If it's your host then change the mask to 255.255.255.255.
Also, I think you need to add the SSH port to your ACL on the outside interface for this host.
ASKER
That was just a typo on here; the config has the right subnet mask.
I was wondering if maybe I have to forward the port, but figured if it was coming directly into the firewall I wouldn't have to. Plus, none of the sites Google gave me said anything about enabling port forwarding for either telnet or SSH, and I have another firewall that's working and I didn't see any ACLs for it in that one.
You don't need port forwarding, you might still need to allow the traffic.
access-list outside_access_in extended permit tcp host 50.40.30.170 host 50.40.30.20 eq 22
ASKER
access-list outside_access_in extended permit tcp any host 50.40.30.20 eq telnet
Shouldn't this do the trick with telnet at least, though?
This shouldn't be this difficult.
As a sanity check,
access-list outside_access_in extended permit tcp any any eq telnet
telnet 0.0.0.0 0.0.0.0 outside
Those open up everything. If that fails, then SHOW LOGGING to look in the log. Something else must be happening.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
ASKER
I can still access SSH internally, but after adding "ssh 0 0 outside" I still can't SSH into the ASA. I removed the old entries, so the only entries are "ssh 0 0 outside" and "ssh 192.168.1.0 255.255.255.0 inside".
Hi,
If by any chance you have changed the hostname of the ASA, you need to recreate the RSA key:
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa# wr m
Either way, you will have to reload the ASA and try again.
Your configuration is OK.
Then you should make sure that you are allowed to reach port 22 when trying to SSH to the ASA from outside (e.g. you should have unrestricted internet access, not filtered by a proxy).
max
ASKER
I tried rekeying with no luck, but wasn't too optimistic since the keys authenticate locally.
Not sure if this is related, but I can ping the internal interface just fine, but when behind another ISP I can't ping the external one. Also, debug ssh/telnet doesn't show any connection when I try to connect remotely, so it appears as if it isn't even making it to the firewall.
As for the ISP: the ASA sits behind a Comcast cable modem, which shouldn't be proxied, right?
It is normal behaviour that you can't ping the ASA from outside; that is not an issue.
The ASA is not proxied, of course ... I asked about the ISP of your PC when you connect from outside.
No use in debugging the SSH connection.
I do not know if it applies, but please note that you can SSH to the ASA's public IP only from outside (e.g. from an ISP different from the one the ASA is connected to): in other words, when you're on the inside LAN you will only be able to SSH to the inside interface IP.
Hope this clarifies.
max
ASKER
I thought you can't ping by default; I or someone else must've enabled it on the outside interface of my other ASA.
I know you can't access the outside interface while on the inside. I'm wired in to this ASA and on WiFi behind our other ASA in production, and I unplug when doing tests to make sure I'm not trying to access the outside through the inside.
So to clarify: even when I'm on a separate network (even over 3G; I tried to SSH from my iPhone with WiFi off), still no dice.
I appreciate all the help, guys. Anything else this could be?
Well, if you have checked all of the above, we can be sure enough that the problem lies neither in your way of connecting nor in the configuration.
When I had this type of problem on the ASA, I solved it by recreating the RSA key and reloading the ASA: it worked fine for me.
max
ASKER
I believe Comcast is the culprit here. It looks like they (contrary to what several of them told me) were blocking several ports, and this was one of them. I had to call them about a forwarding issue with port 80, and when they resolved that, it fixed this as well.
Thanks everybody for your help, appreciate it!
If you've generated a key and it still doesn't work, try rebooting the ASA. If it still doesn't work, I would remove the commands, zeroize the key and start over. There are only four things required for SSH: host name, domain name, where it's permitted from, and a generated key. It should work otherwise, but I've seen situations where it failed because of a certificate problem, and we cleared everything out, started over and it worked the second time.
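A small running-config audit for the checklist in the answer above (hostname, domain name, where SSH is permitted from) plus the host-mask typo pointed out earlier in the thread. This is added example code, not anything posted in the thread; it assumes a config in the format pasted in the question, and because the RSA key is stored outside the running config it does not check for the key.

```python
import ipaddress

# Constructed sample (only the lines that matter, not the asker's full config),
# including the 'ssh ... outside' line that still carries the /24 mask.
SAMPLE_CONFIG = """\
hostname ciscoasa
domain-name domain.local
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 50.40.30.170 255.255.255.0 outside
ssh timeout 5
"""

def ssh_permits(lines):
    """Yield (raw_line, ip, network, iface) per 'ssh <ip> <mask> <iface>' line; '0 0' = 0.0.0.0 0.0.0.0."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue  # 'ssh timeout 5', 'ssh version 2' and similar are not address entries
        ip, mask = ["0.0.0.0" if p == "0" else p for p in parts[1:3]]
        try:
            yield line, ip, ipaddress.ip_network(f"{ip}/{mask}", strict=False), parts[3]
        except ValueError:
            continue  # four-token ssh line that is not an address entry

def audit_ssh(config, client_ip, iface):
    """Return findings for SSH from client_ip to the interface named iface;
    an empty list means every running-config check passed (the RSA key is not checked)."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    for key in ("hostname", "domain-name"):
        if not any(l.startswith(key + " ") for l in lines):
            findings.append(f"missing '{key}': needed before an RSA key can be generated")
    if f"nameif {iface}" not in lines:
        findings.append(f"no interface carries 'nameif {iface}'")
    client = ipaddress.ip_address(client_ip)
    permitted = False
    for raw, ip, net, net_iface in ssh_permits(lines):
        if net_iface != iface:
            continue
        permitted = permitted or client in net
        # Host bits set under the mask: a host entry with the wrong mask (255.255.255.0 for 255.255.255.255).
        if ipaddress.ip_address(ip) != net.network_address:
            findings.append(f"'{raw}' has host bits set; a single host needs mask 255.255.255.255")
    if not permitted:
        findings.append(f"no 'ssh' line on {iface} permits {client_ip}")
    return findings
```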