SSH/Telnet remote access issue Cisco ASA 5505

I have a Cisco ASA 5505, and I'm trying to be able to access it externally using either telnet or SSH (preferred). Currently I can only log in using Telnet, locally. SSH fails over both interfaces as well. Here's my config:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.local
enable password 3EeJwoNfH.jz3rkT encrypted
passwd 3EeJwoNfH.jz3rkT encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.40.30.20 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list outside_access_in extended permit tcp any host 50.40.30.20 eq telnet
no pager
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.40.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet 50.40.30.170 255.255.255.255 outside
telnet timeout 120
ssh 50.40.30.168 255.255.255.248 outside
ssh 50.40.30.170 255.255.255.255 outside
ssh timeout 5
console timeout 0
username admin password z0IzJ4hcCD/r6IqT encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17d131ec89517df6786fb7a2fcfda6e2
: end
QuietBotAsked:

John MeggersNetwork ArchitectCommented:
So for SSH, did you generate a crypto key?  Your current SSH config will only let you come in from the outside subnet.  Seems like you probably want to expand that.  You might also add the inside subnet as valid.

If you've generated a key and it still doesn't work, try rebooting the ASA.  If it still doesn't work, I would remove the commands, zeroize the key and start over.  There are only four things required for SSH: host name, domain name, where it's permitted from, and a generated key.  It should work otherwise, but I've seen situations where it failed because of a certificate problem, and we cleared everything out, started over and it worked the second time.
0
QuietBotAuthor Commented:
ciscoasa(config)# username admin password password

ciscoasa(config)# Passwd password

ciscoasa(config)# crypto key generate rsa modulus 1024

ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside

ciscoasa(config)# ssh 50.40.30.170 255.255.255.0 outside

ciscoasa(config)# aaa authentication ssh console LOCAL

That's what I ran.

How would you suggest I clear everything? Is that just running a zeroize?
0
QuietBotAuthor Commented:
I now can access SSH over the internal interface. I noticed that I didn't have it in my config, so I added it and now I can get in. So I can get to SSH and telnet locally; however, I still cannot connect to either remotely.
0

MikeKaneCommented:
>>ciscoasa(config)# ssh 50.40.30.170 255.255.255.0 outside
Looks like a typo here. If it's your host then change the mask to 255.255.255.255.

Also, I think you need to add the SSH port to your ACL on the outside interface for this host.
0
QuietBotAuthor Commented:
That was just a typo on here, the config has the right subnet mask

I was wondering if maybe I have to forward the port, but figured if it was coming directly into the firewall I wouldn't have to. Plus, none of the sites Google gave me said anything about enabling port forwarding for either telnet or SSH. Also, I have another firewall that's working and I didn't see any ACLs for it in that one.
0
MikeKaneCommented:
You don't need port forwarding, you might still need to allow the traffic.  

access-list outside_access_in extended permit tcp host 50.40.30.170 host 50.40.30.20 eq 22

0
QuietBotAuthor Commented:
access-list outside_access_in extended permit tcp any host 50.40.30.20 eq telnet

Shouldn't this do the trick with telnet at least, though?
0
MikeKaneCommented:
This shouldn't be this difficult.  

As a sanity check,
access-list outside_access_in extended permit tcp any any eq telnet
telnet 0.0.0.0 0.0.0.0 outside

Those open up everything.   If that fails, then SHOW LOGGING to look in the log.  Something else must be happening.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
0
max_the_kingCommented:
Hi,
with Cisco ASA you will never be allowed to telnet its interface from outside.
Your configuration should work fine.
If you are sure that from inside you can ssh the ASA, then you might have set the wrong IP in the command
ssh <your ip> <your mask> outside

To be sure that the problem resides there, you can temporarily open up every IP to SSH:

ssh 0 0 outside

Besides, you do not need any access-list for doing ssh to ASA

hope this helps
max
0
ajaparihCommented:
Max is right. You don't need to define any ACL for it. You are allowing a host with a network mask as a subnet; just use 255.255.255.255, or define a network in place of the host.
0
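A quick way to see what those ssh/telnet lines really permit is to parse them rather than eyeball them. The script below is an added example, not code from the thread or from Cisco; the function names are mine. It reads the remote-access lines from the asker's config (as a constructed sample, with the "ssh 50.40.30.170 255.255.255.0 outside" line from the follow-up comment kept on purpose), answers whether a given source address would be accepted for a given service on a given interface, and flags the two mistakes raised in the thread: a host address typed with a network mask, which quietly widens the permit to the whole /24, and telnet permitted on the outside interface, which the ASA does not honour on its lowest-security interface outside an IPsec tunnel. It also warns when SSH is opened to any source on the outside interface, since "ssh 0 0 outside" should stay a temporary test.

```python
import ipaddress
import re

# Constructed sample: the remote-access lines from the asker's running config,
# plus the "ssh 50.40.30.170 255.255.255.0 outside" line from the follow-up
# comment, kept on purpose to show what the wrong mask really permits.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.40.30.20 255.255.255.248
telnet 192.168.1.0 255.255.255.0 inside
telnet 50.40.30.170 255.255.255.255 outside
telnet timeout 120
ssh 192.168.1.0 255.255.255.0 inside
ssh 50.40.30.170 255.255.255.0 outside
ssh 50.40.30.168 255.255.255.248 outside
ssh timeout 5
"""

# Matches "<ssh|telnet> <address> <mask> <interface>"; lines such as
# "ssh timeout 5" have a non-numeric second field and are skipped.
MGMT_RE = re.compile(r"^(ssh|telnet)\s+(\d[\d.]*)\s+(\d[\d.]*)\s+(\S+)$")


def parse_mgmt_entries(config):
    """Return a list of (service, raw_address, network, interface) tuples.

    The ASA accepts the shorthand "ssh 0 0 outside", so a bare "0" is
    expanded to 0.0.0.0 before the address/mask pair becomes a network.
    """
    entries = []
    for raw in config.splitlines():
        m = MGMT_RE.match(raw.strip())
        if not m:
            continue
        service, addr, mask, iface = m.groups()
        addr = "0.0.0.0" if addr == "0" else addr
        mask = "0.0.0.0" if mask == "0" else mask
        # strict=False mirrors the ASA: host bits in the address are
        # ignored and the whole network is permitted.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((service, addr, net, iface))
    return entries


def is_permitted(entries, service, src_ip, iface):
    """True if the ASA would accept a <service> session from src_ip on iface."""
    src = ipaddress.ip_address(src_ip)
    return any(s == service and i == iface and src in net
               for s, _, net, i in entries)


def lint_entries(entries, outside_iface="outside"):
    """Return (kind, line) findings for the mistakes discussed in the thread."""
    findings = []
    for service, addr, net, iface in entries:
        line = f"{service} {addr} {net.netmask} {iface}"
        if ipaddress.ip_address(addr) != net.network_address:
            # e.g. 50.40.30.170 with 255.255.255.0: a host typed with a
            # network mask, which actually permits all of 50.40.30.0/24.
            findings.append(("host-bits", line))
        if service == "telnet" and iface == outside_iface:
            # The ASA does not allow Telnet to its lowest-security interface.
            findings.append(("telnet-outside", line))
        if service == "ssh" and iface == outside_iface and net.prefixlen == 0:
            # "ssh 0 0 outside" exposes the management plane to the Internet.
            findings.append(("any-source", line))
    return findings


if __name__ == "__main__":
    entries = parse_mgmt_entries(SAMPLE_CONFIG)
    for kind, line in lint_entries(entries):
        print(f"{kind:15} {line}")
    for ip in ("50.40.30.170", "50.40.30.99", "203.0.113.5"):
        print(ip, "ssh from outside:", is_permitted(entries, "ssh", ip, "outside"))
```

Run against the sample, the lint reports the telnet-on-outside line and the /24 typo, and is_permitted shows the side effect of that typo: 50.40.30.99, a host nobody meant to allow, is accepted for SSH on the outside interface until the mask is corrected to 255.255.255.255.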
QuietBotAuthor Commented:
I can still access SSH internally, but after adding "ssh 0 0 outside" I still can't SSH into the ASA. I removed the old entries so the only entries are "ssh 0 0 outside" and "ssh 192.168.1.0 255.255.255.0 inside".

0
max_the_kingCommented:
Hi,
if by any chance you have changed the hostname of ASA you need to recreate the RSA key:
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa#wr m

either way you will have to reload the ASA and try again.
Your configuration is ok.
Then you should be sure that you are allowed to get access to port 22 when trying to ssh ASA from outside (e.g.: you should have free internet access, not filtered by a proxy)

max
0
QuietBotAuthor Commented:
I tried rekeying with no luck, but I wasn't too optimistic since the keys authenticate locally.

Not sure if this is related, but I can ping the internal interface just fine, but when behind another ISP I can't ping the external one. Also, debug ssh/telnet doesn't show any connection when I try to connect remotely, so it appears as if it isn't even making it to the firewall.

As for the ISP: the ASA sits behind a Comcast cable modem, which shouldn't be proxied, right?
0
max_the_kingCommented:
It is normal behaviour that you can't ping the ASA from outside; that is not an issue.
The ASA is not proxied, of course ... I asked about the ISP of your PC when you connect from outside.
No use in debugging the SSH connection.
I do not know if it applies, but please note that you can SSH to the ASA's public IP only from outside (e.g. from an ISP different from the one connected to the ASA): in other words, when you're on the inside LAN you will only be able to SSH to the inside interface IP.
Hope this clarifies.
max
0
QuietBotAuthor Commented:
I thought you can't ping by default. I or someone else must've enabled it on the outside interface of my other ASA.

I know you can't access the outside interface while on the inside. I'm wired into this ASA and on Wi-Fi behind our other ASA in production, and I unplug when doing tests to make sure I'm not trying to access the outside through the inside.

So to clarify, even when I'm on a separate network (even over 3G; I tried to SSH over my iPhone with Wi-Fi off), still no dice.

I appreciate all the help guys, anything else this could be?
0
max_the_kingCommented:
Well, if you have checked all of the above, we can be sure enough that the problem lies neither in your way of connecting nor in the configuration.
When I had this type of problem in the ASA, I solved by recreating the RSA key and reloading the ASA: it worked fine for me.
max
0
shareditCommented:
Is the cable modem truly just a cable modem, or does it do some sort of "routing"?

All devices like that should be transparently bridged. But I think I may have seen some modem/routers that blocked some things like that even when bridged. I'm recalling sending back a modem that wouldn't work for a business network earlier this year, for some inability to bridge it.

I am a little confused about this ASA, you mention another ASA in production.  Is this ASA in place on your network, or in some sort of test environment?  Is it always on the internet?

I agree with Max that a problem like this is usually resolved by regenerating the key. I would make use of the ASDM and check for connections in logging on the outside interface; you say you are not seeing any connections, which is concerning.

We are positive the only ssh command on the outside interface is "ssh 0.0.0.0 0.0.0.0 outside"?
0
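When the debug shows nothing, the ASA's own syslog (show logging, or the log viewer in ASDM) is what tells you whether the packets got as far as the firewall. The script below is an added example, not from the thread; it runs over a handful of constructed log lines written in the shape of the ASA messages I assume apply to to-the-box SSH/Telnet traffic (message IDs 710003, 710005, 605004 and 605005 are my assumption, not something the thread cites; the addresses are documentation ranges plus the asker's 50.40.30.x addresses). For the address you tested from, it reports whether the ASA rejected the session because the source is outside the ssh permit list, rejected or accepted the login, has no service on that port, or never saw the traffic at all, which is the case that points upstream, as it eventually did in this thread.

```python
import re

# Constructed sample of `show logging` output. The formats follow the ASA
# syslog IDs I assume for to-the-box sessions (710003: source not permitted
# by the ssh/telnet command; 710005: no service on that port on that
# interface; 605004/605005: login denied/permitted). The 302013 line is a
# through-the-box connection and must be ignored by the triage.
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 203.0.113.7/51234 to outside:50.40.30.20/22
%ASA-6-605005: Login permitted from 50.40.30.170/52000 to outside:50.40.30.20/ssh for user "admin"
%ASA-6-605004: Login denied from 50.40.30.170/52001 to outside:50.40.30.20/ssh for user "admin"
%ASA-3-710005: TCP request discarded from 198.51.100.9/40000 to outside:50.40.30.20/23
%ASA-6-302013: Built inbound TCP connection 88 for outside:203.0.113.7/51240 (203.0.113.7/51240) to inside:192.168.1.10/80 (50.40.30.20/80)
"""

# Common shape of the to-the-box messages: "... from SRC/PORT to IFC:DST/SERVICE".
EVENT_RE = re.compile(
    r"%ASA-\d-(?P<id>\d{6}): .*?from (?P<src>[\d.]+)/\d+ to "
    r"(?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+)"
)

# Some messages log the port number, others the service name; normalise both.
SERVICE_NAMES = {"22": "ssh", "23": "telnet"}

LOGIN_OK = "reached the ASA and the login was permitted"
LOGIN_DENIED = "reached the ASA but the login was denied (check credentials / aaa)"
NOT_PERMITTED = "reached the ASA but the source is not in the ssh/telnet permit list"
NO_SERVICE = "reached the ASA but the service is not enabled on that interface"
NO_TRACE = "no trace on the ASA: check the logging level, then the path upstream (modem, ISP)"

VERDICT_BY_ID = {
    "605005": LOGIN_OK,
    "605004": LOGIN_DENIED,
    "710003": NOT_PERMITTED,
    "710005": NO_SERVICE,
}


def parse_events(log_text):
    """Yield (msg_id, src, interface, service) for each to-the-box message."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        svc = SERVICE_NAMES.get(m["svc"], m["svc"])
        yield m["id"], m["src"], m["ifc"], svc


def triage(log_text, src_ip, service="ssh", interface="outside"):
    """Explain what happened to <service> attempts from src_ip on <interface>."""
    seen = [
        VERDICT_BY_ID[msg_id]
        for msg_id, src, ifc, svc in parse_events(log_text)
        if src == src_ip and ifc == interface and svc == service
        and msg_id in VERDICT_BY_ID
    ]
    if not seen:
        return NO_TRACE
    # Several attempts may be logged; report the furthest stage any reached.
    for verdict in (LOGIN_OK, LOGIN_DENIED, NOT_PERMITTED, NO_SERVICE):
        if verdict in seen:
            return verdict
    return NO_TRACE


if __name__ == "__main__":
    for ip in ("203.0.113.7", "50.40.30.170", "198.51.100.9", "192.0.2.44"):
        print(f"{ip:15} ssh    -> {triage(SAMPLE_LOG, ip)}")
    print(f"{'198.51.100.9':15} telnet -> {triage(SAMPLE_LOG, '198.51.100.9', 'telnet')}")
```

The useful distinction is between the first three verdicts, which all mean the packet arrived and the fix is on the ASA, and the last one, which means nothing arrived and no amount of rekeying or ACL editing on the ASA will help. A 710003 from your test address is the signature of the wrong-mask or missing-source problem discussed earlier in the thread; a 605004 means the permit list is right and the credentials or aaa line are not.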
QuietBotAuthor Commented:
I believe comcast is the culprit here, looks like they (against what several of them told me), were blocking several ports and this was one of them. I had to call them about a forwarding issue with port 80 and when they resolved that, it fixed this as well.

Thanks everybody for your help, appreciate it!
0