
Outside SSH to ASA 5505 does not work

ASA Version 8.2(1)
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.17.x.x 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_access_in extended permit tcp any interface outside eq 3389 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255 

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.17.112.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
 
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXX password Rv97LZTaW7hwMJ6z encrypted privilege 15
!
!
prompt hostname context 
Cryptochecksum:855b1ffb640e3b0d5e99f1bfc42ff878

Asked by: dhuff2012

13 Solutions
 
Ken Boone (Network Consultant) commented:
Did you generate a crypto key?

crypto key generate rsa modulus 1024

?

dhuff2012 (Author) commented:
Yes, however when I enter the username asa and the login password I can't log in.

Ken Boone (Network Consultant) commented:
Add this:

aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL

dhuff2012 (Author) commented:
Still doesn't work.  This is the current config:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.08.29 13:31:30 =~=~=~=~=~=~=~=~=~=~=~=
wr t
: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd gPmtuWCfb8uToFuQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.17.x.x 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_access_in extended permit tcp any interface outside eq 3389 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxxx password Rv97LZTaW7hwMJ6z encrypted privilege 15
!
!
prompt hostname context 
Cryptochecksum:e94b1855f93f6b4ec3d23e04fa76ed74
: end
[OK]

ciscoasa#


Ken Boone (Network Consultant) commented:
I don't see:
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
in the current config.

Are you actually outside the ASA when you try to connect to it via ssh?

Jan Springer commented:
Try putting in a specific IP and/or subnet instead of 0.0.0.0.

A typical ssh setup:

1) generate the crypto key
2) configure aaa
3) add the username
4) permit the remote ssh connection

Ken Boone (Network Consultant) commented:
Add ssh 0.0.0.0 0.0.0.0 inside and make sure you can access it via the inside first.
How are you accessing the box now?  console?

dhuff2012 (Author) commented:
Yes, console.  I just tried ssh from the inside and I get the same message.  "Access Denied".

Ken Boone (Network Consultant) commented:
Add telnet 0.0.0.0 0.0.0.0 inside and make sure you can telnet from the inside.

Also save the config and reboot the box.

Ken Boone (Network Consultant) commented:
So wait a second, you don't have to enter a username/password on the console. You probably have a typo in the password.

Enter a new username of test with a password of test with a priv level of 15 and try that.

Something simple just to make sure you don't have a typo. If that works then delete it and redo the original username.

dhuff2012 (Author) commented:
I have removed and recreated the following

generate the crypto key
configure aaa
add the username test password test priv 15
permit the remote ssh connection

I can't telnet or ssh from inside.  Nor can I ssh from the Internet.  I am currently connected by console.  I will schedule a reboot.  I will post my results.

Thanks for your help.  

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.08.29 14:27:24 =~=~=~=~=~=~=~=~=~=~=~=
wr t
: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd gPmtuWCfb8uToFuQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.17.x.x 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_access_in extended permit tcp any interface outside eq 3389 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.17.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username test password P4ttSyrm33SV8TYp encrypted privilege 15

!
!
prompt hostname context 
Cryptochecksum:92482dcba0de7b61ee98b055cae26f70
: end
[OK]

ciscoasa#


Jan Springer commented:
Have you tried to ssh permit an explicit IP instead of 0.0.0.0?

fgasimzade commented:
Enable debug with

debug ssh

and see what is going on when you connect

fgasimzade commented:
I would also suggest reloading, it helped with the same issue a couple of times.

Ernie Beek (Expert) commented:
Also, create a domain name in the ASA and try to generate a crypto key again.

domain-name blah.local or similar.
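
The checklist in Jan Springer's post, the two aaa lines Ken Boone gave, and the domain-name point just above can be turned into a quick lint over a saved running-config. The Python below is an added example, not code from the thread or from Cisco. It runs on a constructed sample config modeled on the dumps posted in this thread, with placeholder password hashes and a documentation-range outside address, and reports which of the required pieces are present, which are missing, and whether the SSH permit line on the outside interface admits any source. The RSA key does not appear in show running-config, so that step cannot be verified from the text and stays manual.

```python
"""Lint an ASA 'show running-config' dump for the SSH prerequisites discussed above.

Added example, not code from the thread or from Cisco. It checks the saved
config text for: an 'ssh <ip> <mask> <interface>' permit line, the
'aaa authentication ssh console LOCAL' line, a username with privilege 15,
a domain-name, and 'ssh version 2'. It also flags an SSH permit on the
outside interface that admits any source address. The RSA key itself is
not in the running-config, so that step cannot be checked here.
"""
import re
from typing import Dict, List

# Constructed sample modeled on the dumps posted in the thread; hashes are
# placeholders and the outside address is from the documentation range.
SAMPLE_CONFIG = """\
ASA Version 8.2(1)
hostname ciscoasa
enable password PLACEHOLDERHASH0 encrypted
passwd PLACEHOLDERHASH1 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
username test password PLACEHOLDERHASH2 encrypted privilege 15
"""

# 'ssh <ip> <mask> <interface>'; other three-word 'ssh ...' forms are excluded below.
SSH_PERMIT = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)$")
NOT_PERMIT_KEYWORDS = {"timeout", "version", "scopy", "key-exchange", "cipher", "stricthostkeycheck"}
USERNAME = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)\b")
REQUIRED_AAA = "aaa authentication ssh console LOCAL"


def lint_ssh_config(config: str) -> Dict[str, object]:
    """Return the SSH permit lines, privileged users, missing items and risks found."""
    lines = [ln.strip() for ln in config.splitlines()]
    permits: List[Dict[str, str]] = []
    users: Dict[str, int] = {}
    for ln in lines:
        m = SSH_PERMIT.match(ln)
        if m and m.group(1) not in NOT_PERMIT_KEYWORDS:
            permits.append({"ip": m.group(1), "mask": m.group(2), "interface": m.group(3)})
        m = USERNAME.match(ln)
        if m:
            users[m.group(1)] = int(m.group(2))

    missing: List[str] = []
    if REQUIRED_AAA not in lines:
        # Without this the ASA does not consult the username table for SSH; the
        # debug output in the thread shows it as "user authen method is 'no AAA'".
        missing.append(REQUIRED_AAA)
    if not any(ln.startswith("domain-name ") for ln in lines):
        missing.append("domain-name <name>")
    if not permits:
        missing.append("ssh <ip> <mask> <interface>")
    if not any(level == 15 for level in users.values()):
        missing.append("username <name> password <pw> privilege 15")
    if "ssh version 2" not in lines:
        missing.append("ssh version 2")

    risks: List[str] = []
    for p in permits:
        if p["mask"] == "0.0.0.0" and p["interface"] == "outside":
            risks.append(f"'ssh {p['ip']} {p['mask']} outside' admits any Internet source; "
                         "restrict it to the management address or subnet")
    return {"permits": permits, "users": users, "missing": missing, "risks": risks}


if __name__ == "__main__":
    report = lint_ssh_config(SAMPLE_CONFIG)
    for key in ("permits", "users", "missing", "risks"):
        print(f"{key}: {report[key]}")
```

Run against the three dumps posted in this thread, the lint reports the same two gaps each time: no aaa authentication ssh console LOCAL and no domain-name, plus the any-source permit on outside.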

Pete Long (Technical Consultant) commented:

dhuff2012 (Author) commented:
I have performed all of the above solutions and it still doesn't work. It is interesting to note that when I attempt an ssh connection I am connecting to a DSL modem that is in bridge mode, not the ASA. I have opened a case with the ISP. I will post my findings.

Thank you all very much for sticking in there with me.

Sepist commented:
No one seems to have mentioned this one:

aaa-server LOCAL protocol local

and

aaa authorization command LOCAL

dhuff2012 (Author) commented:
I tried the first command and got:
ERROR: This command is no longer needed.  The LOCAL user database is always enabled.

It took the second command but ssh still does not work.  I have rebooted the FW and still no go.  I called the ISP and there is a bridging modem in front of the firewall.  They can't remotely do anything so they will dispatch a tech to the site to see how it is configured.  They indicate that "IT MAY BE BLOCKING".  We will see.  I'll update the results.  Stay tuned.

Jan Springer commented:
You said:

"Yes, console.  I just tried ssh from the inside and I get the same message.  'Access Denied'".

This means that you are not being filtered -- the ASA is blocking.

What do the logs say and have you tried to update the 'ssh outside' command with an IP or subnet instead of 0.0.0.0?

Sepist commented:
You could rule out it being an access issue or a user database issue by trying to log in using the default credentials.

From the inside try ssh'ing as username "pix" and the password you have encrypted here: `passwd gPmtuWCfb8uToFuQ encrypted`


You should get in if it's an authentication issue.

dhuff2012 (Author) commented:
I have tried that.  I can't login.  Strangely enough I can see the dsl modem from inside the network.

dhuff2012 (Author) commented:
Here is the ssh log:


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.08.30 11:56:37 =~=~=~=~=~=~=~=~=~=~=~=
Device ssh opened successfully.
SSH0: SSH client: IP = '70.173.x.x'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-2.0-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.61

client version string:SSH-2.0-PuTTY_Release_0.61SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 1850 ms

SSH2 0: send: len 280 (includes padlen 4)
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: ssh_receive: 512 bytes received
SSH2 0: input: packet len 640
SSH2 0: partial packet 8, need 632, maclen 0
SSH2 0: ssh_receive: 128 bytes received
SSH2 0: partial packet 8, need 632, maclen 0
SSH2 0: input: padlen 6
SSH2 0: received packet type 20

SSH2 0: SSH2_MSG_KEXINIT received
SSH2 0: 
kex_parse_kexinit: diffie-hellman-group1-sha1
SSH2 0: 
kex_parse_kexinit: ssh-rsa
SSH2 0: 
kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH2 0: 
kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH2 0: 
kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
SSH2 0: 
kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
SSH2 0: 
kex_parse_kexinit: none
SSH2 0: 
kex_parse_kexinit: none
SSH2 0: 
kex_parse_kexinit: 
SSH2 0: 
kex_parse_kexinit: 
SSH2 0: 
kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
SSH2 0: 
kex_parse_kexinit: ssh-rsa,ssh-dss
SSH2 0: 
kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfi
SSH2 0: 
kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfi
SSH2 0: 
kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5
SSH2 0: 
kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5
SSH2 0: 
kex_parse_kexinit: none,zlib
SSH2 0: 
kex_parse_kexinit: none,zlib
SSH2 0: 
kex_parse_kexinit: 
SSH2 0: 
kex_parse_kexinit: 
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: ssh_receive: 144 bytes received
SSH2 0: input: packet len 144
SSH2 0: partial packet 8, need 136, maclen 0
SSH2 0: input: padlen 5
SSH2 0: received packet type 30

SSH2 0: SSH2_MSG_KEXDH_INIT received
dh_client_pub= 
cff548107afd7b7b ccf54b1589af5bae e155d01a6b82fba9 d6f96597f6c15c51 
e82a01cfaa0b9a27 c262b7c6dfdbb10e 0f44dcb00241fb63 5d3748fee882c104 
e9285fffb9fab974 646a6ffb68fd0200 be87999b6c7ad0b9 9c85979907058d2a 
5a34da8d9b3a25ba 9b0c999941bce53e fc5bf06bb5344a31 1181dc906efe8a38 
 

my_dh_pub= 
e88097f49204419a 6ce7f67312db6793 78c8d0a37956835f 7ff42ef19ef7475c 
52b42c696f046652 4b75e446f0fb79b9 9c5ecd82ef00325b 7f8ffad2c2ad2c8c 
c171951eef7331fc 0a8e035314e1211c 8fba8210e9aaf7b6 897a6459dcd4c891 
07b8b42f81c0f932 a5ca6821cdafc471 7d10d47d89cca127 fa0bab12622bc0ce 
 

shared secret
da4bad599b46cd87 532b1cc390390224 38b3e41cc7d037d7 769e93168b15a1fd 
9a6f88a3cd3d1f9d 34902b06af59ecf3 65a8914d01f52545 a629c8280e8fd37c 
2e81316b4627187b 7d269700ba20ada0 aaa49261e37d0bce ae74ecff792be485 
ca1bc30a318ffb69 b6b8b509a5b4195a 6f81d56ac98ae5d8 b0cc78afa557cd15 
 

hash
cb1f4f40c767d685 33ecb32b73be6b78 8a3a008f 

SSH2 0: signature length 143
signature

000000077373682d 7273610000008052 0f7f4cf29e5ec250 d8c73857b6985a51 
63df4af626a59040 0d0e0c0ad9b41090 b88ce40436ab5382 4ac7027145c9695c 
9737c145c712adae 4a6f86a0b08ba2ea da26d67e34d388ae e9e5bf6b23da71f5 
39df56a4846b71a5 e921bae34d90f68e 0e62ebaacbc766d9 0f0002e892a695bc 
a8fbaac60c5b6ba3 7225e14fe793d9 

SSH2 0: send: len 448 (includes padlen 7)
key
5ceb2d6cabda3434 1b85544c9e15099f 466f0af215988d21 2e5010c2f4baec9a 
 

key = A
5ceb2d6cabda3434 1b85544c9e15099f 466f0af215988d21 2e5010c2f4baec9a 
 

key
5664a5b5427b6eee fc4949bb249f3a34 2a0ec1be50ec7080 627de9eea04d5e09 
 

key = B
5664a5b5427b6eee fc4949bb249f3a34 2a0ec1be50ec7080 627de9eea04d5e09 
 

key
76a752ad064d4a0c 219d9ed7d0459fe4 5f83c64087f956e7 f3054cd2b7885507 
 

key = C
76a752ad064d4a0c 219d9ed7d0459fe4 5f83c64087f956e7 f3054cd2b7885507 
 

key
f9fd6360c821cb6b 0cac2ba9b12049af 2c1193cf39c49634 3bb1e27d08b81b04 
 

key = D
f9fd6360c821cb6b 0cac2ba9b12049af 2c1193cf39c49634 3bb1e27d08b81b04 
 

key
c45ce3b6cc4afed7 3c968424721c9e3b 26d46ab5b1049134 2e9e475eb7d4cdf0 
 

key = E
c45ce3b6cc4afed7 3c968424721c9e3b 26d46ab5b1049134 2e9e475eb7d4cdf0 
 

key
7d10a6bba5a7a908 43515211a893f6fd 1c1c0acf674a62ce 6ba387c0a569a74b 
 

key = F
7d10a6bba5a7a908 43515211a893f6fd 1c1c0acf674a62ce 6ba387c0a569a74b 
 

SSH2: kex_derive_keys complete
SSH2 0: send: len 16 (includes padlen 10)
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: ssh_receive: 16 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 8, need 8, maclen 0
SSH2 0: input: padlen 10
SSH2 0: newkeys: mode 0
SSH2 0: received packet type 21

SSH2 0: SSH2_MSG_NEWKEYS received
SSH2 0: ssh_receive: 88 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 16, need 0, maclen 20
SSH2 0: MAC #3 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is ''

SSH2 0: input: packet len 32
SSH2 0: partial packet 16, need 16, maclen 20
SSH2 0: MAC #4 ok
SSH2 0: input: padlen 10
SSH2 0: received packet type 5

SSH2 0: send: len 32 (includes padlen 10)
SSH2 0: done calc MAC out #3
SSH2 0: ssh_receive: 104 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 16, need 0, maclen 20
SSH2 0: MAC #5 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is ''

SSH2 0: input: packet len 48
SSH2 0: partial packet 16, need 32, maclen 20
SSH2 0: MAC #6 ok
SSH2 0: input: padlen 8
SSH2 0: received packet type 50
SSH(test): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: send: len 32 (includes padlen 13)
SSH2 0: done calc MAC out #4
SSH2 0: ssh_receive: 300 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 16, need 0, maclen 20
SSH2 0: MAC #7 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is ''

SSH2 0: input: packet len 64
SSH2 0: partial packet 16, need 48, maclen 20
SSH2 0: MAC #8 ok
SSH2 0: input: padlen 11
SSH2 0: received packet type 50
SSH(test): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: send: len 32 (includes padlen 13)
SSH2 0: done calc MAC out #5
SSH2 0: authentication failed for test
SSH2 0: input: packet len 160
SSH2 0: partial packet 16, need 144, maclen 20
SSH2 0: MAC #9 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is ';ãô5sß4Å9-d4wÛ-«üòOìÜsGM+áozùGãÎß].2nä¯.?Äï¸ßß'kCÖ`ãJOqBp#
¶WdP©
SSH2 0: ssh_receive: 300 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 16, need 0, maclen 20
SSH2 0: MAC #10 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is ''

SSH2 0: input: packet len 64
SSH2 0: partial packet 16, need 48, maclen 20
SSH2 0: MAC #11 ok
SSH2 0: input: padlen 11
SSH2 0: received packet type 50
SSH(test): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: send: len 32 (includes padlen 13)
SSH2 0: done calc MAC out #6
SSH2 0: authentication failed for test
SSH2 0: input: packet len 160
SSH2 0: partial packet 16, need 144, maclen 20
SSH2 0: MAC #12 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is 'ÑÁCø=ñX×Ïö9# o*Ås/»£þ$Mþêj¦+>æõg2ßé¾õfu;±=­Ëø.tNã]cµz}@"`ý0°"PáIõÆb(Vnó{¡"Ç
SSH2 0: ssh_receive: 300 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 16, need 0, maclen 20
SSH2 0: MAC #13 ok
SSH2 0: input: padlen 6
SSH2 0: received packet type 2

SSH2 0: SSH2_MSG_IGNORE msg is ''

SSH2 0: input: packet len 64
SSH2 0: partial packet 16, need 48, maclen 20
SSH2 0: MAC #14 ok
SSH2 0: input: padlen 11
SSH2 0: received packet type 50
SSH(test): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: send: len 32 (includes padlen 13)
SSH2 0: done calc MAC out #7
SSH2 0: authentication failed for test
SSH2 0: authentication failed for test (code=1)SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"
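
The debug ssh capture above buries a handful of decisive lines in key-exchange noise. The Python below is an added example, not code from the thread: it parses lines in the same format as the posted log and reports the client address and interface, the authentication method the ASA applied, how many attempts failed, the negotiated cipher and MAC, and how the session ended, then attaches a short diagnosis. The sample lines are constructed to mirror the posted log with a documentation-range address in place of the real one; the default-login behaviour the diagnosis cites (user pix with the passwd password when no aaa authentication ssh console line exists) is the one Sepist describes above.

```python
"""Triage an ASA 'debug ssh' capture.

Added example, not code from the thread. It reads output in the same format
as the log posted above and reports the client address and interface, the
authentication method the ASA applied, how many attempts failed, the
negotiated cipher and MAC, and how the session ended, then attaches a short
diagnosis. The sample below is constructed to mirror the posted log; the
address is a documentation-range placeholder.
"""
import re
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
Device ssh opened successfully.
SSH0: SSH client: IP = '198.51.100.7'  interface # = 2
SSH0: Exchanging versions - SSH-2.0-Cisco-1.25
SSH0: client version is - SSH-2.0-PuTTY_Release_0.61
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2: kex_derive_keys complete
SSH(test): user authen method is 'no AAA', aaa server group ID = 0
SSH(test): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for test
SSH(test): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for test
SSH(test): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for test
SSH2 0: authentication failed for test (code=1)SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"
"""

CLIENT = re.compile(r"SSH client: IP = '([^']+)'\s+interface # = (\d+)")
CLIENT_VERSION = re.compile(r"client version is - (\S+)")
AUTHEN = re.compile(r"SSH\((\S+)\): user authen method is '([^']+)'")
FAILED = re.compile(r"authentication failed for (\S+)")
KEX = re.compile(r"kex: (client->server|server->client) (\S+) (\S+)")
DISCONNECT = re.compile(r'Session disconnected by SSH server - error (0x[0-9a-fA-F]+) "([^"]+)"')


def triage_debug_ssh(log: str) -> Dict[str, object]:
    """Summarise one debug ssh session and attach a short diagnosis."""
    client_ip: Optional[str] = None
    interface: Optional[int] = None
    client_version: Optional[str] = None
    users: List[str] = []
    authen_method: Optional[str] = None
    failures = 0
    negotiated: Dict[str, Dict[str, str]] = {}
    disconnect: Optional[str] = None

    for ln in log.splitlines():
        if m := CLIENT.search(ln):
            client_ip, interface = m.group(1), int(m.group(2))
        if m := CLIENT_VERSION.search(ln):
            client_version = m.group(1)
        if m := AUTHEN.search(ln):
            if m.group(1) not in users:
                users.append(m.group(1))
            authen_method = m.group(2)
        # Each password prompt that fails logs one line; the final "(code=1)"
        # line is the session verdict, not another attempt.
        if FAILED.search(ln) and "(code=" not in ln:
            failures += 1
        if m := KEX.search(ln):
            negotiated[m.group(1)] = {"cipher": m.group(2), "mac": m.group(3)}
        if m := DISCONNECT.search(ln):
            disconnect = f"{m.group(1)} {m.group(2)}"

    diagnosis: List[str] = []
    if authen_method == "no AAA":
        diagnosis.append("Logins are not going through AAA ('aaa authentication ssh console LOCAL' "
                         "is absent), so the username table is not consulted; the ASA only accepts "
                         "its default login, user 'pix' with the 'passwd' password.")
    if failures >= 3:
        diagnosis.append(f"{failures} failed attempts from {client_ip} on interface {interface}; "
                         "confirm the source is expected and restrict the 'ssh <ip> <mask> "
                         "<interface>' line to it.")
    ciphers = sorted({d["cipher"] for d in negotiated.values()})
    if any(c.endswith("-cbc") for c in ciphers):
        diagnosis.append(f"Negotiated CBC-mode cipher(s) {ciphers}; prefer CTR or GCM modes "
                         "where the image supports them.")

    return {"client_ip": client_ip, "interface": interface, "client_version": client_version,
            "users": users, "authen_method": authen_method, "failures": failures,
            "negotiated": negotiated, "disconnect": disconnect, "diagnosis": diagnosis}


if __name__ == "__main__":
    for key, value in triage_debug_ssh(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

On the posted log the same parser would report user test, authen method 'no AAA', three failed attempts and a 0x0d "Rejected by server" disconnect, which is the ASA itself refusing the credentials rather than anything upstream dropping the connection.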


fgasimzade commented:
Add these lines to your config

aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL

Ernie Beek (Expert) commented:
I masked the public IP in that log for you.

I did see however that it is a different IP than the one on your outside interface...

?

Ernie Beek (Expert) commented:
Or was it the source IP?

Anyway, if the modem really is bridging you shouldn't be able to SSH to it. You might want to check it.

dhuff2012 (Author) commented:
The ssh log shows that my username/password combinations are not authenticating for any of the usernames.  These are all new usernames with priv 15.  Is there a way to purge the user database?

Ernie Beek (Expert) commented:
It looks like it's not clear if you're connecting to the ASA or the modem. Heard anything from the ISP yet?

Second, when you have a look at the logs on the ASA, does anything show there?