• Status: Solved
  • Priority: Medium
  • Security: Public

Enable SSH problem in ASA 5505

I have an ASA 5505. I was trying to enable SSH on this firewall; when I type "crypto key generate rsa 1024", the following error message appears: ERROR: % Invalid input detected at '^' marker. Anyone know what went wrong? I'm using version 8.2(1).

Below are the configuration steps:

interface Vlan1
 nameif inside
 security-level 100
 ip address xxxxx 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxx 255.255.255.240

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 no shutdown

interface Ethernet0/2
 no shutdown

route outside 0.0.0.0 0.0.0.0 xxxxx 1

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5

Asked by: piaakit

5 Solutions

Pete Long, Technical Consultant, commented:
What if you just

cry key gen rsa

instead?

Pete Long, Technical Consultant, commented:
What is the up arrow '^' pointing to as the error?

Does it do the same in enable mode?

Marius Gunnerud, Senior Systems Engineer, commented:
You are missing the modulus keyword.

crypto key generate rsa modulus 1024

You also need to add a domain name and username and password.

domain-name DOMAIN.com

username USERNAME password PASSWORD

and then tell SSH to use the locally configured user (unless you are using RADIUS or TACACS+):

aaa authentication ssh console LOCAL

Keep in mind that LOCAL is case-sensitive.
piaakit, Author, commented:
Hi

I have followed the above, but I see the error below. Any idea? Below is the setting of my ASA:

ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name it2u.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 218.189.179.234 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name it2u.com
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 218.188.179.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username CISCO password TYX7NfYD.Yf733Bn encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d1f93c0d4adb93705c351aa1c5bb0d8f
: end
Marius Gunnerud, Senior Systems Engineer, commented:
Does your PC have connectivity with the ASA?

piaakit, Author, commented:
I have fixed the above problem.

What do I do if I want to do the mapping below?

210.1.1.2 map to internal IP 10.0.0.1, and I want to open port 80.

Marius Gunnerud, Senior Systems Engineer, commented:
That is a completely different question from what you originally asked, but I will answer anyway.

Are there any other ports mapped to the 10.0.0.1 server?

If not you can do the following. Create a NAT statement and then create an ACL on the outside interface (or the interface where this IP is configured).

nat (inside,outside) 210.1.1.2 10.0.0.1

access-list outside-to-inside extended permit tcp any host 210.1.1.2 eq 80
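As an added example (not code from any of the posters), here is a small Python audit that reads a running-config in the shape of the one posted above and checks the prerequisites listed in the SSH answer (domain name, a local user, `aaa authentication ssh console LOCAL` with the exact case). It also flags two things a reviewer would want to see before calling this done: an `ssh 0.0.0.0 0.0.0.0 <interface>` line, which permits management logins from any source address on that interface, and an access-list like the one in the port-80 answer that is defined but never applied with `access-group`. The sample config, addresses and password are constructed placeholders.

```python
import re

# Constructed sample: an abbreviated ASA 8.2-style running config in the shape of
# the one posted above (placeholder addresses and password, not the poster's).
SAMPLE_CONFIG = """\
ASA Version 8.2(1)
hostname ciscoasa
domain-name example.com
username ADMIN password PLACEHOLDER encrypted
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
access-list outside-to-inside extended permit tcp any host 203.0.113.2 eq 80
"""


def audit_asa_ssh(config: str) -> dict:
    """Check the SSH prerequisites from the thread and flag two exposure issues."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = {}
    # Prerequisites named in the answer: a domain name, a local user, and LOCAL AAA.
    findings["has_domain_name"] = any(line.startswith("domain-name ") for line in lines)
    findings["has_local_user"] = any(line.startswith("username ") for line in lines)
    # The LOCAL server-group keyword is case-sensitive; 'local' does not match it.
    findings["ssh_uses_local_aaa"] = "aaa authentication ssh console LOCAL" in lines
    findings["ssh_aaa_wrong_case"] = any(
        re.fullmatch(r"aaa authentication ssh console local", line, re.IGNORECASE)
        and line.split()[-1] != "LOCAL"
        for line in lines
    )
    # 'ssh <source> <mask> <interface>' lines; 0.0.0.0 0.0.0.0 means any source address,
    # which on the outside interface exposes management logins to the whole Internet.
    ssh_lines = [line for line in lines if re.match(r"ssh \d", line)]
    findings["ssh_open_to_any_on"] = sorted(
        line.split()[3] for line in ssh_lines if line.split()[1:3] == ["0.0.0.0", "0.0.0.0"]
    )
    # An access-list has no effect until bound with 'access-group <name> in interface <if>'.
    defined = {line.split()[1] for line in lines if line.startswith("access-list ")}
    bound = {line.split()[1] for line in lines if line.startswith("access-group ")}
    findings["unbound_acls"] = sorted(defined - bound)
    return findings


def missing_ssh_prereqs(findings: dict) -> list:
    """Names of the prerequisites that are absent, for a quick pass/fail."""
    wanted = ["has_domain_name", "has_local_user", "ssh_uses_local_aaa"]
    return [name for name in wanted if not findings[name]]
```

Running `audit_asa_ssh(SAMPLE_CONFIG)` on the sample reports no missing prerequisites, but lists `outside` as open to any SSH source and `outside-to-inside` as an ACL that is never applied.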
Question has a verified solution.