SSH problem
impelse
OK.
I follow this instructions from Cisco's web site:
hostname PixFirewall
domain-name mydomain.com
aaa authentication ssh console LOCAL
password xxxxxx
crypto key generate rsa modulus 1024
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
I can log in using SSH from the inside network, but I can never log in from the outside network; the software does not say anything and does not do anything either.
What do you recommend?
I did an L2TP over IPsec configuration and it is working now, but this configuration to control the firewall from a remote station did not work.
I tried to put a specific IP address for the outside network and it's the same.
Suggestion please.
Comments
sprkymrk
Stupid question - Did you try to connect to the outside interface from an external host?
Otherwise it all looks about right for what little I know about a Pix.
Ahriakin
Just to rule it out you are connecting to the outside interface from a separate device that is external to the inside subnets? Mainly that you are not trying to SSH to the outside IP from the inside zone?
impelse
I can connect using VPN (L2TP/IPsec) from outside. This means I have a connection to the ASA, but it did not work with SSH to the outside interface; the SSH only works if I connect from a computer in the inside network to the inside interface.
Ahriakin
Try telnetting to port 22 of the external interface and see if it states Cisco SSH; essentially you're checking the port availability from your station. Check your workstation's public IP and VPN in to make the SSH rule specific to your IP, drop the VPN and see if it works now.
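The port-22 check suggested above, as an added example that is not part of the original thread: an SSH server sends an identification line such as "SSH-2.0-Cisco-1.25" before any authentication (RFC 4253), so reading that first line tells "reachable and SSH answering" apart from "filtered, refused, or something else on the port" without logging in. The banner bytes and the loopback stand-in server are constructed here so the script runs offline; the address you would point it at is whatever your outside interface is.

```python
"""Added example: banner-grab check for an ASA/PIX outside interface on port 22."""
import socket
import threading
from typing import Optional


def read_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Return the server's SSH identification line, or None if nothing SSH-like answers.

    A timeout or refused connection means the ssh source rule, an ACL in the
    path, or the interface itself is not letting the session through.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            # Read until the first newline; the identification line is short.
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return line if line.startswith("SSH-") else None


def classify_banner(banner: Optional[str]) -> str:
    """Turn the banner (or its absence) into a short verdict an admin can act on."""
    if banner is None:
        return "no SSH answer (port filtered, refused, or not an SSH service)"
    if "Cisco" in banner:
        return "Cisco SSH answering: " + banner
    return "SSH answering but not Cisco: " + banner


# --- constructed stand-in for the firewall so the example runs offline ---
CONSTRUCTED_BANNER = b"SSH-2.0-Cisco-1.25\r\n"  # constructed sample, not a capture


def start_fake_ssh_server(banner: bytes = CONSTRUCTED_BANNER) -> int:
    """Listen on an ephemeral loopback port, send the banner once, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def check_local_demo() -> str:
    """Run the check against the constructed server and return the verdict."""
    port = start_fake_ssh_server()
    return classify_banner(read_ssh_banner("127.0.0.1", port, timeout=3.0))


def check_closed_port_demo() -> str:
    """Run the check against a loopback port with nothing listening (refused)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()  # nothing is listening on this port any more
    return classify_banner(read_ssh_banner("127.0.0.1", port, timeout=3.0))


if __name__ == "__main__":
    print(check_local_demo())
    print(check_closed_port_demo())
    # Against the device: print(classify_banner(read_ssh_banner("<outside-interface-ip>")))
```

If the outside interface gives "no SSH answer" while the inside interface answers, the problem is in front of the SSH service (source rule, ACL, or routing), which is exactly the case the debug output in this thread is meant to narrow down.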
dtlokee
"debug ip ssh" anyone?
mikej412
dtlokee wrote: "debug ip ssh" anyone?
Yes, please
If you don't get anything when you debug, is it a direct connect between the test PC and the outside interface? Any ACLs in the path that may be stopping the SSH traffic?
impelse
I think that it is something with one access-list of the L2TP (I did not get anything with the debug).
I created a static access-list and it works fine with the port that I wanted to open, but not with SSH.
Raul
Ahriakin
Okay, so to be clear, you've been VPNing in all the time? I thought you had just tried it after SSH failed. Enabling SSH like that on the outside interface is meant for directly connecting outside of a VPN (and leaving it open to all IPs like that is not a good idea once you're done testing; SSH scans are fairly common, and once found, attackers know it is likely a key network device and worthy of effort).
If you want to use management tools/protocols on a PIX/ASA terminating the VPN you are using to connect, you need to specify a management-access interface. The easiest and best way to do this is to use the inside interface; always using the inside interface when using a private subnet (as should be assigned by your VPN) avoids getting confused with actually SSHing to the outside without the VPN. So, if it is the case that you are trying to SSH after VPNing in, then enter the following:
management-access inside
After this, telnet/ssh/http/snmp/syslog etc. will all work to the inside interface when VPN'd in. One oddity is that if you are using SNMP and syslog, where you normally specify a host server and the local interface to use, you need to specify the inside interface even if they are technically over the VPN terminating on your outside interface. Fun.
Sorry if I have gotten your situation wrong, but it's a wee bit confusing right now, as the wording does not make it explicitly clear whether you are trying to use the outside interface from inside or outside your VPN tunnel.
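A checker for the two configuration points raised in this reply (the wide-open `ssh 0.0.0.0 0.0.0.0 outside` rule, and the `management-access inside` line needed when managing over the terminated VPN), as an added example that is not from the thread or from Cisco. The config text it reads is a constructed sample modelled on the snippet at the top of the thread; the function and check names are this example's own.

```python
"""Added example: review the ssh source rules and management-access line in an ASA config."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample modelled on the thread's snippet; not a real device config.
CONSTRUCTED_CONFIG = """\
hostname PixFirewall
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""

# "ssh <address> <mask> <interface>" lines; "ssh timeout 5" and the like do not match.
SSH_RULE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
MGMT_ACCESS_INSIDE = re.compile(r"^management-access\s+inside$", re.MULTILINE)


def parse_ssh_rules(config: str) -> List[Dict[str, str]]:
    """Extract the ssh source rules as {addr, mask, iface} records, in config order."""
    rules = []
    for line in config.splitlines():
        m = SSH_RULE.match(line.strip())
        if m:
            rules.append({"addr": m.group(1), "mask": m.group(2), "iface": m.group(3)})
    return rules


def review_management_access(config: str, vpn_management: bool = False) -> List[str]:
    """Return findings an admin should look at; an empty list means nothing to flag.

    vpn_management=True means the device is managed through a VPN it terminates,
    which is the case where the reply above says management-access is required.
    """
    findings: List[str] = []
    rules = parse_ssh_rules(config)

    for rule in rules:
        net = ipaddress.ip_network(rule["addr"] + "/" + rule["mask"], strict=False)
        if net.prefixlen == 0:
            findings.append(
                "ssh to '%s' is open to any source (0.0.0.0 0.0.0.0); "
                "restrict it to known admin addresses after testing" % rule["iface"]
            )

    if not any(rule["iface"] == "inside" for rule in rules):
        findings.append("no ssh rule for the inside interface")

    if vpn_management and not MGMT_ACCESS_INSIDE.search(config):
        findings.append("managing over the terminated VPN requires 'management-access inside'")

    return findings


if __name__ == "__main__":
    for finding in review_management_access(CONSTRUCTED_CONFIG, vpn_management=True):
        print("-", finding)
```

The checker does not explain why an outside SSH attempt is silent; it only catches the two configuration states the reply calls out, so the debug suggested earlier in the thread is still the tool for the connectivity question.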
impelse
You went too far for my knowledge.
When I said I am VPNing, it means that I can establish a connection with the ASA.
I tried to use SSH without VPN or anything, in case I need to check something from my home or from another office. I used SSH with the Pix 501 (software v6.1) and it still works, but when I installed the ASA 5510 (software v7.2) in one office, SSH works inside but not outside.
I really do not need to control the ASA from another site right now, but I could need it in the future in case I am out of the main office.
Raul
Ahriakin
Okey doke, just needed to clarify. Ignore my waffle and go with the debug goodness above.