Options

SSH problem

impelseimpelse Member Posts: 1,237 ■■■■□□□□□□
in CCNP Security
OK.

I follow this instructions from Cisco's web site:

Hostname PixFirewall
domain-name mydomain.com

aaa authentication ssh console LOCAL
password xxxxxx

crypto key generate rsa modulus 1024

ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside

I can login using ssh from the inside network but I never login from the outside network, the software does not say anything, does not do anything eather.

What do you recommend.

I did a L2TP over IPSec configuration and is working now but this to control the firewall from remote satation did not work.

I tried to put specific ip address for the outside network and it's the same.

Sugestion please.
Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
It is your personal IPS to stop the attack.

· Share on FacebookShare on Twitter

Comments

  • Options
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Stupid question - Did you try to connect to the outside interface from an external host?

    Otherwise it all looks about right for what little I know about a Pix.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Just to rule it out you are connecting to the outside interface from a separate device that is external to the inside subnets? Mainly that you are not trying to SSH to the outside IP from the inside zone?
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    · Share on FacebookShare on Twitter
  • Options
    impelseimpelse Member Posts: 1,237 ■■■■□□□□□□
    I can connect using vpn L2tp Ipsec from outside. This mean I have connection to the ASA, but it did not work with ssh from outside interface, only if I connect from a computer in the inside network to the inside interface the ssh works.
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

    · Share on FacebookShare on Twitter
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Try telnet'ing to port 22 of the external interface and see if it states Cisco SSH, essentially you're checking the port availability from your station. Check your workstation's public IP and VPN in to make the SSH rule specific to your IP, drop the VPN and see if it works now.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    · Share on FacebookShare on Twitter
  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    "debug ip ssh" anyone?
    The only easy day was yesterday!
    · Share on FacebookShare on Twitter
  • Options
    mikej412mikej412 Member Posts: 10,086 ■■■■■■■■■■
    dtlokee wrote:
    "debug ip ssh" anyone?
    Yes, please :D

    If you don't get anything when you debug, is it a direct connect between the test PC and the outside interface? Any ACLs in the path that may be stopping the SSH traffic?
    :mike: Cisco Certifications -- Collect the Entire Set!
    · Share on FacebookShare on Twitter
  • Options
    impelseimpelse Member Posts: 1,237 ■■■■□□□□□□
    I think that it is something with one access-list of l2tp (I did not get anything with the debug)

    I created a static access-list and works fine with the port that I wanted to open, but not with ssh.

    Raul
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

    · Share on FacebookShare on Twitter
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Okay so to be clear you've been VPN'ing in all the time? I thought you had just tried it after SSH failed. enabling SSH like that on the outside interface is meant for directly connecting outside of a VPN (and leaving it open to all IPs like that is not a good idea once you're done testing, SSH scans are fairly common and once found attackers know it is likely a key network device and worthy of effort)
    If you want to use management tools/protocols on a PIX/ASA terminating the VPN you are using to connect you need to specify a management-access interface. The easiest and best way to do this is to use the inside interface, always using the inside interface when using a private subnet (as should be assigned by your VPN) avoids getting confused with actually SSH'ing to the outside without the VPN. So, if it is the case that you are trying to SSH after VPN'ing in then enter the following:
    management-access inside

    After this telnet/ssh/http/snmp/syslog etc. will all work to the inside interface when VPN'd in. One oddity is that if you are using SNMP and Syslog where you normally specify a host-server and local interface to use you need to specify the Inside interface even if they are technically over the VPN terminating on your Outside interface. Fun :)

    Sorry if I have gotten your situation wrong but it's a wee bit confusing right now as the wording does not make it explicitly clear if you are trying to use the Outside interface from inside or outside your VPN Tunnel.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    · Share on FacebookShare on Twitter
  • Options
    impelseimpelse Member Posts: 1,237 ■■■■□□□□□□
    You went too far for my knowledge.

    When I said I am vpning means that I can stablish connection with the ASA.

    I tried to use ssh without vpn or anything in case I need to check something from my home or from another office. I used ssh with the Pix 501 (software v6.1) and still works, but when I installed in one office the ASA 5510 (software v7.2) and ssh works inside but not outside.

    I really do not need to control the ASA from another site right now but I could need it in the future in case that I am out of the main office.

    Raul
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

    · Share on FacebookShare on Twitter
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Okey doke, just needed to clarify. Ignore my waffle and go with the debug goodness above :)
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    · Share on FacebookShare on Twitter
Sign In or Register to comment.