Problem SSH into ASA 5505

Status
Not open for further replies.

North323

Technical User
Jan 13, 2009
966
US
This ASA is passing traffic through the tunnel with no issue. I can even SSH to a host beyond the ASA. I am NOT able to SSH into the ASA itself. When I debug ssh I get:

SSH2: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH2: receive SSH message: [no message ID: variable *data is NULL]
SSH2: receive unsuccessful - status 0x03
SSH2: Session disconnected by SSH server - error 0x03 "TCP connection closed"
Device ssh opened successfully.
SSH2: SSH client: IP = '172.x.x.x' interface # = 1
SSH: host key initialised
SSH2: starting SSH control process
SSH2: Exchanging versions - SSH-2.0-Cisco-1.25

SSH2: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH2: TCP read failed, error code = 0x86300000 "TCP connection timeout"
SSH2: receive SSH message: [no message ID: variable *data is NULL]
SSH2: receive unsuccessful - status 0x00
SSH2: Session disconnected by SSH server - error 0x00 "TCP connection timeout"
 
Can you post your scrubbed config? It's probably got to do with the lack of permitted IPs that can SSH into the unit.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
ASA Version 7.2(4)
hostname XXXX0101025505
enable password encrypted
passwd encrypted
names
name X.X.67.0 Somecity_VLAN67
name X.X.2.0 Somecity_VLAN2
name X.X.7.0 Somecity_VLAN7
name X.X.6.0 Somecity_VLAN6
name X.X.8.0 Somecity_VLAN8
name X.X.5.0 Somecity_VLAN5
name X.X.1.0 Somecity_VLAN1
name X.X.4.0 Somecity_VLAN4
name X.X.32.0 UpperArlington_Subnet32
!
interface Vlan64
nameif XXXXNetwork
security-level 100
ip address X.X.64.251 255.255.255.0

interface Vlan1201
nameif Internet
security-level 0
ip address x.x.x.130 255.0.0.0
!
interface Vlan1204
nameif XXXX
security-level 0
ip address X.X.X.251 255.255.255.0
!
interface Ethernet0/0
switchport trunk allowed vlan 1200-1204
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 64
!
interface Ethernet0/2
switchport access vlan 64
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

ftp mode passive
clock timezone UTC -4
object-group network XXXXLocal
description YYYY XXXX Office
network-object X.X.64.0 255.255.255.0
object-group network XxxxRemote
description Remote network list for the YYYY Xxxxstown office.
network-object Somecity_VLAN2 255.255.255.0
network-object Somecity_VLAN67 255.255.255.0
network-object Somecity_VLAN7 255.255.255.0
network-object Somecity_VLAN1 255.255.255.0
network-object Somecity_VLAN5 255.255.255.0
network-object Somecity_VLAN6 255.255.255.0
network-object Somecity_VLAN8 255.255.255.0
network-object Somecity_VLAN4 255.255.255.0
network-object Upper_Subnet32 255.255.255.0

access-list crypto10 extended permit ip object-group XXXXLocal any
access-list inside_outbound_nat0_acl extended permit ip object-group XXXXLocal any
access-list YYYY extended permit tcp host X.X.99.3 any eq 50 log
access-list YYYY extended permit tcp host X.X.99.3 any eq 51 log
access-list YYYY extended permit udp host X.X.99.3 any eq isakmp log
access-list YYYY extended permit ip host X.X.99.0 any log
access-list YYYY extended permit icmp X.X.0.0 255.255.255.0 any
access-list YYYY extended deny ip 14.2.6.0 255.255.255.0 any log
access-list YYYY extended deny ip 127.0.0.0 255.255.255.0 any log
access-list YYYY extended deny ip 10.0.0.0 255.255.255.0 any log
access-list YYYY extended deny ip 0.0.0.0 255.0.0.0 any log
access-list YYYY extended deny ip 192.168.0.0 255.255.0.0 any log
access-list YYYY extended deny ip 192.0.2.0 255.255.255.0 any log
access-list YYYY extended deny ip 169.254.0.0 255.255.0.0 any log
access-list YYYY extended deny ip 224.0.0.0 224.0.0.0 any log
access-list YYYY extended deny ip host 255.255.255.255 any log
access-list YYYY extended deny icmp any any echo log
access-list YYYY extended deny icmp any any redirect log
access-list YYYY extended deny icmp any any mask-request log
pager lines 24
logging console critical
logging asdm informational
mtu XXXXNetwork 1500
mtu Internet 1500
mtu XXXX 1500
ip verify reverse-path interface XXXX
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (XXXXNetwork) 0 access-list inside_outbound_nat0_acl
access-group YYYY in interface XXXX
route XXXX 0.0.0.0 0.0.0.0 X.X.99.251 1
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec transform-set YYYYXXXX
crypto map XXXX 10 match address crypto10
crypto map XXXX 10 set peer X.X.99.3
crypto map XXXX 10 set transform-set YYYYXXXX
crypto map XXXX interface XXXX
crypto isakmp enable XXXX
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 1
ssh X.X.75.0 255.255.255.0 XXXXNetwork
ssh X.X.64.0 255.255.255.0 XXXXNetwork
ssh timeout 5
console timeout 5
management-access XXXXNetwork
username mmmmm password eeeeeeee encrypted
tunnel-group X.X.99.3 type ipsec-l2l
tunnel-group X.X.99.3 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:
: end
XXXX0101025505#

 
Code:
SSH2: SSH client: IP = '172.x.x.x'  interface # = 1
Add whatever IP address is above to the SSH config just to see if it connects:
Code:
ssh 172.x.x.x 255.255.255.255 XXXXNetwork

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
It's here in the config:
ssh X.X.75.0 255.255.255.0 XXXXNetwork

 
Have you created the certificate for the ASA? Are you using the right version of SSH from your client? (You need to be using SSHv2, not SSHv1.)

To clear an old or bad key -
crypto key zeroize rsa

To recreate one -
crypto key generate rsa modulus [modulus_size]




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I am using SSH v2 and did clear the certs with those commands above.

Still no luck.
 
Are you hitting the inside or the outside interface?

Use the outside interface.

If you are going over the VPN and hitting the inside interface you need to add it to your allowed SSH networks.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I am trying to hit the inside interface. Add it to my allowed SSH networks? Where do I do that? I tried hitting it over the outside interface also with no luck.
 
When you go over the VPN you need to allow the IP scheme that you get from the ASA to connect to the SSH server from the inside.

ssh [IP_address] [SubnetMask] [Interface]

You need to allow the IP you are connecting from to the SSH service.

Start with
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside

See if that works and then narrow the scope from there.



Brent
Systems Engineer / Consultant
CCNP, CCSP
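As an added example (not code from the thread), a small Python checker that applies the `ssh <ip> <mask> <interface>` matching Brent and ColdFlame describe to a constructed excerpt of the posted config, with the scrubbed X.X addresses replaced by 10.0.x.x placeholders and the debug output's 172.x.x.x client stood in by 172.16.1.5; it also lists the `ssh 0.0.0.0 0.0.0.0` catch-all lines so they can be narrowed again after the test.

```python
import ipaddress

# Constructed excerpt of the scrubbed config posted in the thread; the
# X.X placeholders are replaced with 10.0.x.x addresses so it runs offline.
SAMPLE_CONFIG = """\
interface Vlan64
 nameif XXXXNetwork
interface Vlan1204
 nameif XXXX
ssh 10.0.75.0 255.255.255.0 XXXXNetwork
ssh 10.0.64.0 255.255.255.0 XXXXNetwork
ssh timeout 5
management-access XXXXNetwork
"""

def parse_ssh_rules(config):
    """Return (network, interface) pairs from 'ssh <ip> <mask> <ifc>' lines.
    Other ssh lines (timeout, version, key-exchange) are skipped."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # e.g. 'ssh key-exchange group dh-group14-sha1'
        rules.append((net, parts[3]))
    return rules

def ssh_permitted(config, client_ip, interface):
    """True if client_ip is allowed to open SSH on the named interface."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and ifc == interface
               for net, ifc in parse_ssh_rules(config))

def missing_rule(client_ip, interface):
    """The host-specific line ColdFlame suggests adding for a quick test."""
    return f"ssh {client_ip} 255.255.255.255 {interface}"

def catch_all_rules(config):
    """'ssh 0.0.0.0 0.0.0.0 <ifc>' lines: fine for a test, narrow afterwards."""
    return [(str(net), ifc) for net, ifc in parse_ssh_rules(config)
            if net.prefixlen == 0]

if __name__ == "__main__":
    for ip, ifc in [("10.0.75.20", "XXXXNetwork"), ("172.16.1.5", "XXXXNetwork")]:
        if ssh_permitted(SAMPLE_CONFIG, ip, ifc):
            print(f"{ip} on {ifc}: permitted")
        else:
            print(f"{ip} on {ifc}: NOT permitted; try: {missing_rule(ip, ifc)}")
```

Run it against a real `show running-config` dump with the client address from `debug ssh` and the interface the VPN lands on (here XXXXNetwork) to see whether the source is actually covered before changing anything else.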
 
That is IN the configuration:
ssh X.X.75.0 255.255.255.0 XXXXNetwork

Here is my question:
Based on the configuration, we are using:

nat (XXXXNetwork) 0 access-list inside_outbound_nat0_acl

access-list crypto10 line 1 extended permit ip X.X.64.0 255.255.255.0 any (hitcnt=46) 0x5d661420

which basically does no NATting from the local side. However, the interface that we want to SSH to is X.X.64.251, which is in this subnet. Should we create a pool of IPs that the local LAN can use and NOT NAT, thus taking the interface X.X.64.251 out of that access-list?

Or could we create a static NAT like:

static (YXXX, tcp X.X.99.251 ssh X.X.64.251 ssh netmask 255.255.255.255
 
Ok, just to test if ssh is up and working on the ASA. Let's eliminate the VPN from the equation for now.

Allow SSH from anywhere on the outside interface and SSH to it from some external network that is not currently part of this VPN setup - a hotspot or from home.

Does this work?

From the error, packets are obviously hitting the ASA to start the process, and something has to be exchanged for the TCP handshake or that would never start. Got to find where it breaks.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
SSH is up and working because I can SSH into the ASA from the remote side with no issue. It's over the tunnel that is giving me the headache.
 
Problem resolved. I upgraded to version 8.04 and I am able to SSH into the ASA.
 