SSH Client and ASA.
We have started to introduce ASAs instead of the PIX devices. When I try to SSH in with the PuTTY client it gives 'Server unexpectedly closed network connection'. I tried the latest client and defining SSH versions 1 and 2, but no joy.
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
Is there anything I have forgotten to do?
Make sure that you have generated RSA keys.
Kind regards
Arul
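An added example, not configuration from the original post, of a complete SSH setup on an ASA with the pieces the posted snippet is missing: the RSA host key the reply refers to (which needs a hostname and domain-name first), an authentication source for the SSH login, and source addresses narrowed to a management subnet instead of 0.0.0.0 0.0.0.0 on every interface. The hostname, domain, username and the 192.0.2.0/24 management subnet are assumed placeholders.

```cisco
! The RSA key pair is derived from hostname + domain-name, so both must
! exist before "crypto key generate rsa" is accepted. Without a host key
! the ASA cannot complete the SSH handshake and drops the session at
! connect time, which is what PuTTY reports as "server unexpectedly closed".
hostname asa-edge
domain-name example.net
crypto key generate rsa modulus 2048
!
! SSH logins need an authentication source; here the local user database.
! (assumed username and a placeholder password)
username admin password <set-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
!
! Permit SSH only from the management subnet (assumed 192.0.2.0/24) on the
! inside interface, not from any source on inside and outside as posted.
ssh 192.0.2.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
!
! Checks: the key pair must be present and the SSH server parameters active.
show crypto key mypubkey rsa
show ssh
```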
Tags: Cisco Security
Similar Questions
-
Cisco VPN Client and Windows XP VPN Client IPSec to ASA
I configured the ASA for IPsec VPN for both the Cisco VPN Client and the XP VPN client. I can connect successfully with the Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunnel mode". I know they use different transport and tunnel modes, and I think I have configured both. Take a look at the config.
PS: a funny thing: when I connect with the VPN client on Windows Server 2003, I get no error. The only difference is that the XP client is behind an ADSL router and the server client is directly connected to the Internet on one of its public interface IPs. Could NAT in the XP case cause problems?
Config is:
!
interface GigabitEthernet0/2.30
 description remote-access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.1 255.255.255.0
!
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list sheep extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list sheep-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list sheep-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp in interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.1 2
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set raccess vpnclienttrans
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value BCT.AZ
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group RADIUS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
Hello,
For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.
Please see the configuration below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
or
Please see the tunnel-group section of the ASA config.
There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used as the VPN Client group name.
So you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.
Secondly, because you are behind an ADSL router, I'm sure it is configured for NAT. Can you please activate NAT-T on your ASA:
crypto isakmp nat-traversal
Thirdly, change the transform-set value:
crypto dynamic-map dyn1 1 set transform-set raccess vpnclienttrans
Let me know the result.
Thank you
Gilbert
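An added example, not Gilbert's or the poster's configuration, of the reply's two points written out as ASA config: NAT-T enabled, and a dedicated tunnel-group with its own pre-shared key for the Cisco VPN Client, while DefaultRAGroup keeps serving the Windows L2TP/IPsec client, which cannot send a group name. The group name VPNCLIENTS, the transform-set names and the placeholder keys are assumptions; the pool "raccess" and group-policy "vpn" come from the posted config.

```cisco
! NAT-T: a client behind a NAT device (the ADSL router here) cannot pass
! plain ESP, so ESP is carried in UDP/4500. The posted config disables it
! ("no crypto isakmp nat-traversal"); 20 is the NAT keepalive in seconds.
crypto isakmp nat-traversal 20
!
! Windows L2TP/IPsec clients cannot name a group, so they land in
! DefaultRAGroup. That group keeps the transport-mode transform-set and
! its own key (placeholder).
crypto ipsec transform-set L2TP-TS esp-aes esp-sha-hmac
crypto ipsec transform-set L2TP-TS mode transport
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <key-for-l2tp-clients>
!
! Cisco VPN Client users send a group name; give them their own
! tunnel-group (assumed name VPNCLIENTS) so the group lookup that the
! debug output complains about has something to match.
crypto ipsec transform-set CVPN-TS esp-aes esp-sha-hmac
tunnel-group VPNCLIENTS type remote-access
tunnel-group VPNCLIENTS general-attributes
 address-pool raccess
 default-group-policy vpn
tunnel-group VPNCLIENTS ipsec-attributes
 pre-shared-key <key-for-cisco-vpn-client>
!
! One dynamic map offers both transform-sets; the client's proposal
! (tunnel mode for the Cisco client, transport mode for L2TP) selects
! the matching one. AES/SHA is used here instead of the posted 3DES/MD5.
crypto dynamic-map dyn1 1 set transform-set CVPN-TS L2TP-TS
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
```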
-
Looking for an SSH client for Firefox OS
I am looking for an SSH client for Firefox OS (1.3).
A FireSSH add-on is available for the 'normal' version of the Firefox browser, but unfortunately it cannot be installed in the mobile version.
Greetings
Michael
Hi Michael,
That's great! Thank you for your contribution to the Mozilla support (SUMO) forums and for pushing these code changes so that Anyterm works well with Firefox OS.
I will point Firefox OS users who are looking for an SSH client to this solution in the future.
Thank you
-Ralph
-
SSH failure on ASA 8.2(3)
I have a pair of 5520s running 8.2(3) in active/standby failover, routed mode. I have a problem with SSH: it stops working shortly (less than 8 hours) after the network goes live, while telnet works fine, as does https/ASDM.
I've recreated the RSA key and the ssh access. When I try to connect, I just get a blinking cursor; telnet to the IP address on port 22 also works.
Thank you
Hi Patrick,
There were a handful of SSH bugs fixed since 8.2(3). A couple of note are:
CSCti72411 - ASA 8.2.3 may not accept connections from management after failover
CSCtf01287 - SSH to the ASA may fail - ASA can send Reset
You should upgrade to 8.2(5) to obtain the fixes for these bugs, and your problem should be solved.
-Mike
-
Between the VPN Client and a Site-to-Site VPN
Looking for an example ASA 8.0 configuration allowing traffic between a Cisco VPN client host and a destination connected via a LAN-to-LAN/site-to-site tunnel. The remote access client and the site-to-site tunnel terminate on the same ASA device.
Thanks in advance.
-Rey
Hi Rey,
Here is an example of a config for what you are looking for.
I hope this helps.
PS: This uses TACACS+ for authentication; you can replace it with your authentication method.
Kind regards
Assia
-
Question about SDI authentication on AnyConnect and ASA
Hi all
I would like to know about the flow of communication for AnyConnect client authentication with SDI on an ASA 5520.
My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client.
I understand that the ASA provides two modes for SDI authentication.
Native SDI: the ASA communicates directly with the SDI server to handle SDI authentication.
RADIUS SDI: the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means the ASA does not communicate directly with the SDI server. I think that, in general (not considering the ASA), the client (remote user) needs access to a web page on the SDI server to get an SDI authentication token when it starts the SSL VPN connection setup. However, I do not clearly understand how SDI authentication works if I use the ASA as the secure gateway and configure the ASA for SDI authentication.
So my question is how SDI authentication works on the ASA when I use the ASA as the secure gateway and configure the ASA for SDI authentication (in both modes).
The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only, because of their security concerns. I don't know why the customer says so...
I found the following information on CEC.
==========
When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
==========
Does this mean that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts the SSL VPN connection setup, and that the AnyConnect client must communicate with the ASA only, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?
Your information would be appreciated.
Best regards
Shinichi
Shinichi,
I had a quick glance at the data sheet:
http://www.RSA.com/node.aspx?ID=3481
The only thing I could find is the authentication code delivered by SMS 'on demand', i.e. RSA will communicate somehow with the cellular network provider to deliver an SMS with the user's part of the token. (The phone number should uniquely identify a user.)
Please note that it is a little suspicious if the device you authenticate to provides you with the authentication credentials :-)
Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?), the ASA is usually unaware of it, because the user gets their authentication from the two parties.
Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us.
Marcin
-
Site-to-site tunnel between an IOS router and an ASA
I've combed through the configs on both sides of this tunnel 4 times now and the policies look like they match. I applied the note at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
My crypto access lists are good and my NAT on the IOS side uses a route-map and looks good. On the ASA side, traffic to the remote end of the tunnel is exempt from NAT. Each side already has a site-to-site tunnel configuration, so I added the appropriate lines to the existing crypto maps, which include the peer, transform-set and match address access-list. The crypto isakmp policies on both ends are compatible. I have attached some configs and debugs (from the IOS router), but essentially the log on the ASA starts with phase 1 complete, then a "routing not received" notification message and "no proposal chosen" readings, and then it goes to IKE lost connection to remote peer, drop table correlator peer failed, no match, deletion, and finally session disconnected, reason "lost service".
Their other tunnels stay up, and the remote access VPN connection configuration is good.
I found a note that recommends checking any security access-list, so I removed it, but no luck, and one about a Cisco concentrator which had sound logic:
This is normally displayed with a Cisco VPN 3000 concentrator peer, message: no proposal chosen (14). This is a result of the connections being host-to-host. The router configuration has the IPsec proposals ordered so that the proposal selected for the router matches the access list, but not the peer. The access list has a larger network including the host that is cutting traffic. Make the router's proposal for this concentrator-to-router connection first in line, so that it matches the specific host first.
but that didn't work either.
Thank you
Bill
Bill,
Take a look at this
000610: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): need XAUTH
000611: * 10:42:15.094 PCTime sep 27: ISAKMP: node set 920927400 to CONF_XAUTH
000612: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute
000613: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute
000614: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): launch peer 74.92.97.166 config. ID = 920927400
000615: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): lot of 74.92.97.166 sending peer_port my_port 4500 4500 (R) CONF_XAUTH
-Other - 000616: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000617: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT
It should not go to extended authentication. Since you have the client and the L2L on the same router and clients are configured for extended authentication, the router will ask for XAUTH unless you configure the "no-xauth" keyword after the pre-shared key.
Please implement the command (with your own pre-shared key in place of the placeholder):
crypto isakmp key 0 <pre-shared-key> address 74.92.97.166 no-xauth
Thank you
Gilbert
-
VPN between 878 router and ASA 5505
Hello all,
I have struggled for a few days now to get a VPN connection working.
The situation:
Two offices need to be connected to each other with a VPN. Both sites have a WAN connection.
The tunnel between the locations comes up fine, but communication fails in almost every way.
The hosts cannot ping each other, and pings between the inside interfaces of the router and the ASA also fail.
The only ping that works is from inside Site 2 to the inside interface of the Site 1 router (192.168.1.100 to 192.168.0.250).
NAT works fine at both sites behind the router/ASA.
I think I'm doing something wrong with the routes or access lists, but after 7 days, many reloads, restores, driving from one end of the country to the other to reset stupid mistakes, breaking and resoldering my console cable, and starting over from the defaults 10 times, I'm through; I honestly don't know where to look any more...
Tech specs:
Site 1: has a cable modem that gives a WAN IP address via DHCP.
This modem connects to the Cisco 878 router (FastEthernet0).
The router acts as DHCP server and NAT gateway for the office and provides VPN connectivity to the other office.
Site 2: has a cable modem/router (Cisco 3925) which does the NAT; this modem/router hands out a private class C IP (192.168.178.x).
This modem/router connects to a Cisco ASA 5505 (FastEthernet0).
The ASA also serves as DHCP server and NAT gateway for the office and provides VPN connectivity to the other office.
In a line, it looks like this:
Office 1 --> Cisco 878 --> WAN cloud <--> cable modem/router <--> ASA 5505 <--> Office 2
IP address ranges:
Office 1
Network 192.168.0.0
Subnet mask 255.255.255.0
Gateway 192.168.0.250
IP WAN XXXX
Office 2
Network 192.168.1.0
Subnet mask 255.255.255.0
Gateway 192.168.1.1
IP WAN XXXX
At the office 2 location there is NAT between the ASA and the WAN router, on 192.168.178.x 255.255.255.0.
The modem/router is a Cisco 3925, on which IPsec passthrough is enabled.
Configs:
Site 1:
CISCO 878 router
Site 2
ASA 5505
I hope someone has a chance to look through my config and tell me what I did wrong this week.
Even if you cannot help me but still read this: thank YOU!
(As my problem has been resolved, I removed the configs from this post. If for any reason you want a working configuration for these devices, please send me a PM.)
Post edited by: taaa lijf - reason: problem solved, removed configs and private stuff for obvious reasons ;)
Hello
Ping from a client at site 1 to a client at site 2 and do "show crypto isakmp sa" and "show crypto ipsec sa" on the router.
If "show crypto isakmp sa" gives QM_IDLE, the ping fails and you have no packets in "show crypto ipsec sa", then do "debug crypto ipsec".
If "show crypto isakmp sa" gives MM_NO_STATE, do "debug crypto isakmp".
One note however: you should have static IP addresses at least on the side initiating the tunnel, otherwise it will not work when the IP address changes.
Kind regards.
Alain.
-
Trouble with the SSH plugin and ESXi 5.0 hosts...
Hello
Since I migrated my hosts from ESXi 4.1 to ESXi 5.0 build 822926, I can't connect to these hosts using the SSH connection plugin.
I tried with a vCO appliance of version 4.2 and another with version 5.1, without success.
The error message is always the same: auth failed.
But with PuTTY or another SSH client, using the same credentials, it works fine...
Maybe I missed something in the ESXi 5.0 configuration?
Thank you for your help.
BZ.
Please check this.
-
I just started using Thunderbird as my email client and I cannot log into my email
I just started using Mozilla Thunderbird as my email client and I was able to sign into my Gmail account, but when I tried to connect to my school email I got an error that says "Thunderbird cannot find the settings for your email account". And now I do not know what to do.
Thank you very much, it worked.
-
Hi all
I can configure my two PCs, one as a client and one as a server, very well. I am able to send commands from the server to the client. However, I am trying to figure out how I can get feedback from the client to the server that something has changed, or an acknowledgment that the command has been received. How can I do this in LabVIEW with the TCP/IP toolbox, or is there a better way to do it?
Thanks for your help!
Best regards
-Gmac
Once the connection is established, TCP does not care which end is the 'server' and which is the 'client'. Data can be sent in both directions using the same read and write functions. So, if you are already able to send data to the client and read it on the server, you should be able to do the same to send data from the server to the client, using the same TCP connection.
If this is not clear, please post your code so that we can provide more specific advice.
-
ActiveSync iPad SSL client certificate
How do I configure the iPad 2 to synchronize the iPad mail client with Exchange 2010 via ActiveSync using an SSL client certificate plus username and password?
Hi Ewoki,
Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the TechNet Exchange forum. Please post your question in the TechNet Exchange Server forums.
-
I use the Live Mail client with SSL, but I can't retrieve the messages in the subfolders of my Hotmail account; how can I do this? I can use a web browser to display them, but the Live Mail client only updates the Inbox, not the subfolders.
View all Windows Live and Hotmail questions in the appropriate forum found here:
http://windowslivehelp.com/
-
Automatic configuration backups for routers, Catalyst switches and ASA
I am looking for a free solution to make monthly backups of my routers (2821), Catalyst switches (3650-X, 3750-X) and ASA (5510). I'm in a Windows environment and don't mind doing a bit of coding.
I did some research looking at other popular solutions:
- SNMP and a combination of Bash scripts, but that does not support Catalyst switches from what I've read.
- RANCID, on Linux & OS X, not something common in our environment.
- Kiwi CatTools, not free.
Is there something (or some things) that I am missing that will do this from a Windows environment for free?
Thanks in advance.
Kron seems to be supported on the routers only; for the ASA, here is a good explanation of how to collect the backups regularly:
https://supportforums.Cisco.com/docs/doc-14958
If you are looking for a centralized solution and a machine to act as a collector, RANCID is really the best option (if you can allow non-Windows machines).
Kind regards
Ivan
-
"There is a time difference between the client and the server"
Unity 4.0.3
Everything worked very well, and all of a sudden I'm not able to connect to the Unity server using any domain account. When I enter the domain\username and password, I get this error message:
************************************************
The system is unable to log on due to the following error:
There is a time difference between the client and the server.
Try again or contact your system administrator.
**************************************************
I can use the same domain account (unityinstall) to log in to other machines. I can connect to the Unity machine using a local account. There is no time difference between the DC and the Unity server.
Need help,
Thank you
Partha
Log on to your LOCAL computer using an account that has privileges.
At the command prompt, type the following (with your time server in place of the placeholder):
NET TIME \\<server> /SET
Found this on the MS site:
Cannot log on if the date and time are not synchronized
http://support.Microsoft.com/default.aspx?scid=kb;en-us;232386&product=Win2000