Unable to SSH
We configured NLB (active/active) on two ASAs. After connecting with the Cisco VPN client, we can only SSH to the ASA we are connected to, and we can't SSH to the other ASA. For example, if we connect to ASA1, we can only SSH to ASA1 and we can't SSH to ASA2. The same is true if we connect to ASA2: we can only SSH to ASA2 and we can't SSH to ASA1. Is it possible to set things up so that we can SSH to either ASA regardless of which ASA we are connected to?
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
management-access inside
Thank you.
Diane
Diane,
The difference is that the ASA is a firewall first and a VPN product second. VPN concentrators just do VPN and don't worry about routing, switching, or firewalls. In many people's estimation this is not a good thing, because it increases the attack surface of the ASA. However, Cisco has allowed management of the ASA this way: you are doing a reverse hairpin through the tunnel to manage the ASA. Adapting that to reach the other ASA is not really what it was intended for. From a security point of view, the best solution is a management server.
To set up the management server, you just need a Windows/Linux/Apple machine (whatever you are comfortable with) configured to allow remote sessions. On Windows you can do it with VNC or Remote Desktop; if you use Linux or Apple, both have solutions. Once you have your platform, just install a terminal emulator such as PuTTY or SecureCRT and you will have access to your systems. If you use ASDM to configure your ASAs, you just need a supported web browser on the management server, and then open a connection to your ASAs.
This method gives you the following:
1.) Limited access, because people will need an account on the management server to reach the administration tools.
2.) Accountability, since the event log for sessions opened on the management server will show who logged in and when. You can even go so far as to install controls on what a person can access.
3.) A smaller attack surface. Once you have configured your management workstation, configure an ACL on your ASAs that limits any SSH, HTTPS, etc. connection to the management station. With that done, you only have to worry about who has access to this workstation.
I hope this helps. I didn't want to flood you, but wanted to give you the reason behind going in this direction over the method used by the VPN concentrators. Let me know if you have any other questions.
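As an added illustration (not code from the original thread), the following audit reads the ssh/http/telnet source entries of an ASA configuration, flags overly broad sources such as the `ssh 0.0.0.0 0.0.0.0 inside` line from the question, and rewrites them to the single management station recommended above. The sample config lines are constructed from the entries quoted in this thread; the management-host address 192.168.1.50 and the /24 threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample of the management-plane lines of an ASA running config,
# modelled on the entries quoted in this thread; the first ssh line is the
# "any source" entry from the question.
SAMPLE_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 48.110.3.220 255.255.255.255 outside
http 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
management-access inside
"""

# ssh / http / telnet entries of the form: <svc> <source-ip> <mask> <interface>
ACCESS_RE = re.compile(r"^(?P<svc>ssh|http|telnet)\s+(?P<ip>[\d.]+)\s+"
                       r"(?P<mask>[\d.]+)\s+(?P<iface>\S+)\s*$")


def _entry(line):
    """Parse one access entry; returns (svc, network, iface) or None."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    svc, ip, mask, iface = m.group("svc", "ip", "mask", "iface")
    # ipaddress accepts dotted-decimal masks, e.g. 0.0.0.0/0.0.0.0 -> /0
    return svc, ipaddress.ip_network(f"{ip}/{mask}", strict=False), iface


def audit_management_access(config, max_prefix=24):
    """List findings: sources broader than /max_prefix (assumed threshold; the
    answer above allows a single /32 station), telnet, missing ssh version 2."""
    findings = []
    version2 = False
    for raw in config.splitlines():
        if raw.strip() == "ssh version 2":
            version2 = True
            continue
        parsed = _entry(raw)
        if parsed is None:
            continue
        svc, net, iface = parsed
        if svc == "telnet":
            findings.append(f"telnet from {net} on {iface}: cleartext management")
        if net.prefixlen < max_prefix:
            findings.append(f"{svc} from {net} on {iface}: source /{net.prefixlen} "
                            f"is broader than /{max_prefix}")
    if not version2:
        findings.append("ssh version 2 not set")
    return findings


def restrict_to_management_host(config, mgmt_host):
    """Rewrite broad ssh/http sources to the single management station (/32),
    drop telnet; existing /32 entries and all other lines are kept as-is."""
    out, seen = [], set()
    for raw in config.splitlines():
        parsed = _entry(raw)
        if parsed is None:
            out.append(raw)
            continue
        svc, net, iface = parsed
        if svc == "telnet":
            continue
        if net.prefixlen == 32:
            out.append(raw)
        elif (svc, iface) not in seen:  # several broad entries collapse into one
            seen.add((svc, iface))
            out.append(f"{svc} {mgmt_host} 255.255.255.255 {iface}")
    return "\n".join(out) + "\n"
```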
Tags: Cisco Security
Similar Questions
-
Unable to ssh on alternative port
Mac mini, OS X Server 10.11.6, CommuniGate Pro, and almost no other stock OS X Server services.
The server owner recently found himself on a network that blocks the ports used for VPN and SSH connections, so we are trying to set up the server to allow an SSH tunnel through a SOCKS proxy on port 443, which is almost always open. (We have no plans to run web services on this port on this machine.)
Research indicates that this should be a two-step process: 1) edit /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf to remove the web listeners on ports 80 and 443; 2) edit /etc/ssh/ssh_config to add an SSH listener on port 443; then restart.
After that, HTTP services are off on 80 and 443, but I can't connect to SSH on port 443. It still works fine over 22. Nmapping the server indicates that there is nothing open on port 443. Is there anything else I need to do to get this open?
A user on Stack Exchange answered this question. Works a charm.
http://Apple.StackExchange.com/questions/253332/unable-to-SSH-to-OS-x-server-Over-replacement-port
-
Unable to SSH to the Cisco CSM server
Hello all,
I am trying to SSH to a new Cisco CSM server.
I see the hit count on the ACL that allows ssh increment, but when I try to ssh it gives a connection refused error.
Do I have to open the ssh port on the CSM server?
If so, can someone please let me know how to do it?
Regards,
Mahesh
As mentioned in the firewall forum...
The CSM server itself doesn't have an ssh daemon running to answer those requests, unless you added some other third-party software. It's just a Windows Server that runs an application (CSM).
CSM uses https for the client software (Java applications) to communicate with it.
-
Users unable to SSH to UCS Manager
I have LDAP users who are not able to ssh into UCS Manager even though they can connect through the GUI. Locally defined users are able to get in through both the GUI and ssh.
Should users who authenticate to UCS Manager via LDAP be able to connect via SSH as well?
Thank you.
Hello Bruce,
Are you adding the "ucs-" domain name prefix?
For example, for access via SSH:
# Linux terminal
ssh ucs-------@...
ssh -l ucs-------...
# PuTTY client
Connect as: ucs-------
And the domain name is case-sensitive.
HTH
Padma
-
Unable to SSH/telnet to the ASA interface through the remote access VPN
Hi all - I'm trying to SSH/telnet to my ASA over my remote access VPN tunnel but
can't get this to work. What am I missing?
Remote access VPN subnet: 192.168.25.0
LAN subnet: 192.168.1.0
Config is attached. Thx-
Please enter the command
management-access inside
and you will be able to telnet/ssh to the ASA on the IP 192.168.1.253
-
Unable to SSH from outside to a 2851 router
Hello
I want to SSH to the external interface of our 2851 router.
SSH works fine on the internal interfaces.
I have installed the ACLs (one applied to the vty line and one to the external interface).
The configuration looks like the following:
line vty 0 4
 access-class 102 in
 logout-warning 30
 length 0
 transport input ssh
access-list 102 permit tcp any gt 1024 any eq 22
ip access-list extended Outside_ACL
 permit tcp any gt 1024 any eq 22 log
Is there anything else that I should consider when setting up SSH on the external interface?
TIA,
Michael
Michael
I notice that there is a crypto map on the interface (I would have assumed from your previous comment that you access the router via VPN) and I wonder if it is possible that SSH coming in to your remote address is being treated as VPN traffic entering the crypto map. Could you try SSH to the external address from some other source address and see if that changes things?
Or can you provide details on what is in the crypto map - and perhaps think about putting something in the crypto map that would exclude SSH to the external interface.
HTH
Rick
-
Unable to SSH to the source machine
I get the error "ssh connection refused" when trying to perform a Linux P2V with the SDK. I checked that SSH is running on the source machine and that root is in AllowUsers for sshd. I'm starting to believe that this error may be caused by something other than SSH? Any ideas would be wonderful.
Thank you!
C:\_cd\sdk\samples\DotNet\cs\SubmitWinP2VJob\bin\Debug> ConverterSamples.exe craig vm.properties
SoapException caught -
Actor:
Code: ServerFaultCode
Detail XML: <InvalidArgumentFault xmlns="urn:converter" xsi:type="vim25:InvalidArgument" xmlns:vim25="urn:vim25" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><vim25:faultCause><vim25:fault xsi:type="ConverterSysinfoQueryConnRefusedFault"><description>[converter Agent SysinfoQuery] ssh connection was refused</description></vim25:fault><vim25:localizedMessage>Unable to SSH to the source machine. Make sure that the SSH daemon is running on the source machine.</vim25:localizedMessage></vim25:faultCause></InvalidArgumentFault>
ERROR: Unable to submit the P2V Conversion job.
Yes, if the UI works, then the environment is OK. There is something wrong in the source computer structure that you created.
-
Hi all
I've been setting up vSphere 5 in my test environment and I ran into a problem with the vSphere Management Assistant (vMA) 5.0.0.0 build 472630. I have set it up with a static IP address, and I can connect to the console fine. When I try to SSH to the IP using PuTTY, I get the error 'server unexpectedly closed network connection'. SSH worked out of the box with the vMA 4.x series. I tried a few things, including redeploying the VA, but SSH still doesn't work. All the other functions I've tried work fine in the vMA, i.e. adding servers and hosts, joining domains etc.
I'm at a bit of a loss as to why it just doesn't work. I can SSH to the old vMA 4.0 fine, so I don't think it's a network problem, and the sshd service is running.
Thank you
Matt Nichols
I have the same problem. But I found the reason. You need to fix the /etc/hosts.allow file by adding the line
sshd: ALL: ALLOW
-
Unable to ssh to the host after 4.1 update
Since we upgraded our hosts to 4.1, the local user that had been created with the "grant shell access" permission (so that we do not have
to enable ssh root access) stopped working.
Does anyone know what could cause this?
Take a look at this thread:
http://communities.VMware.com/thread/275973
André
-
I've updated my Mac OS from 10.9 to 10.11, and now I find that I am unable to ssh using the SSH Secure Shell application on a PC. When I try to, and tell it to authenticate with a password, it comes back with "the server replied 'Algorithm negotiation failed'" and a few words about the failure of key exchange. I did not look at the keys! Using PuTTY, I get right in after it takes my password. So what is it with SSH Secure Shell? This used to work properly. I'll just dump SSH Secure Shell on my PC and use PuTTY, but I would like to know why I have to. What is different about ssh in El Capitan?
You just need to use a newer version of Secure Shell.
Recent versions of ssh have the older, not-that-secure algorithms removed, because they are simply not secure any more.
The ssh program you are trying to use is just outdated; the one on the Mac is more current, that's all.
-
SSH to the inside or outside IP of the ASA over AnyConnect VPN
Hello all,
I have SSL AnyConnect VPN for my lab at home.
When I connect via AnyConnect SSL I am unable to ssh to the ASA inside and outside IP. Is this the default behaviour?
I have management-access inside configured on the ASA.
VPN IP pool 10.10.10.10
ssh 10.10.10.0 255.255.255.0 outside
Regards,
Mahesh
Try adding a line like:
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside no-proxy-arp
-
This is my first post on this site. Hi all!
I have not really set up ASAs or VPN on Cisco devices before. Currently, I'm trying to configure a remote access VPN between ASA devices, a 5505 and a 5510. The 5510 is supposed to be the server and the 5505 is supposed to be the EasyVPN client. The reason I'm opting for remote access instead of site-to-site is that I have many 5505s on the remote side I need to set up in the future, and they will be moving around a bit (I prefer not to have to keep track of site-to-site configs). The 5510 is not mobile. The ASA devices are able to ping 8.8.8.8 as well as ping each other's public IP address.
Neither ASA can ping the private IP of the other ASA (this part makes sense), and I am unable to SSH from a client on the 5510 side to the internal interface (192) of the 5505. I wonder if someone more experienced with ASA remote VPN than me is able to see something wrong with my setup? I pasted the sanitized configs of the two ASAs below.
Thanks a lot for any assistance!
ASA 5510 (server)
ASA Version 8.0(4)
!
hostname ASA5510
domain-name <redacted>
enable password <redacted> encrypted
passwd <redacted> encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 48.110.3.220 255.255.255.192
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.191.252 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <redacted>
same-security-traffic permit intra-interface
access-list NONAT_VPN extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list VPN_REMOTE_IPS remark EZ VPN REMOTE IP VARIES
access-list VPN_REMOTE_IPS extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT_VPN
route outside 0.0.0.0 0.0.0.0 48.110.3.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TestVPN esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC-MAP 5 set transform-set TestVPN
crypto dynamic-map DYNAMIC-MAP 5 set security-association lifetime seconds 86400
crypto dynamic-map DYNAMIC-MAP 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map S2S-VPN 100 set security-association lifetime seconds 86400
crypto map S2S-VPN 100 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 1
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 30
management-access inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_REMOTE_IPS
 nem enable
username <redacted> password <redacted> encrypted privilege 3
username <redacted> password <redacted> encrypted privilege 15
tunnel-group EZVPN_TUNNEL type remote-access
tunnel-group EZVPN_TUNNEL general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN_TUNNEL ipsec-attributes
 pre-shared-key <redacted>
!
class-map inspection_default
 match default-inspection-traffic
class-map VOICE-CLASS
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map PRIORITY_POLICY
 class VOICE-CLASS
  priority
policy-map QOS-TRAFFIC-OUT
 class class-default
  shape average 154088000
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:10156ad7ab988ae7ed66c4b6d0b4712e
: end
ASA 5505 (Client)
ASA Version 8.2(5)
!
hostname ASA5505
enable password <redacted> encrypted
passwd <redacted> encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.19.1 255.255.255.192
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 174.161.76.217 255.255.255.248
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 174.161.76.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 48.110.3.220 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
vpnclient server 48.110.3.220
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN_TUNNEL password <redacted>
vpnclient username <redacted> password <redacted>
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username <redacted> password <redacted> encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://Tools.Cisco.com/its/service/odd... DCEService
  destination address email <redacted>
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bd465cea07c060a409a2eade03b487dc
: end
Please follow this link to create a dynamic L2L remote server on the ASA5510.
Here is a link for you to create the site-to-site VPN tunnel; the client tunnel can then come up on top of the dynamic L2L server tunnel.
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
Hope that helps.
If you have any questions, please ask.
Thank you
Rizwan James
-
cannot scp vSphere Management Assistant
I just installed it; the web UI works flawlessly, but WinSCP or ssh give an error while trying to connect as vi-admin. What am I missing?
The error from WinSCP and PuTTY is: server unexpectedly closed network connection
From the vMA console, you can try the fix mentioned in the thread below. Just open the console of your vMA guest and press Alt-F2 to open a session
-
1841 => unable to connect via SSH
I am able to connect to the router through a crypto isakmp tunnel using telnet. However, I'm unable to configure SSH on this thing. Can someone please help me with what I may be missing? I'm at an impasse now. I posted the router info and the relevant entries below.
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
======================================
ip domain name CISCO$.COM
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh source-interface FastEthernet0/0
ip ssh version 2
======================================
ip access-list extended CISCO
 permit tcp x.x.x.x x.x.x.x any eq 2222
 deny ip any any log
access-list 101 permit tcp x.x.x.x x.x.x.x any eq telnet
access-list 101 deny tcp any any eq telnet log
==========================================
line vty 0 4
 access-class 101 in
 exec-timeout 3 0
 password XXXXXX
 transport input all
 transport output all
line vty 5 15
 access-class CISCO in
 password xxxxxxxx
 transport input telnet ssh
 transport output telnet ssh
=====================================
That seems fine...
What happens when you do a sh ip ssh?
Is there any firewall or ACL blocking port 22?