VPN and SSH key phenomena
Hi all
I have a rather strange problem.
Description of the problem
I can SSH to my ASA box from within my private network, and from the Internet when not connected to the VPN, without problem.
If I SSH to my ASA box from within a remote-access VPN session, I get the error "ssh_exchange_identification: Connection closed by remote host".
REMOTE_VPN_POOL = 192.168.250.1 - 192.168.250.5/24
LOCAL_LAN = 192.168.2.0/24
The strange thing here is that I can SSH to my wireless device (192.168.2.2) and then on to my ASA (192.168.2.1) - see the text in bold below.
The copy-and-paste below gives a good example of what is happening. Apart from this, the ASA works very well in terms of RA VPN. Any help on how to solve this problem would be greatly appreciated.
Cheers,
Conor
VPNC: A Linux Cisco VPN Client. Works like a charm most of the time.
[root@<host> ~]# vpnc --local-port 501 /etc/vpnc/home.conf
VPNC started in background (pid: 15830)...
[root@<host> ~]# ping 192.168.2.1     (private IP of my firewall)
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=8.33 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=8.09 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1310ms
rtt min/avg/max/mdev = 8.091/8.211/8.331/0.120 ms
[root@<host> ~]# ping 192.168.2.2     (private IP of my wireless device)
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=1 ttl=255 time=9.34 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=255 time=8.90 ms
^C
--- 192.168.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1248ms
rtt min/avg/max/mdev = 8.902/9.122/9.343/0.240 ms
[root@<host> ~]# ^C
[root@<host> ~]# ssh conor@192.168.2.1
ssh_exchange_identification: Connection closed by remote host
[root@<host> ~]# ssh <user>@192.168.2.2
Password:
Wireless#
Wireless#ssh -l conor 192.168.2.1
Password:
************************************************
* Private system. No unauthorized entry or use *
************************************************
Type help or '?' for a list of available commands.
Firewall>
Hey Conor,
Could you please paste the output of "show run | include ssh" below?
Kind regards,
Anisha
Tags: Cisco Security
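Before the "show run | include ssh" output comes back, the first thing to check on the ASA side is whether any `ssh <address> <mask> <interface>` line actually admits the VPN pool. The script below is an added example (it is not from this thread and not Cisco tooling). It assumes what the ASA documentation describes: an SSH client's source address must match an `ssh` entry for the interface its packets arrive on, and reaching the inside address through the tunnel additionally needs `management-access inside`. For a remote-access client it assumes the arrival interface is the one terminating the VPN (`outside` here); confirm that for your own box. The sample config excerpt is constructed, since the thread never shows Conor's configuration.

```python
import ipaddress
import re

# Constructed sample excerpt of an ASA running-config (not Conor's real config,
# which the thread never shows): management SSH is allowed from the inside LAN
# and from one Internet host, but nothing mentions the RA VPN pool.
SAMPLE_SSH_CONFIG = """\
ssh 192.168.2.0 255.255.255.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
ssh version 2
management-access inside
"""

# ssh <address> <netmask> <interface>; 'ssh timeout 5' and 'ssh version 2' do not match
SSH_LINE = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_ssh_entries(config):
    """Return [(IPv4Network, interface)] for every 'ssh <addr> <mask> <ifname>' line."""
    entries = []
    for raw in config.splitlines():
        m = SSH_LINE.match(raw.strip())
        if m:
            # ipaddress accepts the ASA's address/netmask notation directly
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((net, m.group(3)))
    return entries


def management_access_iface(config):
    """Interface named in 'management-access <ifname>', or None if absent."""
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "management-access":
            return parts[1]
    return None


def ssh_matches(config, client_ip, arrival_iface):
    """ssh entries on arrival_iface whose network contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [
        (str(net), iface)
        for net, iface in parse_ssh_entries(config)
        if iface == arrival_iface and ip in net
    ]


def diagnose(config, client_ip, arrival_iface, target_iface):
    """Config gaps that would keep client_ip (entering on arrival_iface) from
    opening SSH to the ASA address on target_iface. Empty list == nothing found."""
    problems = []
    if not ssh_matches(config, client_ip, arrival_iface):
        problems.append(f"no 'ssh' entry on {arrival_iface} covers {client_ip}")
    if target_iface != arrival_iface and management_access_iface(config) != target_iface:
        problems.append(f"'management-access {target_iface}' is not configured")
    return problems


if __name__ == "__main__":
    # VPN client from the pool, tunnel terminating on outside, connecting to the inside address
    for p in diagnose(SAMPLE_SSH_CONFIG, "192.168.250.1", "outside", "inside"):
        print("VPN client:", p)
    # the wireless device on the inside LAN, which works in Conor's paste
    print("LAN host:", diagnose(SAMPLE_SSH_CONFIG, "192.168.2.2", "inside", "inside") or "ok")
```

Run it against the real "show run | include ssh" output plus the `management-access` line; if the VPN pool case comes back with a gap, an `ssh 192.168.250.0 255.255.255.0 outside` line (mask and interface adjusted to the actual pool and tunnel interface) is the configuration item to look at first.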
Similar Questions
-
Telnet and SSH issue on Cisco 3750
I turned on SSH on a Cisco 3750, and all of a sudden I wasn't able to connect to the box. I even changed the source interface and updated the transport input method under the VTY lines, no luck.
I then chose to disable SSH by removing the corresponding config lines and RSA keys, and changed the transport input back to Telnet. After rebooting the switch, I'm still not able to connect, even though the box is reachable.
Any help?
Thank you
Jean-Marie
Hello
This should help confirm the configuration and troubleshoot SSH on your device:
http://www.Cisco.com/c/en/us/support/docs/security-VPN/Secure-Shell-SSH/4145-SSH.html
I hope this helps.
Kind regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
-
Remote VPN and site-to-site VPN: remote VPN users unable to access the local network
As per the config below, remote VPN users (and site-to-site VPN) are unable to access the local network. Please suggest the required config.
VPN users are not able to ping the local server IP 192.168.215.4. The remote VPN connection itself works fine, but the VPN users are not able to ping the local network.
ASA Version 8.2(2)
!
hostname kunauto
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set RIGHT
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set RIGHT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool VPN_Users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#

Hello,
Looking at the configuration, there is an access-list for NAT exemption:
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the NAT statements.
Enter the following command to apply the NAT exemption:
nat (inside) 0 access-list sheep
Kind regards,
Dinesh Moudgil
P.S. Please mark this post as "Answered" if you find this information useful, so that it benefits other community users.
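A quick way to catch the gap Dinesh points out, and to verify the fix, is to reconcile the NAT-exemption ACL against the VPN pool. The script below is an added example, not part of the thread: it parses the `access-list ... extended permit ip`, `nat (<iface>) 0 access-list` and `ip local pool` lines of an ASA 8.2-style config and reports whether the pool is exempted from NAT for traffic leaving the inside interface. The two excerpts are lifted from the posted config, once as posted and once with the suggested `nat (inside) 0 access-list sheep` line added.

```python
import ipaddress
import re

# Excerpt of the ASA 8.2 config posted above (only the lines this check needs).
CONFIG_BEFORE = """\
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same excerpt with the fix from the reply applied.
CONFIG_AFTER = CONFIG_BEFORE + "nat (inside) 0 access-list sheep\n"

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(
    rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}$"
)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
POOL_RE = re.compile(rf"^ip\s+local\s+pool\s+(\S+)\s+{IPV4}-{IPV4}\s+mask\s+{IPV4}")


def parse(config):
    """acls: name -> [(src_net, dst_net)]; nat0: iface -> acl name; pools: name -> (first, last)."""
    acls, nat0, pools = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return acls, nat0, pools


def check_nat_exemption(config, lan_iface, pool_name):
    """(ok, reason): is the whole VPN pool exempted from NAT for traffic from lan_iface?"""
    acls, nat0, pools = parse(config)
    if pool_name not in pools:
        return False, f"pool {pool_name} is not defined"
    first, last = pools[pool_name]
    acl_name = nat0.get(lan_iface)
    if acl_name is None:
        return False, (f"no 'nat ({lan_iface}) 0 access-list ...' statement, "
                       f"so replies to pool {pool_name} fall under the ordinary NAT rules")
    if acl_name not in acls:
        return False, f"'nat ({lan_iface}) 0' references ACL {acl_name}, which has no permit lines"
    for src, dst in acls[acl_name]:
        # a pool is a contiguous range, so both ends inside dst means all of it is
        if first in dst and last in dst:
            return True, f"ACL {acl_name} exempts {src} -> {dst}"
    return False, f"ACL {acl_name} has no permit line covering {first}-{last}"


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_BEFORE), ("with nat 0", CONFIG_AFTER)):
        ok, why = check_nat_exemption(cfg, "inside", "VPN_Users")
        print(f"{label}: {'OK' if ok else 'PROBLEM'} - {why}")
```

The check deliberately ignores `nat (inside) 1` / `global` lines: with `nat-control` on, anything not matched by the identity (`nat 0`) rule is translated, which is exactly why the inside hosts never reach the pool addresses untranslated.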
-
SSH keys no longer work after macOS Sierra update
Hello, I have a problem connecting to my servers with the private SSH key previously stored in my .ssh folder, whether with terminal commands or third-party applications. I should mention that I activated FileVault during the upgrade process. I see that my passphrases are stored in the keychain, but I need to enter my password every time I want to connect to the servers.
Hello Marshall,
Try creating a new SSH key. I think Sierra includes updated crypto logic and doesn't really like old keys.
-
Import a public SSH key for a specific DRAC user via racadm?
Is there a racadm command to upload and install a public SSH key into a specific DRAC user's account?
In the GUI, I see the feature to add 4 different keys per user for passwordless SSH access from remote devices holding the private key.
I have not found a command for it in the latest iDRAC 7/8 CLI PDF.
I also don't see installed public keys being exported with a server profile export, which would mean that access would be lost on profile import. Is this correct? If so, will this be remedied in future iDRAC releases?
You can use "racadm sshpkauth" to import or delete users' public SSH keys on the iDRAC. You can get more details on its usage with the command "racadm help sshpkauth" or from the RACADM CLI guide (link below).
Importing a server configuration file will not delete the iDRAC SSH keys.
-
IronPort SSH Keys vulnerability patch
Hello,
The customer is running WSA 8.8.0-085. On the Available Upgrades web page, we see the file "Vulnerability Fix cisco-sa-20150625-ironport SSH Keys". When trying to apply it, from the web page or from the CLI as suggested by the release notes, it reports the patch as already applied:
Checking if "Vulnerability cisco-Ironport SSH Keys" patch is required
Patch "Vulnerability cisco-Ironport SSH Keys" is already applied
Upgrade installation is complete.
I think it's because the WSA was upgraded after June 25 to a release that already includes this patch.
Questions:
- How can I be sure that the SSH keys are OK?
- Why does the patch stay in the available upgrades? Can I remove it?
Thanks in advance
Hello,
Thanks for reaching out; here is the link that provides details around this:
https://supportforums.Cisco.com/blog/12543046/multiple-default-SSH-keys-...
And as for "why does the patch stay in available upgrades? Can I remove it?":
This patch will be removed once you upgrade to version 9.0.x; for now it cannot be removed.
Kind regards,
Zack
-
I am using a PIX 506e. I already have some SSH addresses, but I need to add a new SSH address. Do I need to generate a new key, or should I use the existing key? Also, if there is already a key generated, must it be cleared and a new one generated when new SSH addresses are added?
skillsadmin wrote:
I am using a PIX 506e. I already have some SSH addresses, but I need to add a new SSH address. Do I need to generate a new key, or does it use the existing key? Also, if there is already a key generated, does it need to be cleared and a new one generated when new SSH addresses are added?
If you are adding more IPs that are allowed to connect to the PIX using SSH, then you do not need to generate a new key. The existing SSH key will be used.
Jon
-
I am trying to configure SSH authentication on my IDS using authorized keys. I generated my key pair using PuTTYgen.
When I go in to configure my authorized key, I can't determine what my Public Exponent is supposed to be. Can anyone shed some light?
Thank you,
Mike J.
PuTTY has been my favorite SSH client for nearly four years.
I am currently using a recent snapshot of PuTTY (2 July 2004), and the following instructions were written for that version. However, any build from a snapshot taken in recent years should work.
The main problem in setting up SSH authorized keys is that only the older RSA1 key format is acceptable. This means that you must tell your key generator to create an RSA1 key, and you need to restrict the SSH client to using the SSH1 protocol.
Here is how you do it with recent versions of PuTTY:
(1) Launch PuTTYgen.
(2) In the "Parameters" group at the bottom of the dialog, select the SSH1 key type. I would also recommend setting the number of bits in the generated key to 2048.
(3) Click "Generate" and follow the instructions. The key information appears in the upper pane of the dialog.
(4) Clear the "Key comment" edit field.
(5) Select all the text in the pane labeled "Public key for pasting into authorized_keys file" and press Ctrl-C.
(6) Type a passphrase in the "Key passphrase" and "Confirm passphrase" edit fields.
(7) Click "Save private key".
(8) Save the PuTTY private key file to a directory that is private to your Windows login (in the "Documents and Settings/(userid)/My Documents" subtree under Win2K/XP).
(9) Launch PuTTY.
(10) Create a new PuTTY session as follows:
Session:
IP address: IP address of the IDS sensor
Protocol: SSH
Port: 22
Connection:
Auto-login username: cisco (or whatever login you use on the sensor)
Connection/SSH:
Preferred SSH protocol version: 1 only
Connection/SSH/Auth:
Private key file for authentication: browse to the .PPK file saved in step 8 above.
Session: (back at the top)
Saved Sessions: (enter the sensor name, click Save)
(11) Click Open.
Use password authentication to log in to the sensor CLI, since we do not yet have the public key on the sensor.
(12) Type the following command in the CLI and press ENTER:
configure terminal
(13) Type the following command in the CLI, but do not press ENTER yet (make sure to type a space at the end):
ssh authorized-key mykey
(14) Right-click in the PuTTY terminal window... causing the material copied to the clipboard in step 5 to be pasted into the CLI.
(15) Press ENTER.
(16) Type the following command in the CLI and press ENTER:
exit
(17) Confirm that the authorized key was entered correctly. Type the following CLI command and press ENTER:
show ssh authorized-keys mykey
(18) Exit the IDS CLI. Type the following CLI command and press ENTER:
exit
=====
In my next post, I will finish these instructions...
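The "Public Exponent" Mike asks about is the second field of the SSH1/RSA1 public-key line that PuTTYgen shows in step 5 above (`bits exponent modulus comment`); with PuTTYgen and ssh-keygen it is 65537 for practically every key. If all you have is a modern OpenSSH `ssh-rsa AAAA...` line (for example from `~/.ssh/id_rsa.pub`), the converter below unpacks the key blob (string `ssh-rsa`, mpint e, mpint n) and emits the `bits e n comment` triple in that layout. It is an added example, not anything from the sensor's tooling or from PuTTY, and the demo modulus is a constructed number rather than a real key. SSH1 itself is a broken protocol that has long been removed from OpenSSH, so this only makes sense for a legacy appliance like the one in this thread.

```python
import base64
import struct


def _mpint(n):
    """SSH mpint: big-endian two's complement, so prepend 0x00 when the top bit is set."""
    if n == 0:
        return b""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def _string(b):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def encode_openssh_rsa(e, n, comment=""):
    """Build an OpenSSH 'ssh-rsa <base64 blob> [comment]' public-key line from e and n."""
    blob = _string(b"ssh-rsa") + _string(_mpint(e)) + _string(_mpint(n))
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def decode_openssh_rsa(line):
    """Return (e, n, comment) from an OpenSSH ssh-rsa public-key line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    comment = parts[2] if len(parts) == 3 else ""
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), comment


def to_rsa1_line(line):
    """'bits exponent modulus [comment]': the SSH1/RSA1 public-key layout PuTTYgen
    displays for an SSH1 key, i.e. the three values the authorized-key step pastes."""
    e, n, comment = decode_openssh_rsa(line)
    out = f"{n.bit_length()} {e} {n}"
    return out + (" " + comment if comment else "")


# Constructed demo values: e is the customary 65537; n is an arbitrary odd 2048-bit
# integer, NOT a real RSA modulus (it only exercises the encoding).
DEMO_E = 65537
DEMO_N = (1 << 2047) | 0x1234_5678_9ABC_DEF1

if __name__ == "__main__":
    line = encode_openssh_rsa(DEMO_E, DEMO_N, "demo@example")
    print(line[:48] + "...")
    print(to_rsa1_line(line)[:64] + "...")
```

Feed it a real `id_rsa.pub` line and the first two fields of the output are the "bits" and "public exponent" the sensor's authorized-key dialog wants; the third is the modulus. Only RSA keys convert this way, since SSH1 knows no other algorithm.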
-
PIX and SSH - access to PIX via SSH
Need help with PIX and SSH.
Objective: connect to the PIX via SSH from IP address 10.1.1.50, behind the inside interface of the PIX, using local AAA on the PIX.
Current settings:
hostname pix1
domain-name example.com
ca generate rsa key 1024
username example password abc123 privilege 15
aaa authentication include ssh inside 10.1.1.50 255.255.255.255 local
ssh 10.1.1.50 255.255.255.255 inside
Thanks for any help!
Try this:
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
-
Are SSH keys protected by a passphrase supported for SSH tunnels?
Using SQL Developer 4.1 I get an error if I try to connect an SSH tunnel using a private key that is protected by a passphrase.
com.jcraft.jsch.JSchException: privatekey: aes256-cbc is not available [B@2ef5d584
    at com.jcraft.jsch.KeyPair.load(KeyPair.java:654)
    at oracle.dbtools.raptor.ssh.RaptorFileIdentity.createIdentity(RaptorFileIdentity.java:26)
    at oracle.dbtools.raptor.ssh.RaptorIdentityRepository.getRepository(RaptorIdentityRepository.java:32)
I don't see anywhere to enter the passphrase; is it supported?
Thank you.
As Jeff said, passphrases are supported. While your key file may require a passphrase, that is not what we tripped over.
Instead, the problem is that SQL Developer does not support aes256-cbc. We don't specify it as a supported encryption algorithm when trying to open the SSH connection, so the key cannot be used. It is a bug; we need to add support for additional cryptographic algorithms beyond the default DES used by ssh-keygen and other default key-generation tools.
In the meantime, if you have control over the key generation, you can try using a different encryption algorithm while preserving the passphrase requirement. The only other solution would be to create the tunnel outside SQL Developer and then manually create connections that go through the tunnel.
-John
SQL Developer team
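The JSch message names the cipher it could not handle (`aes256-cbc`), so the useful check before regenerating anything is to see which container format and which cipher actually protect the key file. The function below is an added example, not SQL Developer or JSch code: it reads the `DEK-Info:` header of a traditional PEM key and the `ciphername` field of the `openssh-key-v1` container, and reports one or the other. The sample key files are constructed (the bodies are filler, not real key material).

```python
import base64
import re
import struct


def _string(b):
    """SSH 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated openssh-key-v1 header")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated openssh-key-v1 header")
    return buf[off:off + length], off + length


def private_key_cipher(text):
    """Return (format, cipher) for the contents of a private key file.
    format: 'pem' (traditional 'RSA PRIVATE KEY' style), 'openssh' (openssh-key-v1
    container), 'pkcs8' or 'unknown'. cipher: 'none' when the key is unencrypted."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown", "none"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        # layout: magic, string ciphername, string kdfname, string kdfoptions, uint32 nkeys, ...
        cipher, off = _read_string(body, len(magic))
        _kdf, off = _read_string(body, off)
        return "openssh", cipher.decode("ascii")
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        # PKCS#8: the cipher is inside the DER structure, not in a text header
        return "pkcs8", "encrypted"
    # Traditional PEM: encryption is announced by RFC 1421 headers before the body
    for line in lines[1:]:
        if line == "":
            break
        m = re.match(r"^DEK-Info:\s*([A-Za-z0-9-]+),", line)
        if m:
            return "pem", m.group(1)
    return "pem", "none"


# Constructed samples (not real keys; the bodies are filler so the parsers run offline).
PEM_AES256 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0102030405060708090A0B0C0D0E0F10

Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
-----END RSA PRIVATE KEY-----
"""

PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
-----END RSA PRIVATE KEY-----
"""


def make_openssh_sample(cipher, kdf):
    """Constructed openssh-key-v1 file with only the header fields filled in."""
    body = (b"openssh-key-v1\x00" + _string(cipher.encode()) + _string(kdf.encode())
            + _string(b"") + struct.pack(">I", 1) + b"\x00" * 16)  # kdfoptions, nkeys, filler
    b64 = base64.b64encode(body).decode("ascii")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, sample in (("pem aes", PEM_AES256), ("pem plain", PEM_PLAIN),
                         ("openssh", make_openssh_sample("aes256-cbc", "bcrypt"))):
        print(name, private_key_cipher(sample))
```

The distinction matters because the two formats name ciphers differently (`AES-256-CBC` in PEM headers, `aes256-cbc` inside the OpenSSH container), and a client that lists ciphers by one spelling may refuse the other. `ssh-keygen -p -m PEM -f <keyfile>` rewrites a key from the OpenSSH container into traditional PEM (it prompts for the old and new passphrase), which is the lever to pull when a client only understands the older format.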
-
VMware ESXi 3.5U4 - reboot removes SSH keys
Hi all,
I have an ESXi server I'm SSH'ing into. I have generated a public/private key pair. I know it is not supported... but I need to do so. I followed the instructions on creating the .ssh directory on the server and put the keys in there.
Unfortunately, it seems that after a restart (initiated through the VI Client) the keys were gone, as was any file that was not part of the original installation. I guess this is the expected behavior. But is there a possible workaround so that I can continue to connect to the server without a password?
Thank you!
You can add your SSH keys to oem.tgz to keep your changes; take a look at this page: http://www.vm-help.com/esx/esx3i/customize_oem_tgz.php
=========================================================================
William Lam
VMware vExpert 2009
Scripts for VMware ESX/ESXi and resources at: http://engineering.ucsb.edu/~duonglt/vmware/
If you find this information useful, please give points to "correct" or "useful".
-
When I press the Command and R keys at startup, my old iMac just boots into the old system rather than starting to install the new system. Help!
Command-R does not work on a 10.6.8 system; you would need 10.7 Lion or later for that. If you are trying to install a new system that you have already downloaded, go to your Applications folder and double-click "Install OS X...".
-
I need help: I spilled juice on my keyboard and some keys do not work. How can I fix this? I tried to remove one of the keys, but that messed it up even more. I NEED HELP. Please, I beg you, tell me a solution for how to fix this!
Replace the keyboard.
-
I bought a security certificate, and the site tells me it has been installed successfully. I need to export the certificate so that I can create public and private keys, but I can't find the certificate to do so.
Firefox (orange Firefox button) > Options > Options > Advanced > Certificates > Authorities > Export
-
The Tab and Ctrl keys do not work in the Firefox browser (my browser is up to date). The keys work in IE and Chrome; until I realized that, I even changed my keyboard for a brand new one, hoping that would solve the problem.
Hello arlusk, the problem is probably an extension that is not working properly. Try Firefox Safe Mode to see if the problem goes away. Safe Mode is a troubleshooting mode which disables most add-ons.
(If you use a theme, switch to the default theme.)
- You can open Firefox 4.0+ in Safe Mode by holding the Shift key when you open the Firefox desktop or Start menu shortcut.
- Or open the Help menu and click on the "Restart with Add-ons Disabled..." menu item while Firefox is running.
Once you get the pop-up, just select "Start in Safe Mode".
If the issue is not present in Firefox Safe Mode, your problem is probably caused by an extension, and you need to figure out which one. To do this, please follow the article "Troubleshooting extensions, themes and hardware acceleration issues to solve common Firefox problems".
To exit Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox again for normal use.
When you find what is causing your problems, please let us know. It might help others who have the same problem.
Thank you.