Cisco ASA 5505 not permitting SSH/HTTPS
16 years 6 months ago #26089
by aphex
Cisco ASA 5505 not permitting SSH/HTTPS was created by aphex
So to preface my situation:
I have already set up this device in one location and haven't had any issues connecting to it while on the local subnet or remotely. In fact, she's worked like a champ; however, I'm not having the same luck with the new unit. The only difference between the two units is that the one that is successfully working is pulling DHCP from my ISP, while the new unit has a static IP address... and to be honest, this shouldn't matter. Everything is working/getting forwarded properly with the exception of remote SSH/HTTPS (for ASDM). There are no other pieces of hardware between the 5505 and the DSL box from my ISP.
This is the current log error: 4 May 13 2008 17:52:36 106023 74.66.9.9 68.236.1.1 Deny tcp src outside:74.66.9.9/6439 dst inside:68.236.1.1/22 by access-group "outside_access_in" [0x0, 0x0]
Although it wasn't required on the first unit I set up, I tried adding an ACL to permit traffic using: access-list outside_access_in extended permit tcp 0.0.0.0 0.0.0.0 interface outside eq ssh
However, the new log error is: 2 May 13 2008 18:08:47 106016 Deny IP spoof from (74.66.9.9) to 68.236.1.1 on interface outside
Ultimately I have removed that and below is my current running-config:
: Saved
:
ASA Version 7.2(3)
!
hostname ASA5505-L
domain-name *****.com
enable password /6PwnBEvY9QuBfqa encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 68.236.1.1 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd /6PwnBEvY9QuBfqa encrypted
banner asdm You are now logged into Lincoln.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 84.105.7.7 interface outside eq 211
access-list outside_access_in extended permit tcp host 74.66.9.9 interface outside eq 211
access-list outside_access_in extended permit tcp host 68.236.2.2 interface outside eq 211
access-list outside_access_in extended permit tcp host 68.161.3.3 interface outside eq 211
access-list outside_access_in extended permit tcp host 68.161.2.2 interface outside eq rtsp
access-list outside_access_in extended permit tcp host 68.161.3.3 interface outside eq rtsp
access-list outside_access_in extended permit tcp host 68.236.2.2 interface outside eq 1194
access-list outside_access_in extended permit tcp host 68.236.3.3 interface outside eq 1194
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface domain 192.168.1.149 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.149 domain netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.149 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.149 www netmask 255.255.255.255
static (inside,outside) tcp interface 211 192.168.1.149 211 netmask 255.255.255.255
static (inside,outside) tcp interface rtsp 192.168.1.149 rtsp netmask 255.255.255.255
static (inside,outside) tcp interface 1194 192.168.1.149 1194 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.236.191.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 1
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb3e1e7c5ba938aaa4e8e46605169abb
: end
16 years 6 months ago #26092
by sp1k3tou
Replied by sp1k3tou on topic Re: Cisco ASA 5505 not permitting SSH/HTTPS
Ok, the first thing I would remove, just for security, is the http allow any IP address from the outside and the ssh allow any IP address from the outside, and only allow the IP addresses of the people that will be administrating it from the net.
Then I would add username authentication also.
Next, to fix your problem you need to add this line below so that you can log in. What it does is let the enable password that is in your config be used for authentication.
aaa authentication ssh console LOCAL
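An added example, written for this thread and not code from the poster or from Cisco: a small Python audit that applies sp1k3tou's first recommendation to a config like the one posted. It flags ssh/http management-access lines on the outside interface that admit more than a single host (0.0.0.0 0.0.0.0 being the worst case) and reports when no aaa authentication ssh console line is present. The config excerpt is constructed from the management-access lines of the posted running-config; the interface name "outside" and the /32 threshold are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above (management-access lines only).
SAMPLE_CONFIG = """\
hostname ASA5505-L
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
"""

# "ssh <net> <mask> <ifname>" / "http <net> <mask> <ifname>": who may reach the box itself.
MGMT_RE = re.compile(r"^(ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
AAA_SSH_RE = re.compile(r"^aaa authentication ssh console \S+", re.M)


def parse_mgmt_access(config):
    """Return (service, network, interface) for every ssh/http access line."""
    entries = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            svc, net, mask, ifname = m.groups()
            # ipaddress accepts a dotted netmask after the slash (0.0.0.0 -> /0).
            entries.append((svc, ipaddress.ip_network(f"{net}/{mask}", strict=False), ifname))
    return entries


def audit_mgmt_access(config, outside_if="outside"):
    """Return (severity, message) findings for management-plane exposure on the outside interface."""
    findings = []
    for svc, net, ifname in parse_mgmt_access(config):
        if ifname == outside_if and net.prefixlen < 32:
            # 0.0.0.0 0.0.0.0 means any Internet host may attempt to log in.
            sev = "high" if net.prefixlen == 0 else "medium"
            findings.append((sev, f"{svc} on {ifname} open to {net}; restrict to admin host IPs"))
    if not AAA_SSH_RE.search(config):
        findings.append(("medium", "no 'aaa authentication ssh console' line; "
                                   "SSH logins are not tied to local user accounts"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the posted config it reports two high findings (http and ssh open to 0.0.0.0/0 on outside) and the missing aaa line; with the outside entries narrowed to the admin's host and the aaa line added it reports nothing.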
16 years 6 months ago #26093
by aphex
Turns out power cycling the device fixed the issue. Not really sure why, since the running config is identical.
Anyway, I left everything outside at 0.0.0.0 intentionally for testing purposes, since undoubtedly someone would have suggested making it 0.0.0.0 if I had restricted incoming connections to specific IPs. :lol:
Thanks!