SSH Cisco ASA5505

 
 
Julius
Guest
Posts: n/a
 
      03-14-2008
I have a new ASA5505 that I am using in transparent firewall mode.

I can't figure out how to enable SSH and use it remotely?


Any advice is appreciated!


Thanks!
 
 
 
 
 
Doan
Guest
Posts: n/a
 
      03-15-2008

On Fri, 14 Mar 2008, Julius wrote:

> I have a new ASA5505 that I am using in transparent firewall mode.
>
> I can't figure out how to enable SSH and use it remotely?
>
>
> Any advice is appreciated!
>
>
> Thanks!


First, generate your public/private keys with:
crypto key generate rsa modulus <modulus_size>
Second, enable ssh from the ip address that you want to manage the ASA
from.
ssh <ip> <mask> outside

The ip address of the BVI is the management ip address.

Doan

 
 
 
 
 
Julius
Guest
Posts: n/a
 
      04-11-2008
On Mar 14, 9:00 pm, Doan <d...@usc.edu> wrote:
> On Fri, 14 Mar 2008, Julius wrote:
> > I have a new ASA5505 that I am using in transparent firewall mode.

>
> > I can't figure out how to enable SSH and use it remotely?

>
> > Any advice is appreciated!

>
> > Thanks!

>
> First, generate your public/private keys with:
> crypto key generate rsa modulus <modulus_size>
> Second, enable ssh from the ip address that you want to manage the ASA
> from.
> ssh <ip> <mask> outside
>
> The ip address of the BVI is the management ip address.
>
> Doan


I have tried these steps and they only work on the inside interface. I
am still not able to connect from the outside interface.

I even tried

ssh 0.0.0.0 0.0.0.0 outside

and set a password.

Am I missing something?
 
 
Doan
Guest
Posts: n/a
 
      04-11-2008
On Fri, 11 Apr 2008, Julius wrote:

> On Mar 14, 9:00 pm, Doan <d...@usc.edu> wrote:
> > On Fri, 14 Mar 2008, Julius wrote:
> > > I have a new ASA5505 that I am using in transparent firewall mode.

> >
> > > I can't figure out how to enable SSH and use it remotely?

> >
> > > Any advice is appreciated!

> >
> > > Thanks!

> >
> > First, generate your public/private keys with:
> > crypto key generate rsa modulus <modulus_size>
> > Second, enable ssh from the ip address that you want to manage the ASA
> > from.
> > ssh <ip> <mask> outside
> >
> > The ip address of the BVI is the management ip address.
> >
> > Doan

>
> I have tried these steps and they only work on the inside interface. I
> am still not able to connect from the outside interface.
>
> I even tried
>
> ssh 0.0.0.0 0.0.0.0 outside
>
> and set a password.
>
> Am I missing something?
>

Do you have an access-list on the outside interface? Check to see if you
are allowing ssh in.

Doan


 
 
Cisco Kid
Junior Member
Join Date: May 2009
Posts: 1
 
      05-12-2009
Yes, you must add an ACE to the incoming ACL of the interface. To do this first use a "show run access-group" which will return:

access-group [name] in interface [interface_name]

where [name] is the name of the ACL. Next type "show access-list [name]" which will return something like:

access-list [name]; 4 elements
access-list [name] line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xb4c01cc9
access-list [name] line 2 extended permit icmp any any unreachable (hitcnt=210) 0x53e4469e
access-list [name] line 3 extended permit icmp any any time-exceeded (hitcnt=0) 0x5e6e617b


Notice that in this example the last line of the ACL is line 3. Yours will be different. Choose the next line, which in this example would be line 4. This will be the line number for your new ACE. Enter terminal configuration using "conf t" and then enter:

access-list [name] line 4 extended permit tcp any host [external ip] eq ssh

where [name] is the name of the ACL, the line number is whatever the next line in your ACL is, and [external ip] is the external ip address of your ASA.


Since you are using transparent mode, the external ip address is just the ip address or name of the interface to which you will SSH.
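
The procedure in the post above, as an added example that is not part of the original thread: it parses "show access-list" output, picks the next free line number, and builds the SSH ACE, skipping it when an identical entry already exists. The ACL name outside_in, the function names and the documentation-range addresses are assumptions; the source is taken as a management network rather than always "any", in line with the earlier advice to enable ssh from the address you manage from.

```python
import ipaddress
import re

# One ACE line of "show access-list" output, in the format quoted in the post above.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+(.*?)(?:\s+\(hitcnt=\d+\).*)?$"
)

# Constructed sample: the post's three ACEs with an assumed ACL name.
SAMPLE = """\
access-list outside_in; 4 elements
access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xb4c01cc9
access-list outside_in line 2 extended permit icmp any any unreachable (hitcnt=210) 0x53e4469e
access-list outside_in line 3 extended permit icmp any any time-exceeded (hitcnt=0) 0x5e6e617b
"""


def parse_aces(show_output, acl_name):
    """Return {line_number: ace_text} for the ACL named acl_name."""
    aces = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group(1) == acl_name:  # the "; N elements" header never matches
            aces[int(m.group(2))] = m.group(3).strip()
    return aces


def ssh_ace(show_output, acl_name, mgmt_net, asa_ip):
    """Build the ACE command to append, or None if the same ACE is already present."""
    net = ipaddress.IPv4Network(mgmt_net)  # ValueError on host bits or bad input
    dst = ipaddress.IPv4Address(asa_ip)
    if net.prefixlen == 32:
        src = f"host {net.network_address}"
    elif net.prefixlen == 0:
        src = "any"
    else:
        src = f"{net.network_address} {net.netmask}"  # ASA ACLs take a subnet mask
    body = f"permit tcp {src} host {dst} eq ssh"
    aces = parse_aces(show_output, acl_name)
    if body in aces.values():
        return None
    next_line = max(aces, default=0) + 1  # last existing line + 1, as in the post
    return f"access-list {acl_name} line {next_line} extended {body}"


if __name__ == "__main__":
    print(ssh_ace(SAMPLE, "outside_in", "192.0.2.0/24", "198.51.100.10"))
```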
 