Cisco ASA 5505 not permitting SSH/HTTPS

Discussion in 'Hardware' started by aphex, May 13, 2008.

    So to preface my situation:
    I have already set up this device in one location and haven't had any issues connecting to it while on the local subnet or remotely. In fact, she's worked like a champ; however, I'm not having the same luck with the new unit. The only difference between the two units is that the one that is successfully working is pulling DHCP from my ISP, while the new unit has a static IP address. Everything is working/getting forwarded properly with the exception of remote SSH/HTTPS (for ASDM).

    This is the current log error: 4 May 13 2008 17:52:36 106023 74.66.2.40 68.236.1.1 Deny tcp src outside:74.66.9.9/6439 dst inside:68.236.1.1/22 by access-group "outside_access_in" [0x0, 0x0]

    Although it wasn't required on the first unit I set up, I tried adding an ACL to permit traffic using: access-list outside_access_in extended permit tcp 0.0.0.0 0.0.0.0 interface outside eq ssh

    However, the new log error is: 2 May 13 2008 18:08:47 106016 Deny IP spoof from (74.66.9.9) to 68.236.1.1 on interface outside

    Ultimately I have removed that and below is my current running-config:

    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ASA5505-L
    domain-name *****.com
    enable password /6PwnBEvY9QuBfqa encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 68.236.1.1 255.255.255.0
    !
    interface Vlan3
    shutdown
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd /6PwnBEvY9QuBfqa encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name ****.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any interface outside eq domain
    access-list outside_access_in extended permit udp any interface outside eq domain
    access-list outside_access_in extended permit tcp any interface outside eq www
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 68.236.2.2 interface outside eq 211
    access-list outside_access_in extended permit tcp host 68.161.3.3 interface outside eq 211
    access-list outside_access_in extended permit tcp host 68.161.2.2 interface outside eq rtsp
    access-list outside_access_in extended permit tcp host 68.161.3.3 interface outside eq rtsp
    access-list outside_access_in extended permit tcp host 68.236.2.2 interface outside eq 1194
    access-list outside_access_in extended permit tcp host 68.236.3.3 interface outside eq 1194
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface domain 192.168.1.149 domain netmask 255.255.255.255
    static (inside,outside) udp interface domain 192.168.1.149 domain netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.1.149 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.1.149 www netmask 255.255.255.255
    static (inside,outside) tcp interface 211 192.168.1.149 211 netmask 255.255.255.255
    static (inside,outside) tcp interface rtsp 192.168.1.149 rtsp netmask 255.255.255.255
    static (inside,outside) tcp interface 1194 192.168.1.149 1194 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 68.236.191.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 1
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    ssh version 2
    console timeout 0

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:1c740a779931f42e1aa73f8cebfc5136
    : end
    aphex, May 13, 2008
    #1
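The post quotes two ASA log messages and a running-config whose `ssh`/`http` lines decide who may reach the box's own management services. As an added example (written for this page, not code from the original post or from Cisco), the Python script below parses those two syslog lines (copied from the post as constructed sample input) and evaluates the four management-access lines from the config the way the ASA does: the address/mask pair is a network mask, so `0.0.0.0 0.0.0.0` means any source, while `0.0.0.0 255.255.255.255` means host 0.0.0.0 only. The names `SYSLOG_LINES`, `MGMT_LINES`, `parse_syslog`, `parse_mgmt`, `mgmt_permitted` and `audit_mgmt` are this example's own; nothing here claims to be the root cause of the poster's problem, it only shows what the posted lines permit.

```python
"""Added example (not from the original post): parse the ASA syslog lines
quoted in the thread and evaluate the ASA 'ssh'/'http' management-access
statements from the posted running-config. Standard library only."""
import ipaddress
import re

# Constructed sample input: the two log lines and the four management-access
# lines exactly as they appear in the post above.
SYSLOG_LINES = [
    '4 May 13 2008 17:52:36 106023 74.66.2.40 68.236.1.1 Deny tcp src '
    'outside:74.66.9.9/6439 dst inside:68.236.1.1/22 by access-group '
    '"outside_access_in" [0x0, 0x0]',
    '2 May 13 2008 18:08:47 106016 Deny IP spoof from (74.66.9.9) to '
    '68.236.1.1 on interface outside',
]

MGMT_LINES = [
    "http 0.0.0.0 255.255.255.255 outside",
    "http 192.168.1.0 255.255.255.0 inside",
    "ssh 192.168.1.0 255.255.255.0 inside",
    "ssh 0.0.0.0 0.0.0.0 outside",
]

# 106023: packet denied by an interface access-group (ASDM and %ASA-4- forms).
RE_106023 = re.compile(
    r'106023.*?Deny (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)'
    r' by access-group "(?P<acl>[^"]+)"')
# 106016: source address rejected by the ASA's anti-spoofing check.
RE_106016 = re.compile(
    r'106016:? Deny IP spoof from \((?P<sip>[\d.]+)\) to (?P<dip>[\d.]+)'
    r' on interface (?P<iface>\S+)')


def parse_syslog(line):
    """Return a dict of fields for a 106023 or 106016 line, else None."""
    for msg_id, rx in (("106023", RE_106023), ("106016", RE_106016)):
        m = rx.search(line)
        if m:
            fields = m.groupdict()
            fields["id"] = msg_id
            return fields
    return None


def parse_mgmt(lines):
    """Parse 'ssh|http <addr> <mask> <iface>' lines into (service, network, iface).

    The ASA takes a real network mask here (not a wildcard mask), so
    ipaddress.IPv4Network((addr, mask)) reproduces the matching semantics:
    0.0.0.0/0.0.0.0 -> 0.0.0.0/0 (any); 0.0.0.0/255.255.255.255 -> 0.0.0.0/32.
    """
    rules = []
    for ln in lines:
        parts = ln.split()
        if len(parts) == 4 and parts[0] in ("ssh", "http"):
            svc, addr, mask, iface = parts
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            rules.append((svc, net, iface))
    return rules


def mgmt_permitted(rules, service, src_ip, iface):
    """True if src_ip may open `service` (ssh/http) to the box on `iface`."""
    src = ipaddress.IPv4Address(src_ip)
    return any(svc == service and ifc == iface and src in net
               for svc, net, ifc in rules)


def audit_mgmt(rules):
    """Flag statements that are either wide open or match no real client."""
    findings = []
    for svc, net, iface in rules:
        if net.prefixlen == 0:
            findings.append(f"{svc} on {iface}: open to any source ({net})")
        elif net.num_addresses == 1 and str(net.network_address) == "0.0.0.0":
            findings.append(f"{svc} on {iface}: mask 255.255.255.255 on 0.0.0.0 "
                            "matches only host 0.0.0.0, so no real client matches")
    return findings


if __name__ == "__main__":
    for ln in SYSLOG_LINES:
        print(parse_syslog(ln))
    rules = parse_mgmt(MGMT_LINES)
    for svc in ("ssh", "http"):
        print(svc, "from 74.66.9.9 on outside:",
              mgmt_permitted(rules, svc, "74.66.9.9", "outside"))
    for f in audit_mgmt(rules):
        print("finding:", f)
```

Run against the posted lines, the audit shows the `ssh 0.0.0.0 0.0.0.0 outside` line exposes SSH on the Internet-facing interface to every source address, which is the setting a practitioner would narrow to the specific management hosts, and the `http 0.0.0.0 255.255.255.255 outside` line cannot admit any remote ASDM client at all; an "any" rule for HTTP would need the `0.0.0.0 0.0.0.0` form, ideally also restricted to known hosts.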