  • 5510 IOS 8.4 upgrade. Lost SSH

    Recently upgraded two 5510s configured in Active/Standby from IOS 8.2 to 8.4.
    Prior to the upgrade, I had SSH access, but no longer. Looking over my config, it looks like I'm missing the line that tells ssh to allow access through.

    Result of the command: "SH SSH"

    Timeout: 5 minutes
    Versions allowed: 1 and 2


    When trying to enter ssh 0.0.0.0 0.0.0.0 outside, it comes back with:

    ERROR: Unable to configure service on port 22, on interface 'outside'. This port is currently in use by another feature
    Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>
    [no] ssh timeout <number>
    [no] ssh version 1|2
    [no] ssh scopy enable
    show ssh [sessions [<client_ip>]]
    ssh disconnect <session_id>
    show running-config [all] ssh
    clear configure ssh


    It appears that SOMETHING is listening on 22

    Protocol Socket Local Address Foreign Address State
    TCP 0002871f [OUTSIDE IP OMITTED]:22 0.0.0.0:* LISTEN
    SSL 0249946f [OUTSIDE IP OMITTED]:443 0.0.0.0:* LISTEN
    SSL 02724598 [OUTSIDE IP OMITTED]:443 [OMITTED].1:18397 ESTAB
    SSL 02735c08 [OUTSIDE IP OMITTED]:443 [OMITTED].1:49547 ESTAB
    SSL 030be848 [OUTSIDE IP OMITTED]:443 [OMITTED].1:35678 ESTAB


    I've been hoping that it's just something simple that I've missed, but I have beaten my head on it for so long that I'm not seeing it.

    Whole Config:
    : Saved
    :
    ASA Version 8.4(1)
    !
    firewall transparent
    hostname [OMITTED]
    enable password hQeQwqdgfeBvU/IT encrypted
    passwd Aek.dNhic4ap/KRp encrypted
    names
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    name [OMITTED]
    !
    interface Ethernet0/0
    speed 1000
    duplex full
    nameif outside
    bridge-group 1
    security-level 0
    !
    interface Ethernet0/1
    nameif inside
    bridge-group 1
    security-level 100
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    !
    interface Ethernet0/3
    description LAN Failover Interface
    !
    interface Management0/0
    nameif management
    security-level 0
    management-only
    !
    interface BVI1
    ip address [OMITTED]
    !
    banner login Unauthorized access is prohibited. Voilators will be prosecuted.
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    clock timezone EST -5
    object-group network [OMITTED]
    description [OMITTED]
    network-object host [OMITTED]
    network-object host [OMITTED]
    network-object host [OMITTED]
    network-object host [OMITTED]
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group network staging-web-servers
    description Staging Web Servers
    network-object host vps-web1
    network-object host vps-web2
    object-group network staging-sql-servers
    description Staging SQL Servers
    network-object host vps-sql1
    network-object host vps-sql2
    object-group network production-web-servers
    description Production Web Servers
    network-object host web1
    network-object host web2
    network-object host web3
    network-object host web4
    object-group network production-sql-servers
    description Production SQL Servers
    network-object host sql1
    network-object host sql2
    object-group service filezilla tcp
    port-object eq ftp
    port-object range 20000 21000
    object-group network ftp-servers
    description Staging and Production FTP Servers
    network-object host vps-web1
    network-object host web1
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    access-list outside_access_in remark [OMITTED]
    access-list outside_access_in extended permit ip object-group [OMITTED] any
    access-list outside_access_in extended permit tcp any interface outside eq ssh
    access-list outside_access_in remark RDP from everywhere NOT GOOD
    access-list outside_access_in extended permit tcp any any eq 3389
    access-list outside_access_in remark HTTP and HTTPS to Staging Web Servers
    access-list outside_access_in extended permit tcp any object-group staging-web-servers object-group DM_INLINE_TCP_1
    access-list outside_access_in remark HTTP and HTTPS to Production Web Servers
    access-list outside_access_in extended permit tcp any object-group production-web-servers object-group DM_INLINE_TCP_1
    access-list outside_access_in remark FTP to web1 and vps-web1
    access-list outside_access_in extended permit tcp any object-group ftp-servers object-group filezilla
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit ip any any log debugging
    pager lines 24
    logging enable
    logging standby
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    failover
    failover lan unit secondary
    failover lan interface Failover Ethernet0/3
    failover key *****
    failover replication http
    failover mac address Ethernet0/0 f866.f2b1.5362 f866.f2b1.5330
    failover interface ip Failover 192.168.1.2 255.255.255.0 standby 192.168.1.1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 [OMITTED] 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    snmp-server host outside [OMITTED] poll community *****
    snmp-server host outside [OMITTED] poll community *****
    snmp-server host inside [OMITTED] poll community *****
    snmp-server host outside [OMITTED] poll community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username root password uDjpCz4hUzIDq4kM encrypted
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:c39ef12d8d165c020f301b9f289e2167
    : end


    Cheers!
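The post above boils down to two config-review questions: which interfaces actually have an `ssh <ip> <mask> <if_name>` statement (the poster's config has none, only `ssh timeout 5` and `aaa authentication ssh console LOCAL`), and how exposed the management plane and inbound ACL are on the outside interface (the config itself remarks "RDP from everywhere NOT GOOD", and the last `outside_access_in` entry permits `ip any any`). The script below is an added example for this thread, not code from the original poster or from Cisco: it parses a constructed excerpt modelled on the posted config and reports those conditions. The regexes cover only the plain `ssh`/`telnet`/`http` access lines and `extended permit ... any any` ACL entries shown in the thread; object-group based rules are assumed out of scope and are skipped.

```python
"""Audit a Cisco ASA running-config excerpt for management-plane exposure.

Added example for this thread (not the poster's or Cisco's code). It reports:
  * ssh/telnet/http access statements that admit any source (0.0.0.0 0.0.0.0),
  * 'aaa authentication ssh console' present with no 'ssh <ip> <mask> <if>' line,
  * inbound-bound access-list entries that permit any -> any.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark RDP from everywhere NOT GOOD
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit ip any any log debugging
access-group outside_access_in in interface outside
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
"""

# <service> <ip> <mask> <if_name>; 'ssh timeout 5' and 'http server enable' have
# only three tokens and therefore do not match.
MGMT_RE = re.compile(r"^(ssh|telnet|http)\s+(\S+)\s+(\S+)\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


@dataclass
class Finding:
    severity: str
    message: str


def parse_mgmt_access(lines):
    """Return {(service, interface): [(ip, mask), ...]} for ssh/telnet/http lines."""
    access = {}
    for line in lines:
        m = MGMT_RE.match(line.strip())
        if m:
            svc, ip, mask, ifname = m.groups()
            access.setdefault((svc, ifname), []).append((ip, mask))
    return access


def audit(config_text):
    """Return a list of Finding objects for the given config text."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    access = parse_mgmt_access(lines)
    for (svc, ifname), nets in access.items():
        for ip, mask in nets:
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(Finding(
                    "high", f"{svc} management access to interface '{ifname}' allowed from any source"))

    # SSH authentication configured, but no interface will accept an SSH client.
    has_ssh_aaa = any(l.startswith("aaa authentication ssh console") for l in lines)
    ssh_ifaces = [ifname for (svc, ifname) in access if svc == "ssh"]
    if has_ssh_aaa and not ssh_ifaces:
        findings.append(Finding(
            "info", "aaa authentication for ssh is set but no 'ssh <ip> <mask> <if>' line exists; "
                    "SSH is refused on every interface"))

    # Only ACLs actually bound inbound to an interface matter here.
    bound = {}
    for l in lines:
        g = GROUP_RE.match(l)
        if g:
            bound[g.group(1)] = g.group(2)
    for l in lines:
        m = ACL_RE.match(l)
        if not m or m.group(1) not in bound:
            continue
        name, proto, rest = m.groups()
        tokens = rest.split()
        if "log" in tokens:                      # drop trailing 'log <level>'
            tokens = tokens[:tokens.index("log")]
        if tokens[:2] == ["any", "any"]:
            port = " ".join(tokens[2:]) or "all ports"
            findings.append(Finding(
                "high", f"ACL {name} (inbound on {bound[name]}) permits {proto} any -> any {port}"))
    return findings


def severity_counts(config_text):
    """Summarise audit() output as {severity: count}."""
    counts = {}
    for f in audit(config_text):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run against the excerpt it reports the open HTTP/ASDM access from any source on outside, the missing `ssh` access line, the `any any eq 3389` rule and the catch-all `ip any any` at the end of the inbound ACL. The same checks run unchanged against a full `show running-config` dump saved to a file.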

  • #2
    Re: 5510 IOS 8.4 upgrade. Lost SSH

    UPDATE
    FYI, I ran "ssh 0.0.0.0 0.0.0.0 inside" and can SSH from behind them, but still want external SSH access.
