Solved

No SSH access through ASA 5510

Posted on 2010-03-31
Last Modified: 2012-05-09
I've been alerted by a vendor that they can no longer access their server (SSH) that is sitting behind our ASA 5510. The config hasn't changed, and the "Packet Tracer" tool in ASDM shows that the packets shouldn't be blocked. I don't see anything in the config to suggest that it would be, so I decided to NAT one of my Linux servers to a public IP and allow SSH into it. Turns out it didn't make the connection either; however, another Linux server that we have still works fine being connected to via SSH from the outside. It, however, is on our DMZ subnet, but there doesn't seem to be anything that I can see in the below config that is set up differently for this server.

Anyone see something that I don't? The server in question is x.x.x.100


ASA Version 8.2(2)
!
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.0 standby X.X.X.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address Q.Q.Q..1 255.255.255.0 standby Q.Q.Q..2
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address Z.Z.Z.1 255.255.255.0 standby Z.Z.Z.2
!
interface Ethernet0/3
 nameif JC-POLICE
 security-level 99
 ip address Y.Y.Y..1 255.255.255.0 standby Y.Y.Y..3
!
interface Management0/0
 description LAN/STATE Failover Interface
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup JC-POLICE
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service PowerChuteNetworkShutdown tcp
 port-object eq 161
 port-object eq 162
 port-object eq 3052
 port-object eq www
object-group service DNS udp
 port-object eq domain
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object host SQLServer
 network-object host JCPDW
 network-object host watson.our-domain.org
object-group network DNS-Internal
 description Our internal DNS servers
 network-object host B.B.10.13
 network-object host B.B.10.9
object-group service forms.radiosoft.com
 service-object tcp-udp eq 20700
 service-object tcp-udp eq 20710
 service-object tcp-udp eq 20711
 service-object tcp-udp eq 20712
 service-object tcp-udp eq 20730
 service-object tcp-udp eq 20732
 service-object tcp-udp eq 20734
 service-object tcp-udp eq 20735
 service-object tcp-udp eq 20737
 service-object tcp-udp eq 20870
object-group service RDP tcp-udp
 port-object eq 3389
object-group service GPS_SW_Ports tcp-udp
 port-object eq 20500
 port-object eq 20510
 port-object eq 3156
 port-object eq 3256
 port-object range 700 701
object-group network DM_INLINE_NETWORK_2
 network-object 10.0.0.0 255.0.0.0
 network-object Y.Y.Y..0 255.255.255.0
access-list 101 extended permit tcp any host X.X.X.43 eq www
access-list 101 extended permit tcp any host X.X.X.43 eq https
access-list 101 extended permit tcp any host X.X.X.42 eq nntp
access-list 101 extended permit tcp any host X.X.X.42 eq https
access-list 101 extended permit tcp any host X.X.X.43 eq smtp
access-list 101 extended permit tcp any host IronPort2_Public eq smtp
access-list 101 extended permit tcp any host IronPort1_Public eq smtp
access-list 101 extended permit tcp any host X.X.X.42 eq smtp
access-list 101 extended permit udp any host X.X.X.42 eq ntp
access-list 101 extended permit tcp any host X.X.X.42 eq daytime
access-list 101 extended deny tcp any host X.X.X.42 eq 135
access-list 101 extended deny tcp any host X.X.X.43 eq 135
access-list 101 extended deny udp any host X.X.X.43 eq 135
access-list 101 extended deny udp any host X.X.X.42 eq 135
access-list 101 extended deny tcp any host X.X.X.42 eq 8998
access-list 101 extended deny tcp any host X.X.X.43 eq 8998
access-list 101 extended deny udp any host X.X.X.42 eq 8998
access-list 101 extended deny udp any host X.X.X.43 eq 8998
access-list 101 extended deny tcp any host X.X.X.45 eq 135
access-list 101 extended deny tcp any host X.X.X.45 eq 8998
access-list 101 extended permit tcp any host X.X.X.45 eq www
access-list 101 extended permit tcp any host X.X.X.45 eq https
access-list 101 extended permit tcp any host X.X.X.47 eq pcanywhere-data
access-list 101 extended permit udp any host X.X.X.47 eq pcanywhere-status
access-list 101 extended deny tcp any host X.X.X.47 eq 135
access-list 101 extended deny tcp any host X.X.X.47 eq 8998
access-list 101 extended permit tcp any host X.X.X.47 eq www
access-list 101 extended permit tcp any host X.X.X.47 eq https
access-list 101 extended permit tcp any host X.X.X.42 eq 2703
access-list 101 extended permit udp any host X.X.X.42 eq 2703
access-list 101 extended permit tcp any host X.X.X.40 eq www
access-list 101 remark Mail Server
access-list 101 extended permit tcp any host X.X.X.42 eq www
access-list 101 extended permit tcp any host X.X.X.43 eq ssh
access-list 101 extended permit tcp any host X.X.X.46 eq www
access-list 101 extended permit tcp any host X.X.X.46 eq https
access-list 101 extended permit tcp any host X.X.X.46 eq smtp
access-list 101 extended deny tcp any host X.X.X.46 eq 135
access-list 101 extended deny udp any host X.X.X.46 eq 135
access-list 101 extended deny tcp any host X.X.X.46 eq 8998
access-list 101 extended deny udp any host X.X.X.46 eq 8998
access-list 101 remark Mail Server
access-list 101 extended deny tcp any host X.X.X.42 eq 6346
access-list 101 extended deny tcp any host X.X.X.43 eq 6346
access-list 101 remark Mail Server
access-list 101 extended deny tcp any host X.X.X.42 eq 6881
access-list 101 extended deny tcp any host X.X.X.43 eq 6881
access-list 101 extended permit ip host 75.130.49.126 host X.X.X.46
access-list 101 extended permit tcp any any eq ftp
access-list 101 extended permit tcp any host X.X.X.50 eq https
access-list 101 extended permit tcp any host X.X.X.50 eq www
access-list 101 remark Mail Server
access-list 101 extended permit tcp any host X.X.X.42 eq 26675
access-list 101 extended permit tcp any host X.X.X.51 eq https
access-list 101 extended permit tcp any host X.X.X.51 eq www
access-list 101 extended permit tcp any any eq 5492
access-list 101 remark Mail Server
access-list 101 extended permit udp any host X.X.X.42 eq isakmp
access-list 101 extended permit tcp any host X.X.X.48 eq www
access-list 101 extended permit tcp any host X.X.X.48 eq https
access-list 101 extended permit tcp host SaratogaWebSiteSupport host X.X.X.48 eq ssh
access-list 101 extended permit tcp any host X.X.X.48 eq smtp
access-list 101 extended permit tcp any host X.X.X.49 eq www
access-list 101 extended permit tcp any host X.X.X.49 eq https
access-list 101 extended permit tcp any host X.X.X.49 eq smtp
access-list 101 remark GPS Server
access-list 101 extended permit object-group TCPUDP any host X.X.X.55 eq 5017
access-list 101 remark GPS Server
access-list 101 extended permit object-group TCPUDP any host X.X.X.55 eq 5018
access-list 101 remark GPS Server
access-list 101 extended permit tcp any host X.X.X.55 eq 5050
access-list 101 remark Fire Truck
access-list 101 extended permit object-group TCPUDP any host X.X.X.48 eq 2086
access-list 101 extended permit tcp host NS1 host X.X.X.60 object-group PowerChuteNetworkShutdown
access-list 101 extended permit tcp host NS2 host X.X.X.60 object-group PowerChuteNetworkShutdown
access-list 101 remark ICMP
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 GPS_Trucks 255.255.254.0 host GPS_Server_SW object-group GPS_SW_Ports
access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 GPS_SW_RDP 255.255.255.224 host GPS_Server_SW object-group RDP
access-list 101 extended permit ip Q.Q.Q.51.0 255.255.255.0 any
access-list 101 extended permit ip host A-216.248.167.178 host X.X.X.39
access-list 101 extended permit ip host 216.248.167.177 host X.X.X.39
access-list 101 extended permit tcp host A-24.187.221.146 host X.X.X.100 eq ssh
access-list 101 extended permit tcp host A-64.45.231.89 host X.X.X.100 eq ssh
access-list 101 extended permit tcp host A-64.81.126.163 host X.X.X.100 eq ssh
access-list 100 extended permit ip any Q.Q.Q.50.0 255.255.255.0
access-list 100 extended permit ip any Q.Q.Q.51.0 255.255.255.0
access-list 100 extended permit ip Q.Q.Q.51.0 255.255.255.0 host Y.Y.Y..41
access-list 133 extended permit tcp host Z.Z.Z.10 host Z.Z.Z.3 eq smtp
access-list 133 extended deny ip any Q.Q.Q..0 255.255.255.0
access-list 133 extended permit ip any any
access-list 133 extended permit tcp any host Z.Z.Z.20 eq pcanywhere-data
access-list 133 extended permit udp any host Z.Z.Z.20 eq pcanywhere-status
access-list 133 extended permit tcp host Z.Z.Z.46 host Z.Z.Z.3 eq smtp
access-list 133 extended permit tcp host Z.Z.Z.48 host Z.Z.Z.3 eq smtp
access-list 133 extended permit tcp host Z.Z.Z.49 host Z.Z.Z.3 eq smtp
access-list 133 extended permit tcp host X.X.X.48 any eq 2089
access-list stop extended permit ip any host Y.Y.Y..1
access-list stop extended permit ip any host 63.64.181.6
access-list stop extended permit ip host B.B.10.17 any
access-list stop extended permit ip any Q.Q.Q.50.0 255.255.255.0
access-list stop extended permit ip any Q.Q.Q.51.0 255.255.255.0
access-list stop extended permit ip any B.B.10.0 255.255.255.0
access-list stop extended permit ip any host 172.142.78.243
access-list stop extended permit udp any any eq isakmp
access-list stop extended permit udp any any eq 501
access-list stop extended permit esp any any
access-list stop extended permit ip B.B.10.0 255.255.255.0 any
access-list stop extended permit ip any Z.Z.Z.0 255.255.255.0
access-list stop extended permit udp any any
access-list stop extended permit ip host Z.Z.Z.10 host B.B.25.40
access-list stop extended permit tcp host Z.Z.Z.10 host X.X.X.60 object-group PowerChuteNetworkShutdown
access-list stop extended permit object-group forms.radiosoft.com any host forms.radiosoft.com
access-list stop extended permit tcp host Z.Z.Z.30 host X.X.X.60 object-group PowerChuteNetworkShutdown
access-list stop extended permit tcp any host www.ecrashreports.com eq https
access-list stop extended permit ip host Y.Y.Y..41 any DP
access-list stop extended permit ip B.B.9.0 255.255.255.0 any
access-list stop extended permit ip Q.Q.Q.51.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor debugging
logging trap informational
logging asdm informational
logging mail informational
logging facility 18
logging device-id ipaddress JC-POLICE
logging host JC-POLICE B.B.10.66
logging debug-trace
logging class auth mail informational trap informational
logging class config trap informational
logging class ha trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class vpnlb trap informational
logging class webvpn trap informational
logging class svc trap informational
logging class ipaa trap informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination JC-POLICE B.B.10.155 9999
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu JC-POLICE 1500
ip local pool JCPD-Pool 192.168.199.1-192.168.199.254
ip local pool CJCI-Pool 192.168.188.2-192.168.188.254 mask 255.255.255.0
ip local pool WCEMS 192.168.190.5-192.168.190.200 mask 255.255.255.0
ip local pool COJ 192.168.191.10-192.168.191.100 mask 255.255.255.0
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover Q.Q.Q.55.1 255.255.255.252 standby Q.Q.Q.55.2
no monitor-interface outside
no monitor-interface DMZ
no monitor-interface JC-POLICE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm location 63.64.181.6 255.255.255.255 outside
asdm location 172.142.78.243 255.255.255.255 outside
asdm location Z.Z.Z.20 255.255.255.255 DMZ
asdm location 192.168.100.0 255.255.255.0 outside
asdm location 192.168.101.0 255.255.255.0 outside
asdm location 192.168.188.0 255.255.255.0 outside
asdm location 192.168.199.0 255.255.255.0 outside
asdm location Q.Q.Q.50.0 255.255.255.0 outside
asdm location 199.248.214.0 255.255.255.128 outside
asdm location X.X.X.40 255.255.255.255 DMZ
asdm location 75.130.49.126 255.255.255.255 DMZ
asdm location X.X.X.46 255.255.255.255 DMZ
asdm location Q.Q.Q..42 255.255.255.255 DMZ
asdm location Z.Z.Z.40 255.255.255.255 DMZ
asdm location Z.Z.Z.11 255.255.255.255 DMZ
asdm location B.B.25.40 255.255.255.255 inside
asdm location NS1 255.255.255.255 inside
asdm location NS2 255.255.255.255 inside
asdm location eesql 255.255.255.255 inside
asdm location B.B.10.9 255.255.255.255 inside
asdm location 10.0.0.0 255.0.0.0 inside
asdm location SQLServer 255.255.255.255 inside
asdm location watson.our-domain.org 255.255.255.255 inside
asdm location www.ecrashreports.com 255.255.255.255 inside
asdm location Q.Q.Q.51.0 255.255.255.0 inside
asdm location forms.radiosoft.com 255.255.255.255 inside
asdm location SaratogaWebSiteSupport 255.255.255.255 inside
asdm location IronPort1 255.255.255.255 inside
asdm location IronPort2 255.255.255.255 inside
asdm location IronPort1_Public 255.255.255.255 inside
asdm location IronPort2_Public 255.255.255.255 inside
asdm location Internet_Router 255.255.255.255 inside
asdm location 192.168.191.0 255.255.255.0 inside
asdm location GPS_Trucks 255.255.254.0 inside
asdm location GPS_SW_RDP 255.255.255.224 inside
asdm location A-192.168.10.0 255.255.255.0 inside
asdm location GPS_Server_SW 255.255.255.255 inside
asdm location A-216.248.167.178 255.255.255.255 inside
asdm location A-64.45.231.89 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 Z.Z.Z.55-Z.Z.Z.100
global (DMZ) 1 Z.Z.Z.101
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 Z.Z.Z.0 255.255.255.0
nat (JC-POLICE) 0 access-list 100
nat (JC-POLICE) 1 B.B.10.0 255.255.255.0
nat (JC-POLICE) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) X.X.X.43 Z.Z.Z.10 netmask 255.255.255.255
static (inside,outside) Q.Q.Q..1 Q.Q.Q..1 netmask 255.255.255.255
static (JC-POLICE,DMZ) Z.Z.Z.3 B.B.10.17 netmask 255.255.255.255
static (DMZ,outside) Z.Z.Z.1 Z.Z.Z.1 netmask 255.255.255.255
static (inside,outside) X.X.X.42 Q.Q.Q..42 netmask 255.255.255.255
static (DMZ,outside) IronPort2_Public IronPort2 netmask 255.255.255.255
static (DMZ,outside) IronPort1_Public IronPort1 netmask 255.255.255.255
static (DMZ,outside) X.X.X.48 Z.Z.Z.30 netmask 255.255.255.255
static (DMZ,outside) X.X.X.49 Z.Z.Z.50 netmask 255.255.255.255
static (DMZ,outside) X.X.X.46 Z.Z.Z.11 netmask 255.255.255.255
static (JC-POLICE,outside) GPS_Server_SW B.B.10.36 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.50 JCPDW netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.51 B.B.10.26 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.60 B.B.25.40 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.45 B.B.1.101 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.47 B.B.10.150 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.55 B.B.4.25 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.161 192.168.10.50 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.39 B.B.10.39 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.100 B.B.10.70 netmask 255.255.255.255
static (JC-POLICE,outside) X.X.X.66 B.B.10.66 netmask 255.255.255.255
access-group 101 in interface outside
access-group 133 in interface DMZ
access-group stop in interface JC-POLICE
route outside 0.0.0.0 0.0.0.0 Internet_Router 1
route JC-POLICE 10.0.0.0 255.0.0.0 Y.Y.Y..2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
protocol TCP version 4 connections 5
aaa authentication ssh console LOCAL
http server enable
http C.C.1.0 255.255.255.0 JC-POLICE
http B.B.10.0 255.255.255.0 JC-POLICE
http B.B.10.0 255.255.255.0 inside
http Q.Q.Q..0 255.255.255.0 inside
service resetoutside
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.0.0.0
threat-detection scanning-threat shun except ip-address Y.Y.Y..0 255.255.255.0
threat-detection scanning-threat shun except ip-address X.X.X.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 1500
url-block url-size 4
url-block block 128
ntp server B.B.10.66 source JC-POLICE prefer
ntp server 206.246.118.250
class-map global-class
 match any
class-map my_ips_class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
class-map smtp-port
 match port tcp eq smtp
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class global-class
  flow-export event-type flow-create destination B.B.10.155
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
policy-map my-ids-policy
 class my_ips_class
  ips inline fail-close
!
service-policy global_policy global
prompt hostname context

Question by:dharrell74

Expert Comment

by:MikeKane
ID: 29215420
From what I see, your statics and setup are fine.  

You have an ACL 133 on DMZ and a separate ACL on the JC-Police interface (the inside).      

Assuming nothing changed on your end, the issue must be on the remote end... Did they get a new ISP or new IP address? Here's my thinking:

The outside ACL explicitly allows SSH from the certain range:
access-list 101 extended permit tcp host A-24.187.221.146 host X.X.X.100 eq ssh
access-list 101 extended permit tcp host A-64.45.231.89 host X.X.X.100 eq ssh
access-list 101 extended permit tcp host A-64.81.126.163 host X.X.X.100 eq ssh


Your DMZ has an allow any any, which kind of makes the whole ACL on that interface irrelevant:
access-list 133 extended permit ip any any

However, I don't see the same on the STOP ACL.  


So I would ask for a few things.

1) Can you get the vendor to verify their IP with canyouseeme.org? Their IP would be displayed. Make sure this has not changed or that it does, indeed, match the ACL.

2) As a test, you can temporarily allow SSH from any: "permit tcp any any eq 22" on the outside interface. See if that improves. Also, you can allow all IP from x.x.x.100 to any on the STOP ACL as a temporary test. This should immediately ID or remove the ACL as the cause of the failure.

3) With your syslog enabled in debug mode, you should get a report of all traffic, accepted or denied, that is bound to x.x.x.100. Have the remote site test, then immediately check your syslog. You should see at least the attempt, with either a drop or the packets passing.




Author Comment

by:dharrell74
ID: 29216478
Well, according to them nothing has changed on their end. I can see the hit count increase in ASDM for the connection in question, so I'm not sure why it isn't working. Also, I set up one of my Linux servers with a static NAT to an outside IP and allowed SSH into it, but it doesn't work either. Both servers are accessible on the LAN via SSH.

Expert Comment

by:MikeKane
ID: 29217272
If you still have that 2nd server hooked up, you can do this. On the outside, allow "tcp any host <ip of the test server> eq 22". Run the canyouseeme.org port check for 22 and see if it can establish a connection. If it can't, then add a line to the STOP ACL to allow "tcp host <internal ip of test host> any eq 22" and retest. This should help ID any ACL issues.

Which ACE is showing a hit count increase? If it is the ALLOW, then I think it's safe to say that all packets are getting through.

What kind of host is this? If it is a Linux OS, then perhaps you can consider stopping IPTABLES for a test. If you run Fail2Ban, you might want to stop that as well for a test.


Do the syslogs show any dropped packets from inside to outside due to the STOP ACL?

Author Comment

by:dharrell74
ID: 29219253
I tried doing the scan from canyouseeme.org, but it appears to only allow from the IP it detects you coming from, which is a different IP than what the server is using. I did an nmap scan on these IPs yesterday and they all came back as filtered.

The line you wanted me to add to the STOP ACL is already there in "access-list stop extended permit ip B.B.10.0 255.255.255.0 any".

They are both Linux, and neither has iptables enabled.

I'm not seeing any syslog entries for this connection at all. Which is interesting.
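As an added example (not from this thread or either poster), the script below replays Mike's checks against a constructed excerpt of the posted config: first-match evaluation of the outside ACL on the mapped address (8.2 applies the ACL before NAT), the static that maps the public IP to the real host and interface, and which flow-related syslog IDs the config's own `no logging message` lines have silenced. The anonymized X.X.X / B.B / A- values are replaced with RFC 5737 and RFC 1918 stand-in addresses, and `PORT_NAMES` and `FLOW_MSGS` are small constructed lookup tables.

```python
"""Replay the ASA 8.2 checks from the thread against a constructed config excerpt."""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25}
# Syslog IDs that would record an inbound flow: ACL deny, ACL log hit, TCP connection built.
FLOW_MSGS = {106023: "ACL deny", 106100: "ACL log", 302013: "TCP built"}

# Constructed excerpt of the posted config. The anonymized X.X.X / B.B / A- values are
# replaced with RFC 5737 and RFC 1918 stand-in addresses so the lines can be parsed.
CONFIG = """\
access-list 101 extended permit tcp any host 203.0.113.43 eq ssh
access-list 101 extended permit tcp host 198.51.100.146 host 203.0.113.100 eq ssh
access-list 101 extended permit tcp host 198.51.100.89 host 203.0.113.100 eq ssh
access-list stop extended permit ip 10.10.10.0 255.255.255.0 any
static (JC-POLICE,outside) 203.0.113.100 10.10.10.70 netmask 255.255.255.255
access-group 101 in interface outside
access-group stop in interface JC-POLICE
no logging message 106023
no logging message 302013
"""

def _addr(tokens):
    """Consume one address spec (any | host A | NET MASK) from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{t}/{tokens.pop(0)}")  # NET MASK form

def parse_config(text):
    """Collect extended ACEs, statics, access-groups and silenced syslog IDs."""
    cfg = {"acl": {}, "static": [], "group": {}, "suppressed": set()}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
            src, dst = _addr(rest), _addr(rest)
            port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
            cfg["acl"].setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[0] == "static":  # static (real_if,mapped_if) mapped_ip real_ip netmask M
            real_if, mapped_if = tok[1].strip("()").split(",")
            cfg["static"].append((real_if, mapped_if, tok[2], tok[3]))
        elif tok[0] == "access-group":  # access-group NAME in interface IF
            cfg["group"][tok[4]] = tok[1]
        elif tok[:3] == ["no", "logging", "message"]:
            cfg["suppressed"].add(int(tok[3]))
    return cfg

def acl_decision(aces, proto, src, dst, port):
    """First match wins; every ASA ACL ends in an implicit deny."""
    for action, aproto, asrc, adst, aport in aces:
        if aproto in ("ip", proto) and src in asrc and dst in adst and aport in (None, port):
            return action
    return "deny (implicit)"

def trace_inbound(cfg, src_ip, mapped_ip, port, proto="tcp"):
    """Outside->inside flow: outside ACL on the mapped (pre-8.3) address, then the static."""
    src, dst = ip_address(src_ip), ip_address(mapped_ip)
    outside_acl = cfg["acl"][cfg["group"]["outside"]]
    result = {"outside_acl": acl_decision(outside_acl, proto, src, dst, port),
              "real_if": None, "real_ip": None}
    for real_if, mapped_if, m_ip, r_ip in cfg["static"]:
        if mapped_if == "outside" and m_ip == mapped_ip:
            result["real_if"], result["real_ip"] = real_if, r_ip
            break
    # Flow messages the config silences: a permitted connection then leaves no syslog trace.
    result["silent_log_ids"] = sorted(i for i in FLOW_MSGS if i in cfg["suppressed"])
    return result

if __name__ == "__main__":
    print(trace_inbound(parse_config(CONFIG), "198.51.100.89", "203.0.113.100", 22))
```

A permit verdict here only clears the ASA itself; as the thread's resolution shows, an in-path device such as the Websense server can still drop the connection, and a silenced 302013 means the firewall will not log the connection it did build.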

Expert Comment

by:MikeKane
ID: 29221747
>>but it appears to only allow from the IP it detects you coming from,  
Yes, correct. I assume then you don't have Gnome or another browser on the host...

So, it seems that the ASA "thinks" it's letting the packets through, but the Linux hosts aren't seeing anything coming in? I'd say bust out Wireshark. Capture the traffic coming into the SSH host. Do you see any inbound traffic? Does the SSH host see any entries in the ssh log...?

Author Comment

by:dharrell74
ID: 29222844
No, the servers are without a GUI. But they are NATted through the ASA anyway.

I'll set up a monitor session on the switch and see what Wireshark can tell us.

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 29226237
I'm very curious to see if the packets are indeed making it all the way in to the ssh hosts.   The ASA seems to think so, but the SSH hosts don't....

Author Comment

by:dharrell74
ID: 29256494
Problem solved. Wireshark revealed that our new Websense server was blocking the connection as it was heading back out...

Thanks for your help Mike Kane!