FlyingFortress (United Kingdom) asked:
Cisco ASA 5510 - SSH connections dropping / setting up ping

Newly installed Cisco ASA 5510; finding that SSH / Telnet connections to our remote servers are dropping from client terminals...
I was going to set up a ping to monitor, but echo is not set up.

I would like to set up echoes on the outside interface, along with replies to inside-to-outside requests.
These are the access lists I have currently.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host xxx.xxx.x.25 eq www
access-list outside extended permit tcp any host xxx.xxx.x.25 eq https
access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp
access-list outside extended permit tcp any host xxx.xxx.x.25 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.26 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.20 eq 3389
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.25
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.26
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.20


Also DNS lookups have slowed...

Thanks for your help
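An added configuration example for the two-direction ping set-up asked for above (it is not from the thread or from the members-only answer). It uses ASA 8.x syntax; the ACL name "outside", the placeholder address xxx.xxx.x.25 and the policy-map/class names are taken from the posted config or the ASA defaults, and the access-group binding is assumed to already exist since the thread uses an ACL named "outside".

```cisco
! --- Added example, not from the thread: ICMP on an ASA 5510 (8.x syntax) ---
!
! 1. Inside -> outside pings: make ICMP stateful so echo-replies are
!    allowed back in without an outside ACL entry. "inspection_default"
!    and "global_policy" are the factory-default names on an ASA.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Outside -> inside pings to a published host: the "outside" ACL
!    already permits tcp to this host; add echo explicitly. The reply
!    leaves on the connection created by the inspected echo.
!    Tighten "any" to your monitoring host's address where you can.
access-list outside extended permit icmp any host xxx.xxx.x.25 echo
!
! 3. Pinging the ASA's own outside interface (to-the-box traffic is not
!    controlled by the interface ACL). Once any "icmp" command is present
!    there is an implicit deny, so list exactly what should be answered.
icmp permit any echo outside
icmp permit any unreachable outside
!
! 4. Bind the ACL inbound on the outside interface (assumed to already
!    be in the running config).
access-group outside in interface outside
```

Check with `show service-policy inspect icmp` (hit counters rise while an inside host pings out) and `show conn` (an ICMP connection appears for each inspected echo); if the inspected echo works but an ACL-based ping from outside does not, `show access-list outside` shows whether the echo line is being hit.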
SOLUTION (Pete Long) - members only, content not shown.
collins23

FlyingFortress (ASKER):
Thanks, the ping responses are working - do you have any clues as to why our SSH connections keep dropping?......

We have circa 25 client connections through the firewall.

Is this anything to do with the outside interface subnet?

interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx158 255.255.255.248


!
If our domain controller is issuing DNS through DHCP, does the firewall need DNS entries?
Allow port 22 through the firewall.
I think the firewall should have DNS entries for your ISP, and your internal DHCP / DNS should be configured to forward queries for non-internal domains to the firewall.
Do the SSH connections stay established for a period of time? Are they active or inactive most of the time? I'm thinking that they may be affected by timeouts if they are inactive for periods of time.
Ah ok, so our domain controller should give the LAN IP of the firewall, 192.168.51.1?

Just looking at allowing port 22 through the firewall;
the only access lists I have are ones that specify particular spare public IPs:

access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp

Would i do this
access-list outside extended permit tcp any host eq 22

Thanks
This could be something - the activity on the interfaces by the customer service team is intermittent, as they use multiple systems - is there a workaround?


Cheers
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Which SSH client? They could try setting the TCP keepalive option in their clients.
We also use port 23 (telnet) heavily; is this handled in the same way?
Sure, there are settings for this, so I am going to test, thanks. So there are no formal settings for the firewall to keep the connections alive as well?
Your inactive timeout for connected sessions is 1 hour. This can be extended, but it would potentially increase the timeout for everything not listed elsewhere and potentially increase memory usage.

timeout conn 1:00:00
SOLUTION - members only, content not shown.
Ok,

So currently we have our domain controller as the DHCP server which issues the actual DNS entries.

ip – 192.168.51.100
sn – 255.255.255.0
dg – 192.168.51.1

dns servers
xxx.xxx.xx.30
xxx.xxx.xx.31

Looking at the server, the forwarders are set to the above - if I change these to the internal IP of the firewall, will I have to activate DNS on the inside and outside interfaces?

As currently it is only on the outside interface..

Thanks

If this setup is working for you then leave it as is.

Otherwise you have to allow DNS queries to the firewall from internal.
I tried changing the forward lookups to the firewall for a test and enabled DNS lookup on the outside and inside interfaces, but it practically ground to a halt...

I think I have tried that before with the same result.
SOLUTION - members only, content not shown.
Understood.
The ASA has the DNS settings enabled on the outside interface - are these required at all?

Thanks
Are you able to perform DNS queries to your ISP's DNS servers from the DC?
Yes 100%.

When you write mem on an ASA, does that temporarily disconnect it from the gateway?
Don't think so..
write mem only saves the config.
As soon as the config is entered on the command line, it is running on the device. When you mention that it has the DNS settings enabled on the outside, do you mean it is querying an external DNS server for resolution? This should not cause any problems, but you may prefer to use an internal server so that you can resolve internal addresses.
Ok thanks,

So I can disable the DNS on the outside interface and enable the inside interface to look at the DC internal IP?..

Thanks
Yes, you should be able to disable DNS lookup on the outside interface and enable it on the inside interface.
And on a security note, DNS and firewalls should not be in one sentence together.
Only with IP addresses do you know where your traffic goes.
DNS can be manipulated, spoofed, etc.
Therefore, using a firewall to look up the IPs it is using is very insecure.
So NO DNS resolution in your firewall.

On your problem,

It is most likely here:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Are the telnet and SSH you use related to AS400/Unix systems?
They usually don't send keepalives and have bad IP/TCP habits, e.g. keeping half-open connections,
and they will time out in 10 min - you can set them higher, but then everything else will be on that timer too, and memory could be a problem if there are a lot of connections on your line, because they will all stay open till the timer runs out.
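The timer can be raised for just the interactive SSH/telnet flows instead of globally, which avoids the memory and "everything else on that timer" problem raised above and also answers the earlier question about firewall-side keepalives. This is an added example in ASA 8.x Modular Policy Framework syntax, not from the thread or the members-only answers. The 192.168.51.0/24 subnet and the default global_policy name come from the thread; the ACL and class-map names, the 8-hour idle value and the DCD parameters are my assumptions.

```cisco
! --- Added example, not from the thread: targeted TCP timeouts via MPF ---
!
! Leave the global "timeout conn 1:00:00" as it is; match only the
! interactive sessions from the LAN to the Unix shipping systems.
! (INTERACTIVE_LONG is an assumed name.)
access-list INTERACTIVE_LONG extended permit tcp 192.168.51.0 255.255.255.0 any eq 22
access-list INTERACTIVE_LONG extended permit tcp 192.168.51.0 255.255.255.0 any eq 23
!
class-map INTERACTIVE_LONG
 match access-list INTERACTIVE_LONG
!
policy-map global_policy
 class INTERACTIVE_LONG
  ! Idle timer for these flows only (8 h is an assumed value). "reset"
  ! sends a TCP RST to both ends when it expires, so a client sees the
  ! drop immediately instead of hanging on a dead session.
  set connection timeout idle 8:00:00 reset
  ! Dead connection detection: the ASA itself probes both endpoints and
  ! keeps the connection alive while they answer, so a quiet-but-live
  ! session is not aged out. 15 s retry interval, 5 retries (defaults).
  set connection timeout dcd 0:00:15 5
!
! global_policy is already applied globally on a default ASA config;
! shown here for completeness.
service-policy global_policy global
```

Verify which class a session lands in with `show service-policy flow tcp host 192.168.51.100 host <server address> eq 22` (the host address is whatever Unix system the terminals connect to), and watch the per-connection idle countdown with `show conn detail`. Everything outside the matched class keeps the 1-hour global timer, so the memory concern is limited to these flows. One check worth doing before blaming timeouts at all: the outside interface in the posted config is hard-set to 10 Mbit/s full duplex, and a duplex mismatch with the upstream device shows up as CRC errors and late collisions in `show interface Ethernet0/0`; that also drops established sessions, and no timer change will fix it.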
Understood.
Yes, the telnet and SSH connections are related to Unix shipping systems.

Can the timeout be put a little higher as a balance?

Thanks
ASKER CERTIFIED SOLUTION - members only, content not shown.