Solved

Need help troubleshooting SSH connection over Cisco ASA5510 firewall

Posted on 2013-06-05
Last Modified: 2013-06-05
I'm attempting to set up SSH connections with another company that have to traverse our ASA.  I'm not able to connect and the other end says their firewall is open to our traffic.  Now this is a situation I find myself in frequently and I'd like to learn the proper way of diagnosing the problem.  I'm not a Cisco expert but I am familiar with the tools and have full access to the device via command line and ASDM.

If someone out there wouldn't mind walking me through the basic troubleshooting steps to figure this out I would greatly appreciate it.  I've tried using the packet trace tool in the asdm which I think is probably what would help the most but it baffles me.
Question by:First Last
7 Comments
 
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 250 total points
ID: 39222581
You could use something like this image as your setting, only replace the IPs with the actual IPs you are working with.

Packet Trace settings
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39222590
The source port really doesn't matter since your PC will generally choose a high-level port at random. The steps will then show you using check boxes which step it fails on if any. You may also want to turn logging on for your ACLs and monitor if there is a logged message when you attempt to connect. If you have a lot of traffic flowing though this can be much harder.
 
LVL 1

Author Comment

by:First Last
ID: 39222613
Ok, I ran the analyzer and here is the result:

ASDM output
It looks simple enough: WEBVPN-SVC, Action - DROP and Info: Flow is denied by configured rule.

How can I tell from this result which rule is doing the deed?
LVL 28

Accepted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 39222903
I find 'packet-tracer' is the best tool to work with:

packet-tracer input inside tcp <ip of inside host> 4000 <ip of destination host> 22

You can also add 'detail' to the end of that command.

What do you get?
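The packet-tracer output is long, and the question of "which rule is doing the deed" comes down to finding the first phase whose Result is DROP and reading the rule quoted in its Config section, plus the Drop-reason line at the end. The following parser is an added example, not code from the thread or from Cisco; it assumes the phase layout shown later in this thread (Phase / Type / Subtype / Result / Config / Additional Information, with a blank line between phases). The sample output is constructed, with the ACL name `inside_access_in` chosen for illustration.

```python
"""Locate the phase of a Cisco ASA ``packet-tracer`` run that dropped the flow.

Added example, not code from the thread. Assumes the phase layout the ASA
prints (Phase/Type/Subtype/Result/Config/Additional Information). SAMPLE is
a constructed trace; the ACL name inside_access_in is made up for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_phases(text):
    """Split packet-tracer output into Phase records; a blank line ends a phase."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^Phase:\s*(\d+)\s*$", line)
        if header:
            current = Phase(int(header.group(1)))
            phases.append(current)
            section = None
            continue
        if current is None:
            continue                      # text before the phases or the final summary
        if not line.strip():
            current, section = None, None  # blank line closes the phase block
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            current.config.append(line.strip())
        elif section == "info":
            current.info.append(line.strip())
    return phases


def first_drop(text):
    """Return the first phase whose Result is DROP, or None if every phase allows."""
    return next((p for p in parse_phases(text) if p.result.upper() == "DROP"), None)


def drop_reason(text):
    """The Drop-reason line from the summary at the end of the trace, if any."""
    m = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def blamed_acl_lines(text):
    """ACL entries quoted in the Config section of the dropping phase."""
    p = first_drop(text)
    return [] if p is None else [c for c in p.config if c.startswith("access-list ")]


# Constructed sample: an inside host reaching an outside host on tcp/22 and
# hitting an explicit deny. Real traces have many more phases.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.225.34.21    255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    p = first_drop(SAMPLE)
    print(f"dropped in phase {p.number} ({p.type}): {blamed_acl_lines(SAMPLE)}")
    print("reason:", drop_reason(SAMPLE))
```

Paste the real packet-tracer output into `SAMPLE` (or read it from a file) and the dropping phase and the ACE quoted in it fall out directly; a trace where `first_drop` returns `None` passed every check on the ASA, which then points the investigation at the far side or at the path beyond the firewall.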
 
LVL 1

Author Comment

by:First Last
ID: 39223173
Great command, I never tried that before.  When I run it using the following syntax it's showing allow at every stage:

packet-tracer input inside tcp 10.228.254.11 22 10.225.34.21 22

For example here is Phase 19 -
Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad180800, priority=0, domain=inspect-ip-options, deny=true
        hits=63493352, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

So I'm not sure why I get data passing the test with this trace but the gui trace fails as in the screenshot above.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39223314
Did each step of the results show "allow"?  (and preferably test with a realistic source port -- something greater than 1024).
 
LVL 1

Author Comment

by:First Last
ID: 39223350
Yes, each step shows allow as above.  Not sure why I'd need to change the source port since I'm testing for SSH on port 22.

I wound up opening a case with Cisco.  We created two new ACLs, one for outbound and another for inbound, then watched to see the increments.  We saw outbound traffic going up but nothing coming back so it looks like a problem on the vendor's side.  Thanks everyone for the tips, I'll split up the points evenly.
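The final approach in the thread, adding specific ACEs for the two directions and watching whether their hit counters move, is easy to automate by taking two `show access-list` snapshots and diffing the counters. The script below is an added example, not from the thread or from Cisco. It assumes the ASA's per-line format `access-list NAME line N extended ... (hitcnt=N) 0x...`; the before/after snapshots are constructed, and the ACL names and the addresses in them are taken from the thread only for illustration.

```python
"""Diff the hitcnt values of two ``show access-list`` snapshots from a Cisco ASA.

Added example, not from the thread. Assumes the per-ACE line format
``access-list NAME line N extended ... (hitcnt=N) 0x...``. BEFORE/AFTER are
constructed snapshots; ACL names are made up for illustration.
"""
import re

# One ACE per line; the summary line "access-list NAME; N elements; ..." has no
# " line N " token and is skipped on purpose.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>extended .*?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_hitcounts(text):
    """Map (acl name, line number) -> (ACE text, hit count)."""
    counts = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[(m["acl"], int(m["line"]))] = (m["ace"], int(m["hits"]))
    return counts


def hit_deltas(before, after):
    """Return {(acl, line): (ACE text, increase)} for ACEs whose counter changed.

    An ACE missing from the earlier snapshot is treated as having started at 0.
    """
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    deltas = {}
    for key, (ace, hits_after) in a.items():
        hits_before = b.get(key, (ace, 0))[1]
        if hits_after != hits_before:
            deltas[key] = (ace, hits_after - hits_before)
    return deltas


def untouched(before, after):
    """ACEs present in both snapshots whose counter did not move."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return sorted(k for k in a if k in b and a[k][1] == b[k][1])


# Constructed snapshots: three outbound connection attempts were made between them.
BEFORE = """\
access-list inside_access_in; 2 elements; name hash: 0x11111111
access-list inside_access_in line 1 extended permit tcp host 10.228.254.11 host 10.225.34.21 eq ssh (hitcnt=5) 0x1a2b3c4d
access-list inside_access_in line 2 extended deny ip any any log (hitcnt=120) 0x5e6f7a8b
access-list outside_access_in; 1 elements; name hash: 0x22222222
access-list outside_access_in line 1 extended permit tcp host 10.225.34.21 host 10.228.254.11 eq ssh (hitcnt=0) 0x9c0d1e2f
"""
AFTER = BEFORE.replace("(hitcnt=5)", "(hitcnt=8)")

if __name__ == "__main__":
    for (acl, line), (ace, delta) in hit_deltas(BEFORE, AFTER).items():
        print(f"{acl} line {line} +{delta}: {ace}")
    print("unchanged:", untouched(BEFORE, AFTER))
```

One caveat when reading the result: the ASA evaluates interface ACLs against the first packet of a connection and passes the rest of that connection through its connection table, so an ACE on the outside interface for the reverse direction only counts connections that the far end initiates. For an outbound SSH session the returning SYN/ACK never touches that ACE; `show conn` for the inside host (a half-open connection with no return traffic) and the `hitcnt` on the outbound ACE together tell the same story the thread arrived at.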
