Solved

Need help troubleshooting SSH connection over Cisco ASA5510 firewall

Posted on 2013-06-05
7
708 Views
Last Modified: 2013-06-05
I'm attempting to set up SSH connections with another company that have to traverse our ASA. I'm not able to connect, and the other end says their firewall is open to our traffic. This is a situation I find myself in frequently, and I'd like to learn the proper way of diagnosing the problem. I'm not a Cisco expert, but I am familiar with the tools and have full access to the device via the command line and ASDM.

If someone out there wouldn't mind walking me through the basic troubleshooting steps to figure this out, I would greatly appreciate it. I've tried using the packet trace tool in ASDM, which I think is probably what would help the most, but it baffles me.
0
Question by:First Last
7 Comments
 
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 250 total points
ID: 39222581
You could use something like this image as your setting, only replace the IPs with the actual IPs you are working with.

Packet Trace settings
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39222590
The source port really doesn't matter since your PC will generally choose a high-level port at random. The steps will then show you using check boxes which step it fails on if any. You may also want to turn logging on for your ACLs and monitor if there is a logged message when you attempt to connect. If you have a lot of traffic flowing though this can be much harder.
0
 
LVL 1

Author Comment

by:First Last
ID: 39222613
Ok, I ran the analyzer and here is the result:

ASDM output
It looks simple enough: WEBVPN-SVC, Action - DROP, and Info: Flow is denied by configured rule.

How can I tell from this result which rule is doing the deed?
0
 
LVL 29

Accepted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 39222903
I find 'packet-tracer' is the best tool to work with:

packet-tracer input inside tcp <ip of inside host> 4000 <ip of destination host> 22

You can also add 'detail' to the end of that command.

What do you get?
0
 
LVL 1

Author Comment

by:First Last
ID: 39223173
Great command, I never tried that before. When I run it using the following syntax, it's showing allow at every stage:

packet-tracer input inside tcp 10.228.254.11 22 10.225.34.21 22

For example here is Phase 19 -
Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad180800, priority=0, domain=inspect-ip-options, deny=true
        hits=63493352, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

So I'm not sure why I get data passing the test with this trace, but the GUI trace fails as in the screenshot above.
0
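An added example, not code from this thread or from Cisco: a small Python parser for pasted packet-tracer output in the Phase/Type/Subtype/Result/Config/Additional Information layout quoted above. It answers the "which rule is doing the deed" question by locating the first phase whose Result is DROP and returning the access-list line from that phase's Config section; when every phase allows, it says so, which is the cue to look at the far end or the return path rather than at this ASA. The sample trace is constructed, and the access-list name inside_access_in is a placeholder.

```python
"""Locate the dropping phase in Cisco ASA 'packet-tracer' output.

Added example, not code from the thread or from Cisco. The phase layout
follows the trace the poster quoted (Phase/Type/Subtype/Result/Config/
Additional Information). SAMPLE_TRACE is constructed; the access-list
name 'inside_access_in' is a placeholder.
"""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.225.34.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq ssh
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SCALAR_KEYS = ("Phase", "Type", "Subtype", "Result")
SECTION_KEYS = {"Config": "config", "Additional Information": "info"}


def parse_phases(trace):
    """Return one dict per 'Phase:' block, in order.

    Blocks are separated by blank lines; the trailing summary block
    (the one starting with 'Result:') is not a phase and is skipped.
    """
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        if not block.startswith("Phase:"):
            continue
        phase = {"phase": 0, "type": "", "subtype": "", "result": "",
                 "config": [], "info": []}
        section = None
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key in SCALAR_KEYS:
                section = None
                value = value.strip()
                phase[key.lower()] = int(value) if key == "Phase" else value
            elif key in SECTION_KEYS:
                section = SECTION_KEYS[key]
            elif section and line.strip():
                # Everything under Config: / Additional Information: is kept verbatim
                phase[section].append(line.strip())
        phases.append(phase)
    return phases


def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed."""
    return next((p for p in phases if p["result"].upper() == "DROP"), None)


def explain(trace):
    """One-line verdict: which phase drops the flow and which config line it cites."""
    phases = parse_phases(trace)
    drop = first_drop(phases)
    if drop is None:
        return ("all %d phases ALLOW: this ASA passes the flow, so check the "
                "far end and the return path" % len(phases))
    rule = next((c for c in drop["config"] if c.startswith("access-list")), None)
    return "phase %d (%s) drops the flow; config: %s" % (
        drop["phase"], drop["type"],
        rule or " / ".join(drop["config"]) or "(none shown)")


if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
```

Paste the full output of `packet-tracer input inside tcp <src> <sport> <dst> 22 detail` into a file and pass its text to explain(); the ACCESS-LIST phase's Config section names the access-group and the matching ACE, which is the rule to look for in the running config.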
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39223314
Did each step of the results show "allow"?  (and preferably test with a realistic source port -- something greater than 1024).
0
 
LVL 1

Author Comment

by:First Last
ID: 39223350
Yes, each step shows allow as above. Not sure why I'd need to change the source port since I'm testing for SSH on port 22.

I wound up opening a case with Cisco. We created two new ACLs, one for outbound and another for inbound, then watched to see the increments. We saw outbound traffic going up but nothing coming back, so it looks like a problem on the vendor's side. Thanks everyone for the tips, I'll split up the points evenly.
0
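As an added example (not code from this thread or from Cisco), the counter comparison described in the last comment written out in Python: take two `show access-list` snapshots, one before and one after the SSH attempt, diff the per-ACE hitcnt values, and classify the result as two-way, one-way (only the outbound rule incremented, so the SYN left but nothing came back) or none. The snapshots are constructed, the ACL names vendor_out and vendor_in and the hash values are placeholders; the two host addresses are the ones from the trace above. One caveat from practice: return packets of a connection the ASA already tracks are matched by its connection table rather than the interface ACL, so for that direction `show conn` or a `capture` is the more reliable counter; the comparison logic is the same either way.

```python
"""Compare 'show access-list' hit counters between two snapshots.

Added example, not code from the thread or from Cisco. It automates the
check the poster describes: watch a per-direction ACL counter across an
SSH attempt; if only the outbound rule increments, the SYN leaves the
ASA but nothing returns. Snapshots are constructed; the ACL names
vendor_out / vendor_in and the hash values are placeholders.
"""
import re

# ASA prints one line per ACE: "access-list NAME line N <rule> (hitcnt=N) 0xHASH"
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)")

BEFORE = """\
access-list vendor_out; 1 elements; name hash: 0x11111111
access-list vendor_out line 1 extended permit tcp host 10.228.254.11 host 10.225.34.21 eq ssh (hitcnt=0) 0xaaaaaaaa
access-list vendor_in; 1 elements; name hash: 0x22222222
access-list vendor_in line 1 extended permit tcp host 10.225.34.21 host 10.228.254.11 eq ssh (hitcnt=0) 0xbbbbbbbb
"""

AFTER = """\
access-list vendor_out; 1 elements; name hash: 0x11111111
access-list vendor_out line 1 extended permit tcp host 10.228.254.11 host 10.225.34.21 eq ssh (hitcnt=6) 0xaaaaaaaa
access-list vendor_in; 1 elements; name hash: 0x22222222
access-list vendor_in line 1 extended permit tcp host 10.225.34.21 host 10.228.254.11 eq ssh (hitcnt=0) 0xbbbbbbbb
"""


def parse_hitcounts(output):
    """Map (acl name, line number) -> (rule text, hitcnt); header lines are skipped."""
    counts = {}
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acl, lineno, rule, hits = m.groups()
            counts[(acl, int(lineno))] = (rule, int(hits))
    return counts


def deltas(before, after):
    """Hit-count change per ACE that appears in both snapshots."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return {key: a[key][1] - b[key][1] for key in a if key in b}


def diagnose(before, after, outbound_acl, inbound_acl):
    """'two-way', 'one-way' (outbound only) or 'none' (nothing left this ASA)."""
    change = deltas(before, after)
    out_hits = sum(v for (acl, _), v in change.items() if acl == outbound_acl)
    in_hits = sum(v for (acl, _), v in change.items() if acl == inbound_acl)
    if out_hits and in_hits:
        return "two-way"
    if out_hits:
        return "one-way"
    return "none"


if __name__ == "__main__":
    for key, delta in deltas(BEFORE, AFTER).items():
        print("%s line %d: +%d" % (key[0], key[1], delta))
    print(diagnose(BEFORE, AFTER, "vendor_out", "vendor_in"))
```

A "one-way" verdict with every packet-tracer phase showing ALLOW is exactly the pattern the poster ended up with: the local ASA is not the blocker, and the evidence to hand the vendor is the outbound counter going up while nothing returns.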
Question has a verified solution.