Solved

Need help troubleshooting SSH connection over Cisco ASA5510 firewall

Posted on 2013-06-05
7
705 Views
Last Modified: 2013-06-05
I'm attempting to setup SSH connnections with another company that has to traverse our ASA.  I'm not able to connect and the other end says their firewall is open to our traffic.  Now this is a situation I find myself in frequently and I'd like to learn the proper way of diagnosing the problem.  I'm not a Cisco expert but I am familiar with the tools and have full access to the device via command line and asdm.

If someone out there wouldn't mind walking me through the basic troubleshooting steps to figure this out I would greatly appreciate it.  I've tried using the packet trace tool in the asdm which I think is probably what would help the most but it baffles me.
0
Comment
Question by:First Last
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 250 total points
ID: 39222581
You could use something like this image as your setting only replace the IPs with the actual IPs you are working with.Packet Trace settings
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39222590
The source port really doesn't matter since your PC will generally choose a high-level port at random. The steps will then show you using check boxes which step it fails on if any. You may also want to turn logging on for your ACLs and monitor if there is a logged message when you attempt to connect. If you have a lot of traffic flowing though this can be much harder.
0
 
LVL 1

Author Comment

by:First Last
ID: 39222613
Ok, I ran the analyzer and here is the result:

ASDM output
It looks simple enough, WEBVPN-SVC, Actop - DROP and Info: Flow is denied by configured rule.

How can I tell from this result which rule is doing the deed?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 29

Accepted Solution

by:
Jan Springer earned 250 total points
ID: 39222903
I find 'packet-tracer' is the best tool to work with:

packet-tracer input inside tcp <ip of inside host> 4000 <ip of destination host> 22

You can also add 'detail" to the end of that command.

What do you get?
0
 
LVL 1

Author Comment

by:First Last
ID: 39223173
Great command, I never tried that before.  When I run using the following syntax its showing allow at every stage:

packet-tracer input inside tcp 10.228.254.11 22 10.225.34.21 22

For example here is Phase 19 -
Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad180800, priority=0, domain=inspect-ip-options, deny=true
        hits=63493352, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

So I'm not sure why I get data passing the test with this trace but the gui trace fails as in the screenshot above.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39223314
Did each step of the results show "allow"?  (and preferably test with a realistic source port -- something greater than 1024).
0
 
LVL 1

Author Comment

by:First Last
ID: 39223350
Yes, each step shows allow as above.  Not sure why I'd need to change the source port since I'm testing for SSH on port 22.

I wound up opening a case with Cisco.  We created two new ACLs, one for outbound and another for inbound, then watched to see the increments.  We saw outbound traffic going up but nothing coming back so it looks like a problem on the vendor's side.  Thanks everyone for the tips, I'll split up the points evenly.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question