Solved

Need help troubleshooting SSH connection over Cisco ASA5510 firewall

Posted on 2013-06-05
Last Modified: 2013-06-05
I'm attempting to set up SSH connections with another company that have to traverse our ASA.  I'm not able to connect and the other end says their firewall is open to our traffic.  Now this is a situation I find myself in frequently and I'd like to learn the proper way of diagnosing the problem.  I'm not a Cisco expert but I am familiar with the tools and have full access to the device via command line and ASDM.

If someone out there wouldn't mind walking me through the basic troubleshooting steps to figure this out I would greatly appreciate it.  I've tried using the packet trace tool in the ASDM, which I think is probably what would help the most, but it baffles me.
Question by:First Last
7 Comments
 
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 250 total points
ID: 39222581
You could use something like this image as your setting, only replace the IPs with the actual IPs you are working with. [Image: Packet Trace settings]
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39222590
The source port really doesn't matter since your PC will generally choose a high-level port at random. The steps will then show you using check boxes which step it fails on, if any. You may also want to turn logging on for your ACLs and monitor if there is a logged message when you attempt to connect. If you have a lot of traffic flowing through, this can be much harder.
 
LVL 1

Author Comment

by:First Last
ID: 39222613
Ok, I ran the analyzer and here is the result:

[Image: ASDM output]
It looks simple enough: WEBVPN-SVC, Action - DROP and Info: Flow is denied by configured rule.

How can I tell from this result which rule is doing the deed?
LVL 28

Accepted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 39222903
I find 'packet-tracer' is the best tool to work with:

packet-tracer input inside tcp <ip of inside host> 4000 <ip of destination host> 22

You can also add 'detail' to the end of that command.

What do you get?
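The asker's follow-up question above ("which rule is doing the deed?") is answered by the Config lines that packet-tracer prints under the phase whose Result is DROP: for an ACCESS-LIST phase they are the access-group binding and the access-list entry that matched. The following Python is an added example, not code from this thread or from Cisco, that parses that text output, reports the first DROP phase and its Config lines (or tells you every phase allowed, which is what the asker later saw), and builds the CLI command from the accepted answer with an ephemeral source port above 1024 rather than 22. The trace embedded in it is constructed to resemble ASA output and was not captured from the asker's firewall; the ACL names and addresses in it are made up.

```python
# Added example (not from the thread or from Cisco): parse Cisco ASA
# 'packet-tracer ... detail' text and report the phase that dropped the flow.
import random
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, not captured from the asker's ASA: an ACL bound to the
# inside interface drops SSH from the inside host. ACL name is made up.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.225.34.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq ssh
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
SUMMARY_RE = re.compile(r"^Result:[ \t]*$", re.M)  # bare line opening the summary block


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under 'Config:'


def parse_phases(trace: str) -> List[Phase]:
    """Split the trace into Phase records; the trailing summary block is cut off."""
    phases: List[Phase] = []
    marks = list(PHASE_RE.finditer(trace))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(trace)
        body = SUMMARY_RE.split(trace[m.end():end], maxsplit=1)[0]
        ph, in_config = Phase(int(m.group(1))), False
        for line in body.splitlines():
            if line.startswith("Config:"):
                in_config = True
            elif line.startswith("Additional Information:"):
                in_config = False
            elif in_config:
                if line.strip():
                    ph.config.append(line.strip())
            elif line.startswith("Type:"):
                ph.type = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                ph.result = line.split(":", 1)[1].strip()
        phases.append(ph)
    return phases


def first_drop(trace: str) -> Optional[Phase]:
    """First phase with Result DROP (for an ACCESS-LIST phase its config lines
    name the access-group and the ACL entry that matched), else None."""
    return next((p for p in parse_phases(trace) if p.result == "DROP"), None)


def drop_reason(trace: str) -> Optional[str]:
    """The 'Drop-reason:' text from the summary block, if present."""
    m = re.search(r"^Drop-reason:\s*(.+?)\s*$", trace, re.M)
    return m.group(1) if m else None


def packet_tracer_command(iface: str, src: str, dst: str, dport: int = 22,
                          sport: Optional[int] = None) -> str:
    """Build the CLI command with an ephemeral source port (a client never
    connects from port 22); pass sport explicitly to make the test repeatable."""
    if sport is None:
        sport = random.randint(49152, 65535)
    return f"packet-tracer input {iface} tcp {src} {sport} {dst} {dport} detail"


if __name__ == "__main__":
    print(packet_tracer_command("inside", "10.228.254.11", "10.225.34.21"))
    hit = first_drop(SAMPLE_TRACE)
    if hit is None:
        print("every phase ALLOW: look at the return path or the far end")
    else:
        print(f"dropped in phase {hit.number} ({hit.type}); matching config:")
        print("\n".join("    " + c for c in hit.config))
        print("reason:", drop_reason(SAMPLE_TRACE))
```

Paste the real output of the command into `SAMPLE_TRACE` (or read it from a file) to use it on your own firewall. When every phase comes back ALLOW, as it did for the asker, packet-tracer has shown that the ASA would forward the outbound SYN; the next step is to confirm that the reply actually arrives, for example with the ACL hit counters described at the end of the thread.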
 
LVL 1

Author Comment

by:First Last
ID: 39223173
Great command, I never tried that before.  When I run using the following syntax it's showing allow at every stage:

packet-tracer input inside tcp 10.228.254.11 22 10.225.34.21 22

For example, here is Phase 19:
Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad180800, priority=0, domain=inspect-ip-options, deny=true
        hits=63493352, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

So I'm not sure why I get data passing the test with this trace but the GUI trace fails as in the screenshot above.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39223314
Did each step of the results show "allow"?  (and preferably test with a realistic source port -- something greater than 1024).
 
LVL 1

Author Comment

by:First Last
ID: 39223350
Yes, each step shows allow as above.  Not sure why I'd need to change the source port since I'm testing for SSH on port 22.

I wound up opening a case with Cisco.  We created two new ACLs, one for outbound and another for inbound, then watched to see the increments.  We saw outbound traffic going up but nothing coming back so it looks like a problem on the vendor's side.  Thanks everyone for the tips, I'll split up the points evenly.
