Solved

Need help troubleshooting SSH connection over Cisco ASA5510 firewall

Posted on 2013-06-05
7
702 Views
Last Modified: 2013-06-05
I'm attempting to setup SSH connnections with another company that has to traverse our ASA.  I'm not able to connect and the other end says their firewall is open to our traffic.  Now this is a situation I find myself in frequently and I'd like to learn the proper way of diagnosing the problem.  I'm not a Cisco expert but I am familiar with the tools and have full access to the device via command line and asdm.

If someone out there wouldn't mind walking me through the basic troubleshooting steps to figure this out I would greatly appreciate it.  I've tried using the packet trace tool in the asdm which I think is probably what would help the most but it baffles me.
0
Comment
Question by:First Last
  • 3
  • 2
  • 2
7 Comments
 
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 250 total points
ID: 39222581
You could use something like this image as your setting only replace the IPs with the actual IPs you are working with.Packet Trace settings
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39222590
The source port really doesn't matter since your PC will generally choose a high-level port at random. The steps will then show you using check boxes which step it fails on if any. You may also want to turn logging on for your ACLs and monitor if there is a logged message when you attempt to connect. If you have a lot of traffic flowing though this can be much harder.
0
 
LVL 1

Author Comment

by:First Last
ID: 39222613
Ok, I ran the analyzer and here is the result:

ASDM output
It looks simple enough, WEBVPN-SVC, Actop - DROP and Info: Flow is denied by configured rule.

How can I tell from this result which rule is doing the deed?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 28

Accepted Solution

by:
Jan Springer earned 250 total points
ID: 39222903
I find 'packet-tracer' is the best tool to work with:

packet-tracer input inside tcp <ip of inside host> 4000 <ip of destination host> 22

You can also add 'detail" to the end of that command.

What do you get?
0
 
LVL 1

Author Comment

by:First Last
ID: 39223173
Great command, I never tried that before.  When I run using the following syntax its showing allow at every stage:

packet-tracer input inside tcp 10.228.254.11 22 10.225.34.21 22

For example here is Phase 19 -
Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad180800, priority=0, domain=inspect-ip-options, deny=true
        hits=63493352, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

So I'm not sure why I get data passing the test with this trace but the gui trace fails as in the screenshot above.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39223314
Did each step of the results show "allow"?  (and preferably test with a realistic source port -- something greater than 1024).
0
 
LVL 1

Author Comment

by:First Last
ID: 39223350
Yes, each step shows allow as above.  Not sure why I'd need to change the source port since I'm testing for SSH on port 22.

I wound up opening a case with Cisco.  We created two new ACLs, one for outbound and another for inbound, then watched to see the increments.  We saw outbound traffic going up but nothing coming back so it looks like a problem on the vendor's side.  Thanks everyone for the tips, I'll split up the points evenly.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question