topic Thanks Vibhor, I read the in Network Security

Allowing SSH traffic on port 4022 through ASA 5510

sevenseas1 — Tue, 12 Mar 2019 05:51:56 GMT

I need to allow access to a Linux box on port 4022 via my Cisco FW 5510 via the internet (outside access). Packet tracer says that the packet will be allowed. But when I putty into the ip address for this Linux box on port 4022 the ACL doesn't get any hits and the connection times out. But when I run the packet tracer the hits do increase. This is what I have added:

object network STEVE_TEST
host internal ip address

nat (inside,outside) static interface service tcp 4022 4022

access-list STEVE_TEST extended permit tcp public ip address where host internal ip address eq 4022

access-group STEVE_TEST in interface outside

What is missing?????All help appreciated

Hi,As you checked the packet

Vibhor Amrodia — Wed, 29 Apr 2015 14:56:14 GMT

Hi,

As you checked the packet trace and if it shows allow , that would mean that the policies are correct and the relevant configuration does look correct.

I think the next step would be to apply captures on the ASA device interfaces:-

Captures on the Outside interface:-

capture capout interface outside match tcp host <IP of host from which you are testing> host <IP of ASA outside interface which is used for NAT>

Captures on the Inside interface:-

capture capout interface inside match tcp host <IP of host from which you are testing> host <IP address of the Linux Server(Private IP)>

Check if the traffic is making it to the Internal server ?

Also , to verify post the tracer output.

Thanks and Regards,

Vibhor Amrodia

Hi VibhorThanks for the quick

sevenseas1 — Thu, 30 Apr 2015 08:21:04 GMT

Hi Vibhor

Thanks for the quick response. Attached is a screenshot of the packet trace results. The packets are now being captured as per your post, how do I see what is in this capture. where and how please?

Hi,In the captures , you need

Vibhor Amrodia — Thu, 30 Apr 2015 08:25:06 GMT

Hi,

In the captures , you need to check the ingress captures first and see that the packet is coming in and on the egress captures the packet should go out as well.

As you have TCP flow , you need to start with SYN packet and continue the flow. If you see a packet on one capture and not on the other , that might show the issue with the ASA device.

You can also post the captures if you are okay with that.

Thanks and Regards,

Vibhor Amrodia

How do I see\export these

sevenseas1 — Thu, 30 Apr 2015 08:27:18 GMT

How do I see\export these captures to post them?

Hi,I think this would help

Vibhor Amrodia — Thu, 30 Apr 2015 08:28:24 GMT

Hi,

I think this would help.

https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor, I read the

sevenseas1 — Thu, 30 Apr 2015 08:53:40 GMT

Thanks Vibhor, I read the article and run

https://XXX.XXX.XXX.XXX/capture/in-cap/pcap/inside.pcap

https://XXX.XXX.XXX.XXX/capture/out-cap/pcap/outside.pcap

and both come back with 404 errors when run from a pc that has got ASDM access?

but i run sh capture and

sevenseas1 — Thu, 30 Apr 2015 09:11:15 GMT

but i run sh capture and attached is my screenshot it shows 0???

Hi,Have you verified the IP

Vibhor Amrodia — Thu, 30 Apr 2015 10:12:42 GMT

Hi,

Have you verified the IP address of the source and destination ?

Thanks and Regards,

Vibhor Amrodia

Would you care to explain

sevenseas1 — Thu, 30 Apr 2015 10:21:26 GMT

Would you care to explain more? The packet tracer screen shot shows that the packet should be allowed? and yet I can't make a connection to the inside Linux box from an public ip address on the internet?

Hi,Okay , this is the

Vibhor Amrodia — Thu, 30 Apr 2015 11:18:07 GMT

Hi,

Okay , this is the possible issue.

Packet Tracer is only a Virtual packet classification tool which checks all configured policies configured on the ASA device.

Now , captures would capture the actual traffic.and show you whether this packet is actually making it out to the destination or being dropped by the ASA device or reply is being received or not .

I would request that we should focus on getting the captures as that would verify the issue.

If it is okay , you can send me the ip address and captures syntax that you have used on my email for privacy

vamrodia@cisco.com

Thanks and Regards,

Vibhor Amrodia