topic Mahesh,You say a switch but in Network Security

Unable to ssh switch from PC

mahesh18 — Tue, 12 Mar 2019 06:31:00 GMT

Hi,

I am trying to ssh from PC to Switch.

PC IP 192.168.2.5

Switch IP 10.31.2.34

log shows

Aug 28 2015 21:10:41: %ASA-6-302013: Built outbound TCP connection 673 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:41: %ASA-6-302014: Teardown TCP connection 673 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I
Aug 28 2015 21:10:44: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.5/1556 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 28 2015 21:10:44: %ASA-6-302013: Built outbound TCP connection 675 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:44: %ASA-6-302014: Teardown TCP connection 675 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I
Aug 28 2015 21:10:47: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.5/1556 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 28 2015 21:10:50: %ASA-6-302013: Built outbound TCP connection 677 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.5/1556 (192.168.2.5/1556)
Aug 28 2015 21:10:50: %ASA-6-302014: Teardown TCP connection 677 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.5/1556 duration 0:00:00 bytes 0 TCP Reset-I

Confi g

interface Ethernet0/0
nameif MGMT
security-level 10
ip address 10.31.2.33 255.255.255.0
!

!
interface Ethernet0/3
nameif VISITOR
security-level 50
ip address 192.168.2.1 255.255.255.0

ACL is there to allow ssh to 10.31.2.34 but i see no hit counts.

Packet tracer shows that ssh is allowed.

Also from PC i can ping the IP 10.31.2.34 but ssh does not work is this due to design?

Regards

MAhesh

Mahesh,You say a switch but

Richard Bradfield — Sat, 29 Aug 2015 05:52:21 GMT

Mahesh,

You say a switch but actually an ASA firewall, can you share more of the ASA configuration and a show access-list command

thanks

Richard.

Its not ASA it is switch

mahesh18 — Sat, 29 Aug 2015 06:52:26 GMT

Its not ASA it is switch directly connected to ASA.

ASA config

access-list MGMT_access_in extended permit ip any any
access-list VISITOR_access_in extended permit udp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 eq domain
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list VISITOR_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 eq ssh

Regards

Mahesh

the Reset-I in your logs

Marius Gunnerud — Sat, 29 Aug 2015 18:44:08 GMT

the Reset-I in your logs indicates that the reset is coming from the VISITOR interface. Are you sure that the switch is correctly configured for SSH access?

Also could you post all your NAT configuration. I have also seen this issue being cause by incorrectly configured NAT statements.

Please remember to select a correct answer and rate helpful posts

Hi Marius, Switch is

mahesh18 — Sat, 29 Aug 2015 20:11:46 GMT

Hi Marius,

Switch is allowing the ssh.

Here is all NAT config

global (outside) 1 interface
nat (MGMT) 1 0.0.0.0 0.0.0.0
nat (VISITOR) 1 0.0.0.0 0.0.0.0
static (WLC_ASA_5505,MGMT) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (VISITOR,MGMT) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (VISITOR,WLC_ASA_5505) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Regards

Mahesh

what are you trying to

Marius Gunnerud — Sun, 30 Aug 2015 06:57:18 GMT

what are you trying to accomplish with this NAT statement:

static (VISITOR,MGMT) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

I believe your issues are coming freom incorrect NAT usage. The above NAT statement translates a destination address of 192.168.2.0 to itself. This is an incorrect usase of NAT for the version you are running. This should be a NAT 0 statement.

access-list NAT0 extended permit ip <VISITOR subnet> <MGMT subnet>

nat (VISITOR) 0 access-list NAT0

You could probably solve this issue by using the no nat-control command and removing your current static nat entries. Though then you would need to be more specific with your nat (MGMT) and nat (VISITOR) subnets and not have them as 0.0.0.0 0.0.0.0.

Please remember to select a correct answer and rate helpful posts

here is setup WLC-----

mahesh18 — Sun, 30 Aug 2015 12:02:56 GMT

here is setup

WLC------switch-----------ASA

WLC Management IP 10.31.2.35

Switch Management IP 10.31.2.34

Switch has default gateway to the ASA IP--10.31.2.33

With that NAT I am trying to reach the 10.31.2.0 subnet from user IP 192.168.2.0.

Now I have removed that NAT but I am still able to ping and ssh to WLC IP 10.31.2.35?

Can you please tell how this is happening without any NAT from Visitor to Management interface of ASA ?

I put the no nat as you said

nat (VISITOR) 0 access-list NAT0

still same issue

Aug 30 2015 05:51:56: %ASA-6-302013: Built outbound TCP connection 40004 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:51:56: %ASA-6-302014: Teardown TCP connection 40004 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:51:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 30 2015 05:51:59: %ASA-6-302013: Built outbound TCP connection 40007 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:51:59: %ASA-6-302014: Teardown TCP connection 40007 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:52:02: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 30 2015 05:52:05: %ASA-6-302013: Built outbound TCP connection 40009 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:52:05: %ASA-6-302014: Teardown TCP connection 40009 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:52:10: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 30 2015 05:51:56: %ASA-6-302013: Built outbound TCP connection 40004 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:51:56: %ASA-6-302014: Teardown TCP connection 40004 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:51:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 30 2015 05:51:59: %ASA-6-302013: Built outbound TCP connection 40007 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:51:59: %ASA-6-302014: Teardown TCP connection 40007 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:52:02: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST on interface VISITOR
Aug 30 2015 05:52:05: %ASA-6-302013: Built outbound TCP connection 40009 for MGMT:10.31.2.34/22 (10.31.2.34/22) to VISITOR:192.168.2.28/1498 (192.168.2.28/1498)
Aug 30 2015 05:52:05: %ASA-6-302014: Teardown TCP connection 40009 for MGMT:10.31.2.34/22 to VISITOR:192.168.2.28/1498 duration 0:00:00 bytes 0 TCP Reset-I
Aug 30 2015 05:52:10: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.28/1498 to 10.31.2.34/22 flags RST on interface VISITOR

Also if I do no nat control then how would visitor subnet access the internet?

Regards

MAhesh

Did you define the NAT0

Marius Gunnerud — Sun, 30 Aug 2015 19:11:04 GMT

Did you define the NAT0 access list?

Also if I do no nat control then how would visitor subnet access the internet?

nat-control only tells the ASA that it REQUIRES an ACL to allow traffic between interfaces. Removing it does not prevent NAT. As long as you have a dynamic NAT for internet traffic you are fine for internet access.

Could you please provide your full running config for your ASA. Remove any public IPs and passwords.

Please remember to select a correct answer and rate helpful posts

yes i define nat 0.here is

mahesh18 — Sun, 30 Aug 2015 20:01:17 GMT

yes i define nat 0.

here is full config

ASA5520# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA5520

names
!
interface Ethernet0/0
nameif MGMT
security-level 10
ip address 10.31.2.33 255.255.255.0
!
interface Ethernet0/1
description Connection to ISP SHAW
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/2
nameif WLC_ASA_5505
security-level 67
ip address 10.255.255.2 255.255.255.252

interface Ethernet0/3
nameif VISITOR
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MST recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 64.59.144.19
object-group network DM_INLINE_NETWORK_1
network-object host 4.2.2.2
network-object host 64.59.144.19
object-group network DM_INLINE_NETWORK_2
network-object host 10.31.2.34
network-object host 10.31.2.35
network-object host 10.31.2.37
network-object host 10.255.255.1
access-list MGMT_access_in extended permit ip any any
access-list VISITOR_access_in extended permit udp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 eq domain
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list VISITOR_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list VISITOR_access_in extended permit tcp 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 eq ssh
access-list NAT0 extended permit ip 192.168.2.0 255.255.255.0 10.31.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 567890
logging buffered informational
logging history informational
logging asdm informational
mtu MGMT 1500
mtu outside 1500
mtu WLC_ASA_5505 1500
mtu VISITOR 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
<--- More --->

global (outside) 1 interface
nat (MGMT) 1 0.0.0.0 0.0.0.0
nat (VISITOR) 0 access-list NAT0
nat (VISITOR) 1 0.0.0.0 0.0.0.0
static (WLC_ASA_5505,MGMT) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (VISITOR,WLC_ASA_5505) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group MGMT_access_in in interface MGMT
access-group VISITOR_access_in in interface VISITOR
route WLC_ASA_5505 10.0.0.0 255.255.255.0 10.255.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 WLC_ASA_5505
http 192.168.2.0 255.255.255.0 VISITOR
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5
ssh 10.0.0.0 255.255.255.0 WLC_ASA_5505
ssh 192.168.2.0 255.255.255.0 VISITOR
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.4-192.168.2.61 VISITOR
dhcpd dns 64.59.144.19 interface VISITOR
dhcpd enable VISITOR
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 136.159.2.254 source outside
ntp server 128.100.56.135 source outside prefer

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:03ff1b71e63cf283ab4d7a146dfc367c
: end

Strange thing is that i can ssh 10.31.2.35 which is WLC IP but not switch.

Regards

MAhesh

If you can ssh to 10.31.2.35

Marius Gunnerud — Sun, 30 Aug 2015 20:37:03 GMT

If you can ssh to 10.31.2.35 but not 10.31.2.34, I suggest you take a look at the SSH and VTY configuration on the switch. Also check if there are restrictions that have been added to the control-plane.

Please remember to select a correct answer and rate helpful posts

i can ssh to switch IP 192

mahesh18 — Sun, 30 Aug 2015 22:10:05 GMT

i can ssh to switch IP 192.168.2.2 but not 10.31.2.34 so that tells me that ssh config

on switch is correct.

There are no restrictions on switch.It is layer 2 switch with default gateway pointing to

ASA 10.31.2.33

below is config of switch

!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
interface FastEthernet1/0/1
description Connection to ASA 5510 Eth0/0
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/2
description Connection to ASA 5510 Eth0/3
switchport access vlan 361
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
description Connection_to_WAP
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/1
description WLC_P1
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description WLC_P2
switchport access vlan 361
switchport mode access
spanning-tree portfast
!
interface Vlan1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Vlan2
ip address 10.31.2.34 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Vlan361
ip address 192.168.2.2 255.255.255.0
no ip route-cache
no ip mroute-cache
!
ip default-gateway 10.31.2.33
ip classless
ip http server
ip http secure-server
!
!
!
!
!
line con 0
line vty 0 4
login local
transport input telnet ssh
transport output ssh
line vty 5 15
login local
transport input telnet ssh
transport output ssh
!
ntp clock-period 36029625
ntp server 128.100.56.135 prefer

Regards

Mahesh

What model switch is it?

Marius Gunnerud — Mon, 31 Aug 2015 19:05:44 GMT

What model switch is it? Most L2 switches only support 1 active management VLAN interface. I think that might the problem you are facing. what is the output of show ip int bri showing you for interface vlan2?

Besides, If this was aL3 switch, traffic would never go through the ASA but be routed directly by the switch.

Please remember to select a correct answer and rate helpful posts

here is infoSwitch#sh

mahesh18 — Tue, 01 Sep 2015 03:05:29 GMT

here is info

Switch#sh inventory
NAME: "1", DESCR: "WS-C3750-24TS"
PID: WS-C3750-24TS-E , VID: F0 , SN: CAT0832X1GX

NAME: "GigabitEthernet1/0/1", DESCR: "1000BaseSX SFP"
PID: Unspecified , VID: , SN: FNS111725W2

NAME: "GigabitEthernet1/0/2", DESCR: "1000BaseSX SFP"
PID: Unspecified , VID: , SN: FNS0928H4EY

Switch#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM administratively down down
Vlan2                  10.31.2.34      YES NVRAM up                    up
Vlan361                192.168.2.2     YES NVRAM up                    up
FastEthernet1/0/1      unassigned      YES unset up                    up
FastEthernet1/0/2      unassigned      YES unset up                    up
FastEthernet1/0/3      unassigned      YES unset down                  down
FastEthernet1/0/4      unassigned      YES unset down                  down
FastEthernet1/0/5      unassigned      YES unset down                  down
FastEthernet1/0/6      unassigned      YES unset down                  down
FastEthernet1/0/7      unassigned      YES unset down                  down
FastEthernet1/0/8      unassigned      YES unset down                  down
FastEthernet1/0/9      unassigned      YES unset down                  down
FastEthernet1/0/10     unassigned      YES unset down                  down
FastEthernet1/0/11     unassigned      YES unset down                  down
FastEthernet1/0/12     unassigned      YES unset down                  down
FastEthernet1/0/13     unassigned      YES unset down                  down
FastEthernet1/0/14     unassigned      YES unset down                  down
FastEthernet1/0/15     unassigned      YES unset down                  down
FastEthernet1/0/16     unassigned      YES unset down                  down
FastEthernet1/0/17     unassigned      YES unset down                  down
FastEthernet1/0/18     unassigned      YES unset down                  down
FastEthernet1/0/19     unassigned      YES unset down                  down
FastEthernet1/0/20     unassigned      YES unset down                  down
FastEthernet1/0/21     unassigned      YES unset down                  down
FastEthernet1/0/22     unassigned      YES unset down                  down
FastEthernet1/0/23     unassigned      YES unset down                  down
FastEthernet1/0/24     unassigned      YES unset up                    up
GigabitEthernet1/0/1   unassigned      YES unset up                    up
GigabitEthernet1/0/2   unassigned      YES unset up                    up
Switch#

Regards

Mahesh

If you change the IP on the

Marius Gunnerud — Tue, 01 Sep 2015 07:54:02 GMT

If you change the IP on the PC to be in the 10.31.2.0/24 subnet, and configure another port to be in that VLAN, are you able to ping 10.31.2.34?

Please remember to select a correct answer and rate helpful posts

Ping is not issue i can ping

mahesh18 — Tue, 01 Sep 2015 16:19:30 GMT

Ping is not issue i can ping the switch IP 10.31.2.34 from PC with 192.168.2.x subnet.

But i will to test as per you later today.

Regards

MAhesh