https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105741#M394667 <P>I need to be able to ssh to local interface on an ASA 7.2.5 cluster, IP=X.147.1.110 (primary cluster address) for management.</P><P>- the acl on the interface allows the connection, and shows hits</P><P>- ssh is allowed "ssh Y.35.252.0 255.255.254.0 elink"</P><P>- fw is sending a TCP reset (service resetinbound and service resetoutside are set)</P><P>- packet tracer shows</P><P># packet-tracer input elink tcp Y.35.252.89 9999 X.147.1.110 22</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; X.147.1.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; elink</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P> Anyone know why this is failing? elink is the middle security level of the three interfaces, and there are PATs on X.147.1.110, that is, traffic leaving elink is being hidden behind X.147.1.110.</P> Tue, 12 Mar 2019 00:33:11 GMT adamcarteratcisco 2019-03-12T00:33:11Z https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105741#M394667 <P>I need to be able to ssh to local interface on an ASA 7.2.5 cluster, IP=X.147.1.110 (primary cluster address) for management.</P><P>- the acl on the interface allows the connection, and shows hits</P><P>- ssh is allowed "ssh Y.35.252.0 255.255.254.0 elink"</P><P>- fw is sending a TCP reset (service resetinbound and service resetoutside are set)</P><P>- packet tracer shows</P><P># packet-tracer input elink tcp Y.35.252.89 9999 X.147.1.110 22</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; X.147.1.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; elink</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P> Anyone know why this is failing? elink is the middle security level of the three interfaces, and there are PATs on X.147.1.110, that is, traffic leaving elink is being hidden behind X.147.1.110.</P> Tue, 12 Mar 2019 00:33:11 GMT https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105741#M394667 adamcarteratcisco 2019-03-12T00:33:11Z https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105742#M394668 <HTML><HEAD></HEAD><BODY><P>Hello ,</P><P></P><P>If you are trying to innitiate sessions from behind the X interface of the ASA&nbsp; to the Ip address of the X interface, then you need the following:</P><P>- ssh 0 0 inside ( or the name)</P><P>- a crypto key on your ASA</P><P>&nbsp;&nbsp;&nbsp;&nbsp; CRYPTO key generate rsa</P><P></P><P>Let me know how it goes.</P></BODY></HTML> Thu, 06 Dec 2012 00:12:22 GMT https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105742#M394668 Julio Carvajal 2012-12-06T00:12:22Z https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105743#M394669 <HTML><HEAD></HEAD><BODY><P>- ssh 0 0 inside ( or the name)</P><P></P><P>This is already achieved with the line "ssh Y.35.252.0 255.255.254.0 elink". The source of the connection is Y.35.252.0/23 and the interface name is elink.</P><P></P><P>- a crypto key on your ASA</P><P>&nbsp;&nbsp;&nbsp;&nbsp; CRYPTO key generate rsa</P><P></P><P>Yep - that's already been done.</P><P></P><P>Is there a way to verify the sshd is running? Something like ps on unix?</P></BODY></HTML> Thu, 06 Dec 2012 00:23:52 GMT https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105743#M394669 adamcarteratcisco 2012-12-06T00:23:52Z https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105744#M394670 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Can you run a debug SSH 255 and then attemtp to connect,</P><P></P><P>What logs is the firewall showing you?</P><P></P><P>Also the show asp table socket</P><P></P><P></P><P>Regards,</P></BODY></HTML> Thu, 06 Dec 2012 00:35:10 GMT https://community.cisco.com/t5/network-security/asa-implicit-drop/m-p/2105744#M394670 Julio Carvajal 2012-12-06T00:35:10Z