ASA 8.2(5) can't ssh from NAT'ed IP address

ippolito — Fri, 21 Feb 2020 13:36:29 GMT

Hello - wondering if someone can tell me if there's a bug in the 8.2(5) code (I'm running the latest build, #58) related to ssh'ing into the appliance from a NAT'ed ip address.

My setup is like this:

my workstation (192.168.1.1)

ASA 5585-X (nats 192.168.1.1 to 10.1.1.1)

ASA 5505 10.2.2.2

On the 5585 side, here is the packet trace:

1: 09:57:43.317229 10.1.1.1.33728 > 10.2.2.2.22: S 1546719477:1546719477(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
2: 09:57:43.317946 10.2.2.2.22 > 10.1.1.1.33728: S 692254474:692254474(0) ack 1546719478 win 8192 <mss 1380>
3: 09:57:43.318312 10.1.1.1.33728 > 10.2.2.2.22: . ack 692254475 win 64860
4: 09:57:43.318388 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
5: 09:57:43.615980 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
6: 09:57:44.215976 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
7: 09:57:45.416024 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
8: 09:57:47.824664 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
9: 09:57:52.626829 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
10: 09:58:02.232348 10.1.1.1.33728 > 10.2.2.2.22: R 1546719529:1546719529(0) ack 692254475 win 0

And here's the trace on the 5505 side:

1: 09:57:43.291717 10.1.1.1.33728 > 10.2.2.2.22: S 2937505576:2937505576(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
2: 09:57:43.291809 10.2.2.2.22 > 10.1.1.1.33728: S 25078042:25078042(0) ack 2937505577 win 8192 <mss 1380>
3: 09:57:43.292709 10.1.1.1.33728 > 10.2.2.2.22: . ack 25078043 win 64860
4: 09:57:43.292877 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
5: 09:57:43.590377 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
6: 09:57:44.190343 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
7: 09:57:45.390375 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
8: 09:57:47.798954 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
9: 09:57:52.601027 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
10: 09:58:02.206364 10.1.1.1.33728 > 10.2.2.2.22: R 2937505628:2937505628(0) ack 25078043 win 0

Here is the log from the 5585:

%ASA-6-305011: Built dynamic TCP translation from any:192.168.1.1/59017 to any:10.1.1.1/59017
%ASA-6-302013: Built inbound TCP connection 1008925 for outside:192.168.1.1/59017 (10.1.1.1/59017) to outside:10.2.2.2/22 (10.2.2.2/22)
%ASA-6-305012: Teardown dynamic TCP translation from any:192.168.1.1/59017 to any:10.1.1.1/59017 duration 0:00:18

And the log from the 5505:

%ASA-7-609001: Built local-host outside:10.1.1.1
%ASA-7-710005: TCP request discarded from 10.1.1.1/59017 to outside:10.2.2.2/22
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/59017 to 10.2.2.2/22 flags RST ACK on interface outside

This used to work when I was running the 7.2(5)15 code on the 5505, but has since broken after I upgraded it to the 8.2(5)58 code.

If I remove the NAT on the 5585, I can connect to the machine directly, but it is a business requirement that i use NAT to connect -- I'm being temporarily allowed to connect directly to the 5505 with my workstation for testing.

Any help would be greatly appreciated.

thanks,

Mike

Hi Mike,

Patrick Moubarak — Tue, 10 Nov 2015 15:57:14 GMT

Hi Mike,

on the 5505, do you allow ssh from 10.1.1.1 on the outside interface (ssh 10.1.1.1 255.255.255.255 outside)?

TCP request discarded from 10.1.1.1/59017 to outside:10.2.2.2/22

Also, what is the IP of the 5505 that faces the other ASA 5585-X? I mean on the inside interface? it looks like you are trying to connect to a far interface and being dropped which is normal; ASA cannot be managed through a farside interface unless you use the command <management-access outside>

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html

If this is your setup:

my workstation (192.168.1.1)

ASA 5585-X (nats 192.168.1.1 to 10.1.1.1)

ASA 5505 10.1.1.2 (inside)

10.2.2.2 (outside)

then allow ssh to inside interface (ssh 10.1.1.1 255.255.255.255 inside) and use IP 10.1.1.2 to connect to the 5505 instead of outside interface IP...

Patrick

Hi Patrick,

ippolito — Tue, 17 Nov 2015 18:24:56 GMT

Hi Patrick,

I do have ssh 10.1.1.1 255.255.255.255 outside.

I think you're on to something with the management-access command -- I'll try that and see if it works.

Thanks for your input on this!

Mike

topic ASA 8.2(5) can't ssh from NAT'ed IP address in Network Security

ASA 8.2(5) can't ssh from NAT'ed IP address

Hi Mike,

Hi Patrick,