topic Re: ASA SSH and file share pass-through in Network Security

ASA SSH and file share pass-through

mojogar — Fri, 21 Feb 2020 15:40:54 GMT

I have implemented a new ASA 5506 running 9.9. I have these interfaces:

*interface outside-ip address by dhcp and its the default route, security=0

*interface inside 1-ip network vlan1 10.0.0.0/24, security=100

*sub interface inside 1.2-ip network vlan2 10.0.1.0/24, security=100

The interfaces are configured to be able to pass traffic when they are the same security level, so interface 1 and 1.2 can ping to each others hosts just fine cross network. Interfaces 1 and 1.2 are not able to SSH or connect to each others file shares cross network even though I can ping the hosts from the other subnet.

I have tried adding a blanket ACL on interface 1 and 1.2 of:

'permit any any ip'

to no avail.

I have also tried an ACL for SSH:

'permit any any 22'

on each interface to no avail.

Re: ASA SSH and file share pass-through

Marius Gunnerud — Sat, 28 Apr 2018 19:47:45 GMT

Are you using the FirePOWER module in the ASA5506x?

Could you provide a full running configuration of the ASA (remove any public IPs, usernames and passwords)?

Re: ASA SSH and file share pass-through

Florin Barhala — Mon, 30 Apr 2018 07:21:17 GMT

Did you apply the ACL on interfaces using access-group command?
As Marius said, full config should spell the what's missing pretty quick.

Re: ASA SSH and file share pass-through

mojogar — Mon, 30 Apr 2018 18:15:25 GMT

thanks you in advance to anyone taking a look and giving input.

show run:

Re: ASA SSH and file share pass-through

mojogar — Mon, 30 Apr 2018 13:09:06 GMT

Im writing this post for clarification. In my 1st post I simplified the issue and in my config you will see that I have 3 subinterfaces on Gi1/2 (10.2.6.0/24 vlan01)

2.4 10.2.4.0/24 vlan04

2.5 10.2.5.0/24 vlan05

2.11 10.2.140.0 vlan11

From Gi1/2 (from a host on the 10.2.6.0/24 vlan01 network) I can ping to hosts cross network, through the ASA, that I want to connect to via SSH or file share. But I cannot connect using SSH via PuTTY (or connect to a file share) cross network, through the ASA, I can only ping the device.

Re: ASA SSH and file share pass-through

Marius Gunnerud — Mon, 30 Apr 2018 14:58:52 GMT

Could you set up a capture on an interface on the ASA that is going toward a device you are trying to ssh to?

for example:

cap capin interface inside match ip host 10.10.10.1 host 11.11.11.1

replace the interface name and host IPs with relevant information. Then run an SSH test. If you see traffic leaving the ASA interface towards the device you are SSHing to then this issue is most likely either with the device itself not answering SSH or that there is an issue with the network between the ASA and the device.

Re: ASA SSH and file share pass-through

mojogar — Mon, 30 Apr 2018 18:14:03 GMT

I have things figured out.

In using the ASA to connect to multiple networks via the interfaces, asymmetric routing was happening. Traffic was passing through the interfaces and were keeping its original ip addresses and ports on the cross network. I entered some NAT rules for the interfaces when crossing that permitted the source address to use the destination interface address as a dynamic PAT address, but keep the source destination and port. Then the traffic hit the cross network interface and used that interface ip address to talk to the destination. The destination then was able to send back to that interface and cross back to the original network without issue