@Marvin Rhoads
Now what you've done is the right syntax , I haven't try to increase ssh session before but I always like to make use of possibility before concluding on the documentation direction.
Your Configuration is only matching on TCP Port 22 according to your command, I wanted to just agreed this might be a deadlock stuff , but I had to think of the way ASA handle FTP traffic when in passive , and the way ASA handle traceroute as well. I believe you are familiar with the afore-mentioned protocol (FTP & Traceroute)
In the case of FTP , when you check default inspection , you can see ASA is inspecting FTP but technically ASA will deny FTP in passive mode due to variation in outbound ports and inbound port ( check FTP order of operation on this)
In the case of traceroute , cisco uses unix based whilst Window machine doesn't, the mode of manually placing exception for this protocol is different when it comes to where the traffic is been generated from. In IOS / UNIX based UDP is use as outbound and return traffic is TCP ( do you see different) , this is why traceroute packet get drop until you manually inspect this via MPF.
On Windows Machine it uses TCP as outbound and the return packet consist of two different ICMP code traffic.
With your configuration , even if this is not possible I guess you still haven't done the manual inspection properly in terms of what your class-map is matching or inspecting.
The logic before using MPF is to check :
- ASA logs via buffer or console when not production device
- sh conn all
The above guidance will tell you what is seen outbound and what is seen inbound , as we know ASA is stateful behaviour , it will expect the outbound traffic to be the same with inbound , but in the case of non standard protocol we need manually exception by looking into logs / connection details to get this right.
Please let see if this work....
