09-15-2025 04:14 PM
Hey there.
I'm trying to set up a management VLAN on my switch downstairs through my ASA that's on my same network, but I'm having the address on another network so it's routed through the ASA to harden up SSH to my address only.
Some rough config is:
Management VLAN 999 on switch at 10.0.200.250. I can ping this from my PC and the ASA. I cannot SSH into it.
I can SSH into its other IP via layer 2 when I'm on the same network, e.g. 10.10.10.*, which is why I wanted it to be address-based only to harden it up.
My rule of source address *mine*, dest 10.0.200.250, SSH permit is rule 1.
Any source address, dest 10.0.200.250, SSH deny is second. Even when I've disabled this I cannot SSH into it.
Just wondering if I could have missed something? It worked for the other address I had on a different network, but it's not working on this one.
Cheers
09-18-2025 05:14 PM
Still having no luck. I can't see any rule or issue with TCP, but it's not working; it's permitted.
Still getting SSH RST packets when trying to connect to 10.0.200.250. It still works fine locally over L2 as 10.0.2.250.
09-23-2025 01:44 AM
Could you please run packet capture on the ASA CLI while you're trying to SSH and share the output for review?
capture SSH interface INSIDE-AMC-SSH match tcp host 10.0.2.210 host 10.0.200.250 eq 22
Could you also run an asp-drop type capture as well, please? That will show us the drops on the firewall.
capture SSH-DROP type asp-drop all real-time
I'm thinking out loud here: maybe the switch has another path on the network to get back to the 10.0.2.x network that is not via the firewall? If that is the case, it would explain why the traffic gets dropped, because the firewall would only see half of that traffic, and that would also explain why you are getting those TCP resets.
If that is really what's going on, then you can fix it as explained in this post of mine:
https://bluenetsec.com/asa-tcp-state-bypass/
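To make the asymmetric-path theory in the reply above checkable, here is an added Python example (not from the thread, Cisco, or the linked post) that parses ASA-style `show capture` packet lines and flags flows where the client's SYN and later ACKs crossed the ASA but the switch's SYN-ACK never did. The capture lines are constructed to imitate the output format, and the host 10.0.200.10 is an assumed second target used only for contrast.

```python
import re
from collections import defaultdict

# One packet line of ASA `show capture` output (tcpdump-style flag letters after the colon).
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                              # packet number and timestamp
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
)

# Constructed sample, not real capture data. Flow 1 mimics the failing SSH session: the ASA
# sees the client's SYN and later ACK/data but never the SYN-ACK. Flow 2 (assumed host
# 10.0.200.10) shows a handshake that crossed the ASA in both directions.
SAMPLE_CAPTURE = """\
   1: 16:14:01.100000       10.0.2.210.12345 > 10.0.200.250.22: S 1000:1000(0) win 64240
   2: 16:14:01.101000       10.0.2.210.12345 > 10.0.200.250.22: . ack 5001 win 64240
   3: 16:14:01.102000       10.0.2.210.12345 > 10.0.200.250.22: P 1001:1033(32) ack 5001 win 64240
   4: 16:14:05.000000       10.0.2.210.12346 > 10.0.200.10.22: S 2000:2000(0) win 64240
   5: 16:14:05.001000       10.0.200.10.22 > 10.0.2.210.12346: S 5000:5000(0) ack 2001 win 65535
   6: 16:14:05.002000       10.0.2.210.12346 > 10.0.200.10.22: . ack 5001 win 64240
"""

def verdict(f):
    # Classify one client->server flow by which handshake legs the ASA actually saw.
    if f["syn"] and not f["synack"]:
        if f["client_other"]:
            return "asymmetric: client ACK/data crossed the ASA but the SYN-ACK never did"
        return "unanswered: SYNs went out, nothing came back through the ASA"
    if f["synack"]:
        return "symmetric: handshake crossed the ASA in both directions"
    return "no SYN seen for this flow"

def analyze_capture(text):
    # Flows are keyed (client_ip, client_port, server_ip, server_port).
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_other": 0, "server_other": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        has_ack = " ack " in line
        if "S" in flags and not has_ack:
            flows[fwd]["syn"] += 1            # client -> server SYN
        elif "S" in flags and has_ack:
            flows[rev]["synack"] += 1         # server -> client SYN-ACK
        elif rev in flows:
            flows[rev]["server_other"] += 1   # server side of a flow already seen
        else:
            flows[fwd]["client_other"] += 1   # client ACK/data (unknown side assumed client)
    for f in flows.values():
        f["verdict"] = verdict(f)
    return dict(flows)
```

Run it over the text of `show capture SSH` on the ASA: a flow reported as "asymmetric" is the signature the reply describes, where the switch answers the client directly over L2 and the ASA only ever sees one half of the conversation.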