10-26-2012 01:52 PM - edited 03-11-2019 05:14 PM
Hi All,
I could see the SFTP connection established through my New York firewall, but the same is not going through the Montreal firewall.
Please help us with what to do to make the setup work.
NY1FW01# sh run | i any
access-list inside_access_out extended deny ip any object-group Deny_Access log debugging
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any unreachable log
access-list inside_access_dmz_mgmt extended permit icmp any any echo-reply
access-list dmz_mgmt_access_in extended permit icmp any any echo-reply
access-list dmz_mgmt_access_in extended permit tcp any any eq 161
access-list dmz_mgmt_access_in extended permit tcp any any eq ssh
access-list netflow extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply log
access-list IPS extended permit ip any any
NY1FW01# sh conn | i 65.207.115.36
TCP outside 65.207.115.36:2200 inside 10.35.17.52:53569, idle 0:00:04, bytes 5225, flags UIO
MO1FW01(config)# sh run | i any
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit icmp any any echo log
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host 38.107.138.25 eq www
access-list outside_access_in extended permit tcp any host 38.107.138.25 eq https
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq www
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq https
access-list outside_access_in extended permit tcp any host 38.107.138.75 object-group CTX_NS_DNS_TCP_UDP
access-list outside_access_in extended permit udp any host 38.107.138.75 object-group CTX_NS_DNS_TCP_UDP
access-list outside_access_in extended permit tcp any host 38.107.138.74 object-group CTX_NS_WEB_TCP
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq 587
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq smtp
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq 993
access-list riverbed extended permit tcp any any
access-list dmz_access_in extended permit ip host 10.2.70.31 any log
access-list IPS extended permit ip any any
access-list outbound_filter_temp standard permit any
MO1FW01(config)#
10-26-2012 02:34 PM
To simplify the resolution, I am giving you the global policy outputs. Please suggest what else I have to give on the MO1FW01 for issue eradication...
MO1FW01# sh service-policy flow tcp host 10.2.11.100 host 65.207.115.36 eq 2000

Global policy:
  Service-policy: global_policy
    Class-map: riverbed
      Match: access-list riverbed
        Access rule: permit tcp any any
      Action:
        Input flow: set connection advanced-options riverbed
    Class-map: global_IPS
      Match: access-list IPS
        Access rule: permit ip any any
      Action:
        Input flow: ips promiscuous fail-open sensor ISHVS1
    Class-map: class-default
      Match: any
      Action:
        Output flow:
MO1FW01#
NY1FW01# sh service-policy flow tcp host 10.35.17.52 host 65.207.115.36 eq 2000

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow: inspect skinny
    Class-map: netflow_class
      Match: access-list netflow
        Access rule: permit ip any any
      Action:
        Output flow: flow-export event-type all destination 10.2.50.109 10.35.50.131 10.35.50.130
    Class-map: global_IPS
      Match: access-list IPS
        Access rule: permit ip any any
      Action:
        Input flow: ips promiscuous fail-open sensor ISHVS1
    Class-map: class-default
      Match: any
      Action:
10-26-2012 11:57 PM
If the connection shown is the one you want to allow, then your SFTP server is running on port 2200. That has to be opened on the firewall. From your show commands it is not visible why it doesn't work, but the packet-tracer can help you:
packet-tracer input INTERFACE tcp CLIENT-IP 1234 65.207.115.36 2200
where INTERFACE is the interface where the packet should enter your ASA (depends on the location of the client) and CLIENT-IP is the IP of one of the PCs that should be able to work with that server.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
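To make the first-match logic behind the answer concrete, here is an added Python model (not code from the thread or from Cisco) that parses a constructed subset of the MO1FW01 access-lists quoted above and evaluates a flow against one list the way the ASA does: top to bottom, first match wins, implicit deny at the end. It only understands the ACE forms that appear on the page (`any`, `host`, `eq PORT` after the destination) and flags `object-group` references as unresolved, which is exactly the kind of gap that makes `packet-tracer` on the box the authoritative check.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the MO1FW01 access-lists quoted in the thread.
ACL_TEXT = """\
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit icmp any any echo log
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq https
access-list outside_access_in extended permit tcp any host 38.107.138.75 object-group CTX_NS_DNS_TCP_UDP
access-list outside_access_in extended permit tcp any host 38.107.138.21 eq smtp
access-list outbound_filter_temp standard permit any
"""
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}  # page keywords -> usual ports

def parse_ace(line):
    """Parse one extended ACE of the shape used in the thread; None for lines this model does not cover."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] != "extended":
        return None
    ace = {"acl": toks[1], "action": toks[3], "proto": toks[4], "text": line,
           "dport": None, "unresolved": False}
    rest = toks[5:]
    for key in ("src", "dst"):
        if rest[0] == "any":
            ace[key], rest = ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            ace[key], rest = ip_network(rest[1]), rest[2:]
        else:  # object-group NAME or NET MASK: two tokens, not resolved by this toy model
            ace["unresolved"], rest = True, rest[2:]
    if rest[:1] == ["eq"]:  # only the destination-port form appears on the page
        ace["dport"] = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    elif rest[:1] == ["object-group"]:  # service object-group after the destination
        ace["unresolved"] = True
    return ace

def evaluate(aces, acl, proto, src, dst, dport):
    """First-match evaluation as the ASA applies an ACL, ending in the implicit deny.
    Returns (verdict, matching ACE text, number of unresolved ACEs skipped on the way)."""
    src, dst, skipped = ip_address(src), ip_address(dst), 0
    for ace in aces:
        if ace["acl"] != acl or ace["proto"] not in ("ip", proto):
            continue
        if ace["unresolved"]:  # might have matched; only packet-tracer on the box can tell
            skipped += 1
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"], ace["text"], skipped
    return "deny", "implicit deny at end of access-list", skipped

ACES = [a for a in (parse_ace(ln) for ln in ACL_TEXT.splitlines()) if a]
```

Running `evaluate(ACES, "inside_access_out", "tcp", "10.2.11.100", "65.207.115.36", 2200)` returns a permit from `permit ip any any log`, so the egress ACL alone does not explain the Montreal failure; a skipped count above zero in the result means an unresolved object-group sits in the path and the verdict must be confirmed with `packet-tracer`.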