04-29-2015 07:50 AM - edited 03-11-2019 10:51 PM
Hi
I need to allow access to a Linux box on port 4022 via my Cisco FW 5510 via the internet (outside access). Packet tracer says that the packet will be allowed. But when I putty into the ip address for this Linux box on port 4022 the ACL doesn't get any hits and the connection times out. But when I run the packet tracer the hits do increase. This is what I have added:
object network STEVE_TEST
host internal ip address
nat (inside,outside) static interface service tcp 4022 4022
access-list STEVE_TEST extended permit tcp public ip address where host internal ip address eq 4022
access-group STEVE_TEST in interface outside
What is missing? All help appreciated.
04-29-2015 07:56 AM
Hi,
As you checked the packet trace and it shows allow, that would mean that the policies are correct and the relevant configuration does look correct.
I think the next step would be to apply captures on the ASA device interfaces:-
Captures on the Outside interface:-
capture capout interface outside match tcp host <IP of host from which you are testing> host <IP of ASA outside interface which is used for NAT>
Captures on the Inside interface:-
capture capout interface inside match tcp host <IP of host from which you are testing> host <IP address of the Linux Server(Private IP)>
Check if the traffic is making it to the internal server?
Also, to verify, post the tracer output.
Thanks and Regards,
Vibhor Amrodia
04-30-2015 01:21 AM
04-30-2015 01:25 AM
Hi,
In the captures, you need to check the ingress captures first and see that the packet is coming in, and on the egress captures the packet should go out as well.
As you have a TCP flow, you need to start with the SYN packet and continue the flow. If you see a packet on one capture and not on the other, that might show the issue with the ASA device.
You can also post the captures if you are okay with that.
Thanks and Regards,
Vibhor Amrodia
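An added example (not the poster's or Cisco's code) that applies the ingress-then-egress check above to text shaped like ASA `show capture` output; the client address 203.0.113.50, the ASA outside address 198.51.100.1, the server address 10.0.0.20 and the capture lines themselves are constructed assumptions:

```python
import re

# Added example (not from the thread). Parses text like ASA 'show capture <name>'
# output and reports the hop at which a TCP handshake to the NATed port stopped.
# One capture line looks like (flags are tcpdump style: S = SYN, S. = SYN/ACK):
#   1: 10:15:01.100200  203.0.113.50.51234 > 198.51.100.1.4022: S 1000:1000(0) win 8192
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPU.]+)"
)

def parse_capture(text):
    """Return one dict per packet line; the 'N packets captured' lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def _seen(pkts, src, dst, flags, sport=None, dport=None):
    """True if any packet has these endpoints and exactly these TCP flags."""
    return any(p["src"] == src and p["dst"] == dst and p["flags"] == flags
               and (sport is None or p["sport"] == sport)
               and (dport is None or p["dport"] == dport) for p in pkts)

def diagnose(outside_txt, inside_txt, client, public_ip, server_ip, port):
    """Ingress first, then egress. Outside sees the pre-NAT public address,
    inside sees the server's private address after the static NAT."""
    out, ins = parse_capture(outside_txt), parse_capture(inside_txt)
    if not _seen(out, client, public_ip, "S", dport=port):
        return "no SYN on outside: traffic never reached the ASA"
    if not _seen(ins, client, server_ip, "S", dport=port):
        return "SYN on outside but not inside: dropped by the ASA (NAT/ACL)"
    if not _seen(ins, server_ip, client, "S.", sport=port):
        return "SYN reached server, no SYN/ACK: not listening or no route back"
    if not _seen(out, public_ip, client, "S.", sport=port):
        return "server replied but SYN/ACK not sent outside: reply dropped by the ASA"
    return "handshake seen on both interfaces: ASA is passing the flow"

# Constructed sample: client 203.0.113.50 retries its SYN to the ASA outside
# address 198.51.100.1:4022 (IPs assumed); the inside capture stays empty.
OUTSIDE_SAMPLE = """2 packets captured
   1: 10:15:01.100200       203.0.113.50.51234 > 198.51.100.1.4022: S 1000:1000(0) win 8192 <mss 1460>
   2: 10:15:04.101100       203.0.113.50.51234 > 198.51.100.1.4022: S 1000:1000(0) win 8192 <mss 1460>
2 packets shown
"""
INSIDE_SAMPLE = "0 packet captured\n0 packet shown\n"
```

Running `diagnose(OUTSIDE_SAMPLE, INSIDE_SAMPLE, "203.0.113.50", "198.51.100.1", "10.0.0.20", 4022)` on the constructed samples reports the SYN arriving outside but never appearing inside, which is the case where the ASA itself, not packet tracer, has to be examined.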
04-30-2015 01:27 AM
How do I see/export these captures to post them?
04-30-2015 01:28 AM
Hi,
I think this would help.
https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm
Thanks and Regards,
Vibhor Amrodia
04-30-2015 01:53 AM
Thanks Vibhor, I read the article and ran
https://XXX.XXX.XXX.XXX/capture/in-cap/pcap/inside.pcap
https://XXX.XXX.XXX.XXX/capture/out-cap/pcap/outside.pcap
and both come back with 404 errors when run from a PC that has got ASDM access?
04-30-2015 02:11 AM
04-30-2015 03:12 AM
Hi,
Have you verified the IP address of the source and destination?
Thanks and Regards,
Vibhor Amrodia
04-30-2015 03:21 AM
Would you care to explain more? The packet tracer screenshot shows that the packet should be allowed, and yet I can't make a connection to the inside Linux box from a public IP address on the internet?
04-30-2015 04:18 AM
Hi,
Okay, this is the possible issue.
Packet Tracer is only a virtual packet classification tool which checks all policies configured on the ASA device.
Now, captures would capture the actual traffic and show you whether this packet is actually making it out to the destination or being dropped by the ASA device, and whether a reply is being received or not.
I would request that we should focus on getting the captures as that would verify the issue.
If it is okay , you can send me the ip address and captures syntax that you have used on my email for privacy
vamrodia@cisco.com
Thanks and Regards,
Vibhor Amrodia