
ASA implicit drop

I need to be able to ssh to local interface on an ASA 7.2.5 cluster, IP=X.147.1.110 (primary cluster address) for management.

- the acl on the interface allows the connection, and shows hits

- ssh is allowed "ssh Y.35.252.0 255.255.254.0 elink"

- fw is sending a TCP reset (service resetinbound and service resetoutside are set)

- packet tracer shows

# packet-tracer input elink tcp Y.35.252.89 9999 X.147.1.110 22

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   X.147.1.0      255.255.255.0   elink

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Anyone know why this is failing? elink is the middle security level of the three interfaces, and there are PATs on X.147.1.110, that is, traffic leaving elink is being hidden behind X.147.1.110.
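As an added example (not code from this thread or from Cisco), the script below parses packet-tracer output of the shape shown above into per-phase records, reports the first phase that returns DROP together with its Config line, and checks whether an ASA `ssh <net> <mask> <interface>` statement actually covers a given source address on a given interface. The sample trace and the 10.35.252.0/23 and 192.0.2.0/24 addresses are constructed stand-ins for the redacted X/Y octets, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample, mirroring the page's trace with stand-in addresses.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.0.2.0      255.255.255.0   elink

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase:' block.
    Header fields become keys; lines under Config:/Additional
    Information: are collected into the 'config'/'info' lists."""
    phases = []
    for block in re.split(r"\n\s*\n(?=Phase:)", text.strip()):
        phase, section = {"config": [], "info": []}, None
        for line in block.splitlines():
            if line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section is None:
                m = re.match(r"(Phase|Type|Subtype|Result):\s*(.*)", line)
                if m:
                    phase[m.group(1).lower()] = m.group(2).strip()
            elif line.strip():
                phase[section].append(line.strip())
        phases.append(phase)
    return phases

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if the trace allows."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def ssh_permits(ssh_lines, src_ip, interface):
    """True if any 'ssh <net> <mask> <if>' line (ASA '0 0' shorthand included)
    covers src_ip on the named interface; this is the management-access check,
    separate from any interface ACL."""
    src = ipaddress.ip_address(src_ip)
    for line in ssh_lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue
        net, mask = ("0.0.0.0" if p == "0" else p for p in parts[1:3])
        if parts[3] == interface and src in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return True
    return False
```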


Julio Carvajal
VIP Alumni

Hello,

If you are trying to initiate sessions from behind the X interface of the ASA to the IP address of the X interface, then you need the following:

- ssh 0 0 inside ( or the name)

- a crypto key on your ASA

     CRYPTO key generate rsa

Let me know how it goes.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

- ssh 0 0 inside ( or the name)

This is already achieved with the line "ssh Y.35.252.0 255.255.254.0 elink". The source of the connection is Y.35.252.0/23 and the interface name is elink.

- a crypto key on your ASA

     CRYPTO key generate rsa

Yep - that's already been done.

Is there a way to verify the sshd is running? Something like ps on unix?

Hello,

Can you run a debug SSH 255 and then attempt to connect?

What logs is the firewall showing you?

Also the show asp table socket

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC