ASA SSH and file share pass-through

mojogar
Level 1

I have implemented a new ASA 5506 running 9.9.  I have these interfaces:

 

*interface outside-ip address by dhcp and its the default route, security=0

*interface inside 1-ip network vlan1 10.0.0.0/24, security=100

*sub interface inside 1.2-ip network vlan2 10.0.1.0/24, security=100

 

The interfaces are configured to be able to pass traffic when they are the same security level, so interfaces 1 and 1.2 can ping each other's hosts just fine cross-network. Interfaces 1 and 1.2 are not able to SSH or connect to each other's file shares cross-network, even though I can ping the hosts from the other subnet.

I have tried adding a blanket ACL on interface 1 and 1.2 of:

'permit any any ip' 

to no avail.
I have also tried an ACL for SSH:

'permit any any 22'

on each interface to no avail.

Accepted Solution

I have things figured out.
In using the ASA to connect to multiple networks via the interfaces, asymmetric routing was happening. Traffic was passing through the interfaces and was keeping its original IP addresses and ports on the cross network. I entered some NAT rules for the interfaces when crossing that permitted the source address to use the destination interface address as a dynamic PAT address, but keep the source destination and port. Then the traffic hit the cross-network interface and used that interface IP address to talk to the destination. The destination was then able to send back to that interface and cross back to the original network without issue.

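The NAT arrangement the accepted solution describes, written out as an added ASA configuration example (this is not the poster's own config; the interface names "inside" / "inside_vlan2", the object names and the host addresses are assumed, and the packet-tracer and capture commands are added for verification):

```cisco
! Assumed interface names: "inside" = Gi1/2 (vlan1, 10.0.0.0/24),
! "inside_vlan2" = Gi1/2.2 (vlan2, 10.0.1.0/24). Both are security-level 100.
! Required so that two interfaces at the same security level may exchange traffic.
same-security-traffic permit inter-interface
!
! vlan1 hosts: when they leave toward vlan2, their source address is
! dynamically PAT'd to the vlan2 interface address. The destination
! address and port (e.g. TCP/22 for SSH, TCP/445 for file shares) stay as-is.
object network VLAN1_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,inside_vlan2) dynamic interface
!
! Mirror rule so vlan2 hosts can reach vlan1 the same way.
object network VLAN2_NET
 subnet 10.0.1.0 255.255.255.0
 nat (inside_vlan2,inside) dynamic interface
!
! Verification. Simulate an SSH connection from an assumed vlan1 host
! (10.0.0.10) to an assumed vlan2 host (10.0.1.20) and read the NAT and
! ACCESS-LIST phases of the output: the result should be ALLOW.
packet-tracer input inside tcp 10.0.0.10 50000 10.0.1.20 22
!
! Confirm the rule is installed and that connections are being built.
show nat detail
show conn address 10.0.1.20
!
! Capture on the egress interface: the source IP seen here should be the
! inside_vlan2 interface address, not 10.0.0.10.
capture capout interface inside_vlan2 match tcp any host 10.0.1.20 eq 22
show capture capout
```

One side effect worth recording for audit purposes: with this PAT in place the vlan2 host's SSH and file-share logs show the ASA interface address as the client, so the ASA connection table (or a syslog from it) becomes the only place that maps a session back to the real source host.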

6 Replies

Are you using the FirePOWER module in the ASA5506x?

Could you provide a full running configuration of the ASA (remove any public IPs, usernames and passwords)?

--
Please remember to select a correct answer and rate helpful posts

Florin Barhala
Level 6
Did you apply the ACL on interfaces using access-group command?
As Marius said, full config should spell the what's missing pretty quick.

Thank you in advance to anyone taking a look and giving input.

show run:

I'm writing this post for clarification. In my first post I simplified the issue, and in my config you will see that I have 3 sub-interfaces on Gi1/2 (10.2.6.0/24 vlan01):

2.4  10.2.4.0/24  vlan04

2.5  10.2.5.0/24  vlan05

2.11  10.2.140.0  vlan11

From Gi1/2 (from a host on the 10.2.6.0/24 vlan01 network) I can ping hosts cross-network, through the ASA, that I want to connect to via SSH or file share. But I cannot connect using SSH via PuTTY (or connect to a file share) cross-network through the ASA; I can only ping the device.

Could you set up a capture on an interface on the ASA that is going toward a device you are trying to ssh to?

for example:

cap capin interface inside match ip host 10.10.10.1 host 11.11.11.1

Replace the interface name and host IPs with the relevant information, then run an SSH test. If you see traffic leaving the ASA interface towards the device you are SSHing to, then the issue is most likely either with the device itself not answering SSH or with the network between the ASA and the device.

--
Please remember to select a correct answer and rate helpful posts
