774 Views | 0 Helpful | 2 Replies

It's regarding ASA -- it's urgent, please help

akash.deep
Level 1

Hi, I have an issue. Can anyone have a look and let me know how I can troubleshoot it? As per the packet-tracer output the port is showing open, but the user is saying he is still unable to access ports 21 and 22. Can anyone tell me how I can check at the switch end whether the port is open or not?

Source IP add 172.18.56.31

Destination ip add 172.31.134.33


Source switch:

interface Vlan18
 description NOC-DR-Data Network
 ip address 172.18.56.1 255.255.255.128
 ip helper-address 166.77.80.252
 ip helper-address 172.20.116.10
 ip wccp 81 redirect in
 ip flow ingress
 hold-queue 2000 in

Source switch to destination trace:

CORE1#traceroute 172.31.134.33 source 172.18.56.1

Type escape sequence to abort.
Tracing the route to 172.31.134.33

  1 172.20.245.38 0 msec 4 msec 0 msec
  2  *  *  *
  3  *

In the firewall:

asa# sh run route | i 172.
route outside 0.0.0.0 0.0.0.0 172.20.240.121 1

route inside 172.31.0.0 255.255.0.0 172.31.0.6 1


Packet-tracer output:

asa# packet-tracer input outside tcp 172.18.56.31 2020 172.31.134.33 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.31.0.0      255.255.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp object-group DIVA-DFM-SRC object-group DIVA-DFM-DST object-group DIVA-DFM-PORTS
object-group network DIVA-DFM-SRC
 network-object host 172.18.56.33
 network-object host 172.18.56.31
object-group network DIVA-DFM-DST
 network-object host 172.31.134.33
object-group service DIVA-DFM-PORTS tcp
 port-object eq ssh
 port-object eq ftp
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 125702167, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

tnna-bc-asa#
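Long packet-tracer runs like the one above are easy to misread, so here is a small parser, added as an example and not part of the original post, that walks the phase blocks and reports either the first phase whose Result is not ALLOW (together with the Drop-reason line the ASA prints on drops) or confirms that every phase allowed. Both inputs are constructed: the first is an abbreviated copy of the output posted above, the second a made-up run that hits the implicit deny in the access-list phase. The caveat that matters for this thread is in the summary text: an "allow" proves only that the ASA's own policy would forward the packet; it says nothing about whether 172.31.134.33 listens on the port or whether replies can route back through the firewall.

```python
from dataclasses import dataclass, field


@dataclass
class TraceResult:
    phases: list = field(default_factory=list)   # (phase number, Type, Result)
    action: str = ""                              # final "Action:" line
    drop_reason: str = ""                         # "Drop-reason:" line, present only on drops

    def first_drop(self):
        """First phase whose Result is not ALLOW, or None when every phase allowed."""
        for entry in self.phases:
            if entry[2] != "ALLOW":
                return entry
        return None


def parse_packet_tracer(text: str) -> TraceResult:
    """Walk the phase blocks of ASA packet-tracer output and pull out the verdicts."""
    out = TraceResult()
    num = ptype = None
    for raw in text.splitlines():
        key, _, val = raw.strip().partition(":")
        val = val.strip()
        if key == "Phase":
            num, ptype = int(val), None
        elif key == "Type" and num is not None:
            ptype = val
        elif key == "Result" and num is not None and val:   # the final summary "Result:" is bare
            out.phases.append((num, ptype, val))
            num = ptype = None
        elif key == "Action":
            out.action = val
        elif key == "Drop-reason":
            out.drop_reason = val
    return out


def summarize(text: str) -> str:
    """One-line verdict a human can act on."""
    r = parse_packet_tracer(text)
    if r.action.lower() == "allow":
        return (f"ASA policy allows the flow ({len(r.phases)} phases passed). That only proves the "
                "ASA would forward the packet; it says nothing about whether the destination "
                "listens or whether replies can route back.")
    drop = r.first_drop()
    where = f"phase {drop[0]} ({drop[1]})" if drop else "an unlisted phase"
    return f"ASA drops the flow at {where}: {r.drop_reason or 'no Drop-reason printed'}"


# Constructed: abbreviated from the output posted in the thread (three of the eight phases).
ALLOW_SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.31.0.0      255.255.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 125702167, packet dispatched to next module

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed: a made-up run where the source host is not in the permitted object-group.
DROP_SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarize(ALLOW_SAMPLE))
    print(summarize(DROP_SAMPLE))
```

Paste real output in place of the constructed samples; the parser keys only on the `Phase:`, `Type:`, `Result:`, `Action:` and `Drop-reason:` lines, so extra Config or Additional Information lines are ignored.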

2 Replies

Puneesh Chhabra
Cisco Employee

You can telnet to ports 21 and 22 to see if the service is open on the destination device.


telnet <ip address> 21

telnet <ip address> 22


Regards,

Puneesh

Please rate helpful posts
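The telnet check above answers more than "open or not" if you read the failure mode. The script below is an added example, not code from the reply or from Cisco: it does the same TCP connect but separates three outcomes. A completed handshake means the port is open and the first bytes received show which service is really there (FTP and SSH both send a greeting before the client speaks). A connection refused means the host was reached and answered with RST, so the path in both directions works and the problem is simply that nothing listens on that port. A timeout means no reply came back at all, which is what a drop in the path or a missing return route looks like. The local listener and the free-port helper are constructed stand-ins so the demo runs offline; against the real target, run it from 172.18.56.31 itself, since the ACL on the ASA only permits the two listed source hosts.

```python
import socket
import threading

# Ports the user in the thread cannot reach, with the service expected behind each.
PORTS = {21: "ftp", 22: "ssh"}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Attempt a TCP handshake to host:port and classify what came back.

    open     - handshake completed; 'banner' is whatever the service sent first
    closed   - the host answered with RST: packets reach it and return, nothing listens
    filtered - nothing came back before the timeout: dropped in the path, or no return route
    error    - some other local failure (no route from this host, bad address, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return {"state": "filtered", "banner": ""}
    except ConnectionRefusedError:
        s.close()
        return {"state": "closed", "banner": ""}
    except OSError as exc:
        s.close()
        return {"state": "error", "banner": str(exc)}
    try:
        # FTP and SSH greet first, so the banner confirms the expected service sits behind the port.
        banner = s.recv(256).decode("ascii", "replace").strip()
    except (socket.timeout, OSError):
        banner = ""
    finally:
        s.close()
    return {"state": "open", "banner": banner}


def check_services(host: str, ports=PORTS, timeout: float = 3.0) -> dict:
    """Probe each port; returns {port: probe result plus the expected service name}."""
    results = {}
    for port, service in ports.items():
        r = probe_tcp(host, port, timeout)
        r["expected"] = service
        results[port] = r
    return results


def start_fake_ssh_listener(banner: bytes = b"SSH-2.0-demo\r\n") -> int:
    """Constructed stand-in for a reachable SSH host on 127.0.0.1: sends a banner and closes.
    Returns the port the OS picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Ask the OS for a free port and release it, so a probe to it gets RST (the 'closed' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo against local sockets; for the real case use check_services("172.31.134.33").
    ssh_port = start_fake_ssh_listener()
    print("open   :", probe_tcp("127.0.0.1", ssh_port))
    print("closed :", probe_tcp("127.0.0.1", unused_port()))
```

A "filtered" result from the permitted source host, taken together with the ASA's allow verdict, points the investigation at the path on either side of the firewall rather than at the ASA policy; a "closed" result means the network is fine and the service itself is down or bound elsewhere.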

Jouni Forss
VIP Alumni

Hi,


So the connection is coming from "outside" to "inside". The "packet-tracer" seems to suggest that the connection would go through the firewall. It seems there is no NAT performed, so the connection should be visible to the remote device with its original IP address.


You could at least do the following:

  • Attempt the connection through the firewall and issue the command "show conn address <source or destination ip>", then check the output for the connection attempt you are trying. Copy that output here to the forums so we can see what state the connection is in.
  • Check whether the remote device (Cisco switch?) has been configured with an "access-class" command; if it has, check the ACL it uses and confirm that the source address is allowed in that ACL. If it is not, then naturally the remote management connection is not possible.
  • Check the path from the devices behind the "outside" and "inside" interfaces of the ASA, so that there is a route for both the source and destination subnets. In the other direction the hosts are probably following the default route.


I am not really sure what command(s) can be used on a Cisco switch to check which ports it is listening on. It's not the same as on the ASA, at least.


- Jouni
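The first suggestion in the reply above, reading the state of the attempt out of "show conn address", is where a stuck flow usually shows itself: a connection that the ASA created but whose handshake never completed sits there with zero bytes and handshake-wait flags, which tells you the SYN went out the inside interface and nothing came back. The script below is an added example, not code from the reply or from Cisco. It parses connection lines in the format the ASA prints (as recalled from the CLI; the two sample lines are constructed, showing the stuck SSH attempt from this thread beside a healthy FTP session) and gives a coarse verdict from the flags column. The reading of the flags is an assumption to confirm against the legend that `show conn detail` prints on the version in use: "U" means the handshake completed ("up"), and the A/a/S/s letters mean the ASA is still waiting for a SYN or ACK from one side.

```python
import re

# One 'show conn' line: proto, interface/endpoint, interface/endpoint, idle, bytes, flags.
# Endpoint order is not relied on (find_conn checks both), so either printing order matches.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s*idle\s+(?P<idle>[\d:]+),\s*"
    r"bytes\s+(?P<bytes>\d+)(?:,\s*flags\s+(?P<flags>\S+))?\s*$"
)


def classify_flags(flags: str, nbytes: int) -> str:
    """Coarse reading of the flags column (assumed legend: U = up, A/a/S/s = awaiting
    SYN or ACK, I/O = data seen; verify against 'show conn detail' on the running version)."""
    if "U" in flags:
        if nbytes > 0 and "I" in flags and "O" in flags:
            return "established, data flowing both ways"
        return "established, handshake done"
    if set(flags) & set("AaSs"):
        return "embryonic: SYN seen, handshake never completed (no reply came back through the ASA)"
    return "unrecognised flags: " + flags


def parse_show_conn(text: str) -> list:
    """Parse each connection line into a dict and add a 'state' verdict."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue                      # headers, blank lines, other output
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        d["flags"] = d["flags"] or ""
        d["state"] = classify_flags(d["flags"], d["bytes"])
        conns.append(d)
    return conns


def find_conn(conns: list, src_ip: str, dst_ip: str, dst_port: int):
    """Return the entry for src -> dst:port whichever endpoint the ASA printed first, else None."""
    for c in conns:
        candidates = {
            (c["ip1"], c["ip2"], int(c["port2"])),
            (c["ip2"], c["ip1"], int(c["port1"])),
        }
        if (src_ip, dst_ip, dst_port) in candidates:
            return c
    return None


# Constructed sample: the stuck SSH attempt from the thread next to a healthy FTP session.
SAMPLE = """\
TCP outside 172.18.56.31:2020 inside 172.31.134.33:22, idle 0:00:03, bytes 0, flags saA
TCP outside 172.18.56.33:41022 inside 172.31.134.33:21, idle 0:00:12, bytes 1840, flags UIO
"""

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        print(f"{c['ip1']}:{c['port1']} -> {c['ip2']}:{c['port2']} [{c['flags']}] {c['state']}")
```

An embryonic entry with zero bytes is consistent with the traceroute in the original post dying after the first hop: the ASA built the flow and forwarded the SYN, and either the destination never received it or its reply took a path that does not come back through the ASA, which is the route check in the reply's last bullet.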
