08-04-2015 07:41 PM - edited 03-11-2019 11:23 PM
Hi, I have an issue; can anyone have a look and let me know how I can troubleshoot it? As per the packet-tracer output the port is showing open, but the user says he is still unable to access ports 21 and 22. Can anyone tell me how I can check at the switch end whether the port is open or not?
Source IP address: 172.18.56.31
Destination IP address: 172.31.134.33
Source switch:
interface Vlan18
description NOC-DR-Data Network
ip address 172.18.56.1 255.255.255.128
ip helper-address 166.77.80.252
ip helper-address 172.20.116.10
ip wccp 81 redirect in
ip flow ingress
hold-queue 2000 in
Source switch to destination trace:
CORE1#traceroute 172.31.134.33 source 172.18.56.1
Type escape sequence to abort.
Tracing the route to 172.31.134.33
1 172.20.245.38 0 msec 4 msec 0 msec
2 * * *
3 *
In the firewall:
asa# sh run route | i 172.
route outside 0.0.0.0 0.0.0.0 172.20.240.121 1
route inside 172.31.0.0 255.255.0.0 172.31.0.6 1
Packet-tracer output:
asa# packet-tracer input outside tcp 172.18.56.31 2020 172.31.134.33 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp object-group DIVA-DFM-SRC object-group DIVA-DFM-DST object-group DIVA-DFM-PORTS
object-group network DIVA-DFM-SRC
network-object host 172.18.56.33
network-object host 172.18.56.31
object-group network DIVA-DFM-DST
network-object host 172.31.134.33
object-group service DIVA-DFM-PORTS tcp
port-object eq ssh
port-object eq ftp
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 125702167, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
tnna-bc-asa#
08-04-2015 09:03 PM
You can telnet on ports 21 and 22 to see if the service is open on the destination device:
telnet ip address 21
telnet ip address 22
Regards,
Puneesh
Please rate helpful posts
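The telnet test above answers "does the port open?", but when it fails the way it fails is the useful part. Below is an added example (my own Python, not part of Puneesh's reply) that runs the same TCP connect check from the source host and distinguishes a refused connection from a timed-out one. A refusal (RST) means the packet crossed every hop, including the ASA, and nothing is listening on the host; a timeout means some device in the path (a switch ACL, the firewall, a host firewall) is silently dropping the SYN. The destination address 172.31.134.33 is the one from the thread; the local-listener self-check is only there so the example can demonstrate the open/closed distinction offline.

```python
import socket
import sys

# Verdicts returned by probe_tcp_port:
#   open     - SYN/ACK received: service listening, path clear end to end
#   closed   - RST received: host reachable through every hop, nothing listens there
#   filtered - no reply before the timeout: something in the path drops the SYN
#   error    - local/routing failure (e.g. "no route to host") before any probe went out


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP handshake to host:port and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"


def check_ports(host: str, ports=(21, 22), timeout: float = 3.0) -> dict:
    """Probe each port in turn; ports 21 and 22 are the two from the thread."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def self_check_against_local_listener() -> tuple:
    """Offline demonstration of the open/closed distinction: probe a local
    listener on an ephemeral port, then probe the same port once it is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, 1.0)
    srv.close()
    after_close = probe_tcp_port("127.0.0.1", port, 1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Run from the source host: python probe.py 172.31.134.33
    target = sys.argv[1] if len(sys.argv) > 1 else "172.31.134.33"
    for port, verdict in check_ports(target).items():
        print(f"{target}:{port} -> {verdict}")
```

Read the result together with the packet-tracer output: if the ASA says "allow" and the probe still reports "filtered", the drop is happening somewhere the ASA does not see, which narrows the search to the next hop shown in the trace, switch ACLs, and the host itself.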
08-05-2015 05:16 AM
Hi,
So the connection is coming from "outside" to "inside". The "packet-tracer" seems to suggest that the connection would go through the firewall. It seems there is no NAT performed, so the connection should be visible to the remote device with its original IP address.
You could at least do the following
I am not really sure what command(s) can be used to check on a Cisco switch which ports it is listening on. It's not the same as on the ASA, at least.
- Jouni
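Jouni's reading of the trace (every phase ALLOW, final action allow, NAT phases with an empty Config so the source address is not rewritten) is exactly the kind of check that is easy to get wrong by eye on a long trace. The following is an added example (my own Python, not from the thread) that parses packet-tracer output into phases, reports the first DROP phase and its reason if there is one, and otherwise points the troubleshooting beyond the ASA. It uses the thread's own trace as input; the second sample, showing a flow denied by the implicit ACL rule, is constructed here for illustration. The empty-Config heuristic for "no translation" is an assumption of this example, not an ASA guarantee.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class TraceSummary:
    phases: list
    action: Optional[str] = None
    input_interface: Optional[str] = None
    output_interface: Optional[str] = None
    drop_reason: Optional[str] = None

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)

    def nat_rewrites_address(self) -> bool:
        # Heuristic (assumption): a NAT phase that matched a translation rule lists
        # the rule under Config; per-session NAT phases with an empty Config, as in
        # the thread, leave the original addresses in place.
        return any(p.type == "NAT" and p.config for p in self.phases)


def parse_packet_tracer(text: str) -> TraceSummary:
    """Split ASA packet-tracer output into per-phase records plus the final result."""
    summary = TraceSummary(phases=[])
    current: Optional[Phase] = None
    section: Optional[str] = None           # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "Phase":
            current = Phase(number=int(value))
            summary.phases.append(current)
            section = None
        elif sep and key == "Result" and not value:
            current, section = None, None   # bare "Result:" opens the final block
        elif current is not None and section is None and sep and key in ("Type", "Subtype", "Result"):
            setattr(current, key.lower(), value)
        elif current is not None and sep and key == "Config" and not value:
            section = "config"
        elif current is not None and sep and key == "Additional Information" and not value:
            section = "info"
        elif current is not None and section == "config":
            current.config.append(line)
        elif current is not None and section == "info":
            current.info.append(line)
        elif sep and key == "Action":
            summary.action = value
        elif sep and key == "input-interface":
            summary.input_interface = value
        elif sep and key == "output-interface":
            summary.output_interface = value
        elif sep and key == "Drop-reason":
            summary.drop_reason = value
    return summary


def explain(summary: TraceSummary) -> str:
    """One-line verdict: where the ASA drops the flow, or where to look next if it does not."""
    drop = summary.first_drop()
    if drop is not None:
        reason = summary.drop_reason or "no drop reason reported"
        return f"ASA drops the flow in phase {drop.number} ({drop.type}/{drop.subtype or '-'}): {reason}"
    nat = "NAT rewrites the addresses" if summary.nat_rewrites_address() else "no address translation"
    return (f"ASA allows the flow {summary.input_interface} -> {summary.output_interface} with {nat}; "
            "look beyond the firewall: next-hop routing, switch ACLs, and whether the host listens on the port")


# Trace as posted in the thread (trimmed to the phase and result lines the parser uses).
THREAD_TRACE = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp object-group DIVA-DFM-SRC object-group DIVA-DFM-DST object-group DIVA-DFM-PORTS
object-group network DIVA-DFM-SRC
network-object host 172.18.56.33
network-object host 172.18.56.31
object-group network DIVA-DFM-DST
network-object host 172.31.134.33
object-group service DIVA-DFM-PORTS tcp
port-object eq ssh
port-object eq ftp
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 125702167, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample (not from the thread): the same flow denied by the implicit ACL rule.
DENIED_TRACE = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, text in (("thread", THREAD_TRACE), ("constructed denial", DENIED_TRACE)):
        s = parse_packet_tracer(text)
        print(f"[{name}] {len(s.phases)} phases, action={s.action}: {explain(s)}")
```

Pipe a live trace in (`ssh asa 'packet-tracer input outside tcp ...' | python trace.py`) and the summary line tells you whether the next step is on the ASA at all.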