Transparent mode ASA and management

Murray Bown
Level 1

I have just installed a new ASA5512 in transparent mode. This is the first time I have done this type of installation and have been having some issues getting remote management to the device. I have configured a BVI interface for management with an IP of 10.252.255.25.

The network looks like this......

172.19.130.5 --- LAN --- Router --- MPLS --- Router 10.252.255.30 ---- ASA Gi0/1 ---- ASA Gi0/0 ----- Switch to LAN ---- 10.252.0.0 clients

So, from my management workstation on 172.19.130.5 I can ping the router at 10.252.255.30, and I can also ping and manage the client machines on the 10.252.0.0 network on the other side of the ASA, but I can't manage the ASA on 10.252.255.25. It's going to be something I haven't done, so any help would be greatly appreciated.

Please see config attached.

Murray

13 Replies

jumora
Level 7

Did you check the ASA logs when you try to connect to the BVI?

Value our effort and rate the assistance!

Do you still need assistance?


Hi jumora,

Yes I am still experiencing the issue. Because the device is now on a remote site I am not able to get to a management machine to console onto it. I can contact a person on site but they are not that experienced at working at the command line and they have other duties to attend to.

Did you manage to look at the config I posted to verify that it was OK?

Murray

Sent from Cisco Technical Support iPad App

Are you unable to connect with both SSH and ASDM?

I noticed you do not have an SSH command for 172.19.130.5

ssh 172.19.130.5 255.255.255.255 inside

--
Please remember to select a correct answer and rate helpful posts

Julio Carvajal
VIP Alumni

Configuration wise everything looks OK.

IP address assignment.

Routing setup.

SSH setup (Murray, 130.5 is included in that range).

So as long as the destination IP address is on the 172.19.128.0/22 you should be able to connect.

Are you able to ping the ASA?

Do the following:

cap capin interface inside match tcp host 172.19.130.5 host 10.252.255.25 eq 22

Then try to connect via SSH and share

show cap capin

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
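As an added check (not code from the thread), a small Python snippet that reads the ssh permit lines of an ASA config and tells whether a given management host is allowed on a given interface. The config lines below are constructed, since the attached config is not shown here, and they assume the management host arrives on inside, as Julio's capture command does.

```python
import ipaddress
import re

# An ASA "ssh <address> <mask> <interface>" permit line; other ssh keywords
# (ssh timeout, ssh version, ...) do not carry two dotted quads and are skipped.
SSH_RE = re.compile(r"^\s*ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")

# Constructed sample config (the thread's attached config is not visible here).
SAMPLE_CONFIG = """\
ssh 172.19.128.0 255.255.252.0 inside
ssh 10.252.255.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
"""

def parse_ssh_permits(config_text):
    """Return {interface: [ip_network, ...]} from the ssh permit lines of a config."""
    permits = {}
    for line in config_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            permits.setdefault(m.group(3), []).append(net)
    return permits

def ssh_permitted(permits, source_ip, interface):
    """(True, matching network) if source_ip may open SSH on interface, else (False, None)."""
    addr = ipaddress.ip_address(source_ip)
    for net in permits.get(interface, []):
        if addr in net:
            return True, str(net)
    return False, None
```

A /24 typed where a /22 was intended silently excludes 172.19.130.5, which is the kind of mask slip that is easy to misread in a long config.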

Hi Julio,

I will ask the local guy on site to use the capture commands and get the output and have a look.

Just to add that I can ping devices either side of the firewall, so I know it's passing the traffic, so I think that it's either a config issue or a problem with the traffic getting back to my management workstation.

172.19.130.5 --- LAN --- Router --- MPLS --- Router 10.252.255.30 ---- ASA Gi0/1 ---- ASA Gi0/0 ----- Switch to LAN 10.252.255.17 ---- 10.252.0.0 clients

Hello,

Okay, let us know.

By the way, from which IP address are you coming?


Regards,

Jcarvaja


I'm using 172.19.130.5 as the source IP.

Hello,

Okay,

Are you 100% sure 10.252.255.30 is the next-hop IP address?

By the way are you available for a tshoot session?

Let me know via a message (check your inbox).


Regards,

Jcarvaja


So I have managed to get the very helpful guy on site to capture some packets. When I try to SSH to the device no packets are captured; however, if I try to SSH to an IP on the other side of the FW I get packets being captured, as shown below.

I have gone over the config but still can't find a problem, I'm close to pulling my hair out on this one.

TEE-FDC-FW01# cap capin int inside match tcp any any eq 22
TEE-FDC-FW01# sh cap capin

6 packets captured

1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
6 packets shown

Sent from Cisco Technical Support iPad App

Hello Murray,

Are you sure the packets should arrive on the inside interface?

If the answer is yes, then the problem is not on the ASA, as the traffic is not even reaching the ASA. I would recommend then doing a SPAN monitor session on the L2 network to see where the packets are going.


Regards,

Jcarvaja


Hello again,

It's been a while.

Here is the output from the capture.

As can be seen, I can traverse the firewall and SSH to a device on the other side but not to the firewall itself.

TEE-FDC-FW01# cap capin int inside match tcp any any eq 22
TEE-FDC-FW01# sh cap capin

6 packets captured

1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
6 packets shown
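As an added example (not code from the thread), a Python parser for the tcpdump-style lines that `show cap` prints on the ASA. It groups each client-to-server handshake and reports whether the server answered with a SYN-ACK, a RST, or nothing, and checks whether any packet addressed to the firewall's own management IP (10.252.255.25) appears in the capture at all, which is the point Julio raises about traffic never reaching the inside interface. The sample input is the capture posted above, and the code assumes the text is pasted exactly as the ASA prints it.

```python
import re
from collections import defaultdict
# One tcpdump-style packet line as printed by "show cap" on the ASA.
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SRPFU.]+)\s+(?P<rest>.*)$"
)

# Sample input: the capture posted in this thread (header/footer lines are ignored).
SAMPLE_CAPTURE = """\
6 packets captured
1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
6 packets shown
"""

def parse_capture(text):
    """Return one dict per packet line; lines that are not packets are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            p = m.groupdict()
            p["ack"] = re.search(r"\back\b", p["rest"]) is not None
            pkts.append(p)
    return pkts

def classify_flows(pkts):
    """Key each handshake by (client, sport, server, dport); handshake packets only."""
    counts = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for p in pkts:
        if "S" in p["flags"] and not p["ack"]:                     # client SYN
            counts[(p["src"], p["sport"], p["dst"], p["dport"])]["syn"] += 1
        else:                                                       # reply: swap endpoints
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if "R" in p["flags"]:
                counts[key]["rst"] += 1                             # host reached, port refused
            elif "S" in p["flags"]:
                counts[key]["synack"] += 1                          # handshake answered
    verdicts = {k: "open" if c["synack"] else "refused" if c["rst"] else "no-reply"
                for k, c in counts.items()}
    return verdicts, counts

def management_seen(pkts, mgmt_ip, port="22"):
    """True if any captured packet is addressed to mgmt_ip:port on this interface."""
    return any(p["dst"] == mgmt_ip and p["dport"] == port for p in pkts)
```

A flow that shows SYNs with no reply at all points at the path in front of the firewall, while no packets to the management IP whatsoever means the capture interface never saw them, which is what the thread's capture shows.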

My bad, misread the subnet mask.

--
Please remember to select a correct answer and rate helpful posts