Solved: Unable to Telnet/SSH/RDP from inside ---> DMZ, ASA 5505

mgallas6031 · ‎10-27-2011

I am unable to Telnet/SSH/RDP from my inside network to my DMZ. I am not sure where the problem lies, I am able to use VNC from the inside to the DMZ (ports 5800, 5900), and also establish connection on Ports (26700-26899).

I have a computer connected directly to the DMZ and those services work to all networks on the DMZ.

I have attached Logs of successful VNC connections, unsuccessful RDP and Telnet sessions, and the running config.

Thank you

Maykol Rojas · ‎11-01-2011

Glad to hear that.

To summarize our troubleshooting. We took captures on both interfaces of the firewall and the host that is initiating the connection. Then, we look at the captures (on pcap format using wireshark) and we saw that there were RST packets that were not generated on the host. We looked at the mac-addresses an we found out that for the packets of the connection, the mac-addresses were showing the PC mac-address but for the RST flag on the tcp packets, they were coming from another mac-address which turned out to be a Webesense server.

I am glad that we were able to narrow down the problem, in case you need further assistance, do not hesitate to reply to this post, also if you consider that this post helped you out to find the solution, mark it as solved, so other people can follow the same line of troubleshooting.

Thanks!

Mike

View solution in original post

Julio Carvajal · ‎10-27-2011

Hello Michael,

If you can do VNC to the DMZ host that let us know the communication between both areas is allowed, now I would like to do some packet tracers and if that does not help perform some captures.

Packet-tracer input inside tcp x.x.x.x.x(inside_host_ip) 1025 y.y.y.y(DMZ_HOST_IP) 3389

Packet-tracer input inside tcp x.x.x.x.x(inside_host_ip) 1025 y.y.y.y(DMZ_HOST_IP) 23

Please give us the output of both packet tracers

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hobbe · ‎10-27-2011

Hi

First of all remove that config and sanitize it and change all the passwords and preferably the usernames also.

and do that immediately !

This is a openforum that anyone can access, you do not know who is watching or what they might use the information for.

and YES the passwords can be decoded.

ok.

you can access the server through some ports but not others.

Have you checked that it is not the windows firewall on the server that you are trying to access that is the problem ?

Good luck

HTH

mgallas6031 · ‎10-27-2011

Thanks Hobbe,

I did not even think about the passwords in the configs.

I checked the windows firewalls that is not the issue, I am having the same issue when telneting to switches and routers on the other side as well.

Thanks again

mgallas6031 · ‎10-27-2011

Thanks Julio,

I attached the packet Tracers and captures were included previously.

Thanks,

Mike

Julio Carvajal · ‎10-27-2011

Can you download the captures via pcap?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mgallas6031 · ‎10-27-2011

Pcaps added

Thanks,

Julio Carvajal · ‎10-27-2011

Hello Michael,

After checking these captures I can tell you that the problem is not with the firewall, the problem is with the PC 192.168.2.41 because it sends a reset packet after the TCP connection gets established with the 3 way handshake.

You can take a look at the captures using wireshark and you are going to see the RST packet.

I hope this help you,

Have a great day.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mgallas6031 · ‎10-27-2011

Thanks Julio,

That is what I was seeing as well, just wanted a second set of eyes. Wated to make sure I was not missing anything.

Thanks again,

Mike

mgallas6031 · ‎10-27-2011

Julio,

I just ran a capture on the local machine 192.168.2.41 and that is showing a rst packet being sent by equipment on the other side of the dmz

Thanks,

Mike

Julio Carvajal · ‎10-27-2011

Hello Michael,

Really that is an extrange behavior, can you run a capture on the other machine as well just to confirm.

Have a good day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mgallas6031 · ‎10-27-2011

I dropped the capture - pc_capture.pcap.zip

Thanks,

Mike

Julio Carvajal · ‎10-27-2011

Hello Michael,

And what happen if you try to access another PC on the same port on that network??

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mgallas6031 · ‎10-27-2011

Julio,

I am getting the same issue from all PC on the inside to all equipment in the DMZ

Thanks,

Mike

Maykol Rojas · ‎10-27-2011

We cannot dicard or give as a fact that the problem is/isnt the firewall. From what you can see, there is a RST packet coming from the Host on the DMZ, however, we dont know for sure that the host is in fact sending the packet, it could be something in between or even the firewall.

Windows firewall is indeed not the problem, if it was, it would not complete the handshake.

The only way to rule out the firewall would be one of two things,

Either place a capture like you did but on the receiving host or

Apply captures on the ASA Firewall on the Inside as well on the DMZ, download them with wireshark and check who is the one sending the RST packet.

Here is how you can take captures:

https://supportforums.cisco.com/docs/DOC-1222

Gather them, once you have it post them here.

Mike