05-07-2008 04:17 PM - edited 03-11-2019 05:41 AM
I am having the following trouble.
Source IP from where he is trying to SFTP: 10.254.227.* (DMZ VLAN)
Destination IP: 10.254.230.* where we need access(Also a VLAN)
There is a Checkpoint and PIX firewall on which access-lists are configured.
On checking logs on both firewalls the SFTP is permitted.
We tested it many times from the command prompt but the connection fails saying 'Connection failed on port 22'.
For example: >telnet <ip address> 22
Tried to telnet from server (ip 10.254.227.*) to (10.254.230.*)
We tried telnetting on port 22 first and then 21 also but no joy.
Can someone give some ideas as to what could be preventing the connection?
I have checked the logs on the Checkpoint and it says the request was accepted when I send a request from 10.254.227.x using the FileZilla software to connect to another server which is in a different VLAN (10.254.230.x).
I have found that on the Cisco PIX the traffic is getting accepted but it's not going to the appropriate destination.
Please check my following logs from the Cisco PIX.
For the PIX firewall it seems like an address translation issue.
We have got the following log from the PIX firewall:
****************************************
2008-05-07 21:31:29 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.*(3882) -> OperWebMgmt/10.254.230.*(22) hit-cnt 1 first hit
2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.*/3882 dst OperWebMgmt:10.254.230.*/22
***************************************
It looks to us like the PIX is allowing the inbound connection but is not able to send it out towards the destination.
There is a route between both VLAN's.
Due to security reasons ping and tracert are disabled.
05-08-2008 03:08 AM
Is there anyone who can help me please? I can give you the PIX config too if required...
05-08-2008 03:26 AM
Post the config so that I can help you troubleshoot it.
05-08-2008 04:46 AM
Please find the following config.
The config below will give you an idea of my VLAN interface IPs and the access list I have configured to pass traffic between them. I have also included the NAT list for other VLANs from my network, which will give you more of an idea about the NAT.
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 10.254.240.236 255.255.255.0 standby 10.254.240.235
interface GigabitEthernet0/2.63
vlan 63
nameif OperWebMgmt
security-level 50
ip address 10.254.230.254 255.255.255.0 standby 10.254.230.253
==========================================
I have configured following 2 ACL
==========================================
access-list Outside-inbound extended permit tcp host 10.254.227.6 host 10.254.230.33 eq ssh
access-list OperWeb-inbound extended permit tcp host 10.254.230.33 host 10.254.227.6 eq ssh
=========
NAT
=========
global (OperAppMgmt) 1 interface
global (InterFWInterconnect) 1 interface
global (Witness) 1 interface
global (Hmenus) 1 interface
global (App-ILO) 1 interface
global (OperWebMgmt) 1 interface
global (management) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (Operators) 1 192.168.0.0 255.255.255.0
nat (OperWebMgmt) 0 10.254.230.0 255.255.255.0
static (InterFWInterconnect,Outside) 10.254.224.0 10.254.224.0 netmask 255.255.255.0
static (OperWebMgmt,OperAppMgmt) 10.254.230.39 10.254.230.39 netmask 255.255.255.255
static (OperAppMgmt,OperWebMgmt) 10.254.253.62 10.254.253.62 netmask 255.255.255.255
static (OperAppMgmt,OperWebMgmt) 10.254.253.61 10.254.253.61 netmask 255.255.255.255
static (OperAppMgmt,OperWebMgmt) 10.254.253.75 10.254.253.75 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.33 10.254.230.33 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.31 10.254.230.31 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.32 10.254.230.32 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.13 10.254.230.13 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.14 10.254.230.14 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.41 10.254.230.41 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.40 10.254.230.40 netmask 255.255.255.255
static (OperWebMgmt,OperAppMgmt) 10.254.230.34 10.254.230.34 netmask 255.255.255.255
Please let me know if you need more info.
05-08-2008 02:15 PM
Can someone help me please... It's quite urgent as my client wants this issue fixed ASAP and I could not find a proper solution....
Thanks,
05-08-2008 05:19 PM
static (OperWebMgmt,Outside) 10.254.30.x 10.254.30.x netmask 255.255.255.255
do that and it will work
05-08-2008 05:54 PM
I have tried this but got the same result... but this time I can't see the NAT log error message..... any idea?
Now I can see following logs:
05-09-2008 12:00:54 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.6(2710) -> OperWebMgmt/10.254.230.33(22) hit-cnt 1 first hit
=============================================
05-09-2008 12:04:40 Local6.Info 192.168.1.1 %ASA-6-106015: Deny TCP (no connection) from 10.254.227.6/2897 to 10.254.230.33/22 flags RST on interface Outside
Thanks for quick response.
05-08-2008 06:53 PM
Hi,
Any time you see this message - No translation group found - it means you are missing NAT or have incorrect NATing. The PIX will not work without NATing even though the access list is allowing the traffic. It needs some kind of NAT - NAT 0 (no NAT), static or dynamic.
2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.*/3882 dst OperWebMgmt:10.254.230.*/22
If you are not able to connect though you have proper NAT and access lists, it means most likely your return traffic is taking a different path. Packets flowing in both directions should go through the same firewalls. The error Deny TCP (no connection) means return traffic came to the PIX but the PIX has no entry of the connection initiation.
The connection-initiating packet took one path but the return traffic is coming through some other path. Check your routing on both end systems (like the default GW or host/network routes), also on the firewall and any middle devices.
Rate me if this helps
Regards
Kapish
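The two heuristics in Kapish's post (305005 means the ACL passed but no NAT rule matched; 106015 "Deny TCP (no connection)" means the PIX saw a packet for a flow it never recorded) can be applied mechanically to an ASA syslog feed. The following is an added example, not code from anyone in this thread; it parses the three message IDs quoted above and groups them per day and flow. The sample log is constructed from the thread's lines, with the masked addresses replaced by the hosts 10.254.227.6 and 10.254.230.33 from the posted ACL.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ASA syslog lines quoted in this thread
# (hosts 10.254.227.6 and 10.254.230.33 substituted for the masked addresses).
SAMPLE_LOG = """\
2008-05-07 21:31:29 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.6(3882) -> OperWebMgmt/10.254.230.33(22) hit-cnt 1 first hit
2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.6/3882 dst OperWebMgmt:10.254.230.33/22
2008-05-09 12:00:54 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.6(2710) -> OperWebMgmt/10.254.230.33(22) hit-cnt 1 first hit
2008-05-09 12:04:40 Local6.Info 192.168.1.1 %ASA-6-106015: Deny TCP (no connection) from 10.254.227.6/2897 to 10.254.230.33/22 flags RST on interface Outside
"""
# One regex per message ID; each captures (src, dst, dport) in that order.
PATTERNS = {
    "106100": re.compile(r"permitted tcp \S+/(\S+)\(\d+\) -> \S+/(\S+)\((\d+)\)"),
    "305005": re.compile(r"src \S+:(\S+)/\d+ dst \S+:(\S+)/(\d+)"),
    "106015": re.compile(r"from (\S+)/\d+ to (\S+)/(\d+) flags"),
}
MSG_ID = re.compile(r"^(\S+) .*%ASA-\d-(\d{6}):")

def parse(line):
    """Return (date, msg_id, src, dst, dport) or None for lines not handled here."""
    head = MSG_ID.search(line)
    if not head or head.group(2) not in PATTERNS:
        return None
    body = PATTERNS[head.group(2)].search(line)
    if not body:
        return None
    return (head.group(1), head.group(2), body.group(1), body.group(2), int(body.group(3)))

def triage(log_text):
    """Group messages per day and flow, then apply the heuristics from the post above."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            date, msg_id, src, dst, dport = ev
            seen[(date, src, dst, dport)].add(msg_id)
    verdicts = {}
    for flow, ids in seen.items():
        if "305005" in ids:
            verdicts[flow] = "NAT missing: ACL permits but no nat 0, static or dynamic rule matches"
        elif {"106100", "106015"} <= ids:
            verdicts[flow] = "RST with no connection entry: check for asymmetric return path"
        elif "106100" in ids:
            verdicts[flow] = "permitted; no error logged on this firewall"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(flow, "->", verdict)
```

Run against a real syslog export, the per-flow verdict for the 05-07 attempt is "NAT missing" and for the 05-09 attempt "check for asymmetric return path", which is exactly the progression of the thread.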
05-08-2008 07:07 PM
HI Mate,
I have configured the static NAT but still the same thing... please check my last post and see if it makes any sense to you...
Thanks,
05-08-2008 07:09 PM
I have modified my post please see it again.
Thanks
Kapish
05-08-2008 08:35 PM
Can you post the full PIX configuration?
05-09-2008 02:50 PM
Hi, were you able to solve it?
Regards
Kapish
05-09-2008 05:38 PM
You have not allowed any ftp traffic between the two hosts. Put this in your config :
access-list Outside-inbound extended permit tcp host 10.254.227.6 host 10.254.230.33 eq ftp
05-09-2008 05:40 PM
Sorry, use eq 22 as you are using SFTP. You also need to check that you have the "ip inspect sftp" or "fixup protocol sftp" command on the PIX, depending on your version release.
05-10-2008 12:55 AM
HI,
Yes, I managed to solve this issue. My client did not tell me that this was a secondary IP address of that server. I have told them that it's not possible to route on the secondary IP and I have configured the rule on the primary IP to allow SFTP.
Thanks for your great help...