Hi Rick,

That's my fault I forgot I removed the http outside rule before posting the config. Lets concentrate on the SSH for a moment.

The ssh xx.xx.198.2 255.255.255.255 outside is in the config and the error log is

Inbound TCP connection Denied from xx.xx.198.2 to xx.xx.xx.xx/22 flags SYN on interface outside

Thanks,
Simon

Simon

Thanks for the information. So it looks like the addresses do match and the access from the source address should work. So I took a closer look at the config and I find this access list applied to the outside interface

access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply

You permit echo request and echo reply and not anything else. So SSH is denied. Try adding a permit for SSH, perhaps a permit for SSH from that specific host, and let us know if the behavior changes.

HTH

Rick

Hi Rick,

Thanks for coming back to me, I have compared the config with another which works and using notepad ++ the lines are all the same which is why I can't work out why it doesn't work.

What would the command be to permitt SSH to a host?

Thanks,
Simon

Simon

Does that config that works really have an access list applied to the outside interface that has only two lines and they permit only echo and echo-reply?

The access list might look something like this

access-list incoming-outside extended permit tcp host x.x.198.2 any eq 22

or you might want to change the "any" and specify the interface address(s) to which you would do SSH.

HTH

Rick

Hi Rick,

Yes, I have never needed to add anything to the access list for ssh access externally.

In this case I will try adding it and see what happens.

Many thanks!

Hi Rick,

I have tried the suggested and I am still getting denied as per below.

%ASA-2-106001: Inbound TCP connection denied from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name
An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK

Any other suggestions.

Regards,
Simon

Hi Rick,

Something isn't quite right here, I am trying to get a VPN setup and I am getting the below.

Deny inbound UDP from xx.xx.81.201/500 to xx.xx.4.239/500 on interface outside

It seems things are being blocked but I can't see where and why.

Thanks!

Current Config

ASA Version 9.2(3)
!
hostname ASA
enable password sktanzCyYl9d8wqP encrypted
passwd sktanzCyYl9d8wqP encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.xxx 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address 94.30.xx.xx 255.255.255.255 pppoe setroute
!
boot system disk0:/asa923-k8.bin
boot system disk0:/asa922-4-k8.bin
boot system disk0:/asa921-k8.bin
boot system disk0:/asa917-9-k8.bin
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside-NAT
subnet 192.168.3.0 255.255.255.0
object network ServerIP
access-list incoming-outside extended permit ip 192.168.3.0 255.255.255.0 any
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network Inside-NAT
nat (inside,outside) dynamic interface
access-group incoming-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http xx.xx.198.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname internet@bt.com
vpdn group BTI ppp authentication chap
vpdn username internet@bt.com password ***** store-local

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username User password l00jqVeCeW84ZfTy encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ae389f5d719f4b5f8ba3518818a68d43
: end
asdm image disk0:/asdm-761.bin
no asdm history enable

Hello
Could try this

ssh access-
crypto key generate rsa modules 1024
aaa authentication ssh console LOCAL
username xxx password xxx privilege 15
ssh 192.168.3.0 255.255.255.0 inside
ssh 84.92.xx.xx 255.255.255.255 outside

Telnet access-
aaa authentication telnet console LOCAL
username xxx password xxx privilege 15
telnet 192.168.3.0 255.255.255.0 inside
telnet 84.92.xx.xx 255.255.255.255 outside

Http:
aaa authentication http console LOCAL
username xxx password xxx privilege 15
http 192.168.3.0 255.255.255.0 inside
http 84.92.xx.xx 255.255.255.255 outside
http server enable 4444 (optional)

res
Paul

Hi Paul,

Thanks for your reply, I now have it sorted and working. I am having another issue which I have mentioned in this post regarding setting up a dynamic VPN though?

Regards,
Simon

Simon

I believe that there are several things going on. First let us look at the access list filtering that you are doing. Here is the assignment of the access list to the interface

access-group incoming-outside in interface outside

and here is the access list

access-list incoming-outside extended permit ip 192.168.3.0 255.255.255.0 any
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply

I do not understand why you have a permit with the source as the network that is on  your inside interface for traffic coming into your outside interface.

This effectively means that the only traffic that is permitted by the access list are inbound echo request and echo reply and this would impact any attempt to SSH to the router. Additionally your config is set to enable SSH only from the 192.168.3.0 network

ssh 192.168.3.0 255.255.255.0 inside

So this would be another reason why SSH from outside is not working.

Also you say that you are attempting to set up a VPN. I see some things for IKEv1 but nothing else setting up a VPN. Until there is a VPN configured and activated on the outside interface it makes sense that the ASA would deny the UDP 500/ISAKMP packets.

HTH

Rick

Hi Rick,

I have now got it working, the config is below.

I am having an issue though after setting up the below.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

As soon as I apply the below I loose access and the pc that's connected looses internet access.

access-list outside_cryptomap_65535.1 line 1 extended permit ip any4 any4
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set FirstSet
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

Current config below.

ASA Version 9.2(3)
!
hostname ASA
enable password sktanzCyYl9d8wqP encrypted
passwd sktanzCyYl9d8wqP encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.xx 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address pppoe setroute
!
boot system disk0:/asa923-k8.bin
boot system disk0:/asa922-4-k8.bin
boot system disk0:/asa921-k8.bin
boot system disk0:/asa917-9-k8.bin
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ServerIP
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
access-group incoming-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 84.92.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh 84.92.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname Internet@bt.com
vpdn group BTI ppp authentication chap
vpdn username Internet@bt.com password ***** store-local

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username User password l00jqVeCeW84ZfTy encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Regards,

Simon

Simon

I did have a look at the link that you mention and have looked through this config. I do have a few comments/suggestions.

- it is unusual to have the access list used for crypto VPN to permit ip any any. I believe that this is part of your issue. I did see that the example in that link did have a crypto access list with permit ip any any. But that was on the peer with a fixed address and you are trying to configure it on the peer with dynamic address. I suggest that you change this access list so that it permits the traffic from your site to the other site.

- I notice that you are using the dynamic map on this ASA. In the example in the link the ASA with static address used the dynamic map while the ASA with the dynamic address used the traditional crypto map entry. I suggest that you change your config to use the same approach as is used in the example.

- You have an access list configured for nonat but it is not used anywhere. And the logic of this access list puzzles me.

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0

Why do you have 192.168.3.0 as both the source and the destination?

HTH

Rick