12-07-2016 04:25 AM - edited 03-05-2019 07:37 AM
Hello all,
I am having issues being able to SSH or HTTPS on the outside interface, looking at the log when trying I am getting an error message.
"Inbound TCP connection Denied from xx.xx.xx.xx to xx.xx.xx.xx/22 flags SYN on interface outside
Config is below, could anyone point out my stupid mistake?
hostname ASA
enable password password
passwd password
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.xx.xx255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address xx.xx.xx.xx 255.255.255.255 pppoe setroute
!
boot system disk0:/asa923-k8.bin
boot system disk0:/asa922-4-k8.bin
boot system disk0:/asa921-k8.bin
boot system disk0:/asa917-9-k8.bin
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside-NAT
host 192.168.3.0
object network ServerIP
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network Inside-NAT
nat (inside,outside) dynamic interface
access-group incoming-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname broadband@bt.com
vpdn group BTI ppp authentication chap
vpdn username broadband@bt.com password password store-local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username User password password privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:66689f27bc0a96bb93219f6e73e07538
Thanks!
Solved! Go to Solution.
12-17-2016 08:35 AM
Simon
I am confused about this. You say that this ASA does have static IP but here is the config of the outside interface vlan
nterface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address pppoe setroute
which is clearly learning its IP address dynamically via pppoe. The article is not saying that the ASA should have static IP on some interface but is saying that the ASA should have static IP on the interface it is using to peer with on the VPN.
HTH
Rick
12-07-2016 08:18 AM
Simon
The issue about HTTPS is fairly clear. You have this in the config you posted
http 192.168.3.0 255.255.255.0 inside
which appears to allow access from inside but there is nothing that would permit access from outside. If you want access to work initiated from outside there must be an entry that allows it. The issue with SSH is less clear. You have this in the config you posted
ssh xx.xx.xx.xx 255.255.255.255 outside
but it is not clear whether the xx.xx.xx.xx here is the same or is different from the xx.xx.xx.xx in the log message.
HTH
Rick
12-08-2016 02:31 AM
Hi Rick,
That's my fault I forgot I removed the http outside rule before posting the config. Lets concentrate on the SSH for a moment.
The ssh xx.xx.198.2 255.255.255.255 outside is in the config and the error log is
Inbound TCP connection Denied from xx.xx.198.2 to xx.xx.xx.xx/22 flags SYN on interface outside
Thanks,
Simon
12-08-2016 01:15 PM
Simon
Thanks for the information. So it looks like the addresses do match and the access from the source address should work. So I took a closer look at the config and I find this access list applied to the outside interface
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
You permit echo request and echo reply and not anything else. So SSH is denied. Try adding a permit for SSH, perhaps a permit for SSH from that specific host, and let us know if the behavior changes.
HTH
Rick
12-08-2016 01:25 PM
Hi Rick,
Thanks for coming back to me, I have compared the config with another which works and using notepad ++ the lines are all the same which is why I can't work out why it doesn't work.
What would the command be to permitt SSH to a host?
Thanks,
Simon
12-08-2016 01:41 PM
Simon
Does that config that works really have an access list applied to the outside interface that has only two lines and they permit only echo and echo-reply?
The access list might look something like this
access-list incoming-outside extended permit tcp host x.x.198.2 any eq 22
or you might want to change the "any" and specify the interface address(s) to which you would do SSH.
HTH
Rick
12-08-2016 01:52 PM
Hi Rick,
Yes, I have never needed to add anything to the access list for ssh access externally.
In this case I will try adding it and see what happens.
Many thanks!
12-14-2016 02:07 AM
Hi Rick,
I have tried the suggested and I am still getting denied as per below.
%ASA-2-106001: Inbound TCP connection denied from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name
An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK
Any other suggestions.
Regards,
Simon
12-14-2016 02:34 AM
Hi Rick,
Something isn't quite right here, I am trying to get a VPN setup and I am getting the below.
Deny inbound UDP from xx.xx.81.201/500 to xx.xx.4.239/500 on interface outside
It seems things are being blocked but I can't see where and why.
Thanks!
12-14-2016 04:49 AM
Current Config
ASA Version 9.2(3)
!
hostname ASA
enable password sktanzCyYl9d8wqP encrypted
passwd sktanzCyYl9d8wqP encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.xxx 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address 94.30.xx.xx 255.255.255.255 pppoe setroute
!
boot system disk0:/asa923-k8.bin
boot system disk0:/asa922-4-k8.bin
boot system disk0:/asa921-k8.bin
boot system disk0:/asa917-9-k8.bin
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside-NAT
subnet 192.168.3.0 255.255.255.0
object network ServerIP
access-list incoming-outside extended permit ip 192.168.3.0 255.255.255.0 any
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network Inside-NAT
nat (inside,outside) dynamic interface
access-group incoming-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http xx.xx.198.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname internet@bt.com
vpdn group BTI ppp authentication chap
vpdn username internet@bt.com password ***** store-local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username User password l00jqVeCeW84ZfTy encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ae389f5d719f4b5f8ba3518818a68d43
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
12-14-2016 08:52 AM
Hello
Could try this
ssh access-
crypto key generate rsa modules 1024
aaa authentication ssh console LOCAL
username xxx password xxx privilege 15
ssh 192.168.3.0 255.255.255.0 inside
ssh 84.92.xx.xx 255.255.255.255 outside
Telnet access-
aaa authentication telnet console LOCAL
username xxx password xxx privilege 15
telnet 192.168.3.0 255.255.255.0 inside
telnet 84.92.xx.xx 255.255.255.255 outside
Http:
aaa authentication http console LOCAL
username xxx password xxx privilege 15
http 192.168.3.0 255.255.255.0 inside
http 84.92.xx.xx 255.255.255.255 outside
http server enable 4444 (optional)
res
Paul
12-14-2016 08:53 AM
Hi Paul,
Thanks for your reply, I now have it sorted and working. I am having another issue which I have mentioned in this post regarding setting up a dynamic VPN though?
Regards,
Simon
12-14-2016 07:36 AM
Simon
I believe that there are several things going on. First let us look at the access list filtering that you are doing. Here is the assignment of the access list to the interface
access-group incoming-outside in interface outside
and here is the access list
access-list incoming-outside extended permit ip 192.168.3.0 255.255.255.0 any
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
I do not understand why you have a permit with the source as the network that is on your inside interface for traffic coming into your outside interface.
This effectively means that the only traffic that is permitted by the access list are inbound echo request and echo reply and this would impact any attempt to SSH to the router. Additionally your config is set to enable SSH only from the 192.168.3.0 network
ssh 192.168.3.0 255.255.255.0 inside
So this would be another reason why SSH from outside is not working.
Also you say that you are attempting to set up a VPN. I see some things for IKEv1 but nothing else setting up a VPN. Until there is a VPN configured and activated on the outside interface it makes sense that the ASA would deny the UDP 500/ISAKMP packets.
HTH
Rick
12-14-2016 07:47 AM
Hi Rick,
I have now got it working, the config is below.
I am having an issue though after setting up the below.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html
As soon as I apply the below I loose access and the pc that's connected looses internet access.
access-list outside_cryptomap_65535.1 line 1 extended permit ip any4 any4
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set FirstSet
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
Current config below.
ASA Version 9.2(3)
!
hostname ASA
enable password sktanzCyYl9d8wqP encrypted
passwd sktanzCyYl9d8wqP encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.xx 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address pppoe setroute
!
boot system disk0:/asa923-k8.bin
boot system disk0:/asa922-4-k8.bin
boot system disk0:/asa921-k8.bin
boot system disk0:/asa917-9-k8.bin
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ServerIP
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
access-group incoming-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 84.92.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh 84.92.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname Internet@bt.com
vpdn group BTI ppp authentication chap
vpdn username Internet@bt.com password ***** store-local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username User password l00jqVeCeW84ZfTy encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Regards,
Simon
12-15-2016 10:34 AM
Simon
I did have a look at the link that you mention and have looked through this config. I do have a few comments/suggestions.
- it is unusual to have the access list used for crypto VPN to permit ip any any. I believe that this is part of your issue. I did see that the example in that link did have a crypto access list with permit ip any any. But that was on the peer with a fixed address and you are trying to configure it on the peer with dynamic address. I suggest that you change this access list so that it permits the traffic from your site to the other site.
- I notice that you are using the dynamic map on this ASA. In the example in the link the ASA with static address used the dynamic map while the ASA with the dynamic address used the traditional crypto map entry. I suggest that you change your config to use the same approach as is used in the example.
- You have an access list configured for nonat but it is not used anywhere. And the logic of this access list puzzles me.
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.3.0 255.255.255.0
Why do you have 192.168.3.0 as both the source and the destination?
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide