01-16-2011 08:32 PM - edited 03-06-2019 03:01 PM
Hi,
I’m trying to ssh to a router through a ASA 5505 and have the router I’m reaching return the traffic on tcp port 22. I’ve attached a small network diagram which explains how it’s all connected.
The pertinent configuration on Router 2 is:
ip nat inside source list Permit-NAT interface FastEthernet4 overload
!
ip access-list extended Permit-NAT
permit ip any any
exit
!
interface FastEthernet4
description Connected to RT1
ip address 172.17.0.2 255.255.255.252
ip nat outside
speed auto
duplex auto
shutdown
exit
When I view the firewall logs the packets get dropped by the Inbound ACL with:
access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)
This, I think, is due to the PAT on fa4 from router 2. How can I have return traffic from Router 2 use the correct port so that the firewall's SPI filter isn't kicking off?
Thanks.
01-16-2011 08:38 PM
Hi Prince,
ip nat inside source list Permit-NAT interface FastEthernet4 overload
!
ip access-list extended Permit-NAT
permit ip any any
exit
!
interface FastEthernet4
description Connected to RT1
ip address 172.17.0.2 255.255.255.252
ip nat outside
speed auto
duplex auto
shutdown --> (Try to no shut that port & then check)
exit.
01-16-2011 11:46 PM
Sorry, that was a typo! The port is definitely up. Well spotted though...
01-17-2011 12:24 AM
Hi,
access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)
can you do a sh access-list on your ASA?
Your ssh client will initiate the connection from a random port > 1024 to port 22 on the ssh server, and PAT on the router won't be involved if you connect to the interface going to r1.
Regards.
Alain
01-17-2011 09:59 AM
Hi,
Here's the pertinent part of the ASA's Outbound ACL:
object network RT2
host 172.17.0.2
!
object network PP-WRK-1
host 10.1.6.1
!
object-group service Perimeter-MGMT-Protocols-Outbound
service-object tcp eq ssh
service-object tcp eq https
!
object-group network PP-MGMT-Workstations
network-object object PP-WRK-1
!
access-list Outbound remark Permit Perimeter Management
access-list Outbound extended permit object-group Perimeter-MGMT-Protocols-Outbound object-group PP-MGMT-Workstations object RT2
There is no specific ACE on the Inbound ACL as the return traffic should be automatically allowed via SPI. I think the problem isn't the outbound traffic, rather the return traffic, as it's returning on a random port.
Thanks for taking a look.
01-17-2011 12:37 PM
Hi,
Can you do a packet capture command on the ASA simulating your ssh from the LAN host to RTR2?
access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)
It should come from port 22 if it was response traffic from ssh.
Regards.
Alain.
01-17-2011 12:49 PM
I'll try that tonight using:
http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/
and post back.
I did run the packet tracer on the packets going outbound which passed, and I can confirm the packets are arriving at the router, it's the router's returning traffic that gets stopped because of the random port it's using.
Thanks.
01-17-2011 11:17 PM
Here are the commands I used for the capture and the results.
access-list PktCapture extended permit ip host 10.1.6.1 host 172.17.0.2
access-list PktCapture extended permit ip host 172.17.0.2 host 10.1.6.1
!
capture captured access-list PktCapture interface Inside packet-length 1522
capture captured access-list PktCapture interface Outside packet-length 1522
Results:
3 packets captured
1: 23:02:04.126198 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192
2: 23:02:07.132500 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192
3: 23:02:13.138649 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192
3 packets shown
It only saw the outgoing packets. Seems the ACL drops packets before the capture sees them?
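The point Alain makes above (a genuine SSH reply must come back from port 22 to the client's ephemeral port) can be checked mechanically against the ASA output posted in this thread. The script below is an added example, not code from the original thread or from Cisco: it parses the `capture` lines and the `access-list ... denied` syslog line quoted above, then asks whether the denied packet is the exact reverse of any captured outbound flow. The additional capture line and the second deny line marked "constructed" are made-up samples to exercise the positive case.

```python
"""Correlate an ASA 'access-list denied' log line with captured flows.

A stateful firewall only admits return traffic whose 5-tuple is the exact
reverse of an existing connection. This script classifies a denied packet as:
  - "reply-to-captured-flow": it IS the reverse of a captured flow
  - "port-mismatch": same two hosts, but the ports do not match (what PAT
    or an unrelated probe would look like)
  - "unrelated": no captured flow between those hosts at all
"""
import re
from dataclasses import dataclass

# ASA 'show capture' line, e.g.
# 1: 23:02:04.126198 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S ...
CAPTURE_RE = re.compile(
    r"^\d+:\s+[\d:.]+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\S+)"
)
# ASA syslog ACL deny line, e.g.
# access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)
DENY_RE = re.compile(
    r"^access-list\s+(\S+)\s+denied\s+(\w+)\s+"
    r"(\w+)/(\d+\.\d+\.\d+\.\d+)\((\d+)\)\s+->\s+(\w+)/(\d+\.\d+\.\d+\.\d+)\((\d+)\)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a legitimate reply to this flow must carry."""
        return Flow(self.dst, self.dport, self.src, self.sport)


def parse_capture(lines):
    """Return the distinct flows seen in capture output (retransmits collapse)."""
    flows = []
    for line in lines:
        m = CAPTURE_RE.match(line.strip())
        if not m:
            continue  # skip headers such as '3 packets captured'
        flow = Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        if flow not in flows:
            flows.append(flow)
    return flows


def parse_deny(line) -> Flow:
    """Extract the denied packet's 5-tuple from an ASA ACL deny log line."""
    m = DENY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA ACL deny line: {line!r}")
    return Flow(m.group(4), int(m.group(5)), m.group(7), int(m.group(8)))


def classify_denied(deny_line, capture_lines) -> dict:
    """Decide whether a denied packet could have been a reply to a captured flow."""
    denied = parse_deny(deny_line)
    flows = parse_capture(capture_lines)
    for f in flows:
        if denied == f.reverse():
            return {"verdict": "reply-to-captured-flow", "original": f}
    for f in flows:
        if denied.src == f.dst and denied.dst == f.src:
            return {
                "verdict": "port-mismatch",
                "original": f,
                "expected_ports": (f.dport, f.sport),   # what a real reply uses
                "observed_ports": (denied.sport, denied.dport),
            }
    return {"verdict": "unrelated", "original": None}


# Lines quoted from the thread above.
CAPTURE_LINES = [
    "3 packets captured",
    "1: 23:02:04.126198 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192",
    "2: 23:02:07.132500 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192",
    "3: 23:02:13.138649 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192",
    "3 packets shown",
]
DENY_LOG = "access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)"
# Constructed sample: what the deny line would look like if a true SSH reply were dropped.
CONSTRUCTED_REPLY_DENY = "access-list Inbound denied tcp Outside/172.17.0.2(22) -> Inside/10.1.6.1(49542)"

if __name__ == "__main__":
    for line in (DENY_LOG, CONSTRUCTED_REPLY_DENY):
        print(line, "->", classify_denied(line, CAPTURE_LINES)["verdict"])
```

Run against the thread's own lines, the real deny entry comes back as `port-mismatch` (expected 22 -> 49542, observed 1 -> 50154), which supports Alain's reading: a packet from source port 1 to port 50154 is not the reply to the captured SSH SYN, so the ASA's stateful inspection was right not to match it to the session. Only a `reply-to-captured-flow` verdict on a deny line would point at the firewall's state handling itself.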
01-18-2011 12:25 AM
Hi,
Is your ASA pre 8.3?
access-list PktCapture extended permit ip host 172.17.0.2 host 10.1.6.1
If yes, it can't work if you haven't got any static NAT and your destination is a public address, because here it is not a reply to a packet from inside to outside.
In your previous post your log was mentioning this inside address; are you doing NAT exemption?
Can you post the config of the ASA and router please?
Regards.
Alain.