Cisco ASA 5525-X - Allow Outside IP via ssh - Duplicate TCP SYN

olealrd1981
Level 1

We have a public /24 subnet delegated to us by our ISP. Due to how this connection is set up, I can't just allow what I need on the outside interface, which is SSH (on my other firewall I just do ssh xx.xx.xx.xx 255.255.255.255 Outside and that's it). But on this one, connections to my actual Outside interface are not allowed, so they have delegated a /24, and we currently use some of those IPv4 addresses for a public website, development, etc. (they are then translated to the internal host's private IPv4 address). The issue I have is that I need to pick one unused address (which I did) and allow a remote host to SSH using this IPv4 address on my side (one from the /24). I've created a rule that specifies that this remote host is allowed (tcp/22) and that the destination address is one of the /24 addresses. When this connection is attempted I can see that the ASA is receiving the request, but no connection can be completed, and the logs have "Duplicate TCP SYN From Inside ... with different initial sequence number".

I would like to know if this is possible to do, instead of just allowing the connection to an internal host, since we need the remote entity to be allowed to manage the firewall via SSH.


Regards

O

1 Reply

M02@rt37
VIP

Hello @olealrd1981 

One solution to this problem is to enable TCP state bypass for the specific IP address and port that you want to allow SSH access to. This will allow the ASA to bypass the normal TCP state tracking for that connection and allow the packets to pass through without interference.

! Match only the remote admin host talking to the chosen public /24 address on tcp/22.
! <remote-host> and <public-address> are placeholders (the question writes them as xx.xx.xx.xx).
access-list tcp-bypass-ssh extended permit tcp host <remote-host> host <public-address> eq 22
class-map ssh
 match access-list tcp-bypass-ssh
!
! Bypass stateful TCP tracking (this also disables the TCP normalizer) for that class only,
! which is why the class is scoped to a single host and port rather than "any".
policy-map tcp-bypass
 class ssh
  set connection advanced-options tcp-state-bypass
!
! service-policy is a global configuration command, not part of the policy-map.
service-policy tcp-bypass interface outside
!
! The interface ACL must still permit the remote host to tcp/22 on that public address.
access-group outside_access_in in interface outside

Best regards
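The symptom in the question is ASA syslog message 419002 ("Duplicate TCP SYN ... with different initial sequence number"). Before changing connection handling for a flow, it helps to know exactly which flows and which interface direction generate the message, and whether the affected flows are the tcp/22 flow in question or something else. The script below is an added example, not code from the thread or from Cisco: it parses the documented field layout of message 419002 (from <interface>:<address>/<port> to <interface>:<address>/<port>), counts repeats per flow, and lists the flows that target a given port. The log lines in SAMPLE_LOG are constructed for illustration, using documentation address ranges; the interface names and hostnames in them are assumptions.

```python
"""Triage ASA syslog 419002 (Duplicate TCP SYN ...) events by flow."""
import re
from collections import Counter
from typing import Counter as CounterT, Iterable, List, NamedTuple, Optional, Tuple

# Documented layout of message 419002:
#   Duplicate TCP SYN from <in_if>:<src>/<sport> to <out_if>:<dst>/<dport>
#   with different initial sequence number
# IGNORECASE because the question quotes it as "Duplicate TCP SYN From Inside".
SYN_DUP_RE = re.compile(
    r"%ASA-\d-419002:\s*Duplicate TCP SYN from\s+"
    r"(?P<in_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+)\s+to\s+"
    r"(?P<out_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)\s+"
    r"with different initial sequence number",
    re.IGNORECASE,
)


class DupSyn(NamedTuple):
    in_if: str
    src: str
    sport: int
    out_if: str
    dst: str
    dport: int


# (in_if, src, out_if, dst, dport): the ephemeral source port is dropped so that
# retries from the same client show up as one flow.
FlowKey = Tuple[str, str, str, str, int]


def parse_dup_syn(line: str) -> Optional[DupSyn]:
    """Return the parsed 419002 event, or None for any other log line."""
    m = SYN_DUP_RE.search(line)
    if not m:
        return None
    return DupSyn(m["in_if"], m["src"], int(m["sport"]),
                  m["out_if"], m["dst"], int(m["dport"]))


def parse_log(text: str) -> List[DupSyn]:
    """Parse a block of syslog text, keeping only 419002 events."""
    return [r for r in (parse_dup_syn(ln) for ln in text.splitlines()) if r]


def count_by_flow(records: Iterable[DupSyn]) -> CounterT[FlowKey]:
    """How many duplicate-SYN events each flow produced."""
    return Counter((r.in_if, r.src, r.out_if, r.dst, r.dport) for r in records)


def by_direction(records: Iterable[DupSyn]) -> CounterT[Tuple[str, str]]:
    """Events per (ingress interface, egress interface) pair."""
    return Counter((r.in_if, r.out_if) for r in records)


def flows_to_port(counts: CounterT[FlowKey], port: int) -> List[Tuple[FlowKey, int]]:
    """Flows whose destination port is `port`, most frequent first."""
    hits = [(k, n) for k, n in counts.items() if k[4] == port]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log (not real device output). Line 4 is an unrelated
# connection-built message and must be ignored by the parser.
SAMPLE_LOG = """\
Jun 10 2024 09:12:41 fw01 %ASA-4-419002: Duplicate TCP SYN from Inside:10.10.20.5/51234 to Outside:198.51.100.77/22 with different initial sequence number
Jun 10 2024 09:12:44 fw01 %ASA-4-419002: Duplicate TCP SYN from Inside:10.10.20.5/51234 to Outside:198.51.100.77/22 with different initial sequence number
Jun 10 2024 09:12:50 fw01 %ASA-4-419002: Duplicate TCP SYN From Outside:198.51.100.77/51240 to Inside:10.10.20.5/22 with different initial sequence number
Jun 10 2024 09:13:02 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for Outside:198.51.100.77/51300 (198.51.100.77/51300) to Inside:10.10.20.9/443 (203.0.113.9/443)
Jun 10 2024 09:13:10 fw01 %ASA-4-419002: Duplicate TCP SYN from Inside:10.10.30.8/51100 to Outside:192.0.2.15/443 with different initial sequence number
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} duplicate-SYN events")
    for (in_if, out_if), n in by_direction(recs).most_common():
        print(f"  {in_if} -> {out_if}: {n}")
    for key, n in flows_to_port(count_by_flow(recs), 22):
        in_if, src, out_if, dst, dport = key
        print(f"  tcp/{dport} {in_if}:{src} -> {out_if}:{dst}: {n} event(s)")
```

Run it against the output of `show logging` or a syslog export instead of SAMPLE_LOG to see whether the tcp/22 flow in question is the only one producing the message; a flow that shows up in both directions, or many unrelated flows at once, points at a path or routing problem rather than at that one connection, and the TCP state bypass class should stay limited to the single host and port regardless.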