REXEC - Possible inspection issue

Apr 24th, 2009

Hi Everyone,

I'm trying to make an REXEC connection to a device outside of our network in order to run an xterm window.

However, even after configuring the ASA to allow outbound connections to the remote IP address (in the ACL), this still fails. I see the following in the log:

Inbound TCP connection denied from <REMOTE IP>/37510 to <PUBLIC ADDRESS NAT>/6000 flags SYN on interface outside.

I think this may be because I need to inspect rcmd traffic; however, I cannot add that inspect rule (as it's not an option on the ASA, unlike the inspect session command on a router).

Any ideas....



Jon Marshall Fri, 04/24/2009 - 07:28


Yes, X Windows is back to front, i.e. 6000 is an X Windows port, and in the absence of inspection you would need to allow that port back in from the remote client. Trouble is X runs on a range of ports 6000 -> 6xxx; apologies, but I can't remember off the top of my head what the top range is!

An alternative is to look into tunnelling X through port 22, which would allow you to secure the connection. I must admit I didn't realise they had dropped the inspection - seems like a mistake to me.
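
Added example, not part of the original thread: a small Python filter that picks the denied X11 call-backs described above out of ASA log text and maps each destination port to its X display (port 6000 + N). The sample lines and addresses are constructed, and the 6063 upper bound is an assumption taken from the IANA-registered x11 port range.

```python
import re
from collections import Counter

# Message text as quoted in the question; any syslog prefix before it is ignored.
DENY_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<ifc>[\w-]+)"
)

X11_BASE = 6000  # X display :N listens on TCP 6000 + N
X11_TOP = 6063   # assumption: IANA-registered x11 range is 6000-6063

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE = [
    "Inbound TCP connection denied from 192.0.2.10/37510 to 198.51.100.5/6000 flags SYN on interface outside",
    "Inbound TCP connection denied from 192.0.2.10/37511 to 198.51.100.5/6000 flags SYN on interface outside",
    "Inbound TCP connection denied from 192.0.2.10/40112 to 198.51.100.5/6010 flags SYN on interface outside",
    "Inbound TCP connection denied from 203.0.113.7/51000 to 198.51.100.5/445 flags SYN on interface outside",
    "Inbound TCP connection denied from 192.0.2.10/37512 to 198.51.100.5/6001 flags RST ACK on interface outside",
]


def x11_callbacks(lines):
    """Return (src, dst, display) for each denied inbound SYN aimed at an X11 port."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny message of this form
        if m["flags"].split() != ["SYN"]:
            continue  # only new connection attempts matter here
        dport = int(m["dport"])
        if X11_BASE <= dport <= X11_TOP:
            hits.append((m["src"], m["dst"], dport - X11_BASE))
    return hits


def summarize(lines):
    """Count denied X11 call-backs per (remote host, display number)."""
    return Counter((src, disp) for src, _dst, disp in x11_callbacks(lines))


if __name__ == "__main__":
    for (src, disp), n in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> display :{disp} (tcp/{X11_BASE + disp}) denied {n}x")
```

Repeated hits from the same remote host on the same display show which X11 ports the session actually uses before any inbound rule is widened.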


AxiomConsulting Mon, 04/27/2009 - 01:09

Hi Jon,

Thank you for your reply.

For testing purposes I have amended my inbound ACL on the ASA to allow ALL IP from the Remote IP address to the IP address our connection gets NATed to.

I have also created an ACL, put this ACL in a class map and added this class map to the policy map to ensure that matching traffic gets inspected, but still no joy. The same error, I'm afraid.

I don't suppose you have any other ideas, do you? Also, does anyone know of a command I can use on the ASA to show inspected traffic? I am looking for a similar command to the router command, sho ip tcp inspect....

Thanks again for your assistance


