REXEC - Possible inspection issue

AxiomConsulting
Level 1

Hi Everyone,

I'm trying to make a REXEC connection to a device outside of our network in order to run an xterm window.

However, even after configuring the ASA to allow outbound connections to the remote IP address (in the ACL), this still fails. I see the following in the log...

Inbound TCP connection denied from <REMOTE IP>/37510 to <PUBLIC ADDRESS NAT>/6000 flags SYN on interface outside.

I think this may be because I need to inspect rcmd traffic; however, I cannot add that inspect rule (as it's not an option on the ASA, unlike the inspect session command on a router).

Any ideas....

Thanks

Steve

2 Replies

Jon Marshall
Hall of Fame

Steve

Yes, X Windows is back to front, i.e. 6000 is an X Windows port, and in the absence of inspection you would need to allow that port back in from the remote client. Trouble is, X runs on a range of ports 6000 -> 6xxx; apologies, but I can't remember off the top of my head what the top of the range is!

An alternative is to look into tunnelling X through port 22, which would allow you to secure the connection. I must admit I didn't realise they had dropped the inspection - seems like a mistake to me.

Jon
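Jon's point in working form, as an added example that is not part of the original thread and is not Cisco's own tooling: X11 listens on TCP 6000 plus the display number, so the log line Steve quoted is the remote X client calling back to display :0, and the ACE has to admit that port (or a range of them) inbound on the outside interface. The addresses 203.0.113.5 (remote X client) and 198.51.100.10 (the NAT'd public address), the ACL name outside_in and the sample ASA 106001 log line are all constructed placeholders modelled on the post; the syntax of the 106001 message and of the extended access-list entry is standard ASA.

```shell
# Added example (not from the thread). Derive the X11 TCP port from a DISPLAY
# value or from an ASA %ASA-2-106001 "connection denied" line and emit the
# matching ASA access-list entry. All addresses/names below are placeholders.

# X11 listens on TCP 6000 + display number: DISPLAY=host:0 -> 6000, :10.0 -> 6010.
# (SSH X11 forwarding hands the far end DISPLAY=localhost:10.0, i.e. 6010 on
# loopback, and carries it inside the port-22 session, so no 6000+ hole is needed.)
x11_port() {
    display=${1##*:}        # drop "host" (everything up to the last colon)
    display=${display%%.*}  # drop the ".screen" suffix
    display=${display:-0}
    echo $((6000 + display))
}

# Pull the destination port out of a 106001 line:
#   "... denied from <src>/<sport> to <dst>/<dport> flags SYN on interface outside"
denied_dst_port() {
    sed -n 's/.*denied from [^ ]* to [^/]*\/\([0-9]*\) .*/\1/p'
}

# Emit the ACE that admits the X client's callback for one display or a range.
# args: acl-name remote-ip nat-ip first-display [last-display]
x11_ace() {
    if [ $# -ge 5 ] && [ "$5" -gt "$4" ]; then
        ports="range $(x11_port ":$4") $(x11_port ":$5")"
    else
        ports="eq $(x11_port ":$4")"
    fi
    printf 'access-list %s extended permit tcp host %s host %s %s\n' \
        "$1" "$2" "$3" "$ports"
}

# Constructed sample, modelled on the log line in the question.
SAMPLE_LOG='%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/37510 to 198.51.100.10/6000 flags SYN on interface outside'

port=$(printf '%s\n' "$SAMPLE_LOG" | denied_dst_port)
echo "denied X11 port $port = display $((port - 6000))"
# Narrowest fix: admit only the display that was denied.
x11_ace outside_in 203.0.113.5 198.51.100.10 $((port - 6000))
# Or admit displays :0 through :63 (6000-6063) if several xterms are expected.
x11_ace outside_in 203.0.113.5 198.51.100.10 0 63
# Apply with: access-group outside_in in interface outside
```

The ACE is the inspection-free answer to the denial in the log; it is a standing hole from that remote host to port 6000+ on the NAT'd address, which is why Jon's tunnelling suggestion (`ssh -X user@remote xterm`, with X11Forwarding enabled on the far sshd) is the better choice: the X traffic rides the outbound port-22 session you already permit, and the far end's DISPLAY becomes localhost:10.0, which `x11_port` maps to 6010 on loopback rather than a port exposed through the firewall.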

Hi Jon,

Thank you for your reply.

For testing purposes I have amended my inbound ACL on the ASA to allow ALL IP from the remote IP address to the IP address our connection gets NATed to.

I have also created an ACL, put this ACL in a class map and added this class map to the policy map to ensure that matching traffic gets inspected, but still no joy. The same error, I'm afraid.

I don't suppose you have any other ideas, do you? Also, does anyone know of a command I can use on the ASA to show inspected traffic? I am looking for a similar command to the router command, sho ip tcp inspect....

Thanks again for your assistance

Steve
