I am pretty new to asa and I am trying to troubleshoot a ssh problem coming from outside interface.
Settings for the servers are identical, however, ssh failed on 2223 where 2222 is running perfect fine. I do not understand why using port 2223 is not working. Any comment or idea will be appreciated!
In summary, i am having two problem:
1. ssh from outside interface is not passing through
2. Packet tracer is reporting "denied implicit rule" with working configuration (may be i have the command wrong?)
name 192.168.10.90 cent5push01
static (inside,outside) tcp interface 2222 cent5push01 2222 netmask 255.255.255.255
name 192.168.10.80 QCCENT5
static (inside,outside) tcp interface 2223 QCCENT5 2223 netmask 255.255.255.255
access-list outside_access_in line 29 remark ssh1
access-list outside_access_in line 30 extended permit tcp any interface outside eq 2222 (hitcnt=31) 0xbd684543
access-list outside_access_in line 31 remark ssh2
access-list outside_access_in line 32 extended permit tcp any interface outside eq 2223 (hitcnt=23) 0x8890efe9
match tcp inside host cent5push01 eq 2222 outside any static translation to x.x.x.x/2222
match tcp inside host QCCENT5 eq 2223 outside any static translation to x.x.x.x/2223
TCP outside 188.8.131.52:2998 inside cent5push01:2222, idle 0:00:00, bytes 423044, flags UIOB
I tried to use packet tracer to troubleshot the problem, but seems like the packet tracer is not working correctly for me while port 2222 is open.
packet-tracer input outside tcp 184.108.40.206 3000 192.168.10.90 2222 detailed.
Found no matching flow, creating a new flow
in 192.168.10.0 255.255.255.0 inside
Forward Flow based lookup yields rule:
in id=0x3d366f0, priority=11, domain=permit, deny=true
hits=1627282, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Drop-reason: (acl-drop) Flow is denied by configured rule
Since the packet capture shows no return traffic, If it is a linux host, make sure the following look right:
Right IP address ---> ifconfig
Right default route ---> netstat -rn
Right ARP entry for gateway ---> arp -an
Your packet-tracer is destined for a private IP address. You should be using the public as defined by your static NAT. In your case, the outside interface.
packet-tracer input outside tcp 220.127.116.11 3000 [2222 | 2223] detailed