10-30-2015 08:38 AM - edited 02-21-2020 05:36 AM
Hello - wondering if someone can tell me if there's a bug in the 8.2(5) code (I'm running the latest build, #58) related to ssh'ing into the appliance from a NAT'ed ip address.
My setup is like this:
my workstation (192.168.1.1)
|
ASA 5585-X (nats 192.168.1.1 to 10.1.1.1)
|
ASA 5505 10.2.2.2
On the 5585 side, here is the packet trace:
1: 09:57:43.317229 10.1.1.1.33728 > 10.2.2.2.22: S 1546719477:1546719477(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
2: 09:57:43.317946 10.2.2.2.22 > 10.1.1.1.33728: S 692254474:692254474(0) ack 1546719478 win 8192 <mss 1380>
3: 09:57:43.318312 10.1.1.1.33728 > 10.2.2.2.22: . ack 692254475 win 64860
4: 09:57:43.318388 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
5: 09:57:43.615980 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
6: 09:57:44.215976 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
7: 09:57:45.416024 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
8: 09:57:47.824664 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
9: 09:57:52.626829 10.1.1.1.33728 > 10.2.2.2.22: P 1546719478:1546719529(51) ack 692254475 win 64860
10: 09:58:02.232348 10.1.1.1.33728 > 10.2.2.2.22: R 1546719529:1546719529(0) ack 692254475 win 0
And here's the trace on the 5505 side:
1: 09:57:43.291717 10.1.1.1.33728 > 10.2.2.2.22: S 2937505576:2937505576(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
2: 09:57:43.291809 10.2.2.2.22 > 10.1.1.1.33728: S 25078042:25078042(0) ack 2937505577 win 8192 <mss 1380>
3: 09:57:43.292709 10.1.1.1.33728 > 10.2.2.2.22: . ack 25078043 win 64860
4: 09:57:43.292877 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
5: 09:57:43.590377 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
6: 09:57:44.190343 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
7: 09:57:45.390375 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
8: 09:57:47.798954 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
9: 09:57:52.601027 10.1.1.1.33728 > 10.2.2.2.22: P 2937505577:2937505628(51) ack 25078043 win 64860
10: 09:58:02.206364 10.1.1.1.33728 > 10.2.2.2.22: R 2937505628:2937505628(0) ack 25078043 win 0
Here is the log from the 5585:
%ASA-6-305011: Built dynamic TCP translation from any:192.168.1.1/59017 to any:10.1.1.1/59017
%ASA-6-302013: Built inbound TCP connection 1008925 for outside:192.168.1.1/59017 (10.1.1.1/59017) to outside:10.2.2.2/22 (10.2.2.2/22)
%ASA-6-305012: Teardown dynamic TCP translation from any:192.168.1.1/59017 to any:10.1.1.1/59017 duration 0:00:18
And the log from the 5505:
%ASA-7-609001: Built local-host outside:10.1.1.1
%ASA-7-710005: TCP request discarded from 10.1.1.1/59017 to outside:10.2.2.2/22
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/59017 to 10.2.2.2/22 flags RST ACK on interface outside
This used to work when I was running the 7.2(5)15 code on the 5505, but has since broken after I upgraded it to the 8.2(5)58 code.
If I remove the NAT on the 5585, I can connect to the machine directly, but it is a business requirement that I use NAT to connect -- I'm being temporarily allowed to connect directly to the 5505 with my workstation for testing.
Any help would be greatly appreciated.
Thanks,
Mike
11-10-2015 07:57 AM
Hi Mike,
On the 5505, do you allow ssh from 10.1.1.1 on the outside interface (ssh 10.1.1.1 255.255.255.255 outside)?
TCP request discarded from 10.1.1.1/59017 to outside:10.2.2.2/22
Also, what is the IP of the 5505 that faces the other ASA 5585-X? I mean on the inside interface? It looks like you are trying to connect to a far interface and being dropped, which is normal; the ASA cannot be managed through a far-side interface unless you use the command <management-access outside>.
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html
If this is your setup:
my workstation (192.168.1.1)
|
ASA 5585-X (nats 192.168.1.1 to 10.1.1.1)
|
ASA 5505 10.1.1.2 (inside)
10.2.2.2 (outside)
then allow ssh to inside interface (ssh 10.1.1.1 255.255.255.255 inside) and use IP 10.1.1.2 to connect to the 5505 instead of outside interface IP...
Patrick
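As an added example (not code from the thread or from Cisco), the following Python script triages the 5505-side syslog lines Mike posted against an assumed `ssh <ip> <mask> <iface>` running-config fragment: it extracts each %ASA-7-710005 discard aimed at port 22 and reports whether the source address is actually permitted by an ssh entry bound to the ingress interface. When the answer is "permitted" and the request is still discarded, the ssh allow list is not the cause and the far-side-interface / management-access question Patrick raises is the next thing to check.

```python
import ipaddress
import re

# Syslog lines copied from the 5505 post in this thread (embedded for offline use).
SAMPLE_LOG = """\
%ASA-7-609001: Built local-host outside:10.1.1.1
%ASA-7-710005: TCP request discarded from 10.1.1.1/59017 to outside:10.2.2.2/22
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration 0:00:00
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/59017 to 10.2.2.2/22 flags RST ACK on interface outside
"""

# Hypothetical running-config fragment: the ssh allow list Mike says he has,
# plus a constructed second entry for the inside interface.
SAMPLE_CONFIG = """\
ssh 10.1.1.1 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
"""

# 710005 = request addressed to one of the ASA's own interfaces was discarded.
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: TCP request discarded from ([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)")
SSH_RE = re.compile(r"^ssh ([\d.]+) ([\d.]+) (\S+)$", re.M)


def parse_ssh_allow(config):
    """Return [(network, interface), ...] from 'ssh <ip> <mask> <iface>' lines."""
    return [(ipaddress.ip_network(f"{ip}/{mask}", strict=False), iface)
            for ip, mask, iface in SSH_RE.findall(config)]


def discarded_mgmt_requests(log):
    """Yield one dict per 710005 message: source, ingress interface, destination."""
    for m in DISCARD_RE.finditer(log):
        src, sport, iface, dst, dport = m.groups()
        yield {"src": src, "sport": int(sport), "iface": iface,
               "dst": dst, "dport": int(dport)}


def ssh_source_permitted(src, iface, allow):
    """True if src falls inside an ssh entry bound to the interface it arrived on."""
    return any(ipaddress.ip_address(src) in net and i == iface for net, i in allow)


def triage(log, config):
    """(source, ingress interface, permitted-by-ssh-list) for each discarded SSH request."""
    allow = parse_ssh_allow(config)
    return [(ev["src"], ev["iface"], ssh_source_permitted(ev["src"], ev["iface"], allow))
            for ev in discarded_mgmt_requests(log) if ev["dport"] == 22]
```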
11-17-2015 10:24 AM
Hi Patrick,
I do have ssh 10.1.1.1 255.255.255.255 outside.
I think you're on to something with the management-access command -- I'll try that and see if it works.
Thanks for your input on this!
Mike