Cisco Support Community
Community Member

REXEC - Possible inspection issue

Hi Everyone,

I'm trying to make an REXEC connection to a device outside of our network in order to run an xterm window.

However, even after configuring the ASA to allow outbound connections to the remote IP address (in the ACL), this still fails. I see the following in the log:

Inbound TCP connection denied from <REMOTE IP>/37510 to <PUBLIC ADDRESS NAT>/6000 flags SYN on interface outside.

I think this may be because I need to inspect rcmd traffic; however, I cannot add that inspect rule (as it's not an option on the ASA, unlike the inspect session command on a router).

Any ideas....



Hall of Fame Super Blue

Re: REXEC - Possible inspection issue


Yes, X windows is back to front, i.e. 6000 is an X windows port and in the absence of inspection you would need to allow that port back in from the remote client. Trouble is X runs on a range of ports 6000 -> 6xxx, apologies but can't remember off the top of my head what the top range is!

An alternative is to look into tunnelling X through port 22, which would allow you to secure the connection. I must admit I didn't realise they had dropped the inspection - seems like a mistake to me.
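
The deny message quoted in the thread can be picked out of a firewall log to confirm that the blocked traffic is the X11 callback (display :n listens on TCP 6000 + n) rather than the REXEC session itself. This is an added example, not part of either poster's message; the sample addresses are constructed and the upper display bound of 63 is an assumption.

```python
import re

# ASA deny message in the form quoted in the thread.
DENY_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.+?) "
    r"on interface (?P<ifc>\S+?)\.?$"
)

X11_BASE = 6000        # X display :n listens on TCP 6000 + n
X11_MAX_DISPLAY = 63   # assumption: conventional upper bound, adjust as needed


def x11_callbacks(lines):
    """Return (src, dst, display, interface) for denied SYNs aimed at X11 ports."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line.strip())
        if not m:
            continue  # not a deny message in the expected format
        display = int(m["dport"]) - X11_BASE
        # Only new connection attempts (SYN) to a port in the X11 range count.
        if "SYN" in m["flags"].split() and 0 <= display <= X11_MAX_DISPLAY:
            hits.append((m["src"], m["dst"], display, m["ifc"]))
    return hits


# Constructed sample lines using documentation addresses, not from the thread.
SAMPLE_LOG = [
    "Inbound TCP connection denied from 203.0.113.10/37510 to 198.51.100.5/6000 flags SYN on interface outside.",
    "Inbound TCP connection denied from 203.0.113.10/37512 to 198.51.100.5/6010 flags SYN on interface outside.",
    "Inbound TCP connection denied from 203.0.113.77/40211 to 198.51.100.5/445 flags SYN on interface outside.",
    "Inbound TCP connection denied from 203.0.113.10/37514 to 198.51.100.5/6000 flags RST on interface outside.",
]

if __name__ == "__main__":
    for src, dst, display, ifc in x11_callbacks(SAMPLE_LOG):
        print(f"{src} tried to open X display :{display} on {dst} via {ifc}")
```

A hit on display :0 from the host you ran the remote command on means the remote xterm is connecting straight back to your X server, which is the traffic an inbound ACL entry or an SSH tunnel has to account for.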


Community Member

Re: REXEC - Possible inspection issue

Hi Jon,

Thank you for your reply.

For testing purposes I have amended my inbound ACL on the ASA to allow ALL IP from the Remote IP address to the IP address our connection gets NATed to.

I have also created an ACL, put this ACL in a class map and added this class map to the policy map to ensure that matching traffic gets inspected, but still no joy. The same error I'm afraid.

I don't suppose you have any other ideas, do you? Also, does anyone know of a command I can use on the ASA to show inspected traffic? I am looking for a similar command to the router command, sho ip tcp inspect....

Thanks again for your assistance

