I have an SSH SOCKS tunnel set up on the SOCKS server, which is a Linux box.
When I connect my machine to Switch 2, I am NOT able to receive any mail by setting up a mail client, and it seems SOCKS traffic does not reach the SOCKS server. I can, however, run a telnet command to port 1080 (the SOCKS port), which connects, showing that the port was going through and open. However, there was no SOCKS traffic.
When I connected the machine to Switch 1, SOCKS traffic worked as expected and I was able to receive mail.
This suggests to me that the ASA has some inherent rule that does not allow SOCKS traffic...
Since you mentioned that when bypassing the Cisco ASA FW the SOCKS connection works fine, it's clear that the Cisco FW is the issue here. The Cisco FW doesn't support SOCKS running on it, but it can pass SOCKS traffic through, since it uses TCP. I'm assuming routing from the client to the server is good, hence you're able to ping the server from the client.
My guess is that permitting TCP/1080 isn't enough to make this connection go through. Perhaps more TCP ports need to be permitted. To confirm this, you could perform the following:
Place your workstation in Switch 1 and then in Switch 2, run Wireshark and initiate the communication. With both packet captures, you'll be able to see the TCP port numbers needed for successful communication between the client and the server.
Issue the "clear service-policy" command, initiate the communication and capture the "show service-policy" output to ensure the Cisco ASA FW isn't dropping any packets.
P/S: if you think this comment is useful, please rate it nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
I have actually also tested by allowing all traffic to our SOCKS servers, and that still does not work, which is why I am led to believe that the Cisco ASA has an inherent rule that blocks SOCKS traffic, although I do not see that in the logs.
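The telnet test on port 1080 above only proves that the TCP port is reachable; it says nothing about whether a SOCKS server actually answers. The following is an added example, not code from this thread, that sends the RFC 1928 SOCKS5 greeting and reports separately whether TCP connected and whether a valid method-selection reply came back, which is exactly the distinction between "port open" and "no SOCKS traffic". The FakeSocks5 and SilentTcp loopback handlers are constructed stand-ins so it runs offline; the host, port and timeout values are assumptions to replace with your own SOCKS server's address when testing through the ASA path.

```python
import socket
import socketserver
import threading
SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF

def build_greeting(methods=(NO_AUTH,)):
    """RFC 1928 client greeting: VER, NMETHODS, METHODS[]."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_select(reply):
    """Parse the 2-byte server method-selection message; return the chosen method."""
    if len(reply) != 2:
        raise ValueError(f"short or empty reply: {reply!r}")
    if reply[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 reply (version byte {reply[0]:#04x})")
    if reply[1] == NO_ACCEPTABLE:
        raise ValueError("server accepted none of the offered auth methods")
    return reply[1]

def check_socks5(host, port=1080, timeout=3.0):
    """Return (tcp_open, socks_ok, detail): an open port is not a working proxy."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return False, False, f"TCP connect failed: {e}"
    with s:
        try:
            s.sendall(build_greeting())
            method = parse_method_select(s.recv(2))
        except socket.timeout:
            return True, False, "TCP connected, but no SOCKS reply before timeout"
        except (ValueError, OSError) as e:
            return True, False, str(e)
    return True, True, f"SOCKS5 handshake ok, method {method:#04x}"

class FakeSocks5(socketserver.BaseRequestHandler):
    """Constructed stand-in for a SOCKS5 server: answers the greeting with NO_AUTH."""
    def handle(self):
        self.request.recv(257)  # a greeting is at most 2 + 255 bytes
        self.request.sendall(bytes([SOCKS_VERSION, NO_AUTH]))

class SilentTcp(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(257)  # constructed 'port open, nothing speaks SOCKS': close silently

def start_loopback(handler):
    """Serve handler on 127.0.0.1 at a random port in a daemon thread; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Run check_socks5 from a client on Switch 2 against the real server: a (True, False, ...) result reproduces the symptom in this thread and is worth correlating with the "show service-policy" counters on the ASA.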