Community Member

Unable to communicate on SFTP port (port 22) between different VLANs

I am having the following trouble.

Source IP from which the user is trying to SFTP: 10.254.227.* (DMZ VLAN)

Destination IP: 10.254.230.*, where we need access (also a VLAN)

There are a Checkpoint firewall and a PIX firewall on which access lists are configured.

On checking the logs on both firewalls, the SFTP traffic is permitted.

We tested it many times from the command prompt, but the connection fails with 'Connection failed on port 22'.

For example: >telnet <ip address> 22

Tried to telnet from the server (IP 10.254.227.*) to (10.254.230.*).

We tried telnetting on port 22 first and then on port 21 as well, but no joy.

Can someone give me some ideas as to what could be preventing the connection?

I have checked the logs on the Checkpoint and it says the request was accepted when I send a request from 10.254.227.x using the FileZilla software to connect to another server which is in a different VLAN (10.254.230.x).

I have found that on the Cisco PIX the traffic is getting accepted, but it is not going on to the appropriate destination.

Please check my following logs from the Cisco PIX.

For the PIX firewall it seems like an address translation issue.

We have got the following log from the PIX firewall:

****************************************

2008-05-07 21:31:29 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.*(3882) -> OperWebMgmt/10.254.230.*(22) hit-cnt 1 first hit

2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.*/3882 dst OperWebMgmt:10.254.230.*/22

***************************************

It looks to us like the PIX is allowing the inbound connection but is not able to send it out towards the destination.

There is a route between both VLAN's.

For security reasons, ping and tracert are disabled.

14 REPLIES
Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Is there anyone who can help me, please? I can give you the PIX config too if required...

Silver

Re: Unable to communicate on SFTP port (Port No 22) between diff

Post the config so that I can help you troubleshoot it.

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Please find the following config.

The config below will give you an idea of my VLAN interface IPs and the access list I have configured to pass traffic between them. I have also included the NAT entries for the other VLANs in my network, which will give you more of an idea about the NAT.

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 10.254.240.236 255.255.255.0 standby 10.254.240.235

interface GigabitEthernet0/2.63

vlan 63

nameif OperWebMgmt

security-level 50

ip address 10.254.230.254 255.255.255.0 standby 10.254.230.253

==========================================

I have configured following 2 ACL

==========================================

access-list Outside-inbound extended permit tcp host 10.254.227.6 host 10.254.230.33 eq ssh

access-list OperWeb-inbound extended permit tcp host 10.254.230.33 host 10.254.227.6 eq ssh

=========

NAT

=========

global (OperAppMgmt) 1 interface

global (InterFWInterconnect) 1 interface

global (Witness) 1 interface

global (Hmenus) 1 interface

global (App-ILO) 1 interface

global (OperWebMgmt) 1 interface

global (management) 1 interface

nat (Operators) 1 10.254.231.0 255.255.255.0

nat (Operators) 1 192.168.0.0 255.255.255.0

nat (OperWebMgmt) 0 10.254.230.0 255.255.255.0

static (InterFWInterconnect,Outside) 10.254.224.0 10.254.224.0 netmask 255.255.255.0

static (OperWebMgmt,OperAppMgmt) 10.254.230.39 10.254.230.39 netmask 255.255.255.255

static (OperAppMgmt,OperWebMgmt) 10.254.253.62 10.254.253.62 netmask 255.255.255.255

static (OperAppMgmt,OperWebMgmt) 10.254.253.61 10.254.253.61 netmask 255.255.255.255

static (OperAppMgmt,OperWebMgmt) 10.254.253.75 10.254.253.75 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.33 10.254.230.33 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.31 10.254.230.31 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.32 10.254.230.32 netmask 255.255.255.255


static (OperWebMgmt,OperAppMgmt) 10.254.230.13 10.254.230.13 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.14 10.254.230.14 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.41 10.254.230.41 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.40 10.254.230.40 netmask 255.255.255.255

static (OperWebMgmt,OperAppMgmt) 10.254.230.34 10.254.230.34 netmask 255.255.255.255

Please let me know if you need more info.

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Can someone help me, please... It's quite urgent as my client wants this issue fixed ASAP and I could not find a proper solution....

Thanks,

Silver

Re: Unable to communicate on SFTP port (Port No 22) between diff

static (OperWebMgmt,Outside) 10.254.30.x 10.254.30.x netmask 255.255.255.255

Do that and it will work.
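Why the rules posted above produce %ASA-3-305005 for this flow, and why a static like the one suggested clears it, can be checked with the following added Python model of the pre-8.3 PIX/ASA translation lookup for a connection that arrives on a lower-security interface. This is example code written for this page, not from the thread or from Cisco. It keeps only the posted rules that matter for the Outside -> OperWebMgmt SSH flow, assumes the static is written for 10.254.230.33 (the host in the posted access list), and adds a NAT-exemption alternative under the assumed ACL name NONAT-WEB. The global/dynamic nat pairs are ignored because they never create a translation for a connection initiated from the lower-security side.

```python
"""Simplified PIX/ASA (pre-8.3 syntax) inbound translation lookup: does a
connection entering a lower-security interface find a translation for the
destination host on the higher-security interface?  Added example, not
from the thread or from Cisco."""
import ipaddress

# Constructed from the rules posted in the thread, trimmed to the relevant ones.
THREAD_CONFIG = """\
global (OperWebMgmt) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (OperWebMgmt) 0 10.254.230.0 255.255.255.0
static (OperWebMgmt,OperAppMgmt) 10.254.230.33 10.254.230.33 netmask 255.255.255.255
static (OperAppMgmt,OperWebMgmt) 10.254.253.62 10.254.253.62 netmask 255.255.255.255
access-list Outside-inbound extended permit tcp host 10.254.227.6 host 10.254.230.33 eq ssh
"""
# Two ways to publish 10.254.230.33 towards Outside; the exemption ACL name is assumed.
FIX_STATIC = "static (OperWebMgmt,Outside) 10.254.230.33 10.254.230.33 netmask 255.255.255.255\n"
FIX_EXEMPT = ("access-list NONAT-WEB extended permit ip host 10.254.230.33 host 10.254.227.6\n"
              "nat (OperWebMgmt) 0 access-list NONAT-WEB\n")


def _net(addr, mask):
    """Network from a dotted address and dotted mask, e.g. 10.254.230.0 255.255.255.0."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _acl_operand(tokens, i):
    """Parse one ACL address operand (any | host A | A MASK) at tokens[i]; return (net, next_i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Collect static, nat and access-list lines; global/dynamic nat is irrelevant here."""
    rules = {"static": [], "nat": [], "acl": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static":            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            rules["static"].append((real_if, mapped_if, _net(t[2], t[5]), _net(t[3], t[5])))
        elif t[0] == "nat":             # nat (if) ID NET MASK  |  nat (if) 0 access-list NAME
            interface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                rules["nat"].append((interface, nat_id, None, t[4]))
            else:
                rules["nat"].append((interface, nat_id, _net(t[3], t[4]), None))
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 2   # skip the protocol keyword
            src, i = _acl_operand(t, i)
            dst, i = _acl_operand(t, i)
            rules["acl"].setdefault(t[1], []).append((src, dst))
    return rules


def inbound_translation(rules, in_if, out_if, src_ip, dst_ip):
    """Return (ok, reason) for a flow entering in_if (lower security) towards dst_ip on out_if.
    Lookup order mirrors the firewall: static, then NAT exemption, then regular identity NAT."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # 1. A static whose mapped side faces the ingress interface publishes the host there.
    for real_if, mapped_if, mapped_net, real_net in rules["static"]:
        if real_if == out_if and mapped_if == in_if and dst in mapped_net:
            real = real_net.network_address + (int(dst) - int(mapped_net.network_address))
            return True, f"static ({real_if},{mapped_if}) maps {dst} to {real}"
    # 2. NAT exemption is bidirectional; its ACL is written from the real host's side.
    for interface, nat_id, _network, acl in rules["nat"]:
        if interface == out_if and nat_id == 0 and acl:
            for acl_src, acl_dst in rules["acl"].get(acl, []):
                if dst in acl_src and src in acl_dst:
                    return True, f"nat ({interface}) 0 access-list {acl} exempts {dst}"
    # 3. Regular identity NAT (nat 0 without an ACL) covers the host, but only for
    #    connections the host itself initiates, so an inbound lookup still fails.
    for interface, nat_id, net, acl in rules["nat"]:
        if interface == out_if and nat_id == 0 and net is not None and dst in net:
            return False, (f"nat ({interface}) 0 {net} covers {dst} but regular identity NAT "
                           "only applies to connections initiated from the real side (305005)")
    return False, f"no translation for {dst} on {out_if} reachable from {in_if} (305005)"


if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG),
                       ("with static", THREAD_CONFIG + FIX_STATIC),
                       ("with exemption", THREAD_CONFIG + FIX_EXEMPT)):
        ok, why = inbound_translation(parse_config(cfg), "Outside", "OperWebMgmt",
                                      "10.254.227.6", "10.254.230.33")
        print(f"{label:15} {'OK  ' if ok else 'FAIL'} {why}")
```

The point the model makes is the one in Cisco's NAT documentation for this syntax: `nat (if) 0 net mask` without an access list is regular identity NAT, which translates the host to itself only for connections the host initiates, so an inbound connection is rejected with 305005 even when the access list permits it; publishing the host with `static (high,low)` or with NAT exemption (`nat (high) 0 access-list`) satisfies the lookup. With the posted rules the model returns the identity-NAT reason; with either fix appended it returns ok.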

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

I have tried this but got the same result... but this time I can't see the NAT log error message..... any idea?

Now I can see the following logs:

05-09-2008 12:00:54 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.6(2710) -> OperWebMgmt/10.254.230.33(22) hit-cnt 1 first hit

=============================================

05-09-2008 12:04:40 Local6.Info 192.168.1.1 %ASA-6-106015: Deny TCP (no connection) from 10.254.227.6/2897 to 10.254.230.33/22 flags RST on interface Outside

Thanks for quick response.

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Hi,

Any time you see this message - "No translation group found" - it means you are missing NAT or have incorrect NATing. The PIX will not work without NATing even though the access list is allowing the traffic. It needs some kind of NAT: NAT 0 (no NAT), static or dynamic.

2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.*/3882 dst OperWebMgmt:10.254.230.*/22

If you are not able to connect even though you have proper NAT and access lists, it most likely means your return traffic is taking a different path. Packets flowing in both directions should go through the same firewall. The error "Deny TCP (no connection)" means return traffic came to the PIX but the PIX has no entry for the connection initiation.

The connection-initiating packet took one path but the return traffic is coming through some other path. Check your routing on both end systems (default GW or host/network routes), and also on the firewall and any devices in between.

Rate me if this helps

Regards

Kapish
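An added Python example (not from the thread) that applies the reasoning in the reply above to the quoted syslog lines: it parses the three message types seen in this thread (106100 access-list hit, 305005 no translation group, 106015 TCP packet with no connection entry) and turns them into a per-flow verdict. The sample lines are constructed after the ones posted, with the hosts from the later post filled in for the wildcards.

```python
"""Classify PIX/ASA syslog lines into a per-flow diagnosis.
Added example for this page; the sample log is constructed after the thread."""
import re

SAMPLE_LOG = """\
2008-05-07 21:31:29 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.6(3882) -> OperWebMgmt/10.254.230.33(22) hit-cnt 1 first hit
2008-05-07 21:31:29 Local6.Error 192.168.1.1 %ASA-3-305005: No translation group found for tcp src Outside:10.254.227.6/3882 dst OperWebMgmt:10.254.230.33/22
05-09-2008 12:00:54 Local6.Info 192.168.1.1 %ASA-6-106100: access-list Outside-inbound permitted tcp Outside/10.254.227.6(2710) -> OperWebMgmt/10.254.230.33(22) hit-cnt 1 first hit
05-09-2008 12:04:40 Local6.Info 192.168.1.1 %ASA-6-106015: Deny TCP (no connection) from 10.254.227.6/2897 to 10.254.230.33/22 flags RST on interface Outside
"""

# %ASA-<severity>-<message id>: <body>   (PIX 7.x logs %PIX- with the same ids)
MSG_RE = re.compile(r"%(?:ASA|PIX)-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
BODY_RES = {
    "106100": re.compile(r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
                         r"(?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
                         r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
    "305005": re.compile(r"No translation group found for (?P<proto>\w+) "
                         r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "106015": re.compile(r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) "
                         r"on interface (?P<sif>\S+)"),
}

HINTS = {
    "acl-denied": "access list blocks the flow; fix the ACL first",
    "nat-missing": "ACL permits but no translation for the destination: add a static or NAT exemption",
    "no-connection": "packet for a connection the firewall never built: check for asymmetric routing",
    "permitted": "ACL permitted and nothing else logged; look beyond the firewall (host, routing, service)",
}


def parse_line(line):
    """Return (msg_id, fields) for a recognised message, or None for anything else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    body_re = BODY_RES.get(m.group("id"))
    if body_re is None:
        return None
    bm = body_re.search(m.group("body"))
    return (m.group("id"), bm.groupdict()) if bm else None


def diagnose(log_text):
    """Group messages by (src, sport, dst, dport) and return {flow: verdict}."""
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_id, f = parsed
        key = (f["src"], f["sport"], f["dst"], f["dport"])
        # tag like "106100:permitted" or "305005:" so the action survives the grouping
        seen.setdefault(key, set()).add(f"{msg_id}:{f.get('action', '')}")
    verdicts = {}
    for key, tags in seen.items():
        if "106100:denied" in tags:
            verdicts[key] = "acl-denied"
        elif "305005:" in tags:          # NAT lookup failed after the ACL permitted
            verdicts[key] = "nat-missing"
        elif "106015:" in tags:          # no conn entry: return path or stale session
            verdicts[key] = "no-connection"
        else:
            verdicts[key] = "permitted"
    return verdicts


if __name__ == "__main__":
    for (src, sport, dst, dport), verdict in diagnose(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {verdict:13} {HINTS[verdict]}")
```

Grouping on the full 4-tuple rather than on the host pair matters here: the same two hosts appear in all four lines, but the 305005 belongs to the attempt from source port 3882 on the first day, while the 106015 with flags RST from port 2897 on the second day is a separate attempt for which the firewall has no connection entry, which is the asymmetric-path symptom the reply describes.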

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Hi mate,

I have configured the static NAT but still the same thing... please check my last post and see if it makes any sense to you...

Thanks,

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

I have modified my post, please see it again.

Thanks

Kapish

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Can you post the full PIX configuration?

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Hi, were you able to solve it?

Regards

Kapish

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

You have not allowed any FTP traffic between the two hosts. Put this in your config:

access-list Outside-inbound extended permit tcp host 10.254.227.6 host 10.254.230.33 eq ftp

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Sorry, use eq 22 as you are using SFTP. You also need to check that you have the "ip inspect sftp" or "fixup protocol sftp" command on the PIX, depending on your version release.

Community Member

Re: Unable to communicate on SFTP port (Port No 22) between diff

Hi,

Yes, I managed to solve this issue. My client did not tell me that this is a secondary IP address of that server. I have told them that it is not possible to route on the secondary IP, and I have configured the rule on the primary IP to allow SFTP.

Thanks for your great help...
