This document provides answers to frequently asked questions about the use of Techsupport Tunnels on Cisco Content Security appliances.
Cisco recommends that you have knowledge of these topics:
- Cisco Email Security Appliance (ESA)
- Cisco Web Security Appliance (WSA)
- Cisco Security Management Appliance (SMA)
The information in this document is based on the Cisco Content Security appliances that run any version of AsyncOS.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
What are Techsupport Tunnels?
Techsupport tunnels are Secure Shell (SSH) connections that are created from a Cisco Content Security appliance to a bastion host at Cisco Content Security headquarters. Tunnels allow Cisco Customer Support and Applications Engineers to analyze a system and make repairs.
How do Techsupport Tunnels work?
The Techsupport Tunnel works through most firewalls without modification. When the tunnel connection is initiated, the appliance makes an SSH connection from a random high source port to the specified port on one of these Cisco secured servers:
- 220.127.116.11 - for older AsyncOS builds
- upgrades.ironport.com - for older AsyncOS builds
- c.tunnels.ironport.com - for C-Series appliances/ESA
- x.tunnels.ironport.com - for X-Series appliances/ESA
- m.tunnels.ironport.com - for M-Series appliances/SMA
- s.tunnels.ironport.com - for S-Series appliances/WSA
The ports that are available on the Cisco secured-tunnel servers are 22, 25, 53, 80, 443, and 4766. Since the connection is made to the hostname rather than to a hard-coded IP address, a working Domain Name System (DNS) server is required in order to establish the tunnel.
Some protocol-aware devices block the connection because of the protocol/port mismatch, and some Simple Mail Transfer Protocol (SMTP)-aware devices interrupt the connection. Where protocol-aware devices are in the path, or where outbound connections on the default port are blocked, the use of a port other than the default (25) might be required. Access to the remote end of the tunnel is restricted to Cisco Customer Support and Applications Engineers only.
How do I establish a Techsupport Tunnel?
In order to establish a Techsupport Tunnel connection via the appliance CLI as an admin user, complete these steps:
- Enter the techsupport command.
- Choose Tunnel.
- Complete the prompts.
In order to establish a tunnel from the appliance admin GUI, complete these steps:
- Navigate to System Administration > Remote Access.
- Ensure that you check both the Allow remote access to this appliance and Initiate connection via secure tunnel check boxes.
- Submit the form.
Note that any firewall must be configured to allow outbound connections to upgrades.ironport.com. If your firewall has SMTP protocol inspection enabled, the tunnel will not establish on the default port. In these situations, you must specify an alternative port. Choose the most suitable port from this list:
How can I test the Techsupport Tunnel for connectivity?
Use this example in order to perform an initial test for connectivity through your firewall:
example.run> telnet upgrades.ironport.com 25
Connected to upgrades.ironport.com.
Escape character is '^]'.
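As an added example that is not part of the Cisco document, this Python pre-flight check automates the telnet test above: it first verifies that the tunnel host for the appliance series resolves in DNS (a stated prerequisite), then tries each of the listed tunnel ports so that a fallback can be chosen when port 25 is blocked by SMTP inspection. The resolve and connect callables are parameters so the same logic can be run against a simulated firewall.

```python
"""Pre-flight check for a Techsupport Tunnel (added example, not Cisco code):
confirm DNS resolution of the tunnel host, then probe each tunnel port."""
import socket
from typing import Callable, Dict, Iterable

# Tunnel endpoints per appliance series, as listed in the FAQ.
TUNNEL_HOSTS = {
    "C": "c.tunnels.ironport.com",  # C-Series / ESA
    "X": "x.tunnels.ironport.com",  # X-Series / ESA
    "M": "m.tunnels.ironport.com",  # M-Series / SMA
    "S": "s.tunnels.ironport.com",  # S-Series / WSA
}
# Ports offered by the tunnel servers. 25 is the default and the one most
# often broken by SMTP inspection, so it is probed first; the rest are fallbacks.
TUNNEL_PORTS = (25, 22, 53, 80, 443, 4766)


def tunnel_host(series: str) -> str:
    """Map a series letter ('C', 'X', 'M', 'S') to its tunnel hostname."""
    return TUNNEL_HOSTS[series.upper()]


def dns_resolves(host: str) -> bool:
    """The tunnel targets a hostname, so working DNS is a prerequisite."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> bool:
    """Plain TCP connect, the same thing the FAQ's telnet test exercises."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tunnel(host: str, ports: Iterable[int] = TUNNEL_PORTS,
                 resolve: Callable[[str], bool] = dns_resolves,
                 connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, object]:
    """Return DNS status, the ports that accept a connection, and the first usable
    port. resolve/connect are injectable so the check can run without network access."""
    if not resolve(host):
        return {"dns": False, "open_ports": [], "recommended": None}
    open_ports = [p for p in ports if connect(host, p)]
    return {"dns": True, "open_ports": open_ports,
            "recommended": open_ports[0] if open_ports else None}
```

Run `probe_tunnel(tunnel_host("C"))` on the appliance's network to see which ports reach the tunnel server; a result with `"dns": False` means the DNS prerequisite, not the firewall, is the problem.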