Solved

SSH and Telnet Access

Posted on 2008-06-17
2,248 Views
Last Modified: 2013-11-16
I've set up a Cisco ASA 5510 as our firewall security for our network. I had configured the ASA for telnet access on the inside interface of the network, but for some abrupt reason, I am unable to establish any more sessions with it from my workstation. I've made no configuration changes to telnet on the device, I am able to ping the interface, and connect to the device using ASDM, but prefer to use the command line. Any ideas what a noob like me did? As for SSH, what are the proper commands to enable SSH on an interface?

KDillon$ telnet 10.0.2.2
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: Operation timed out

Question by: IcueTV

7 Comments
 
LVL 7

Expert Comment

by:kanlue
ID: 21803613
Assuming that your internal IP is 192.168.10.0/24, here is the basic telnet config you may use on an ASA 5510:
----------
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 0
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 0
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
username <your username> password <yourpassword>
----------

hope it helps.


Author Comment

by:IcueTV
ID: 21803780
All of these are in place, and it's refusing connections now for some reason.
LVL 7

Expert Comment

by:kanlue
ID: 21804821
Can you post 'sh run' here?

Author Comment

by:IcueTV
ID: 21805078
ASA Version 8.0(3)
!
hostname IcueTVFW
domain-name icuetv.com
enable password CXN3PTQq6r3J5cT3 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 65.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name icuetv.com
access-list outside extended permit tcp any host 65.196.22.202 eq 3389
access-list outside extended permit tcp any host 65.196.22.202 eq 3030
access-list outside extended permit tcp any host 65.196.22.202 eq 5222
access-list outside extended permit tcp any host 65.196.22.202 eq 3000
access-list outside extended permit tcp any host 65.196.22.202 eq 800
access-list outside extended permit tcp any host 65.196.22.202 eq ftp
access-list outside extended permit tcp any host 65.196.22.202 eq ssh
access-list outside extended permit tcp any host 65.196.22.202 eq 9090
access-list outside extended permit tcp any host 65.196.22.202 eq 8443
access-list outside extended permit tcp any host 65.196.22.202 eq 8080
access-list outside extended permit tcp any host 65.196.22.202 eq smtp
access-list outside extended permit tcp any host 65.196.22.202 eq pop3
access-list outside extended permit tcp any host 65.196.22.202 eq imap4
access-list outside extended permit tcp any host 65.196.22.202 eq https
access-list outside extended permit tcp any host 65.196.22.202 eq 1677
access-list outside extended permit tcp any host 65.196.22.202 eq 22201
access-list outside extended permit tcp any host 65.196.22.202 eq 22200
access-list outside extended permit tcp any host 65.196.22.202 eq 5900
access-list outside extended permit udp any host 65.196.22.202 eq 800
access-list outside extended permit udp any host 65.196.22.202 eq 5900
access-list inside_nat0_outbound extended permit ip any 10.0.2.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_Pool 10.0.2.50-10.0.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,inside) tcp 10.0.1.222 8443 65.196.22.202 8443 netmask 255.255.255.255
static (inside,inside) tcp 10.0.1.222 8080 65.196.22.202 8080 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 65.196.22.201 1
route inside 10.0.1.0 255.255.255.0 10.0.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
ntp server 10.0.2.2
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy IcueTVTunnel internal
group-policy IcueTVTunnel attributes
 dns-server value 4.2.2.1 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value icueTV.com
username administrator password 7TLPNITT4n1yUxsx encrypted privilege 15
username administrator attributes
 memberof administrators
username rthompson password JJktGBmsvPEebls6 encrypted privilege 15
username rthompson attributes
 service-type nas-prompt
username kdillon password Ktz9P4uOEcFAU3oZ encrypted privilege 15
username kdillon attributes
 vpn-group-policy IcueTVTunnel
tunnel-group IcueTVTunnel type remote-access
tunnel-group IcueTVTunnel general-attributes
 address-pool VPN_Pool
 authentication-server-group (outside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy IcueTVTunnel
tunnel-group IcueTVTunnel ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:db465056a7420704b2e4154346e2f755
LVL 7

Accepted Solution

by: kanlue (earned 50 total points)
ID: 21805160
Please add the following three lines to try:
telnet 10.0.2.0 255.255.255.0 inside
ssh 10.0.2.0 255.255.255.0 inside
no ssh 0.0.0.0 0.0.0.0 inside

hope it helps.

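Why the telnet session timed out, as an added worked example (this is not code from the thread or from Cisco): the posted 'sh run' permits telnet only from 10.0.0.0/24, while a workstation that reaches the inside address 10.0.2.2 sits on the inside 10.0.2.0/24 subnet. The ASA drops to-the-box connections whose source is not in the telnet/ssh/http list instead of refusing them, so the client sees "Operation timed out" rather than "Connection refused". SSH from that subnet was already matched by the posted `ssh 0.0.0.0 0.0.0.0 inside` line, which is the any-source entry the accepted solution removes. The Python below parses the `telnet`/`ssh`/`http` lines of the posted config (embedded as a constructed sample, addresses as posted), checks whether a client would be admitted before and after the accepted solution's three lines, flags any-source entries and cleartext telnet, and emits remediation commands for an assumed admin subnet of 10.0.2.0/24 and an assumed workstation address of 10.0.2.50.

```python
"""Audit Cisco ASA management-plane access lists (telnet / ssh / http).

Added example for this thread, not code from the original posts. The
sample configs below are constructed from the lines posted in the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the management-access lines from the posted 'sh run'
# (the inside interface is 10.0.2.2/24 in that config).
POSTED_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 5
"""

# Constructed sample: the three lines from the accepted solution.
ACCEPTED_FIX = """\
telnet 10.0.2.0 255.255.255.0 inside
ssh 10.0.2.0 255.255.255.0 inside
no ssh 0.0.0.0 0.0.0.0 inside
"""

# Matches '[no] telnet|ssh|http <host> <mask> <nameif>'. Timeout lines,
# 'http server enable' and anything else do not match and are ignored.
_MGMT_LINE = re.compile(
    r"^(?P<no>no\s+)?(?P<proto>telnet|ssh|http)\s+"
    r"(?P<host>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<nameif>\S+)$"
)


def parse_mgmt_access(config):
    """Return {(proto, nameif): [IPv4Network, ...]}, applying 'no ...' lines
    in order, the way the commands would be entered on the box."""
    allowed = defaultdict(list)
    for raw in config.splitlines():
        m = _MGMT_LINE.match(raw.strip())
        if not m:
            continue
        net = ipaddress.IPv4Network((m["host"], m["mask"]), strict=False)
        key = (m["proto"], m["nameif"])
        if m["no"]:
            allowed[key] = [n for n in allowed[key] if n != net]
        elif net not in allowed[key]:
            allowed[key].append(net)
    return dict(allowed)


def is_admitted(allowed, proto, nameif, client_ip):
    """True if client_ip falls inside any permitted network for proto on nameif.
    A miss is what the asker saw: the ASA drops the SYN and the client times out."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in allowed.get((proto, nameif), []))


def audit(allowed):
    """Findings a reviewer would flag: any-source entries and cleartext telnet."""
    findings = []
    for (proto, nameif), nets in sorted(allowed.items()):
        for net in nets:
            if net.prefixlen == 0:
                findings.append(f"{proto} on {nameif}: any-source entry {net}")
        if proto == "telnet" and nets:
            findings.append(f"telnet on {nameif}: cleartext management enabled")
    return findings


def remediation(allowed, admin_nets, nameif="inside"):
    """ASA CLI lines that leave SSH open only to admin_nets and remove telnet.
    Assumes hostname, domain-name and an RSA keypair already exist on the box."""
    wanted = [ipaddress.IPv4Network(a) for a in admin_nets]
    current_ssh = allowed.get(("ssh", nameif), [])
    cmds = [f"no telnet {n.network_address} {n.netmask} {nameif}"
            for n in allowed.get(("telnet", nameif), [])]
    cmds += [f"no ssh {n.network_address} {n.netmask} {nameif}"
             for n in current_ssh if n not in wanted]
    cmds += [f"ssh {n.network_address} {n.netmask} {nameif}"
             for n in wanted if n not in current_ssh]
    cmds.append("ssh version 2")
    return cmds


if __name__ == "__main__":
    workstation = "10.0.2.50"  # assumed: a host on the inside 10.0.2.0/24 subnet
    before = parse_mgmt_access(POSTED_CONFIG)
    after = parse_mgmt_access(POSTED_CONFIG + ACCEPTED_FIX)
    for label, allowed in (("before fix", before), ("after fix", after)):
        print(label, "telnet admitted:", is_admitted(allowed, "telnet", "inside", workstation),
              "ssh admitted:", is_admitted(allowed, "ssh", "inside", workstation))
        for finding in audit(allowed):
            print("  -", finding)
    print("\n".join(remediation(after, ["10.0.2.0/24"])))
```

Two things the basic list in the first reply leaves out, for anyone following it on a fresh ASA: SSH needs a `hostname`, a `domain-name` (both already present in the posted config) and an RSA keypair (`crypto key generate rsa modulus 2048`) before `ssh <net> <mask> inside` admits anyone, and `ssh version 2` disables the v1 fallback. Also, the ASA accepts idle timeouts only in the range 1 to 1440 minutes for `telnet timeout` and 1 to 60 for `ssh timeout`, so the `timeout 0` lines in that reply will be rejected; the posted `timeout 5` is the sensible setting. After changing the lists, confirm them with `show running-config ssh` and `show running-config telnet` on the ASA before closing your working session.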

Author Comment

by:IcueTV
ID: 21805684
SSH is working now; telnet is still not, for some reason.

Author Comment

by:IcueTV
ID: 21805830
kanlue, I appreciate the help. I'm going to end it; it's best I don't run telnet anyway, and keep things more secure by running SSH.

Question has a verified solution.
