Cisco ASA to 2811 GUI access

I have an ASA5510 with a 2811 router on the outside. If I try to access or manage the 2811 via telnet or the GUI it fails. The only way I can access it is to use a console cable on the 2811 and make my changes. I would like to be able to reach it from my desktop computer (which is on the inside of the ASA). What should I be looking for on the ASA to allow this?
davidummelAsked:
ccsistaffCommented:
To piggyback off of donboo, I'm not suggesting you leave the access-class off forever. I'm simply suggesting that since you are having so much trouble connecting over telnet, it would be worth removing the access-class temporarily to make sure it is a config issue on the router and not somewhere else.

Because this router does sit live on the internet, it is a good idea, as suggested by donboo, to enable SSH and deny all telnet traffic to the vty with:

crypto key generate rsa usage-keys 1024

line vty 0 4
transport input ssh
 
ccsistaffCommented:
You could have more than one issue here, but I'll try to be as thorough as possible. The ASA inside interface has a higher security level than the outside interface, and as such all traffic is allowed to pass by default from the inside to the outside. Likely the problem is not in the ASA unless you've disallowed specific protocol traffic to pass.

On the 2811 router, verify that the line configuration is correct for telnet/ssh and that http server access is available:

line vty 0 4
password <password>
login
transport input ssh telnet

router(config)#ip http server

--For added http security:
router(config)#ip http secure-server
 
davidummelAuthor Commented:
I will attach the config; you will see why I need to get in there. Much stuff to clean.
Note:
XXXXX = stuff removed/changed
encina-gw#wr t
Building configuration...
 
Current configuration : 5203 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service sequence-numbers
!
hostname encina-gw
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$.rzl$1vmRPtZypv1/HyTUdwwrB.
enable password 7 0558080C70424F030904
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
ip domain name ALTER.NET
ip name-server 198.6.1.2
login block-for 5 attempts 100 within 5
!
username encina privilege 15 secret 5 $1$oUqE$5VjJVdMhiSxLi8M/9WpsK.
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 65.193.119.129 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description To UUNET (u57952)
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
logging trap debugging
logging facility local2
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit udp any any eq bootpc
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp host 199.171.54.0 any
access-list 101 permit icmp host 153.39.50.6 any
access-list 101 permit icmp host 153.39.57.136 any
access-list 101 permit icmp host 153.39.57.196 any
access-list 101 permit icmp host 153.39.129.196 any
access-list 101 permit icmp host 153.39.129.230 any
access-list 101 permit icmp host 153.39.129.30 any
access-list 101 permit icmp host 153.39.201.154 any
access-list 101 permit icmp host 153.39.201.213 any
access-list 101 permit icmp host 153.39.203.154 any
access-list 101 permit icmp host 153.39.203.213 any
access-list 101 deny   ip host 208.172.35.201 any
access-list 101 deny   ip any host 208.172.35.201
access-list 101 deny   icmp host 208.172.35.201 any
access-list 101 deny   ip host 137.39.5.176 any
access-list 101 deny   icmp host 137.39.5.176 any
access-list 101 deny   ip host 65.193.11.48 any
access-list 101 deny   icmp any any timestamp-request
access-list 101 deny   icmp any any mask-request
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
snmp-server engineID local 000000090200000427F67AE0
snmp-server community bdde5085d3 RO
snmp-server packetsize 2048
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
 
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
 
used the username "cisco" to login to the router and your IOS image supports the
 
"one-time" user option, then this username has already expired. You will not be
 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CINE
You have logged into a secure device, logoff now or face criminal prosecution ^C
 
banner motd ^CINE
You have logged into a secure device, logout now or face criminal prosecution ^C
 
!
line con 0
 exec-timeout 5 0
 password a0a569d764
 login authentication local_auth
 transport preferred none
 transport output telnet
line aux 0
 exec-timeout 15 0
 password a0a569d764
 login authentication local_auth
 modem InOut
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn v120
 stopbits 1
 flowcontrol hardware
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 053C071B245E1617
 login authentication local_auth
 transport preferred none
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password 7 122E04031719541A
 login authentication local_auth
 transport input telnet
!
no scheduler allocate
!
end
 
encina-gw#

ccsistaffCommented:
Your access-list 23 is permitting access to telnet and http only from 10.0.0.0 0.0.0.7. Your ASA is performing NAT. Try adding the network 65.193.119.129 255.255.255.224 to your access-list 23.

access-list 23 permit ip 65.193.119.129 0.0.0.31
 
davidummelAuthor Commented:
When adding the command it did not like the '0.0.0.31' part,
but it added this line to the config:
access-list 23 permit ip 62.58.128.48 65.193.119.129
I still cannot access it via web or telnet.
 
ccsistaffCommented:
Try using your NATed public IP specifically. If you don't know it, go to whatismyip.com. Then add
access-list 23 permit ip (public-IP)

Remove the ones added before.
 
davidummelAuthor Commented:
When I type in the following:
access-list 23 permit ip xx.xxx.xxx.xxx   (x = my outside IP)
it inserts the line:
access-list 23 permit ip 62.58.128.49 xx.xxx.xxx.xxx (x = my outside IP that I typed in)
Why does it insert the -62.58.128.49-?
I am thinking that I need to type something like 0.0.0.31, which is what you suggested above, but then it says in the console something like translating with 198.6.1.2, and then changes the access list as shown.
 
DonbooCommented:
What you can do is type

access-list 23 permit ip host x.x.x.x (x = your outside IP address)

e.g. access-list 23 permit ip host 11.22.33.44

This will also allow the single IP address 11.22.33.44 to connect to the vty (telnet/ssh).

Also, for security reasons, you should remove telnet access and add ssh access instead for the vty.
 
ccsistaffCommented:
Sorry. The syntax is

access-list 23 permit ip host 62.58.128.49

Adding the 'host' keyword eliminates the need to add a subnet mask, as it indicates only one host is allowed.

Alternatively you can remove the access-class altogether on the router:

line vty 0 4
no access-class 23 in

This will remove the network restriction, allowing you to telnet to the router from anywhere.
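The wildcard-mask discussion above (why the router stored 62.58.128.48 65.193.119.129, why the 10.10.10.0 0.0.0.7 entry never admits the ASA, and what the 'host' form does) can be checked mechanically. The block below is an added example, not code from the thread or from Cisco: it reproduces how IOS evaluates a standard numbered access-list and runs the posted ACL 23 variants against a constructed ASA outside address (65.193.119.130, assumed to sit in the router's 65.193.119.128/27 segment; the thread never gives the real value). The misparsed entry is written without the stray 'ip' token, in the form a standard ACL actually stores; the values are consistent with the router having treated 'ip' as a host name and resolved it through the configured name server, which matches the "translating ... 198.6.1.2" message the author reports.

```python
"""Added example: standard (numbered 1-99) IOS access-list evaluation.

Entry forms: 'access-list N permit|deny A.B.C.D [W.X.Y.Z]' or
'access-list N permit|deny host A.B.C.D'.  A set bit in the wildcard
means "don't care"; entries are tested top-down; a source that matches
nothing hits the implicit deny at the end of the list.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(host\s+)?(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(\d+\.\d+\.\d+\.\d+))?\s*$"
)


def parse_standard_acl(lines, number):
    """Return [(action, network, wildcard)] as ints for ACL `number`.

    The network is normalised the way IOS stores it: bits the wildcard
    marks as "don't care" are cleared, so '65.193.119.129 0.0.0.31' is
    kept as 65.193.119.128 0.0.0.31.
    """
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        _, action, host_kw, addr, wildcard = m.groups()
        addr_int = int(ipaddress.IPv4Address(addr))
        # 'host A.B.C.D' and a bare address are both an exact match.
        wc_int = 0 if (host_kw or wildcard is None) else int(ipaddress.IPv4Address(wildcard))
        entries.append((action, addr_int & ~wc_int & 0xFFFFFFFF, wc_int))
    return entries


def describe(entries):
    """Render parsed entries back as 'permit A.B.C.D W.X.Y.Z' strings."""
    return [f"{a} {ipaddress.IPv4Address(n)} {ipaddress.IPv4Address(w)}" for a, n, w in entries]


def acl_permits(entries, source):
    """True if `source` is permitted; False on an explicit or implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wc in entries:
        if (src & ~wc & 0xFFFFFFFF) == net:
            return action == "permit"
    return False


# Constructed: the ASA's outside address (assumption, not from the thread).
ASA_OUTSIDE = "65.193.119.130"

# From the posted config: only the 10.10.10.0/29 block may reach vty/http.
ORIGINAL = ["access-list 23 permit 10.10.10.0 0.0.0.7"]
# What the router ended up storing after the first attempt in the thread.
MISPARSED = ORIGINAL + ["access-list 23 permit 62.58.128.48 65.193.119.129"]
# Two correct ways to admit the ASA: its whole /27, or just its address.
SUBNET_FIX = ORIGINAL + ["access-list 23 permit 65.193.119.129 0.0.0.31"]
HOST_FIX = ORIGINAL + ["access-list 23 permit host " + ASA_OUTSIDE]


def check(lines, source):
    """Convenience wrapper: does ACL 23 built from `lines` permit `source`?"""
    return acl_permits(parse_standard_acl(lines, 23), source)


if __name__ == "__main__":
    for name, lines in [("original", ORIGINAL), ("misparsed", MISPARSED),
                        ("subnet fix", SUBNET_FIX), ("host fix", HOST_FIX)]:
        print(f"{name:10s} -> {describe(parse_standard_acl(lines, 23))[-1]:40s}"
              f" permits {ASA_OUTSIDE}: {check(lines, ASA_OUTSIDE)}")
```

The misparsed entry does admit 62.58.128.49 itself, which is why the router accepted it without complaint, but it never matches anything in 65.193.119.128/27, so the ASA stayed locked out until the 'host' form was used.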
 
ccsistaffCommented:
To remove the restriction on http:

no ip http access-class 23
 
davidummelAuthor Commented:
Well, thanks, but no go. I adjusted it and I can get to the SDM, but now it will not access the internet. With the config below could you help me out? It will do SDM and console, but will not connect to my internet provider.

Current configuration : 2625 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service sequence-numbers
!
hostname encina-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$k/o5$2YVPxxxT8xRgKE8DjZEdrs8G.
enable password xxxxx
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
ip domain name ALTER.NET
ip name-server 198.6.1.2
login block-for 5 attempts 100 within 5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 65.193.119.xxx 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description To UUxxT (xxxx)
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip http server
!
!
logging trap debugging
logging facility local2
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit udp any any eq bootpc
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp host 199.171.54.0 any
access-list 101 permit icmp host 153.39.50.6 any
access-list 101 permit icmp host 153.39.57.136 any
access-list 101 permit icmp host 153.39.57.196 any
access-list 101 permit icmp host 153.39.129.196 any
access-list 101 permit icmp host 153.39.129.230 any
access-list 101 permit icmp host 153.39.129.30 any
snmp-server engineID local 000000090200000427F67AE0
snmp-server community bdde5085d3 RO
snmp-server packetsize 2048
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
 
no cdp run
!
control-plane
!
!
line con 0
 password xxx
line aux 0
 password xxx
line vty 0 4
 password xxxx
!
no scheduler allocate
!
end
 
encina-gw#

 
ccsistaffCommented:
Your access-list 101 is missing a lot of its original entries. Specifically it is missing the statement

access-list 101 permit ip any any

Specifics:

Now all of these original entries are missing. The permit ip any any is the one stopping your internet access.

access-list 101 deny   ip host 208.172.35.201 any
access-list 101 deny   ip any host 208.172.35.201
access-list 101 deny   icmp host 208.172.35.201 any
access-list 101 deny   ip host 137.39.5.176 any
access-list 101 deny   icmp host 137.39.5.176 any
access-list 101 deny   ip host 65.193.11.48 any
access-list 101 deny   icmp any any timestamp-request
access-list 101 deny   icmp any any mask-request
access-list 101 permit ip any any
 
DonbooCommented:
Also, you should consider allowing ESP:
access-list 101 permit ESP any any

The removal of 'access-class 23 in' on the vty/http makes everyone able to connect to the router. I recommend you use the access-list from my last post for security reasons.
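The thread ends with the router reachable but wide open (no access-class on the vty or http server, telnet still possible, cleartext passwords) and with an inbound ACL 101 whose lost 'permit ip any any' was dropping all transit traffic. The block below is an added example, not code from the thread or from Cisco: a small audit that reads an IOS running-config and flags exactly those management-plane and filter conditions. The two sample configs are constructed; the first is trimmed from the author's second posted config (with its xxx placeholders kept), the second is a hardened rewrite using a constructed ASA outside address of 65.193.119.130. The check for a missing 'transport input' deliberately does not assume what the platform default is; it simply asks that the line pin it to ssh.

```python
"""Added example: management-plane audit of an IOS running-config.

Flags: vty lines that accept telnet or do not pin 'transport input',
vty lines and the HTTP server without an access-class,
'no service password-encryption', and an inbound interface ACL whose
last entry is not 'permit ip any any' (everything else then falls to
the implicit deny, which is what cut off internet access in the thread).
"""
import re


def sections(config):
    """Yield (header, body) per top-level stanza; body holds the indented
    lines that belong to the stanza, stripped of their indentation."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    stanzas = list(sections(config))
    top = [h for h, _ in stanzas]
    applied = {}  # ACL number -> interface header it is applied to inbound

    for header, body in stanzas:
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: no 'transport input'; set 'transport input ssh'")
            elif any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{header}: telnet accepted; set 'transport input ssh'")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class; vty reachable from any source")
        elif header.startswith("interface"):
            for b in body:
                m = re.fullmatch(r"ip access-group (\d+) in", b)
                if m:
                    applied[int(m.group(1))] = header

    http_on = any(h in ("ip http server", "ip http secure-server") for h in top)
    if http_on and not any(h.startswith("ip http access-class") for h in top):
        findings.append("http server: enabled with no 'ip http access-class'")
    if "no service password-encryption" in top:
        findings.append("no service password-encryption: line passwords stored in clear text")

    for number, iface in applied.items():
        entries = [re.sub(r"\s+", " ", h) for h in top if h.startswith(f"access-list {number} ")]
        if entries and not entries[-1].endswith("permit ip any any"):
            findings.append(f"access-list {number} on {iface}: last entry is not "
                            "'permit ip any any'; implicit deny drops all other traffic")
    return findings


# Constructed: trimmed from the author's second posted config.
POSTED = """version 12.4
no service password-encryption
hostname encina-gw
interface FastEthernet0/0
 ip address 65.193.119.xxx 255.255.255.224
interface Serial0/0/0.1 point-to-point
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
ip http server
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp host 153.39.50.6 any
line vty 0 4
 password xxxx
end
"""

# Constructed: hardened rewrite (65.193.119.130 is an assumed ASA address).
HARDENED = """version 12.4
service password-encryption
hostname encina-gw
interface Serial0/0/0.1 point-to-point
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
no ip http server
ip http secure-server
ip http access-class 23
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit host 65.193.119.130
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit ip any any
line vty 0 4
 access-class 23 in
 transport input ssh
end
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against a saved 'show running-config' before and after a change like the one in this thread: the access-class and transport findings should disappear, and the ACL finding tells you at once when a filter has lost its closing permit.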