Solved

Cisco ASA to 2811 GUI access

Posted on 2009-04-30
Last Modified: 2012-06-22
I have an ASA5510 with a 2811 router on the outside. If I try to access the 2811 to manage it via telnet or the GUI, it fails. The only way I can access it is to use a console cable on the 2811 and make my changes. I would like to be able to reach it from my desktop computer (which is on the inside of the ASA). What should I be looking for on the ASA to allow this?
Question by:davidummel
13 Comments
 
LVL 3

Expert Comment

by:ccsistaff
ID: 24272820
You could have more than one issue here, but I'll try to be as thorough as possible. The ASA inside interface has a higher security level than the outside interface, and as such all traffic is allowed to pass by default from the inside to the outside. Likely the problem is not in the ASA unless you've disallowed specific protocol traffic to pass.

On the 2811 router, verify that the line configuration is correct for telnet/ssh and that the http server access is available:

line vty 0 4
 password <password>
 login
 transport input ssh telnet

router(config)#ip http server

--For added http security:
router(config)#ip http secure-server
 

Author Comment

by:davidummel
ID: 24272963
I will attach the config; you will see why I need to get in there. Much stuff to clean.
Note:
XXXXX = stuff removed/changed
encina-gw#wr t
Building configuration...
 
Current configuration : 5203 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service sequence-numbers
!
hostname encina-gw
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$.rzl$1vmRPtZypv1/HyTUdwwrB.
enable password 7 0558080C70424F030904
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
ip domain name ALTER.NET
ip name-server 198.6.1.2
login block-for 5 attempts 100 within 5
!
username encina privilege 15 secret 5 $1$oUqE$5VjJVdMhiSxLi8M/9WpsK.
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 65.193.119.129 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description To UUNET (u57952)
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
logging trap debugging
logging facility local2
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit udp any any eq bootpc
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp host 199.171.54.0 any
access-list 101 permit icmp host 153.39.50.6 any
access-list 101 permit icmp host 153.39.57.136 any
access-list 101 permit icmp host 153.39.57.196 any
access-list 101 permit icmp host 153.39.129.196 any
access-list 101 permit icmp host 153.39.129.230 any
access-list 101 permit icmp host 153.39.129.30 any
access-list 101 permit icmp host 153.39.201.154 any
access-list 101 permit icmp host 153.39.201.213 any
access-list 101 permit icmp host 153.39.203.154 any
access-list 101 permit icmp host 153.39.203.213 any
access-list 101 deny   ip host 208.172.35.201 any
access-list 101 deny   ip any host 208.172.35.201
access-list 101 deny   icmp host 208.172.35.201 any
access-list 101 deny   ip host 137.39.5.176 any
access-list 101 deny   icmp host 137.39.5.176 any
access-list 101 deny   ip host 65.193.11.48 any
access-list 101 deny   icmp any any timestamp-request
access-list 101 deny   icmp any any mask-request
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
snmp-server engineID local 000000090200000427F67AE0
snmp-server community bdde5085d3 RO
snmp-server packetsize 2048
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
 
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
 
used the username "cisco" to login to the router and your IOS image supports the
 
"one-time" user option, then this username has already expired. You will not be
 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CINE
You have logged into a secure device, logoff now or face criminal prosecution ^C
 
banner motd ^CINE
You have logged into a secure device, logout now or face criminal prosecution ^C
 
!
line con 0
 exec-timeout 5 0
 password a0a569d764
 login authentication local_auth
 transport preferred none
 transport output telnet
line aux 0
 exec-timeout 15 0
 password a0a569d764
 login authentication local_auth
 modem InOut
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn v120
 stopbits 1
 flowcontrol hardware
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 053C071B245E1617
 login authentication local_auth
 transport preferred none
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password 7 122E04031719541A
 login authentication local_auth
 transport input telnet
!
no scheduler allocate
!
end
 
encina-gw#

 
LVL 3

Expert Comment

by:ccsistaff
ID: 24273052
Your access-list 23 is permitting access to telnet and http only from 10.0.0.0 0.0.0.7. Your ASA is performing NAT. Try adding the network 65.193.119.129 255.255.255.224 to your access-list 23.

access-list 23 permit ip 65.193.119.129 0.0.0.31

Author Comment

by:davidummel
ID: 24273251
When adding the command, it did not like the '0.0.0.31' part,
but it added this line to the config:
access-list 23 permit ip 62.58.128.48 65.193.119.129
I still cannot access it via web or telnet.
 
LVL 3

Expert Comment

by:ccsistaff
ID: 24273439
Try using your NATed public IP specifically. If you don't know it, go to whatismyip.com. Then add
access-list 23 permit ip (public-IP)

Remove the ones added before.
 

Author Comment

by:davidummel
ID: 24273879
When I type in the following:
access-list 23 permit ip xx.xxx.xxx.xxx   (x = my outside IP)
it inserts the line:
access-list 23 permit ip 62.58.128.49 xx.xxx.xxx.xxx (x = my outside IP that I typed in)
Why does it insert the 62.58.128.49?
I am thinking that I need to type something like 0.0.0.31, which is what you suggested above, but then it says in the console something like "translating with 198.6.1.2", and then changes the access list as shown.
 
LVL 9

Expert Comment

by:Donboo
ID: 24275091
What you can do is type

access-list 23 permit ip host x.x.x.x (x = your outside IP address)

e.g. access-list 23 permit ip host 11.22.33.44

This will also allow the single IP address 11.22.33.44 to connect to the vty (telnet/ssh).

Also, for security reasons, you should remove telnet access and add ssh access instead for the vty.
 
LVL 3

Expert Comment

by:ccsistaff
ID: 24275092
Sorry. The syntax is

access-list 23 permit ip host 62.58.128.49

Adding the 'host' keyword eliminates the need to add a subnet mask, as it indicates only one host is allowed.

Alternatively, you can remove the access-class altogether on the router:

line vty 0 4
 no access-class 23 in

This will remove the network restriction, allowing you to telnet to the router from anywhere.
 
LVL 3

Expert Comment

by:ccsistaff
ID: 24275096
To remove the restriction on http:

no ip http access-class 23
 

Author Comment

by:davidummel
ID: 24275296
Well, thanks, but no go. I adjusted it and I can get to the SDM, but now it will not access the internet. With the config below, could you help me out? It will do SDM and console, but will not connect to my internet provider.

Current configuration : 2625 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service sequence-numbers
!
hostname encina-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$k/o5$2YVPxxxT8xRgKE8DjZEdrs8G.
enable password xxxxx
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
ip domain name ALTER.NET
ip name-server 198.6.1.2
login block-for 5 attempts 100 within 5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 65.193.119.xxx 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description To UUxxT (xxxx)
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip http server
!
!
logging trap debugging
logging facility local2
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit udp any any eq bootpc
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp host 199.171.54.0 any
access-list 101 permit icmp host 153.39.50.6 any
access-list 101 permit icmp host 153.39.57.136 any
access-list 101 permit icmp host 153.39.57.196 any
access-list 101 permit icmp host 153.39.129.196 any
access-list 101 permit icmp host 153.39.129.230 any
access-list 101 permit icmp host 153.39.129.30 any
snmp-server engineID local 000000090200000427F67AE0
snmp-server community bdde5085d3 RO
snmp-server packetsize 2048
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
 
no cdp run
!
control-plane
!
!
line con 0
 password xxx
line aux 0
 password xxx
line vty 0 4
 password xxxx
!
no scheduler allocate
!
end
 
encina-gw#

 
LVL 3

Expert Comment

by:ccsistaff
ID: 24276060
Your access-list 101 is missing a lot of its original entries. Specifically, it is missing the statement:

access-list 101 permit ip any any

Specifics:

All of these original entries are now missing. The missing permit ip any any is the one stopping your internet access.

access-list 101 deny   ip host 208.172.35.201 any
access-list 101 deny   ip any host 208.172.35.201
access-list 101 deny   icmp host 208.172.35.201 any
access-list 101 deny   ip host 137.39.5.176 any
access-list 101 deny   icmp host 137.39.5.176 any
access-list 101 deny   ip host 65.193.11.48 any
access-list 101 deny   icmp any any timestamp-request
access-list 101 deny   icmp any any mask-request
access-list 101 permit ip any any
 
LVL 9

Expert Comment

by:Donboo
ID: 24277170
Also, you should consider allowing ESP:
access-list 101 permit esp any any

The removal of "access-class 23 in" on the vty/http makes everyone able to connect to the router. I recommend you use the access-list from my last post for security reasons.
 
LVL 3

Accepted Solution

by:
ccsistaff earned 2000 total points
ID: 24279633
To piggyback off of donboo, I'm not suggesting you leave the access-class off forever. I'm simply suggesting that, since you are having so much trouble connecting over telnet, it would be worth removing the access-class temporarily to make sure it is a config issue on the router and not somewhere else.

Because this router does sit live on the internet, it is a good idea, as suggested by donboo, to enable SSH and deny all telnet traffic to the vty with

crypto key generate rsa usage-keys 1024

line vty 0 4
 transport input ssh
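Editor's note: the two configuration faults this thread turns on (access-list 101 losing its final "permit ip any any", which cuts off internet access through the implicit deny, and the vty/http management access being left either unreachable or wide open with telnet) are easy to miss by eye in a long running-config. The following is an added example, not code from the thread or from Cisco: a small Python audit over a constructed config fragment modelled on the second config posted above. It flags an extended ACL with no final permit, a vty line with no access-class or with a transport input that is not restricted to ssh, and "ip http server" enabled without an access-class.

```python
import re

# Constructed fragment modelled on the thread's second (broken) config: the vty
# line lost its access-class and still accepts telnet, "ip http server" has no
# access-class, and access-list 101 lost its final "permit ip any any".
BROKEN_CONFIG = """\
ip http server
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any unreachable
line vty 0 4
 password xxxx
 transport input telnet
"""

def audit_ios_config(text):
    """Return findings for the management-access problems discussed in the thread."""
    lines, findings, acls = text.splitlines(), [], {}
    for ln in lines:  # group numbered ACL entries by ACL number, keeping order
        m = re.match(r"access-list (\d+) (\w+)\s+(.*)", ln)
        if m:
            acls.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3).strip()))
    # An extended ACL ends in an implicit deny; without a final permit every
    # flow not explicitly listed (here, all normal internet traffic) is dropped.
    for num, entries in acls.items():
        if 100 <= num <= 199 and entries[-1] != ("permit", "ip any any"):
            findings.append(f"ACL {num}: no final 'permit ip any any'")
    blocks, current = {}, None  # indented body of each "line ..." block
    for ln in lines:
        if ln.startswith("line "):
            current = ln.strip()
            blocks[current] = []
        elif current and ln.startswith(" "):
            blocks[current].append(ln.strip())
        else:
            current = None
    for name, body in blocks.items():
        if name.startswith("line vty"):
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{name}: no access-class, reachable from any source")
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input not restricted to ssh")
    if "ip http server" in lines and not any(l.startswith("ip http access-class ") for l in lines):
        findings.append("ip http server: enabled without an access-class")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(BROKEN_CONFIG):
        print(finding)
```

Applying the thread's fixes (restoring "permit ip any any", re-adding "access-class 23 in" and "ip http access-class 23", and setting "transport input ssh") makes the audit return no findings.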
