Solved

Manage an ASA 5505 via console port with 2511

Posted on 2009-07-03
7
1,040 Views
Last Modified: 2012-05-07
I have a 2511 router configured to connect with all of my devices successfully...except for the ASA 5505 firewall. When I try to access the firewall it opens a connection, I know this because it says it's open and can be verified with the 'sh sessions' command; but it seems to get stuck there without even getting to the authentication. The firewall and router work otherwise. I'm fairly new to this and I'd appreciate any help.
2511

------------------------------------------------

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname R1
!
!
username <username> privilege 15 password 7 <password>
ip subnet-zero
ip host R2 2001 10.0.0.100
ip host R3 2002 10.0.0.100
ip host R4 2003 10.0.0.100
ip host S1 2004 10.0.0.100
ip host S2 2005 10.0.0.100
ip host S3 2006 10.0.0.100
ip host F1 2007 10.0.0.100
!
!
interface Loopback0
 ip address 10.0.0.100 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.240
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
!
!
!
line con 0
 logging synchronous
 transport input none
line 1 16
 transport input telnet
line aux 0
 password 7 <password>
 login local
line vty 0 4
 password 7 <password>
 login local
!
end

========================================

ASA 5505

--------------------

ASA Version 7.2(4)
!
hostname F1
enable password <password> encrypted
passwd <password> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.129 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server X.X.X.X
 name-server X.X.X.X
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group network GROUP
 network-object X.X.X.X 255.255.255.255
 network-object X.X.X.X 255.255.255.255
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit ip object-group GROUP any
access-list INBOUND extended permit tcp host X.X.X.X any eq X
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface X X.X.X.X X netmask 255.255.255.255
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet X.X.X.X 255.255.255.0 inside
telnet X.X.X.X 255.255.255.0 inside
telnet timeout 5
ssh X.X.X.X 255.255.255.0 inside
ssh timeout 5
console timeout 15
dhcp-client client-id interface outside
dhcpd auto_config outside
!
username <username> password <password> encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57520962a0f6ef77157b8d1edce371f6
: end


Question by: d_prime

7 Comments
 
LVL 79

Accepted Solution

by: lrmoore (earned 168 total points)
ID: 24776939
There's nothing special or magic about the ASA console port that's different from a router's. Not sure why it wouldn't work just as you have it. It uses the same baud rate and everything else that the other devices use, unless you've changed them someplace.
 
LVL 28

Expert Comment

by:asavener
ID: 24776965
I don't think the ASA has a route to your router.

Router's address is 10.0.0.1, ASA's address is 10.1.1.129, and I don't see any route statements in the ASA configuration.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24777021
No routing required. This is a simple reverse-telnet session on the 2511 to a serial aux port connected to the console port of the ASA.
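The mapping lrmoore describes can be checked against the 2511 configuration posted above: on IOS, a telnet to TCP port 2000 + N on one of the router's own addresses is handed to async line N, so 'ip host F1 2007 10.0.0.100' lands on line 7, which falls inside the 'line 1 16' block that carries 'transport input telnet'. The Python script below is an added example, not code posted by anyone in this thread. SAMPLE_CONFIG is reconstructed from d_prime's 2511 configuration (the <password> placeholders are the page's own), and the checks it makes (address present on a local interface, line covered by an async line block that explicitly allows telnet, and whether that block requires login) are this example's own.

```python
"""Audit the reverse-telnet mappings in a Cisco IOS access-server config.

Added example for this thread, not code posted in it. SAMPLE_CONFIG is
reconstructed from the 2511 configuration d_prime posted.
"""
import re
from dataclasses import dataclass

# IOS reverse telnet: TCP port 2000 + N on a local address reaches async line N.
REVERSE_TELNET_BASE = 2000

# Reconstructed from the posted 2511 config (constructed sample, trimmed).
SAMPLE_CONFIG = """\
hostname R1
ip host R2 2001 10.0.0.100
ip host R3 2002 10.0.0.100
ip host R4 2003 10.0.0.100
ip host S1 2004 10.0.0.100
ip host S2 2005 10.0.0.100
ip host S3 2006 10.0.0.100
ip host F1 2007 10.0.0.100
interface Loopback0
 ip address 10.0.0.100 255.255.255.255
line con 0
 transport input none
line 1 16
 transport input telnet
line aux 0
 password 7 <password>
 login local
line vty 0 4
 password 7 <password>
 login local
"""


@dataclass
class Mapping:
    name: str        # 'ip host' name, e.g. F1
    port: int        # TCP port the name resolves to
    address: str     # router address the name resolves to
    line: int        # async line the port lands on (port - 2000)
    reachable: bool  # address is configured on a local interface
    covered: bool    # some 'line N M' block includes that async line
    telnet_in: bool  # that block explicitly allows transport input telnet/all
    login: bool      # that block requires login before handing out the line


def parse_line_blocks(config):
    """Return (kind, first, last, subcommands) for every 'line ...' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current[3].append(raw.strip())
            continue
        current = None  # any other top-level command ends the block
        m = re.match(r"^line(?: (con|aux|vty))? (\d+)(?: (\d+))?$", raw)
        if m:
            kind, first = m.group(1) or "tty", int(m.group(2))
            current = (kind, first, int(m.group(3) or first), [])
            blocks.append(current)
    return blocks


def interface_addresses(config):
    """Addresses set under interfaces (one leading space = interface subcommand)."""
    return set(re.findall(r"^ ip address (\d+\.\d+\.\d+\.\d+) ", config, re.M))


def audit_reverse_telnet(config):
    """Resolve each 'ip host NAME PORT ADDR' entry to its async line and checks."""
    addrs, blocks = interface_addresses(config), parse_line_blocks(config)
    results = []
    for m in re.finditer(r"^ip host (\S+) (\d+) (\S+)$", config, re.M):
        name, port, addr = m.group(1), int(m.group(2)), m.group(3)
        line_no = port - REVERSE_TELNET_BASE
        cover = [b for b in blocks if b[0] == "tty" and b[1] <= line_no <= b[2]]
        cmds = cover[0][3] if cover else []
        # Only explicit configuration is trusted; platform defaults are not assumed.
        transports = [t for c in cmds if c.startswith("transport input ")
                      for t in c.split()[2:]]
        results.append(Mapping(
            name=name, port=port, address=addr, line=line_no,
            reachable=addr in addrs, covered=bool(cover),
            telnet_in=any(t in ("telnet", "all") for t in transports),
            login=any(c == "login" or c.startswith("login ") for c in cmds)))
    return results


def find_issues(mappings):
    """Human-readable findings; an empty list means every mapping checks out."""
    issues = []
    for m in mappings:
        where = f"{m.name}: TCP {m.port} on {m.address} -> async line {m.line}"
        if not m.reachable:
            issues.append(f"{where}: address is not on any local interface")
        if not m.covered:
            issues.append(f"{where}: no 'line' block covers that async line")
        elif not m.telnet_in:
            issues.append(f"{where}: covering block lacks 'transport input telnet'")
        if not m.login:
            issues.append(f"{where}: no 'login' on the line; the attached console is "
                          "reachable without authenticating to the router")
    return issues


if __name__ == "__main__":
    for issue in find_issues(audit_reverse_telnet(SAMPLE_CONFIG)):
        print(issue)
```

Run against the posted config it reports one finding per host: the 'line 1 16' block has no 'login', so anyone who can reach 10.0.0.100 on ports 2001-2007 lands straight on the attached console and is authenticated only by the device at the other end of the cable (for F1 that is the ASA's 'aaa authentication serial console LOCAL'). It says nothing about the original symptom, which turned out to be the cable, but it is the configuration-side check worth running before suspecting hardware.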
 

Author Comment

by:d_prime
ID: 24777059
I added an inside route to 10.0.0.0 255.255.255.0 via gateway 10.0.0.1 (since that's the only device connected directly from that net) with metric 1 as a 'just in case' and still no dice. When I connect directly via the console port with my PC using default settings everything works perfectly, and the cable is custom but it works - I've tried it with several other devices.
 
LVL 28

Assisted Solution

by: asavener (earned 82 total points)
ID: 24778249
Er... why bother with reverse telnet when you can just telnet from the 2511?
 

Author Comment

by:d_prime
ID: 24780058
asavener

It would be easier to just go ahead and do that, since that does work. But it seems like I should be able to get the reverse telnet working somehow, and I tend to learn more trying to 'fix' things than just circumventing the problem... on the other hand, there doesn't seem to be much more to do to 'fix' this problem.

I guess I'll leave this open for a bit longer to see if anybody is able to add anything - otherwise I'll have to consider it a lost cause :(
 

Author Comment

by:d_prime
ID: 24780196
Problem solved - the wonderful custom cable that I'd been using was the problem. I swapped it out with all my other connections to test it with other devices, again, but this time it wasn't working so well. Again, I tried a new cable for the ASA 5505 connection and that seemed to work. So, the moral of the story is that I need to get a decent cable tester.
