Manage an ASA 5505 via console port with 2511

Posted on 2009-07-03
Last Modified: 2012-05-07
I have a 2511 router configured to connect with all of my devices successfully...except for the ASA 5505 firewall. When I try to access the firewall it opens a connection, I know this because it says it's open and can be verified with the 'sh sessions' command; but it seems to get stuck there without even getting to the authentication. The firewall and router work otherwise. I'm fairly new to this and I'd appreciate any help.


Current configuration:

version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption

hostname R1

username <username> privilege 15 password 7 <password>
ip subnet-zero
ip host R2 2001
ip host R3 2002
ip host R4 2003
ip host S1 2004
ip host S2 2005
ip host S3 2006
ip host F1 2007

interface Loopback0
 ip address
 no ip directed-broadcast

interface Ethernet0
 ip address
 no ip directed-broadcast

interface Serial0
 no ip address
 no ip directed-broadcast

ip classless

line con 0
 logging synchronous
 transport input none
line 1 16
 transport input telnet
line aux 0
 password 7 <password>
 login local
line vty 0 4
 password 7 <password>
 login local




ASA 5505

ASA Version 7.2(4)

hostname F1
enable password <password> encrypted
passwd <password> encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server X.X.X.X
 name-server X.X.X.X
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group network GROUP
 network-object X.X.X.X
 network-object X.X.X.X
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit ip object-group GROUP any
access-list INBOUND extended permit tcp host X.X.X.X any eq X
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface X X.X.X.X X netmask
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet X.X.X.X inside
telnet X.X.X.X inside
telnet timeout 5
ssh X.X.X.X inside
ssh timeout 5
console timeout 15
dhcp-client client-id interface outside
dhcpd auto_config outside

username <username> password <password> encrypted privilege 15

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end

Question by:d_prime
LVL 79

Accepted Solution

lrmoore earned 168 total points
ID: 24776939
There's nothing special or magic about the ASA console port different from a router. Not sure why it wouldn't work just as you have it. Uses same baud rate and everything else that the other devices use... unless you've changed them someplace.
LVL 28

Expert Comment

ID: 24776965
I don't think the ASA has a route to your router.

Router's address is, ASA's address is, and I don't see any route statements in the ASA configuration.
LVL 79

Expert Comment

ID: 24777021
No routing required. This is a simple reverse-telnet session on the 2511 to a serial aux port connected to the console port of the ASA.
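
The port-to-line mapping behind the reverse-telnet setup discussed in this thread, as an added example that is not part of any poster's reply: IOS maps TCP port 2000 + N to TTY line N, so `ip host F1 2007` targets line 7, and that line must accept telnet input. The config text, the `LAB` host and the `192.0.2.1` address are constructed placeholders.

```python
import re

# Constructed sample modelled on the 2511 config in the question; 192.0.2.1
# stands in for the router address the post leaves out, LAB is hypothetical.
SAMPLE_CONFIG = """\
ip host R2 2001 192.0.2.1
ip host F1 2007 192.0.2.1
ip host LAB 2012 192.0.2.1
line con 0
 transport input none
line 1 8
 transport input telnet
line 9 16
 transport input none
"""

def parse_lines(config):
    """Return [(first, last, transport_input_protocols)] for numbered TTY stanzas."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        top = not raw.startswith(" ")
        m = re.match(r"line (\d+)(?: (\d+))?\s*$", raw) if top else None
        if m:
            current = [int(m.group(1)), int(m.group(2) or m.group(1)), set()]
            stanzas.append(current)
        elif top:
            current = None            # any other top-level command ends the stanza
        elif current and raw.strip().startswith("transport input "):
            current[2] = set(raw.split()[2:])
    return [tuple(s) for s in stanzas]

def audit_reverse_telnet(config):
    """Map each 'ip host NAME 20xx' entry to its TTY line and report problems."""
    stanzas = parse_lines(config)
    report = {}
    for name, port in re.findall(r"^ip host (\S+) (2\d{3})\b", config, re.M):
        tty = int(port) - 2000        # reverse telnet: TCP port 2000 + line number
        match = next((s for s in stanzas if s[0] <= tty <= s[1]), None)
        if match is None:
            report[name] = (tty, "no matching line stanza")
        elif not match[2] & {"telnet", "all"}:
            report[name] = (tty, "transport input does not allow telnet")
        else:
            report[name] = (tty, "ok")
    return report
```

A clean report rules out the terminal-server configuration only; a faulty cable still shows the session as open on the 2511.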


Author Comment

ID: 24777059
I added an inside route to via gateway (since that's the only device connected directly from that net) with metric 1 as a 'just in case' and still no dice. When I connect directly via the console port with my PC using default settings everything works perfectly, and the cable is custom but it works - I've tried it with several other devices.
LVL 28

Assisted Solution

asavener earned 82 total points
ID: 24778249
Er... why bother with reverse telnet when you can just telnet from the 2511?

Author Comment

ID: 24780058

It would be easier to just go ahead and do that, since that does work. But it seems like I should be able to get the reverse telnet working somehow, and I tend to learn more trying to 'fix' things than just circumventing the problem... on the other hand, there doesn't seem to be much more to do to 'fix' this problem.

I guess I'll leave this open for a bit longer to see if anybody is able to add anything - otherwise I'll have to consider it a lost cause :(

Author Comment

ID: 24780196
Problem solved - the wonderful custom cable that I'd been using was the problem. I swapped it out with all my other connections to test it with other devices, again, but this time it wasn't working so well. Again, I tried a new cable for the ASA 5505 connection and that seemed to work. So, moral of the story is that I need to get a decent cable tester.
