Solved

cannot telnet outside to ASA

Posted on 2010-09-01
Last Modified: 2012-05-10
I cannot telnet from IP 20.20.20.3 to 20.20.20.2, the outside interface of the ASA, but from the inside 10.12.2.X can telnet to 10.12.2.1, the inside interface.

note :-
1- when 20.20.20.3 pings 20.20.20.2 there is a reply
2- I used this command, crypto key generate rsa, but it still does not work :-S
3- this config contains all the config about Telnet

 ASA5520# wr t
: Saved
:
ASA Version 8.0(4)
!
hostname ASA5520
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!

!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.12.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_acl extended permit ip 10.12.2.0 255.255.255.0 any log
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit ah any any
access-list outside_acl extended permit esp any any
access-list outside_acl extended permit gre any any
access-list 100 remark ****** link to ASA mater *******
access-list 100 extended permit ip 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list 100 extended permit icmp 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list 100 extended permit ip host 10.12.3.3 10.12.5.0 255.255.255.0
access-list 100 extended permit icmp host 10.12.3.3 10.12.5.0 255.255.255.0
access-list nonat remark ****** NAT ACL *******
access-list nonat extended permit ip 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list nonat extended permit ip 10.12.2.0 255.255.255.0 10.12.3.0 255.255.255.0

pager lines 24
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any dmz
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.12.2.0 255.255.255.0

access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route outside 80.79.144.11 255.255.255.255 20.20.20.1 1

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

 
crypto isakmp nat-traversal 60
telnet 10.12.2.0 255.255.255.0 inside
telnet 10.12.2.2 255.255.255.255 inside
telnet 10.12.2.3 255.255.255.255 inside
telnet 20.20.20.3 255.255.255.255 outside
telnet 192.168.1.2 255.255.255.255 management
telnet timeout 5
ssh 10.12.2.0 255.255.255.0 inside
ssh 10.12.2.2 255.255.255.255 inside
ssh 10.12.2.3 255.255.255.255 inside
ssh 20.20.20.3 255.255.255.255 outside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
console timeout 0

username admin password eY/fQXw7Ure8Qrz7 encrypted

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dfabc417a306218c13c696402c354191
: end
Question by:metaprov

Accepted Solution

by:
Kvistofta earned 250 total points
ID: 33574320
It is by design. You cannot telnet to the firewall interface facing the internet. You need to use SSH or VPN.

/Kvistofta

Author Comment

by:metaprov
ID: 33576548
but I used SSH version 1 and 2 and I still cannot from outside :-S

Assisted Solution

by:mpickreign
mpickreign earned 250 total points
ID: 33577015
As of right now you can only SSH to the outside interface from the host at 20.20.20.3.

Also you need to generate a new general-use key. You can do this from config mode by entering the following command.

crypto key generate rsa general-keys modulus 1024

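The two answers above reduce to one rule plus one lookup: the ASA refuses Telnet sessions to its lowest-security interface (here `outside`, security-level 0), and SSH or Telnet from any source is only accepted when an `ssh|telnet <net> <mask> <nameif>` line covers that source on that interface. The Python script below is an added example for this thread, not code from the original post or from Cisco. It parses the interface and telnet/ssh lines of the posted config (embedded as a constructed constant, trimmed to those lines), lists the management-access lines that can never match, and says whether a given source may reach a given interface over telnet or SSH. It assumes that when several interfaces tie for the lowest security level the Telnet rule applies to all of them, and it does not model the exception for Telnet carried inside an IPsec tunnel; the thread covers neither point.

```python
"""Lint the telnet/ssh management-access lines of a Cisco ASA config.

Added example, not from the original post or from Cisco.  Rule applied (from
the accepted answer and Cisco's ASA documentation): the ASA does not accept
Telnet to its lowest-security interface, so a `telnet ... outside` line on a
security-level-0 interface is dead config.  Assumption: if several interfaces
tie for the lowest level, the rule is applied to all of them.
"""
import ipaddress
import re

# Constructed sample: the interface and telnet/ssh lines from the posted config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.12.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
telnet 10.12.2.0 255.255.255.0 inside
telnet 20.20.20.3 255.255.255.255 outside
telnet 192.168.1.2 255.255.255.255 management
telnet timeout 5
ssh 10.12.2.0 255.255.255.0 inside
ssh 20.20.20.3 255.255.255.255 outside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
"""

# `telnet|ssh <addr> <mask> <nameif>`; `telnet timeout 5` has no dotted quads and is skipped
MGMT_LINE = re.compile(r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_interfaces(config):
    """Map each nameif to its security-level; blocks with `no nameif` are skipped."""
    levels = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif is not None:
            levels[nameif] = int(line.split()[1])
    return levels


def parse_mgmt_access(config):
    """Return (proto, source network, nameif) for every telnet/ssh access line."""
    rules = []
    for raw in config.splitlines():
        m = MGMT_LINE.match(raw.strip())
        if m:
            proto, addr, mask, nameif = m.groups()
            rules.append((proto, ipaddress.ip_network(f"{addr}/{mask}"), nameif))
    return rules


def lowest_security_interfaces(levels):
    """All nameifs at the minimum security level (assumption: ties all count)."""
    lowest = min(levels.values())
    return {n for n, lvl in levels.items() if lvl == lowest}


def dead_telnet_lines(config):
    """Telnet access lines the ASA will never honour: those on the lowest-security interface."""
    lowest = lowest_security_interfaces(parse_interfaces(config))
    return [(str(net), nameif) for proto, net, nameif in parse_mgmt_access(config)
            if proto == "telnet" and nameif in lowest]


def check_access(config, src_ip, proto, nameif):
    """Explain whether src_ip can open a telnet/ssh management session on nameif."""
    levels = parse_interfaces(config)
    if nameif not in levels:
        return f"no interface named {nameif}"
    if proto == "telnet" and nameif in lowest_security_interfaces(levels):
        return "refused: telnet to the lowest-security interface is not allowed by design"
    src = ipaddress.ip_address(src_ip)
    for p, net, n in parse_mgmt_access(config):
        if p == proto and n == nameif and src in net:
            return "allowed"
    return f"refused: {src_ip} matches no '{proto} ... {nameif}' line"


if __name__ == "__main__":
    for net, nameif in dead_telnet_lines(SAMPLE_CONFIG):
        print(f"dead config: telnet from {net} on {nameif} can never succeed")
    for src, proto in [("20.20.20.3", "telnet"), ("20.20.20.3", "ssh"), ("20.20.20.4", "ssh")]:
        print(f"{proto} from {src} to outside: {check_access(SAMPLE_CONFIG, src, proto, 'outside')}")
```

Run with python3 and it reports the `telnet 20.20.20.3 ... outside` line as dead and SSH from 20.20.20.3 to outside as the only working path from that host. Three practical points the thread only touches on: the posted config already has `aaa authentication ssh console LOCAL` and a local `username admin`, so the SSH login is that local user; an RSA key generated with `crypto key generate rsa` lives in memory until `write memory` saves it to flash, so save after generating; and Telnet is cleartext, so even on the inside interface SSH with `ssh version 2` and a 2048-bit modulus (the 1024-bit size suggested above is the ASA default, and is weak by current standards) is the better choice.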

Author Comment

by:metaprov
ID: 33585658
thx, solved

Expert Comment

by:Kvistofta
ID: 33585698
Why not award points to me and the other author's answer? In my opinion my comment that your problem with telnet to outside is by design is totally clear.

My suggestion: award me 500 points or do a point split between me and mpickreign.

Not awarding points when experts take their valuable time to answer questions is imho not good behavior. Enough of this and experts like me won't care about answering questions here at EE.

/Kvistofta