Solved

cannot telnet outside to ASA

Posted on 2010-09-01
Last Modified: 2012-05-10
I cannot telnet from 20.20.20.3 to 20.20.20.2, the outside interface of the ASA, but inside hosts 10.12.2.X can telnet to 10.12.2.1, the inside interface.

Note:
1. When 20.20.20.3 pings 20.20.20.2 there is a reply.
2. I used the command crypto key generate rsa but it still does not work :-S
3. This config contains all the config relating to Telnet.

 ASA5520# wr t
: Saved
:
ASA Version 8.0(4)
!
hostname ASA5520
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!

!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.12.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_acl extended permit ip 10.12.2.0 255.255.255.0 any log
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit ah any any
access-list outside_acl extended permit esp any any
access-list outside_acl extended permit gre any any
access-list 100 remark ****** link to ASA mater *******
access-list 100 extended permit ip 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list 100 extended permit icmp 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list 100 extended permit ip host 10.12.3.3 10.12.5.0 255.255.255.0
access-list 100 extended permit icmp host 10.12.3.3 10.12.5.0 255.255.255.0
access-list nonat remark ****** NAT ACL *******
access-list nonat extended permit ip 10.12.2.0 255.255.255.0 10.12.5.0 255.255.255.0
access-list nonat extended permit ip 10.12.2.0 255.255.255.0 10.12.3.0 255.255.255.0

pager lines 24
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any dmz
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.12.2.0 255.255.255.0

access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route outside 80.79.144.11 255.255.255.255 20.20.20.1 1

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

 
crypto isakmp nat-traversal 60
telnet 10.12.2.0 255.255.255.0 inside
telnet 10.12.2.2 255.255.255.255 inside
telnet 10.12.2.3 255.255.255.255 inside
telnet 20.20.20.3 255.255.255.255 outside
telnet 192.168.1.2 255.255.255.255 management
telnet timeout 5
ssh 10.12.2.0 255.255.255.0 inside
ssh 10.12.2.2 255.255.255.255 inside
ssh 10.12.2.3 255.255.255.255 inside
ssh 20.20.20.3 255.255.255.255 outside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
console timeout 0

username admin password eY/fQXw7Ure8Qrz7 encrypted

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dfabc417a306218c13c696402c354191
: end
Question by: metaprov


Accepted Solution

by:
Kvistofta earned 250 total points
ID: 33574320
It is by design. You cannot telnet to the firewall interface facing internet. You need to use SSH or VPN.

/Kvistofta

Author Comment

by:metaprov
ID: 33576548
But I used SSH versions 1 and 2 and I cannot connect from outside :-S


Assisted Solution

by:mpickreign
mpickreign earned 250 total points
ID: 33577015
As of right now you can only SSH to the outside interface from the host at 20.20.20.3.

Also you need to generate a new general-use key. You can do this from config mode by entering the following command.

crypto key generate rsa general-keys modulus 1024

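A quick way to check this kind of config before posting it is to read the nameif/security-level and telnet/ssh lines back and apply the rule both answers rely on: the ASA will not accept a Telnet session on its lowest-security interface unless it arrives inside an IPsec tunnel, while the ssh lines define exactly which sources may manage each interface. The Python below is an added example written for this page, not code from the thread or from Cisco; the config it parses is a constructed, cut-down copy of the one in the question, and the finding names and severities are my own.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample, modelled on the config posted in the question:
# only the interface, security-level, telnet and ssh lines matter here.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.12.2.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
telnet 10.12.2.0 255.255.255.0 inside
telnet 10.12.2.2 255.255.255.255 inside
telnet 20.20.20.3 255.255.255.255 outside
telnet 192.168.1.2 255.255.255.255 management
telnet timeout 5
ssh 10.12.2.0 255.255.255.0 inside
ssh 20.20.20.3 255.255.255.255 outside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
"""

Rule = namedtuple("Rule", "proto network iface")
# "telnet|ssh <host> <mask> <nameif>" management-access lines
ACCESS_RE = re.compile(r"^(telnet|ssh) (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Return ({nameif: security_level}, [Rule, ...]) from an ASA running-config."""
    levels, rules = {}, []
    current = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = None
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" security-level ") and current:
            levels[current] = int(line.split()[1])
        else:
            m = ACCESS_RE.match(line)
            if m:
                proto, host, mask, iface = m.groups()
                try:
                    net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
                except ValueError:
                    continue  # four-token lines such as "ssh key-exchange group ..."
                rules.append(Rule(proto, net, iface))
    return levels, rules


def ssh_sources(rules, iface):
    """Sources that may open an SSH session to the given interface."""
    return sorted(str(r.network) for r in rules if r.proto == "ssh" and r.iface == iface)


def audit(levels, rules):
    """Check the telnet/ssh lines against the interface security levels."""
    findings = []
    lowest = min(levels.values())
    lowest_ifaces = {name for name, lvl in levels.items() if lvl == lowest}

    def add(severity, r, message):
        findings.append(dict(severity=severity, proto=r.proto, network=str(r.network),
                             iface=r.iface, message=message))

    for r in rules:
        if r.proto == "telnet" and r.iface in lowest_ifaces:
            # The ASA refuses Telnet to its lowest-security interface unless the
            # session comes in over an IPsec tunnel, so this line never works as written.
            add("error", r, f"Telnet to lowest-security interface '{r.iface}' (level {lowest}) "
                            "is refused unless inside an IPsec tunnel; use ssh for this host")
        elif r.proto == "telnet":
            add("warn", r, "Telnet sends the login password in cleartext; prefer ssh")
        if r.proto == "ssh" and r.network.prefixlen == 0:
            add("warn", r, "ssh is open to any source on this interface; restrict it to management hosts")
        # A host or subnet already covered by a wider line for the same protocol and interface.
        for other in rules:
            if (other is not r and other.proto == r.proto and other.iface == r.iface
                    and other.network.prefixlen < r.network.prefixlen
                    and r.network.subnet_of(other.network)):
                add("info", r, f"already covered by '{other.proto} {other.network} {other.iface}'")
                break
    return findings


if __name__ == "__main__":
    lvls, rls = parse_config(SAMPLE_CONFIG)
    for f in audit(lvls, rls):
        print(f"[{f['severity']}] {f['proto']} {f['network']} {f['iface']}: {f['message']}")
    print("ssh to outside allowed from:", ssh_sources(rls, "outside"))
```

Run as a script it prints the findings; against the sample it reports the `telnet 20.20.20.3 255.255.255.255 outside` line as an error, the other telnet lines as cleartext warnings, and `telnet 10.12.2.2 255.255.255.255 inside` as already covered by the /24 line. One thing no config parser can tell you is whether an RSA key actually exists, because `show running-config` never includes key material; confirm a `crypto key generate rsa` on the box itself with `show crypto key mypubkey rsa`.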

Author Comment

by:metaprov
ID: 33585658
Thanks, solved.


Expert Comment

by:Kvistofta
ID: 33585698
Why not award points to me and the other author's answer? In my opinion my comment that your problem telnetting to outside is by design is totally clear.

My suggestion: award me 500 points or do a point split between me and mpickreign.

Not awarding points when experts take their valuable time to answer questions is imho not good behavior. Enough of this and experts like me won't care about answering questions here at EE.

/Kvistofta