Access to ASA 5520

Srakandaev — Mon, 11 Mar 2019 20:31:20 GMT

I have ASA 5520 which works fine, but after some time it denies any management access exept console. Asdm 641, SW asa 841. With previous versions i didn't have such problems. ASDM Launcher hangs duting log in, telnet and web access are logged: <163>1 2011-05-10T11:27:02+03:00 10.2.1.1 %ASA-3-710003 - - - %ASA-3-710003: TCP access denied by ACL from 10.2.1.4/56894 to Common:10.2.1.1/80 Telnet doesn't connect. After reboot everything works fine.

Re: Access to ASA 5520

varrao — Tue, 10 May 2011 10:03:18 GMT

Philip,

Could you provide a configuration from the firewall. This might be a known issue and I would suggest you to open a TAC case for it or upgrade the firewall software to the latest in 8.4 train.

Thanks,

Varun

Re: Access to ASA 5520

Srakandaev — Tue, 10 May 2011 11:17:41 GMT

ASA Version 8.4(1)
!
hostname asa
domain-name ***.com
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
!
interface GigabitEthernet0/0
nameif DMZ
security-level 50
ip address 10.2.5.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.100
vlan 100
nameif Devices

security-level 100
ip address 10.2.0.1 255.255.255.0
!
interface GigabitEthernet0/1.101
vlan 101
nameif Common
security-level 100
ip address 10.2.1.1 255.255.255.0
!
interface GigabitEthernet0/1.102
vlan 102
nameif Design
security-level 100
ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet0/1.103
vlan 103
nameif Ruhlamat
security-level 90
ip address 10.2.3.1 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
security-level 100

no ip address
!
interface GigabitEthernet0/2.10
vlan 10
nameif HOLOGR
security-level 40
ip address 10.1.2.4 255.255.0.0
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
!
boot system disk0:/asa841-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS

domain-name ***.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network HTTP
host 10.1.2.1
object network WWW
host 10.2.1.6
object network MAIL
host 10.2.5.5
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.0.88
network-object host 10.1.6.1
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object 10.2.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object host 10.1.4.138
network-object host 10.1.4.214
network-object host 10.1.4.143
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2080
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_6
network-object host 10.1.4.149
network-object host 10.1.4.42
network-object host 10.1.4.234
network-object host 10.1.4.91
network-object host 10.1.4.240
network-object host 10.1.4.56
network-object host 10.1.4.175
network-object host 10.1.1.74
network-object host 10.1.1.91
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
object-group network DM_INLINE_NETWORK_4
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group service DM_INLINE_TCP_2 tcp
port-object eq pop3
port-object eq smtp
port-object eq 2080
object-group network DM_INLINE_NETWORK_5
network-object host 10.2.1.14
network-object host 10.2.1.39
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.85
network-object host 10.2.1.31
network-object host 10.2.1.32
network-object host 10.2.1.40
network-object host 10.2.1.55
network-object host 10.2.1.35
object-group service DM_INLINE_TCP_3 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_11
network-object host 10.2.0.14
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_7
network-object host 10.1.6.1
network-object host 10.1.1.57
network-object host 10.1.0.88
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object host 10.1.1.101
object-group network DM_INLINE_NETWORK_9
network-object host 10.2.1.4
network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
network-object host 10.1.1.101
network-object host 10.1.6.1
object-group network DM_INLINE_NETWORK_10
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group service DM_INLINE_TCP_4 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_12
network-object host 10.1.1.1
network-object host 10.1.2.130
object-group service DM_INLINE_TCP_5 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_13
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
network-object host 8.8.4.4
network-object host 8.8.8.8
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *.*.*.* host 10.2.1.6 eq 4899
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host *.*.*.*

access-list Common_access_in extended permit tcp host 10.2.1.6 host *.*.*.* eq 400
access-list Common_access_in extended permit ip host 10.2.1.6 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list global_mpc_1 extended permit ip any any
access-list HOLOGR_access_in extended permit icmp any any
access-list HOLOGR_access_in extended permit tcp object-group DM_INLINE_NETWORK_12 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_7 10.2.1.0 255.255.255.0 inactive
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_11
access-list Ruhlamat_access_in extended permit ip 10.2.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging trap warnings
logging from-address *@*.*
logging recipient-address *@*.* level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
logging message 313001 level critical
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
!
object network WWW
nat (Common,outside) static interface service tcp 4899 4899
object network MAIL
nat (DMZ,outside) static interface service tcp smtp smtp
!
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route HOLOGR 192.168.5.0 255.255.255.0 10.1.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.2.1.6 255.255.255.255 Common
http 10.2.1.0 255.255.255.0 Common
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.6 255.255.255.255 Common
telnet timeout 15
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map global-class
match default-inspection-traffic
class-map global-class1
match access-list global_mpc_1
!
!
policy-map type inspect im IM
parameters
match service chat conference file-transfer games voice-chat webcam
log
policy-map global_policy
policy-map global-policy
class global-class
inspect dcerpc
inspect dns dynamic-filter-snoop
inspect http
inspect icmp
inspect icmp error
inspect netbios
inspect snmp
inspect sqlnet
class global-class1
ips inline fail-open sensor vs0
set connection timeout idle 1:00:00 dcd 0:15:00 5
!
service-policy global-policy global
smtp-server 10.2.5.5
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable

Re: Access to ASA 5520

varrao — Wed, 11 May 2011 19:21:41 GMT

It looks like a Known issue to me, you might need to upgrade the firewall to ASA version 8.4.1.2, but I would suggest you open a TAC case fisrt for it.

Thanks,

Varun

Re: Access to ASA 5520

Srakandaev — Fri, 13 May 2011 13:38:49 GMT

Thank you for your help. I've opened a TAC case.

Re: Access to ASA 5520

varrao — Fri, 13 May 2011 13:52:47 GMT

Hi Philip,

Thats good, let us know on the thread what the outcome was, would be interesting to see if I was thinking on the correct line.

Thanks,

Varun

Re: Access to ASA 5520

Srakandaev — Wed, 25 May 2011 09:14:04 GMT

Resolution :

============

Running into bug CSCtl77907 and have now upgraded the ASA’s to version 8.4.1.3 and will monitor to check if the issue reoocurs.

topic Re: Access to ASA 5520 in Network Security

Access to ASA 5520

Re: Access to ASA 5520

Re: Access to ASA 5520

Re: Access to ASA 5520

Re: Access to ASA 5520

Re: Access to ASA 5520

Re: Access to ASA 5520