topic Re: why cant i telnet? in Network Security

why cant i telnet?

nygenxny123 — Mon, 11 Mar 2019 14:23:00 GMT

I am unable to telnet to our ASA

the config is as follows

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

I am logged into the switch that this is connected to

Re: why cant i telnet?

vvarakan — Tue, 09 Dec 2008 17:52:41 GMT

Enable packet capture on the inside interface to check the packet flow. Other option is to check connection build's and teardown but you need to enable "logging buffered debug"

Re: why cant i telnet?

nygenxny123 — Tue, 09 Dec 2008 18:28:25 GMT

sadly..we are using asdm 6.0 with the known bug and cant access it now

would that debug cause a huge load on my asa?

its at a remote site and i dont want to have it hang and get stuck

Re: why cant i telnet?

ajagadee — Tue, 09 Dec 2008 19:12:14 GMT

Hi,

Was this working before or is this a new set up.

Can you post the configuration from the ASA along with the source and destination IP Address that you are telnetting from. Make sure that you can ping the ASA inside interface.

Regards,

Arul

Re: why cant i telnet?

nygenxny123 — Tue, 09 Dec 2008 21:12:27 GMT

its an old setup that was never really e utilized..

here is the attached config..i edited some outside IP's..

My ip is 192.168.133.4 and i log into 192.168.4.2..

which has a vlan address of 172.30.0.1 configured on it

Re: why cant i telnet?

John Blakley — Tue, 09 Dec 2008 21:49:46 GMT

Try adding:

management-access inside

See if that helps.

HTH,

John

Re: why cant i telnet?

ajagadee — Tue, 09 Dec 2008 22:06:55 GMT

Hi,

OK, configuration really helps. I don't think the below configuration is valid. You have an inside ip address of 172.30.0.2/16 and then you have configured a pool of ip addresses for the VPN Client, which is 172.30.0.x/24, which is overlapping with inside interface. This could be the issue that you are having issues accessing the inside interface.

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.30.0.2 255.255.0.0

ip local pool A-Pool 172.30.0.1-172.30.0.254 mask 255.255.255.0

Depending on your set up, you need to change the VPN Pool to a different subnet and make the necessary changes to the Split Tunnel ACL, NAT 0, etc and then try to telnet to the inside interface and see if it works.

Regards,

Arul

*Pls rate if it helps*

Re: why cant i telnet?

nygenxny123 — Wed, 10 Dec 2008 03:00:20 GMT

is there a way to exclude the address from the pool?

Re: why cant i telnet?

ajagadee — Wed, 10 Dec 2008 03:48:51 GMT

Yes. You can do something like the below configuration which excludes those addresses.

ip local pool A-Pool 172.30.0.10-172.30.0.254 mask 255.255.255.255

For testing purposes, try changing the pool to the above address range and let me know if it works. If it works, we know the pool was causing the issue, if not we can troubleshoot this further.

Regards,

Arul

*Pls rate if it helps*

Re: why cant i telnet?

nygenxny123 — Wed, 10 Dec 2008 21:01:32 GMT

Yes the Pool changed worked!!

I would think that the ASA would look for the .2 address so there wouldn't be any issues

thx