Re: ASA 5506 9.8 - Allow Remote ASA to TFTP to HQ VPN Connected Server - Telnet from HQ Management ...

stownsend · ‎04-30-2019

I've upgraded a few 5506 ASAs (form 9.3, 9.5) to 9.8. I Migrated the Configs from the older style useless ports to a Bridge-group so I i can use all of the GE Ports.

interface GigabitEthernet1/<2-8>
 speed auto
 duplex auto
no  flowcontrol send on
 bridge-group 1
 nameif inside_<2-7>
 no cts manual
 security-level 100
 delay 1
!
interface Management1/1
 speed auto
 duplex auto
no  flowcontrol send on
 management-only
 no nameif
 no cts manual
 no security-level
 no ip address
 delay 1
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.111.111.1 255.255.0.0
!

The VPN is up, I can pass VPN Traffic back and forth and all is good from remote clients on the other side of the inside interface of the Remote ASA.

I cannot however save my Config to my TFTP server on the HQ Connected TFTP server. I can ping it using the internal interface. I have set (with inside and inside_1-Inside_7):

tftp-server inside <IP of server> <filename>

I also can no longer telnet to the remote ASA from HQ's Management Subnet.

I have the following (with inside and inside_1-Inside_7):

telnet NETWORK-OLIVET 255.255.0.0 inside
telnet NETWORK-HBG 255.255.255.0 inside
management-access inside

None work.

I can telnet and ssh to other devices on the remote network.

Copy of a sanitized config:

: Saved

:
: Serial Number: JAD23080D24
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname olivet
domain-name <Our Domain>
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name <Subnet of HBG>  NETWORK-HBG
name <Subnet of Olivet> NETWORK-OLIVET
name <IP of TFTP Server> <Name of TFTP Server> 
name <IP of SYSLOGD Server> <Name of SYSLOGD Server>
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address <Comcast IP Address> 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address <Subnet of Olivet>.1 255.255.0.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name <Our Domain>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK-HBG
 subnet <subnet of HBG> 255.255.0.0
object network NETWORK-OLIVET
 subnet <Subnet of Olivet> 255.255.0.0
object-group network NETWORK_LOCAL
 description Local Networks
 network-object object NETWORK-OLIVET
object-group network NETWORK_REMOTE
 description Remote Networks
 network-object object NETWORK-HBG
access-list outside_cryptomap_1 extended permit ip object-group NETWORK_LOCAL object-group NETWORK_REMOTE
pager lines 54
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list VPNCLIENT-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging list acl-drop message 106023
logging list acl-drop message 106100
logging list acl-drop message 106104
logging buffer-size 1048576
logging console notifications
logging monitor informational
logging buffered debugging
logging trap informational
logging asdm warnings
logging mail warnings
logging from-address olivet@eandm.com
logging recipient-address scott@eandm.com level errors
logging device-id hostname
logging host inside <IP of SYSLOGD Server>
logging debug-trace
logging permit-hostdown
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside_2,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside_3,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside_4,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside_5,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside_6,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside_7,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 <Comcast GW IP on Outside Interface> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http NETWORK-HBG 255.255.0.0 inside_1
http NETWORK-OLIVET 255.255.0.0 inside_1
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set peer <IP of HQ ASA>
crypto map outside_map1 1 set ikev1 phase1-mode aggressive
crypto map outside_map1 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto ca trustpool policy
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet NETWORK-OLIVET 255.255.0.0 inside_1
! Limiting to 255.2555.255.0 Subnet for Management IPs only vs 255.255.0.0
telnet NETWORK-HBG 255.255.255.0 inside_1
telnet timeout 25
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <NTP Server> source outside prefer
tftp-server inside <IP of TFTP Server> remoteASA-2019.0426.02.cfg
group-policy <IP of HQ ASA> internal
group-policy <IP of HQ ASA> attributes
 vpn-idle-timeout 35791394
dynamic-access-policy-record DfltAccessPolicy
tunnel-group <IP of HQ ASA> type ipsec-l2l
tunnel-group <IP of HQ ASA> general-attributes
 default-group-policy <IP of HQ ASA>
tunnel-group <IP of HQ ASA> ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect netbios
  inspect dns migrated_dns_map_1
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
event manager applet VPN-Always-UP
 event timer watchdog time 60
 action 1 cli command "ping inside <HQ IP>"
 output none
: end

dadelacr · ‎04-30-2019

Just for testing, have you tried this?

management-access inside_1
management-access inside_2
management-access inside_3
management-access inside_4
management-access inside_5
management-access inside_6
management-access inside_7

telnet 0.0.0.0 0.0.0.0 inside_1
telnet 0.0.0.0 0.0.0.0 inside_2
telnet 0.0.0.0 0.0.0.0 inside_3
telnet 0.0.0.0 0.0.0.0 inside_4
telnet 0.0.0.0 0.0.0.0 inside_5
telnet 0.0.0.0 0.0.0.0 inside_6
telnet 0.0.0.0 0.0.0.0 inside_7

If this works, just limit the sources of the TELNET Clients.

stownsend · ‎04-30-2019

I have tried adding (Expanded of course)

    management-access inside_[1..7]
    telnet 0.0.0.0 0.0.0.0 inside_[1..7]

There was no success with those. You can only have one Management interface. The unit I was testing with in my office only had Interface inside_1 connected.

I don't think it is a routing issue, When there is a routing issue, Telnetting to the ASA takes a while to timeout. When the Flow is good I get

Trying <remote ASA IP> ... Open

[Connection to <remote ASA IP> closed by foreign host]

It is just odd that its blocking the TFTP from the ASA. That seems separate from the not being able to Telnet in.

Thanks!

ASA 5506 9.8 - Allow Remote ASA to TFTP to HQ VPN Connected Server - Telnet from HQ Management to Remote ASA