07-16-2012 02:22 AM - edited 02-21-2020 04:41 AM
Hi,
We have a problem with doing telnet to the inside and outside interface. When we try to do it, we receive this message. We have permit any any on both interfaces but we can't do telnet.
Does somebody know what we have to do to solve it??
ASA version is 8.2.5, model 5510.
thanks.
%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.
07-20-2012 10:34 AM
Hi Bro
You cannot telnet to an outside interface that has security-level 0. You can only ssh to an outside interface with security-level 0. In general, if any interface has a security level of 0 or lower than any other interface, then the PIX/ASA does not allow telnet to that interface.
However, if you're still adamant that you'd like to telnet to the outside interface, then this can be achieved, but the steps are too many, too much of a hassle. Well, in order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the Cisco FW and enable Telnet on the outside interface.
It is not recommended to access the security appliance through a Telnet session. The authentication credential information, such as passwords, is sent as clear text. The Telnet server and client communication happens only in clear text. Cisco recommends using SSH for more secure data communication.
For further details on this, please do refer to this URL http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
domain-name cisco.com
ssh version 2
crypto key generate rsa modulus 768
ssh 202.188.5.0 255.255.255.0 outside
telnet 192.168.10.13 255.255.255.255 inside
P/S: If you do find this comment useful, please do rate them nicely :-)
07-16-2012 03:22 AM
hi,
add these lines:
telnet
telnet
regards
V
07-16-2012 03:52 AM
please attach your config
07-16-2012 03:56 AM
Hi,
thanks for your quick answer.
But, we have the same issue.
We wrote the command telnet 192.168.0.0 255.255.0.0 outside
Attached please find a picture.
if you need more config please let us know.
Thanks.
07-16-2012 04:05 AM
I see in the picture another subnet in telnet access: 10.161.0.0/16, not 192.168.0.0 255.255.0.0
07-16-2012 04:09 AM
Sorry, it is a mistake; the correct one is
telnet 10.161.0.0 255.255.0.0 outside
07-16-2012 04:13 AM
what is the ip address of RDP-FJD ?
07-16-2012 04:17 AM
second:
do you have a user or group enabled to telnet?
example:
aaa authentication telnet LOCAL
07-16-2012 04:34 AM
RDP-FJD is 10.161.1.71
We don't have a group. We tried to enter the statement that you told us, but it doesn't run...
thanks
07-16-2012 05:08 AM
well,
you cannot configure telnet on the outside interface or the lowest interface; use ssh
Note: You can enable Telnet to the security appliance on all interfaces. However, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPsec. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.
Note: In general, if any interface has a security level of 0 or lower than any other interface, then the PIX/ASA does not allow Telnet to that interface.
Regards
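As an added check (not from the thread or from Cisco), this Python script applies the rule in the note above and in the accepted solution to an ASA-style config: it maps each nameif to its security-level and flags any telnet line that targets a level-0 or lowest-security interface, which the ASA only honours over IPsec. The sample config is constructed from the interface and access lines posted in this thread; the outside/inside stanzas are assumed.

```python
import re

# Constructed sample (assumption): the interface and management lines posted in
# the thread, plus an assumed outside/inside pair to give a lowest-security level.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/1.82
 nameif transito-asa-cpe
 security-level 50
ssh version 2
ssh 202.188.5.0 255.255.255.0 outside
telnet 10.161.0.0 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe
"""

ACCESS_LINE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_interfaces(config):
    """Map each nameif to its security-level (nameif precedes security-level)."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def audit(config):
    """Flag telnet on a level-0 or lowest-security interface (needs IPsec; use ssh)."""
    levels = parse_interfaces(config)
    lowest = min(levels.values())
    findings = []
    for line in config.splitlines():
        m = ACCESS_LINE.match(line.strip())   # 'ssh version 2' has no mask/nameif, skipped
        if not m:
            continue
        proto, net, mask, nameif = m.groups()
        lvl = levels.get(nameif)
        if proto == "telnet" and lvl is not None and (lvl == 0 or lvl == lowest):
            findings.append(f"telnet {net} {mask} {nameif}: level {lvl} needs IPsec; use ssh")
    return findings
```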
07-16-2012 06:21 AM
We will try to do it as you told us.
Thanks!!!
Regards.
07-24-2012 12:59 AM
Hi,
I tested this configuration and it works.
interface Ethernet0/1.82
vlan 82
nameif transito-asa-cpe
security-level 50
ip address 192.168.0.1 255.255.255.252
domain-name cisco.com
ssh version 2
crypto key generate rsa modulus 768
ssh Lan-FJD 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe
Thank you very much for your help.
Cheers.