9268 Views | 0 Helpful | 9 Replies

I cannot log in to my firewall ASA 5510

ahmed_843
Level 1

Hi all

I have an ASA 5510 firewall in my network, but the problem is I cannot log in to it through telnet or SSH, or even ASDM or a browser. This is my configuration

:

ASA Version 8.2(5)

!

hostname Amco-ASA

domain-name amco.com

enable password JSI3.TL9MINmP28U encrypted

passwd JSI3.TL9MINmP28U encrypted

names

!

interface Ethernet0/0

description Polarisnet Internet Link

nameif outside

security-level 0

ip address 213.x.x.14 255.255.255.252

!

interface Ethernet0/1

description Mobily Internet Link

shutdown

nameif outside1

security-level 0

ip address 86.51.11.74 255.255.255.252

!

interface Ethernet0/2

description DMZ Server connected

nameif DMZ 

security-level 50

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/3

description Lan Network Connected

nameif inside

security-level 100

ip address 192.168.1.11 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name amco.com

access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list dmz-no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list out-to-in extended permit tcp any host 213.x.x.19 eq 3389

access-list out-to-in extended permit tcp any host 213.x.x.17 eq www

access-list out-to-in extended permit tcp any host 213.x.x.18 eq www

pager lines 24

logging asdm informational

mtu outside 1500

mtu outside1 1500

mtu DMZ 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14x0

global (outside) 1 interface

nat (DMZ) 0 access-list dmz-no-nat

nat (DMZ) 1 172.16.1.0 255.255.255.0

nat (inside) 0 access-list lan-no-nat

nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) 213.x.x.17 192.168.1.4 netmask 255.255.255.255

static (inside,outside) 213.x.x.18 192.168.1.16 netmask 255.255.255.255

static (DMZ,outside) 213.x.x.19 172.16.1.3 netmask 255.255.255.255

access-group out-to-in in interface outside

route outside 0.0.0.0 0.0.0.0 213.x.x.13 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns 213.x.32.134

!

dhcpd address 192.168.1.51-192.168.1.2x inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username nasa password IqBVv2.6j.KCDncy encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 1

Cryptochecksum:c9b7f48e092e4b7d07a62b20e19660cd

: end

Amco-ASA#

9 Replies

Scott Fella
Hall of Fame

You need to move your post to the Security Community forum.  They would be able to answer your question.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

I moved it, thanks.

A couple of commands affect the ability to log in:

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

telnet 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 outside

So, the above say:

1. use LOCAL authentication for ssh and console. You have username "nasa" set up so that's OK. BUT you do not have AAA authentication for telnet or http. First off, I'd ditch telnet altogether. Makes no sense to manage a security device using an insecure transport. For http you need a line like "aaa authentication http console LOCAL".

2. turn on http server - required to use ASDM (https actually). You have no ASDM image specified so that will be a problem. I would look for a command like "asdm image disk0:". (Make sure your ASDM bin file is on disk0:.)

3. restrict ASDM access to a client connecting to the management interface. (once you have #2 above corrected ASDM should work assuming your client has a route to the ASA management interface).

4. telnet is allowed from any client coming in to the outside interface. This is not recommended since it a. uses insecure telnet and b. allows it from the public! Still, it should be functional, if insecure, as long as you are accessing the public interface.

5. ssh is allowed from any client, also to public interface. Again, not a best practice but it should work if you are trying to access your ASA's public IP.

First thanks for helping a lot

I'm trying to make all the steps you advised, but I still cannot log in through the web (HTTP) or SDM. SSH is working perfectly now.

I will give you a snapshot of the new configuration:

Amco-ASA# show run

: Saved

:

ASA Version 8.2(5)

!

hostname Amco-ASA

domain-name amcomideast.com

enable password /bmNTYoTDVbw27DY encrypted

passwd JSI3.TL9MINmP28U encrypted

names

!

interface Ethernet0/0

description Polarisnet Internet Link

nameif outside

security-level 0

ip address xx.xx.40.14 255.255.255.252

!

interface Ethernet0/1

description Mobily Internet Link

shutdown

nameif outside1

security-level 0

ip address xx.xx.11.74 255.255.255.252

!

interface Ethernet0/2

description DMZ Server connected

nameif DMZ

security-level 50

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/3

description Lan Network Connected

nameif inside

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

regex domainlist3 "\.youtube\.com"

regex domainlist4 "\.facebook\.com"

regex block1 "facebook.com"

regex block2 "\.facebook\.com"

ftp mode passive

dns server-group DefaultDNS

domain-name amcomideast.com

access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list dmz-no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list out-to-in extended permit tcp any host xxx.xxx.40.19 eq 3389

access-list out-to-in extended permit tcp any host xxx.xxx.40.17 eq www

access-list out-to-in extended permit tcp any host xxx.xxx.40.18 eq www

access-list out-to-in extended permit tcp any interface outside range h323 3230

access-list out-to-in extended permit tcp any interface outside eq 3243

access-list out-to-in extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list out-to-in extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list dmz-to-in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list OUTSIDE-IN extended permit tcp any interface outside range 3230 3277

access-list OUTSIDE-IN extended permit udp any interface outside range 3230 3277

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu outside1 1500

mtu DMZ 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (DMZ) 0 access-list dmz-no-nat

nat (DMZ) 1 172.16.1.0 255.255.255.0

nat (inside) 0 access-list lan-no-nat

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.5.0 255.255.255.0

static (inside,outside) tcp interface h323 192.168.1.40 h323 netmask 255.255.255.255

static (inside,outside) tcp interface 3230 192.168.1.40 3230 netmask 255.255.255.255

static (inside,outside) tcp interface 3243 192.168.1.40 3243 netmask 255.255.255.255

static (inside,outside) udp interface 3230 192.168.1.40 3230 netmask 255.255.255.255

static (inside,outside) udp interface 3277 192.168.1.40 3277 netmask 255.255.255.255

static (inside,outside) xxx.xxx.40.17 192.168.1.4 netmask 255.255.255.255

static (inside,outside) xxx.xxx.40.18 192.168.1.16 netmask 255.255.255.255

static (DMZ,outside) xxx.xxx.40.19 172.16.1.10 netmask 255.255.255.255

access-group out-to-in in interface outside

access-group dmz-to-in in interface DMZ

route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.13 1

route inside 192.168.1.0 255.255.255.0 192.168.200.2 1

route inside 192.168.5.0 255.255.255.0 192.168.200.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization exec LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.200.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns xxx.xxx.32.134

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username amco password SIQ4ybqbSk3tR2yZ encrypted privilege 15

username nasa password IqBVv2.6j.KCDncy encrypted privilege 15

!

class-map type regex match-any DomainLogList

match regex domainlist4

class-map type regex match-any DomainBlockList

match regex domainlist3

match regex domainlist4

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

class-map type inspect http match-all LogDomainsClass

match request header host regex class DomainLogList

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect http http_inspection_policy

parameters

class BlockDomainsClass

  reset log

class LogDomainsClass

  log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect http http_inspection_policy

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:a8261089e6958875d4434ac0f23d67d9

: end

You're welcome.

Please also provide output of these commands:

show version

dir disk0:

to assist in resolving.

Amco-ASA# show version

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

Amco-ASA up 3 days 5 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: Ethernet0/0         : address is 649e.f335.6272, irq 9

1: Ext: Ethernet0/1         : address is 649e.f335.6273, irq 9

2: Ext: Ethernet0/2         : address is 649e.f335.6274, irq 9

3: Ext: Ethernet0/3         : address is 649e.f335.6275, irq 9

4: Ext: Management0/0       : address is 649e.f335.6271, irq 11

5: Int: Not used            : irq 11

6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 50

Inside Hosts                   : Unlimited

Failover                       : Disabled

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

Security Contexts              : 0

GTP/GPRS                       : Disabled

SSL VPN Peers                  : 2

Total VPN Peers                : 250

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1606X17C

Running Activation Key: 0x1403d37a 0x485f5b1c 0xf071ed4c 0xa2dcc864 0x410505a8

Configuration register is 0x1

Configuration last modified by enable_15 at 07:49:30.393 UTC Sat Oct 6 2012

-------------------------------------------------------------------------------------------------------------------

Amco-ASA# dir disk0:

Directory of disk0:/

96     -rwx  15390720    09:51:30 Feb 11 2012  asa825-k8.bin

97     -rwx  16280544    11:56:28 Feb 11 2012  asdm-645.bin

3      drwx  4096        00:03:28 Jan 01 2003  log

10     drwx  4096        00:03:42 Jan 01 2003  crypto_archive

11     drwx  4096        00:03:44 Jan 01 2003  coredumpinfo

99     -rwx  12998641    11:52:50 Feb 11 2012  csd_3.5.2008-k9.pkg

100    drwx  4096        11:52:52 Feb 11 2012  sdesktop

101    -rwx  6487517     11:52:56 Feb 11 2012  anyconnect-macosx-i386-2.5.2014-k9.pkg

102    -rwx  6689498     11:53:00 Feb 11 2012  anyconnect-linux-2.5.2014-k9.pkg

103    -rwx  4678691     11:53:02 Feb 11 2012  anyconnect-win-2.5.2014-k9.pkg

255320064 bytes total (192176128 bytes free)

Those look OK.

Can you confirm that you are trying to login from a client on network 192.168.1.0? The configuration line:

     http 192.168.1.0 255.255.255.0 inside

restricts your ASDM clients to that network.

What are you using to attempt ASDM login? Are you using an already installed ASDM launcher or going via a browser to https://192.168.1.1/admin?

What is the result when you try? Here is a document with a remedy for the most common problems:

https://supportforums.cisco.com/docs/DOC-15016

Richard Burts
Hall of Fame

This is a bit difficult to do with the mobile interface since I can refer back to your original post for details. But here is my attempt to answer your questions.

You have enabled control via http (which is ASDM) only via the management interface. But the management interface has no IP address, so ASDM cannot work.

Then - you have enabled telnet access only on the outside interface. But the behavior of ASA is to not allow telnet through the outside interface. So no telnet access.

And you have enabled ssh only through the outside interface. So have you attempted ssh from an address outside the ASA?

HTH

Rick

Sent from Cisco Technical Support iPhone App


vineet.sheoran
Level 1

You are trying to ssh via the outside interface which has an acl out-to-in applied, is this correct?

In acl out-to-in there is no permit statement for ssh.

Console into the ASA and get a colleague to ssh and check the logs at the same time; that might provide a hint. Also don't forget to create a crypto key, otherwise ssh will not work.

I concur with what Richard is saying about ASDM and Telnet.

Vineet
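Added example (not from this thread, from Cisco, or from any of the posters): a small Python audit that encodes the management-access checks from the numbered-list reply above and from Richard's reply, namely telnet and SSH open to 0.0.0.0 on the outside interface, no aaa authentication for http, no asdm image line, http access bound to an interface with no IP address, and telnet on the lowest-security interface, which the ASA refuses. The two configs inside it are constructed samples modelled on the first running-config in the thread, with placeholder addresses and password hashes; the finding codes and explanations are my own naming, not ASA output.

```python
"""Audit an ASA 8.x running-config for the management-access pitfalls discussed in this thread."""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<proto> <source-net> <mask> <interface>" allow lines for telnet, ssh and http
ALLOW_RE = re.compile(rf"^(telnet|ssh|http) ({IPV4}) ({IPV4}) (\S+)$")

# Constructed sample modelled on the thread's first config (placeholder address and hash).
ORIGINAL_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.14 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
username nasa password PLACEHOLDER encrypted privilege 15
"""

# Constructed hardened counterpart: no telnet, SSH and ASDM only from the inside LAN on an
# addressed interface, AAA for HTTP as well as SSH, ASDM image pinned.
HARDENED_CONFIG = """\
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.1.11 255.255.255.0
!
asdm image disk0:/asdm-645.bin
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
username nasa password PLACEHOLDER encrypted privilege 15
"""


def parse_interfaces(config):
    """Map each nameif to its IP address (None when unaddressed) and security level."""
    interfaces, block = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = {"ip": None, "level": None}
        elif block is None or line == "!":
            block = None
        elif line.startswith("nameif "):
            interfaces[line.split()[1]] = block  # later lines in the block update this dict
        elif line.startswith("ip address "):
            block["ip"] = line.split()[2]
        elif line.startswith("security-level "):
            block["level"] = int(line.split()[1])
    return interfaces


def audit_management_access(config):
    """Return (code, interface, explanation) tuples for each problem found."""
    lines = [raw.strip() for raw in config.splitlines()]
    ifaces = parse_interfaces(config)
    levels = [i["level"] for i in ifaces.values() if i["level"] is not None]
    lowest = min(levels) if levels else None
    present = lambda prefix: any(line.startswith(prefix) for line in lines)
    findings = []

    for m in filter(None, map(ALLOW_RE.match, lines)):
        proto, src, mask, ifname = m.groups()
        info = ifaces.get(ifname)
        if proto == "telnet":
            findings.append(("telnet-enabled", ifname, "cleartext management protocol; use SSH instead"))
            if info and info["level"] == lowest:  # the ASA refuses telnet on its lowest-security interface
                findings.append(("telnet-on-lowest-security-if", ifname, "telnet will not work here"))
        if src == "0.0.0.0" and mask == "0.0.0.0":
            findings.append((f"{proto}-from-any", ifname, "management access open to any source address"))
        if proto == "http" and (info is None or info["ip"] is None):
            findings.append(("http-on-unaddressed-if", ifname, "ASDM allowed on an interface with no IP"))

    if present("http server enable"):
        if not present("aaa authentication http console"):
            findings.append(("no-aaa-http", "-", "ASDM logins are not tied to the LOCAL/AAA user database"))
        if not present("asdm image "):
            findings.append(("no-asdm-image", "-", "no 'asdm image disk0:/...' line pins the ASDM binary"))
    if present("aaa authentication ssh console LOCAL") and not present("username "):
        findings.append(("no-local-user", "-", "SSH uses the LOCAL database but no username is defined"))
    return findings


def finding_codes(config):
    """Just the finding codes, handy for comparing a config before and after a change."""
    return {code for code, _, _ in audit_management_access(config)}
```

Calling audit_management_access(ORIGINAL_CONFIG) returns seven findings for the thread's original layout and an empty list for the hardened counterpart; pointing it at a saved "show run" works the same way, since it only reads the interface blocks and the telnet/ssh/http/aaa/asdm lines and ignores everything else.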
