09-02-2012 03:52 AM - edited 02-21-2020 04:44 AM
Hi all
I have an ASA 5510 firewall in my network, but the problem is I cannot log in to my firewall through telnet or ssh, or even ASDM or a browser. This is my configuration:
:
ASA Version 8.2(5)
!
hostname Amco-ASA
domain-name amco.com
enable password JSI3.TL9MINmP28U encrypted
passwd JSI3.TL9MINmP28U encrypted
names
!
interface Ethernet0/0
description Polarisnet Internet Link
nameif outside
security-level 0
ip address 213.x.x.14 255.255.255.252
!
interface Ethernet0/1
description Mobily Internet Link
shutdown
nameif outside1
security-level 0
ip address 86.51.11.74 255.255.255.252
!
interface Ethernet0/2
description DMZ Server connected
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
description Lan Network Connected
nameif inside
security-level 100
ip address 192.168.1.11 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name amco.com
access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list dmz-no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out-to-in extended permit tcp any host 213.x.x.19 eq 3389
access-list out-to-in extended permit tcp any host 213.x.x.17 eq www
access-list out-to-in extended permit tcp any host 213.x.x.18 eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu outside1 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14x0
global (outside) 1 interface
nat (DMZ) 0 access-list dmz-no-nat
nat (DMZ) 1 172.16.1.0 255.255.255.0
nat (inside) 0 access-list lan-no-nat
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 213.x.x.17 192.168.1.4 netmask 255.255.255.255
static (inside,outside) 213.x.x.18 192.168.1.16 netmask 255.255.255.255
static (DMZ,outside) 213.x.x.19 172.16.1.3 netmask 255.255.255.255
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 213.x.x.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 213.x.32.134
!
dhcpd address 192.168.1.51-192.168.1.2x inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username nasa password IqBVv2.6j.KCDncy encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:c9b7f48e092e4b7d07a62b20e19660cd
: end
Amco-ASA#
09-02-2012 05:51 AM
You need to move your post to the Security Community forum. They would be able to answer your question.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-02-2012 06:44 AM
I moved it, thanks.
09-02-2012 07:22 AM
A couple commands affect the ability to login:
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
So, the above say:
1. use LOCAL authentication for ssh and console. You have username "nasa" set up so that's OK. BUT you do not have AAA authentication for telnet or http. First off, I'd ditch telnet altogether. Makes no sense to manage a security device using an insecure transport. For http you need a line like "aaa authentication http console LOCAL"
2. turn on http server - required to use ASDM (https actually). You have no ASDM image specified so that will be a problem. I would look for a command like "asdm image disk0:
3. restrict ASDM access to a client connecting to the management interface. (once you have #2 above corrected ASDM should work assuming your client has a route to the ASA management interface).
4. telnet is allowed from any client coming in to outside interface. This is not recommended since it a. uses insecure telnet and b. allows it from the public! Still it should be functional, if insecure, as long as you are accessing public interface.
5. ssh is allowed from any client, also to public interface. Again, not a best practice but it should work if you are trying to access your ASA's public IP.
10-01-2012 12:42 PM
First, thanks a lot for helping.
I'm trying to do all the steps you advised, but I still cannot log in through web (HTTP) or SDM, but SSH is working perfectly now.
I will give you a snapshot of the new configuration:
Amco-ASA# show run
: Saved
:
ASA Version 8.2(5)
!
hostname Amco-ASA
domain-name amcomideast.com
enable password /bmNTYoTDVbw27DY encrypted
passwd JSI3.TL9MINmP28U encrypted
names
!
interface Ethernet0/0
description Polarisnet Internet Link
nameif outside
security-level 0
ip address xxx.xxx.40.14 255.255.255.252
!
interface Ethernet0/1
description Mobily Internet Link
shutdown
nameif outside1
security-level 0
ip address 86.51.11.74 255.255.255.252
!
interface Ethernet0/2
description DMZ Server connected
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
description Lan Network Connected
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
regex domainlist3 "\.youtube\.com"
regex domainlist4 "\.facebook\.com"
regex block1 "facebook.com"
regex block2 "\.facebook\.com"
ftp mode passive
dns server-group DefaultDNS
domain-name amcomideast.com
access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz-no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out-to-in extended permit tcp any host xxx.xxx.40.19 eq 3389
access-list out-to-in extended permit tcp any host xxx.xxx.40.17 eq www
access-list out-to-in extended permit tcp any host xxx.xxx.40.18 eq www
access-list out-to-in extended permit tcp any interface outside range h323 3230
access-list out-to-in extended permit tcp any interface outside eq 3243
access-list out-to-in extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out-to-in extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz-to-in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any interface outside range 3230 3277
access-list OUTSIDE-IN extended permit udp any interface outside range 3230 3277
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu outside1 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DMZ) 0 access-list dmz-no-nat
nat (DMZ) 1 172.16.1.0 255.255.255.0
nat (inside) 0 access-list lan-no-nat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
static (inside,outside) tcp interface h323 192.168.1.40 h323 netmask 255.255.255.255
static (inside,outside) tcp interface 3230 192.168.1.40 3230 netmask 255.255.255.255
static (inside,outside) tcp interface 3243 192.168.1.40 3243 netmask 255.255.255.255
static (inside,outside) udp interface 3230 192.168.1.40 3230 netmask 255.255.255.255
static (inside,outside) udp interface 3277 192.168.1.40 3277 netmask 255.255.255.255
static (inside,outside) xxx.xxx.40.17 192.168.1.4 netmask 255.255.255.255
static (inside,outside) xxx.xxx.40.18 192.168.1.16 netmask 255.255.255.255
static (DMZ,outside) xxx.xxx.40.19 172.16.1.10 netmask 255.255.255.255
access-group out-to-in in interface outside
access-group dmz-to-in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.13 1
route inside 192.168.1.0 255.255.255.0 192.168.200.2 1
route inside 192.168.5.0 255.255.255.0 192.168.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns xxx.xxx.32.134
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username amco password SIQ4ybqbSk3tR2yZ encrypted privilege 15
username nasa password IqBVv2.6j.KCDncy encrypted privilege 15
!
class-map type regex match-any DomainLogList
match regex domainlist4
class-map type regex match-any DomainBlockList
match regex domainlist3
match regex domainlist4
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map type inspect http match-all LogDomainsClass
match request header host regex class DomainLogList
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
class BlockDomainsClass
reset log
class LogDomainsClass
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http http_inspection_policy
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a8261089e6958875d4434ac0f23d67d9
: end
10-01-2012 12:51 PM
You're welcome.
Please also provide output of these commands:
show version
dir disk0:
to assist in resolving.
10-06-2012 09:59 AM
Amco-ASA# show version
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
Amco-ASA up 3 days 5 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 649e.f335.6272, irq 9
1: Ext: Ethernet0/1 : address is 649e.f335.6273, irq 9
2: Ext: Ethernet0/2 : address is 649e.f335.6274, irq 9
3: Ext: Ethernet0/3 : address is 649e.f335.6275, irq 9
4: Ext: Management0/0 : address is 649e.f335.6271, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1606X17C
Running Activation Key: 0x1403d37a 0x485f5b1c 0xf071ed4c 0xa2dcc864 0x410505a8
Configuration register is 0x1
Configuration last modified by enable_15 at 07:49:30.393 UTC Sat Oct 6 2012
-------------------------------------------------------------------------------------------------------------------
Amco-ASA# dir disk0:
Directory of disk0:/
96 -rwx 15390720 09:51:30 Feb 11 2012 asa825-k8.bin
97 -rwx 16280544 11:56:28 Feb 11 2012 asdm-645.bin
3 drwx 4096 00:03:28 Jan 01 2003 log
10 drwx 4096 00:03:42 Jan 01 2003 crypto_archive
11 drwx 4096 00:03:44 Jan 01 2003 coredumpinfo
99 -rwx 12998641 11:52:50 Feb 11 2012 csd_3.5.2008-k9.pkg
100 drwx 4096 11:52:52 Feb 11 2012 sdesktop
101 -rwx 6487517 11:52:56 Feb 11 2012 anyconnect-macosx-i386-2.5.2014-k9.pkg
102 -rwx 6689498 11:53:00 Feb 11 2012 anyconnect-linux-2.5.2014-k9.pkg
103 -rwx 4678691 11:53:02 Feb 11 2012 anyconnect-win-2.5.2014-k9.pkg
255320064 bytes total (192176128 bytes free)
10-06-2012 10:14 AM
Those look OK.
Can you confirm that you are trying to login from a client on network 192.168.1.0? The configuration line:
http 192.168.1.0 255.255.255.0 inside
restricts your ASDM clients to that network.
What are you using to attempt ASDM login? Are you using an already installed ASDM launcher or going via a browser to https://192.168.1.1/admin?
What is the result when you try? Here is a document with a remedy for the most common problems:
10-08-2012 10:34 PM
This is a bit difficult to do with the mobile interface since I can refer back to your original post for details. But here is my attempt to answer your questions.
You have enabled control via http ( which is ASDM) only via the management interface. But the management interface has no IP address so ASDM can not work.
Then - you have enabled telnet access only on the outside interface. But the behavior of ASA is to not allow telnet through the outside interface. So no telnet access.
And you have enabled ssh only through the outside interface. So have you attempted ssh from an address outside the ASA?
HTH
Rick
Sent from Cisco Technical Support iPhone App
10-08-2012 11:55 PM
You are trying to ssh via the outside interface which has an acl out-to-in applied, is this correct?
In acl out-to-in there is no permit statement for ssh.
Console into ASA and get a colleague to ssh and check the logs at the same time; that might provide a hint. Also don't forget to create a crypto key otherwise ssh will not work.
I concur with what Richard is saying about ASDM and Telnet.
Vineet
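The management-access checks named in the answers above (an access rule bound to an interface with no IP address, telnet on the outside interface, a missing aaa authentication line, a missing asdm image, access open to any source), as an added Python example that is not part of the thread or of any Cisco tool. The function name `audit`, the finding strings and the sample excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the first posted configuration (public address masked as on the page).
SAMPLE = """\
interface Ethernet0/0
nameif outside
security-level 0
ip address 213.x.x.14 255.255.255.252
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.1.11 255.255.255.0
interface Management0/0
nameif management
security-level 100
no ip address
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

RULE = re.compile(r"(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def audit(config):
    """Return sorted (protocol, interface, finding) tuples for management access."""
    ifaces, rules, lines, cur = {}, [], [], None
    for line in map(str.strip, config.splitlines()):
        lines.append(line)
        word = line.split(" ")
        if word[0] == "interface":
            cur = {"level": None, "has_ip": False}
        elif cur is not None and word[0] == "nameif":
            ifaces[word[1]] = cur
        elif cur is not None and word[0] == "security-level":
            cur["level"] = int(word[1])
        elif cur is not None and line.startswith("ip address "):
            cur["has_ip"] = True
        m = RULE.match(line)
        if m:
            rules.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), m[4]))
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)
    lowest = min((i["level"] for i in ifaces.values() if i["level"] is not None), default=None)
    out = set()
    for proto, net, name in rules:
        iface = ifaces.get(name, {"level": None, "has_ip": False})
        if not iface["has_ip"]:
            out.add((proto, name, "interface has no IP address"))
        # The ASA refuses telnet on its lowest-security interface (outside a VPN tunnel).
        if proto == "telnet" and iface["level"] == lowest:
            out.add((proto, name, "telnet on lowest-security interface"))
        if net.prefixlen == 0 and iface["level"] == 0:
            out.add((proto, name, "any source allowed on security-level 0"))
        if not has(f"aaa authentication {proto} console "):
            out.add((proto, name, "no aaa authentication line"))
        if proto == "http" and not has("http server enable"):
            out.add((proto, name, "http server not enabled"))
        if proto == "http" and not has("asdm image "):
            out.add((proto, name, "no asdm image configured"))
    return sorted(out)
```

Calling `audit(SAMPLE)` returns seven findings for the first configuration; the parser strips indentation, so it accepts both a raw `show run` and the flattened paste seen in this thread.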