12-03-2016 06:17 AM - edited 03-12-2019 01:37 AM
I have a 5512-X in my home lab and have what I am sure is a simple enough issue. All I want to do is get on the box to upload a new image, and I'm failing at the first hurdle, it seems. The ASA is in transparent mode.
Management Interface of ASA
interface Management0/0
 nameif MGMT
 security-level 100
 ip address 10.44.0.60 255.255.255.0
 management-only
I have my laptop on the same subnet (IP 10.44.0.20) and can ping the management IP; however, I cannot telnet or SSH to the ASA MGMT interface.
Looking at the logs I see the inbound connection -
%ASA-6-302013: Built inbound TCP connection 40 for MGMT:10.44.0.20/14805 (10.44.0.20/14805) to identity:10.44.0.60/23 (10.44.0.60/23)
I have the following also on the device
ciscoasa(config-if)# sh run ssh
ssh 10.44.0.20 255.255.255.255 MGMT
ssh timeout 5
ciscoasa(config-if)# sh run telnet
telnet 10.44.0.20 255.255.255.255 MGMT
telnet timeout 5
ciscoasa(config-if)#
Is this because I am routing back out the management interface? At a bit of a loss.
Thanks
12-03-2016 08:58 AM
What error do you get at the laptop when you try to initiate an SSH connection? I would also look at the aaa server configuration on the firewall to make sure it's properly configured for authentication.
12-03-2016 09:01 AM
Apologies I clicked correct answer by mistake. Not sure how to undo this.
I get no error; my PuTTY window just remains empty. I get no prompts for credentials at all. I tried telnetting from a Windows client also and it just says connecting... then times out. I have had a thought that I will try when I fire it back up later, possibly the same-security intra-interface command; I can't recall the exact format off the top of my head.
12-03-2016 09:26 AM
I don't think same security is needed in your situation because you are directly connected to the management interface; that's if you were coming in from another firewall interface and don't want to create an ACL. Also, did you generate an RSA key for SSH? Looked at aaa? Can you also look at the packet tracer flow? Are you able to ping your PC from the firewall?
12-03-2016 10:18 AM
Can ping no problem between the mgmt interface and laptop. I did create an RSA key; I also can't telnet, so it can't be RSA. Will do some further testing soon.
12-03-2016 11:00 AM
Can you try to use another interface on the firewall for SSH or telnet? If that works then you know it's something with the management interface. Sometimes management interfaces can be hard to work with. You can give it a shot and it will help you narrow down troubleshooting.
12-03-2016 11:47 AM
This was an odd one. The switch ports my laptop and mgmt interface were connected to were just left at the default config (e.g. none), so technically in VLAN 1. I added some config on the ports, basic hard set to access port and a different VLAN. Works now...
All I wanted was to connect to the ASA to stick a new image on it, so I wasn't really bothered much about the finer details of my lab at this moment in time. Anyway, now I can crack on.
Thanks a lot for your help, appreciated.
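
An added example, not part of the original thread: a Python check that takes the `ssh`/`telnet` permit lines and the 302013 syslog line from the first post and reports whether the logged to-the-box connection matches a permit entry, and whether it used Telnet, which is unencrypted. The function names are hypothetical.

```python
import ipaddress
import re

# Permit lines as shown in the first post ("sh run ssh" / "sh run telnet").
RUNNING_CONFIG = """\
ssh 10.44.0.20 255.255.255.255 MGMT
ssh timeout 5
telnet 10.44.0.20 255.255.255.255 MGMT
telnet timeout 5
"""

# Syslog line as shown in the first post.
LOG_LINE = ("%ASA-6-302013: Built inbound TCP connection 40 for "
            "MGMT:10.44.0.20/14805 (10.44.0.20/14805) to "
            "identity:10.44.0.60/23 (10.44.0.60/23)")

SERVICE_PORTS = {22: "ssh", 23: "telnet"}
IP = r"(\d+\.\d+\.\d+\.\d+)"
ALLOW_RE = re.compile(rf"^(ssh|telnet)\s+{IP}\s+{IP}\s+(\S+)\s*$")
BUILT_RE = re.compile(
    rf"%ASA-6-302013: Built inbound TCP connection (\d+) for "
    rf"(\S+?):{IP}/(\d+) \(\S+\) to identity:{IP}/(\d+)")


def parse_allow_rules(config):
    """Return (service, network, interface) for each ssh/telnet permit line."""
    rules = []
    for line in config.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:  # "ssh timeout 5" and similar lines do not match
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            rules.append((m.group(1), net, m.group(4)))
    return rules


def check_mgmt_connection(log_line, rules):
    """Classify a connection to the ASA itself (destination 'identity')."""
    m = BUILT_RE.search(log_line)
    if not m:
        return None
    ifname, src = m.group(2), ipaddress.ip_address(m.group(3))
    service = SERVICE_PORTS.get(int(m.group(6)))
    permitted = any(svc == service and ifc == ifname and src in net
                    for svc, net, ifc in rules)
    return {"conn_id": int(m.group(1)), "interface": ifname,
            "source": str(src), "service": service,
            "permitted": permitted, "cleartext": service == "telnet"}
```

For the log line in the thread this reports the connection as permitted, so the `telnet` access list was not what blocked the session.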