02-05-2009 08:55 AM - edited 03-11-2019 07:46 AM
Hi,
I am trying to telnet and SSH to the ASA from the inside routed subnet, but it is not happening. When I telnet from the directly connected subnet of the ASA, it works.
Is this a constraint of the ASA, or can anything be done about it?
02-05-2009 09:25 AM
It all depends on how you have configured the ASA to allow sources for SSH and telnet.
Can you post the output of
show run | inc telnet
show run | inc ssh
as well as the source IP of your routed subnet you are telnetting from? Usually you can see the error and source IP in ASDM.
If you could provide this info we could assist better.
Regards
02-05-2009 08:06 PM
Hi,
Please find the configuration of the firewall. The routed network from the inside zone is 10.205.41.0/25. The host IP address in this subnet is 10.205.41.101.
route Internal_Firewall 10.205.41.0 255.255.255.128 10.205.40.39 1
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 10.205.41.160 255.255.255.248 Admin_zone
http 10.205.41.0 255.255.255.128 Internal_Firewall
telnet 10.205.41.160 255.255.255.248 Admin_zone
telnet 10.205.41.0 255.255.255.128 Internal_Firewall
telnet timeout 30
ssh 10.205.41.160 255.255.255.248 Admin_zone
ssh 10.205.41.101 255.255.255.255 Internal_Firewall
ssh timeout 5
ssh version 2
Please find the access log of the same activities attached for your reference.
Regards
02-06-2009 10:23 AM
I'm not clearly getting your logical setup in relation to where you are trying to SSH from and to. Also, there seems to be a TCP RESET-I, which tells me you are not initiating the SSH towards the right firewall interface, or I'm missing something.
You have
route Internal_Firewall 10.205.41.0 255.255.255.128 10.205.40.39 1
but looking at your logs:
Inbound TCP connection denied from 10.205.41.101/3392 to 10.205.41.165/80 flags SYN on interface Internal_Firewall
you are trying to HTTP from the 10.205.41.0/25 network, by source 10.205.41.101/25, to a firewall interface or destination IP 10.205.41.165/29, which, if I'm not mistaken, could be an interface IP address of the firewall for network 10.205.41.160/29.
If you want to SSH/telnet/HTTPS to the firewall from hosts behind a routed network through one of your firewall interfaces, those hosts have to telnet/SSH/HTTPS towards the interface of the firewall they reside under.
Meaning, if 10.205.41.101/25 wants to SSH/HTTP/telnet to the firewall, it needs to do it towards the firewall interface IP this network is being routed under. The same applies for sources under 10.205.41.160/29 telnetting or SSHing through the firewall interface they are under.
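The rule stated in the reply above (a management session must be addressed to the ASA interface the source sits behind, and the source must match a telnet/ssh/http line bound to that interface) can be checked mechanically against the posted config. The script below is an added example written for this page, not code from the thread or from Cisco. It assumes the interface addresses mentioned in the thread (10.205.40.38 for Internal_Firewall, and 10.205.41.165 as the Admin_zone interface, which the reply only says "could be" the case) and models only those two rules, not the ASA's full management-plane logic (for instance the management-access command, which lets VPN-tunneled traffic reach an interface other than the nearest one). The log line it classifies is the one quoted above.

```python
"""Model the two ASA management-access checks discussed in this thread.

Added example; not from the original post or from Cisco.
 1. A management connection is only accepted on the IP of the interface
    the source is behind (the ingress interface).
 2. The source must match a 'telnet|ssh|http <ip> <mask> <interface>'
    line for that same interface.
"""
import ipaddress
import re

# The telnet/ssh/http lines posted in the thread, plus the non-ACL lines
# around them, so the parser shows it skips 'ssh timeout', 'ssh version', etc.
ASA_CONFIG = """\
http server enable
http 10.205.41.160 255.255.255.248 Admin_zone
http 10.205.41.0 255.255.255.128 Internal_Firewall
telnet 10.205.41.160 255.255.255.248 Admin_zone
telnet 10.205.41.0 255.255.255.128 Internal_Firewall
telnet timeout 30
ssh 10.205.41.160 255.255.255.248 Admin_zone
ssh 10.205.41.101 255.255.255.255 Internal_Firewall
ssh timeout 5
ssh version 2
"""

# Interface IPs: Internal_Firewall is stated in the thread; Admin_zone is an
# ASSUMPTION based on the reply's guess about 10.205.41.165.
INTERFACE_IPS = {
    "Internal_Firewall": ipaddress.ip_address("10.205.40.38"),
    "Admin_zone": ipaddress.ip_address("10.205.41.165"),
}

MGMT_LINE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# ASA syslog %ASA-2-106001 shape, as quoted in the thread
DENY_LINE = re.compile(
    r"Inbound TCP connection denied from (\S+)/\d+ to (\S+)/(\d+) "
    r"flags \S+ on interface (\S+)"
)
PORT_TO_SERVICE = {"22": "ssh", "23": "telnet", "80": "http", "443": "http"}


def parse_mgmt_acl(config):
    """Return {service: [(network, interface), ...]} from ASA config text."""
    acl = {"telnet": [], "ssh": [], "http": []}
    for line in config.splitlines():
        m = MGMT_LINE.match(line.strip())
        if not m:
            continue  # 'ssh version 2', 'telnet timeout 30', ... are not ACL entries
        service, ip, mask, iface = m.groups()
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        acl[service].append((net, iface))
    return acl


def check_mgmt_access(acl, service, src_ip, ingress_iface, dst_ip):
    """Return (allowed, reason) for a management connection attempt."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Rule 1: destination must be the ingress interface's own address.
    if INTERFACE_IPS.get(ingress_iface) != dst:
        return False, (f"{dst} is not the IP of ingress interface {ingress_iface}; "
                       "connect to the interface the source is behind instead")
    # Rule 2: source must be permitted for this service on this interface.
    for net, iface in acl[service]:
        if iface == ingress_iface and src in net:
            return True, f"matched '{service} {net.network_address} {net.netmask} {iface}'"
    return False, f"no '{service}' line permits {src} on {ingress_iface}"


def classify_deny_log(acl, log_line):
    """Apply the checks to a 106001-style deny line; None if not parseable."""
    m = DENY_LINE.search(log_line)
    if not m:
        return None
    src, dst, port, iface = m.groups()
    service = PORT_TO_SERVICE.get(port)
    if service is None:
        return None  # not a management port, outside this model
    return check_mgmt_access(acl, service, src, iface, dst)


if __name__ == "__main__":
    acl = parse_mgmt_acl(ASA_CONFIG)
    log = ("Inbound TCP connection denied from 10.205.41.101/3392 to "
           "10.205.41.165/80 flags SYN on interface Internal_Firewall")
    print("log line   :", classify_deny_log(acl, log))
    for svc in ("ssh", "telnet", "http"):
        print(f"{svc:6} to inside IP:",
              check_mgmt_access(acl, svc, "10.205.41.101", "Internal_Firewall", "10.205.40.38"))
    # A second host in the /25: covered by the telnet/http subnet lines but not the ssh /32
    print("ssh .102   :", check_mgmt_access(acl, "ssh", "10.205.41.102", "Internal_Firewall", "10.205.40.38"))
```

The quoted deny is explained by rule 1 alone: 10.205.41.101 arrives on Internal_Firewall but targets the Admin_zone address. Aimed at 10.205.40.38 instead, the same host passes all three services with the posted lines, while any other host in 10.205.41.0/25 passes telnet and http but not ssh, because the ssh line is a /32 for .101 only. If a session is still refused after that, the config lines are not the cause and something else (routing, an intermediate device, the RESET-I noted above) needs looking at.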
02-07-2009 01:37 AM
Hi,
I am not trying to telnet/SSH/HTTP to the management interface, but to the interface that is connected to the routed network. The IP address is 10.205.40.38/28; this is the inside interface of the firewall, connected to the network in which the routed area 10.205.41.101/25 exists.
When I telnet to the internal interface of the firewall, it drops the connection.
Regards,
02-09-2009 05:01 AM
Hi,
I am a bit confused. Your log shows a deny to 10.205.41.165, but you mentioned that you are trying HTTP, SSH, and telnet to 10.205.40.38. Is that correct? Can you ping 10.205.40.38 from 10.205.41.101?
02-09-2009 06:21 AM
Hi,
Yes, I can ping from 10.205.41.101 to 10.205.40.38, but when I telnet, SSH, or HTTP, it drops the connection.
Regards,
02-09-2009 06:28 AM
Could you please post your firewall config? I am still a bit confused about the log, since it is reporting a deny to a different address and not 10.205.40.38.
regards,