CISCO ASA 5510 - Issue with Telnet/SSH/ASDM access after NAMEIF change

artemis88
Level 1

All,

 

I'm in a bit of an odd situation.  I had to change over the primary nameif on a Cisco ASA 5510 running 8.2(5), Device Manager 6.4(5).

Currently everything works as intended (natting, vpns, ninjas) except for internal access services including telnet and ASDM.

Right now SSH works from the Outside interface but alas I cannot seem to access through telnet/SSH or ASDM through the local LAN into the device.

I'm assuming I'm just missing a small piece of the puzzle.  If anyone has any information I would be much obliged.

I have tried the following :

1.  Reset http (no http server enable and http server enable).

2.  Lab'd up a Cisco ASA 5505 (same OS version) with a similar config (almost exact, with differences in how the ports are designated), and was able to telnet directly to the box from a computer directly attached to the system.

Note: Local IP: 10.100.1.0/24; Remote Access IP: 10.1.0.0/23

Here is an obfuscated config:

 

ENMASA# show run
: Saved
:
ASA Version 8.2(5) 
!
hostname *obfuscated*
domain-name *obfuscated*
enable password *obfuscated* encrypted
passwd *obfuscated* encrypted
names
name *obfuscated* SBSServerEXT description SBSServerEXT
name 10.100.1.200 SBSServerINT description SBSServerINT
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address *obfuscated* 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.100.1.253 255.255.255.0 
!
interface Ethernet0/2
 nameif OutsideFireBox
 security-level 0
 no ip address
!
interface Ethernet0/3
 shutdown
 nameif SV-Remote
 security-level 90
 ip address 10.253.253.2 255.255.255.248 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup OutsideFireBox
dns domain-lookup management
dns server-group DefaultDNS
 domain-name *obfuscated*
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.0.0 255.255.252.0
 network-object 10.3.0.0 255.255.252.0
 network-object 10.4.0.0 255.255.252.0
 network-object 10.5.0.0 255.255.252.0
 network-object 10.6.0.0 255.255.252.0
 network-object 10.7.0.0 255.255.252.0
 network-object 10.8.0.0 255.255.252.0
 network-object 10.9.0.0 255.255.252.0
 network-object 10.51.0.0 255.255.255.0
object-group service DPM tcp
 port-object eq 5718
 port-object eq 5719
object-group service RemoteWebWorkPlace tcp
 port-object eq 4125
object-group service DM_INLINE_TCP_1 tcp
 group-object DPM
 group-object RemoteWebWorkPlace
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq pptp 
 service-object gre 
 service-object esp 
 service-object udp eq 4500 
 service-object udp eq isakmp 
object-group network DM_INLINE_NETWORK_2
 network-object 10.1.0.0 255.255.252.0
 network-object 10.3.0.0 255.255.252.0
 network-object 10.4.0.0 255.255.252.0
 network-object 10.5.0.0 255.255.252.0
 network-object 10.51.0.0 255.255.255.0
 network-object 10.6.0.0 255.255.252.0
 network-object 10.7.0.0 255.255.252.0
 network-object 10.8.0.0 255.255.252.0
 network-object 10.9.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_4
 network-object 10.1.0.0 255.255.252.0
 network-object 10.51.0.0 255.255.255.0
 network-object 10.9.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
 network-object 10.1.0.0 255.255.252.0
 network-object 10.51.0.0 255.255.255.0
 network-object 10.9.0.0 255.255.252.0
access-list Outside_1_cryptomap extended permit ip 10.100.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 inactive 
access-list Inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list Outside_access_in extended permit tcp any host SBSServerEXT object-group DM_INLINE_TCP_1 
access-list Outside_access_in remark Bolton Menk vpn
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_2 
access-list SV-Remote_access_in extended permit ip object-group DM_INLINE_NETWORK_5 10.100.1.0 255.255.255.0 
access-list SV-Remote_access_in extended permit ip any any 
access-list SV-Remote_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.253.253.2 
access-list Inside_nat0_outbound_1 extended permit ip 10.100.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu OutsideFireBox 1500
mtu SV-Remote 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) SBSServerEXT SBSServerINT netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
access-group SV-Remote_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 *obfuscated* 10
route Inside 10.1.0.0 255.255.252.0 10.100.1.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 SV-Remote
http 10.0.0.0 255.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet SBSServerINT 255.255.255.255 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 Outside
ssh 10.100.1.0 255.255.255.0 Inside
ssh 10.0.0.0 255.0.0.0 SV-Remote
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 10
ssh version 2
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!             
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside

class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect pptp 
  inspect icmp 
 class global-class
  csc fail-close
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:*obfuscated*

 

Thank you,

Providing an obfuscated show run for help.

2 Replies

aevans
Level 1

Hi artemis88,

I am not able to see which interface nameif it is that you changed; can you confirm this?

I have a hunch it is the "Inside". If that is the case, try the following command with the new nameif name, where xxxxx is the new nameif name:

management-access xxxxx

Let me know how you get on.
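As an added example (not from this thread or from Cisco), a small audit script that reads an ASA 8.2-style running config like the one posted above and reports which management services (telnet, ssh, http/ASDM) are bound to each nameif, flagging any telnet/ssh/http, management-access or access-group line that still names an interface no longer defined, which is the usual casualty of a nameif change. The embedded config excerpt is constructed for the example and the stale nameif "LAN" is assumed; neither is taken from the poster's config.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's show run: the inside interface
# was renamed, but two lines still point at an assumed old nameif ("LAN").
ASA_CONFIG = """\
interface Ethernet0/0
 nameif Outside
interface Ethernet0/1
 nameif Inside
interface Management0/0
 nameif management
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 LAN
telnet 10.0.0.0 255.0.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Outside
ssh 10.100.1.0 255.255.255.0 Inside
management-access LAN
access-group SV-Remote_access_in in interface Inside
"""

# Management-plane commands whose last token is a nameif.
ACCESS_RE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
MGMT_ACCESS_RE = re.compile(r"^management-access\s+(\S+)\s*$")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")

def defined_nameifs(config):
    """Set of nameif values, lower-cased (ASA nameifs are not case-sensitive)."""
    return {m.group(1).lower() for m in re.finditer(r"^\s*nameif\s+(\S+)\s*$", config, re.M)}

def audit_mgmt_access(config):
    """Return ({nameif: {services}}, [lines naming an undefined nameif])."""
    names = defined_nameifs(config)
    per_iface = defaultdict(set)
    dangling = []
    for line in config.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            svc, _src, _mask, iface = m.groups()
            if iface.lower() in names:
                per_iface[iface.lower()].add(svc)
            else:
                dangling.append(line.strip())  # bound to a nameif that no longer exists
            continue
        m = MGMT_ACCESS_RE.match(line) or ACCESS_GROUP_RE.match(line)
        if m and m.groups()[-1].lower() not in names:
            dangling.append(line.strip())
    return dict(per_iface), dangling
```

Run `audit_mgmt_access` over the output of `show run` after a rename: any line it reports as dangling has to be re-entered with the new nameif before telnet/SSH/ASDM from that interface will work again.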

You are correct.  It was the Inside interface.

I have kept the "management-access inside" statement.

Any other suggestions?

I should reiterate: I have had that statement since the change-over, and still no ability to SSH/Telnet/ASDM through the local interface.

Thank you,
