You are correct. It was the

artemis88 · ‎02-17-2015

All,

I'm in a bit of an odd situation. I had to change over the primary nameif on a Cisco ASA 5510 running 8.2(5) DeviceManager 6.4(5)

Currently everything works as intended (natting, vpns, ninjas) except for internal access services including telnet and ADSM.

Right now SSH works from the Outside interface but alas I cannot seem to access through telnet/SSH or ADSM through the local LAN into the device.

I'm assuming I'm just missing a small piece of the puzzle. If anyone has any information I would be much obliged.

I have tried the following :

1. reset http (no http server enable and http server enable)

2. Lab'd up a Cisco ASA 5505 (same OS version) with similar (almost exact with differences on how the ports are designated). And was able to telnet directly to the box from a computer directly attached to the system.

Note : Local IP : 10.100.1.0/24 Remote Access IP : 10.1.0.0/23

Here is an obfuscated Config

ENMASA# show run
: Saved
:
ASA Version 8.2(5)
!
hostname *obfuscated*
domain-name *obfuscated*
enable password *obfuscated* encrypted
passwd *obfuscated* encrypted
names
name *obfuscated* SBSServerEXT description SBSServerEXT
name 10.100.1.200 SBSServerINT description SBSServerINT
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address *obfuscated* 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.100.1.253 255.255.255.0
!
interface Ethernet0/2
nameif OutsideFireBox
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
nameif SV-Remote
security-level 90
ip address 10.253.253.2 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup OutsideFireBox
dns domain-lookup management
dns server-group DefaultDNS
domain-name *obfuscated*
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.1.0.0 255.255.252.0
network-object 10.3.0.0 255.255.252.0
network-object 10.4.0.0 255.255.252.0
network-object 10.5.0.0 255.255.252.0
network-object 10.6.0.0 255.255.252.0
network-object 10.7.0.0 255.255.252.0
network-object 10.8.0.0 255.255.252.0
network-object 10.9.0.0 255.255.252.0
network-object 10.51.0.0 255.255.255.0
object-group service DPM tcp
port-object eq 5718
port-object eq 5719
object-group service RemoteWebWorkPlace tcp
port-object eq 4125
object-group service DM_INLINE_TCP_1 tcp
group-object DPM
group-object RemoteWebWorkPlace
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp eq pptp
service-object gre
service-object esp
service-object udp eq 4500
service-object udp eq isakmp
object-group network DM_INLINE_NETWORK_2
network-object 10.1.0.0 255.255.252.0
network-object 10.3.0.0 255.255.252.0
network-object 10.4.0.0 255.255.252.0
network-object 10.5.0.0 255.255.252.0
network-object 10.51.0.0 255.255.255.0
network-object 10.6.0.0 255.255.252.0
network-object 10.7.0.0 255.255.252.0
network-object 10.8.0.0 255.255.252.0
network-object 10.9.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_4
network-object 10.1.0.0 255.255.252.0
network-object 10.51.0.0 255.255.255.0
network-object 10.9.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object 10.1.0.0 255.255.252.0
network-object 10.51.0.0 255.255.255.0
network-object 10.9.0.0 255.255.252.0
access-list Outside_1_cryptomap extended permit ip 10.100.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 inactive
access-list Inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Outside_access_in extended permit tcp any host SBSServerEXT object-group DM_INLINE_TCP_1
access-list Outside_access_in remark Bolton Menk vpn
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_2
access-list SV-Remote_access_in extended permit ip object-group DM_INLINE_NETWORK_5 10.100.1.0 255.255.255.0
access-list SV-Remote_access_in extended permit ip any any
access-list SV-Remote_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.253.253.2
access-list Inside_nat0_outbound_1 extended permit ip 10.100.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu OutsideFireBox 1500
mtu SV-Remote 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) SBSServerEXT SBSServerINT netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group SV-Remote_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 *obfuscated* 10
route Inside 10.1.0.0 255.255.252.0 10.100.1.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 SV-Remote
http 10.0.0.0 255.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet SBSServerINT 255.255.255.255 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 Outside
ssh 10.100.1.0 255.255.255.0 Inside
ssh 10.0.0.0 255.0.0.0 SV-Remote
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 10
ssh version 2
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside

class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
class global-class
csc fail-close
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:*obfuscated*

Thank you,

Providing an Obfuscated show run for help.

aevans · ‎02-17-2015

Hi Attemis88,

I am not able to see which interface nameif it is that you changed, can you confirm this?

I have a hunch it is the "Inside" if that is the case try the following command with the new nameif name. where xxxx is the new nameif name

management-access xxxxx

Let me know how you get on

artemis88 · ‎02-20-2015

You are correct. It was the Inside Interface.

I have kept the

"management-access inside " statement

Any other suggestions?

I should reiterate - I have had that statement since the change-over still no ability to SHH/TELNET/ADSM through the local interface.

Thank you,

CISCO ASA 5510 - Issue with Telnet/SSH/ADSM access after NAMEIF change