telnet from routed ip subnet to asa 5580

santoshm_75
Level 1

Hi,

I am trying to telnet and SSH to the ASA from the inside routed subnet, but it is not working. When I telnet from the directly connected subnet of the ASA, it works.

Is this a constraint of the ASA, or can anything be done about it?

7 Replies

JORGE RODRIGUEZ
Level 10

It all depends on how you have configured the ASA to allow sources for SSH and telnet.

Can you post the output of

show run | inc telnet

show run | inc ssh

(edit)

as well as the source IP of the routed subnet you are telneting from. Usually you can see the error and source IP in ASDM.

If you could provide this info we could assist better.

Regards

Jorge Rodriguez

Hi,

Please find the configuration of the firewall. The routed network from the inside zone is 10.205.41.0/25. The host IP address in this subnet is 10.205.41.101.

route Internal_Firewall 10.205.41.0 255.255.255.128 10.205.40.39 1

aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server

http server enable
http 10.205.41.160 255.255.255.248 Admin_zone
http 10.205.41.0 255.255.255.128 Internal_Firewall

telnet 10.205.41.160 255.255.255.248 Admin_zone
telnet 10.205.41.0 255.255.255.128 Internal_Firewall
telnet timeout 30

ssh 10.205.41.160 255.255.255.248 Admin_zone
ssh 10.205.41.101 255.255.255.255 Internal_Firewall
ssh timeout 5
ssh version 2

Please find the access log of the same activities attached for your reference.

Regards

I'm not clearly getting your logical setup in relation to where you are trying to SSH from and to. Also, there seems to be a TCP RESET-I, which tells me you are not initiating the SSH towards the right firewall interface, or I'm missing something.

You have

route Internal_Firewall 10.205.41.0 255.255.255.128 10.205.40.39 1

but looking at your logs:

Inbound TCP connection denied from 10.205.41.101/3392 to 10.205.41.165/80 flags SYN on interface Internal_Firewall

You are trying to HTTP from the 10.205.41.0/25 network, with source 10.205.41.101/25, to a firewall interface or destination IP of 10.205.41.165/29. If I'm not mistaken, .165 could be an interface IP address of the firewall for the network 10.205.41.160/29.

If you want to SSH/telnet/HTTPS to the firewall from hosts behind a routed network through one of your firewall interfaces, those hosts have to telnet/SSH/HTTPS towards the firewall interface they reside under.

Meaning, if 10.205.41.101/25 wants to SSH/HTTP/telnet to the firewall, it needs to do it towards the firewall interface IP this network is being routed under. The same applies for sources under 10.205.41.160/29 telneting or SSHing through the firewall interface they are under.

Jorge Rodriguez
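As an added illustration (not code from any poster in this thread), here is a small Python model of the two checks Jorge describes: the connection must target the address of the interface it arrives on, and the source must match a telnet/ssh/http line for that interface. It takes 10.205.41.165 as the Admin_zone interface address, which is only Jorge's guess, and models no other ASA conditions, so it does not explain the poster's own drop when connecting to 10.205.40.38.

```python
import ipaddress

# Constructed from the telnet/ssh/http lines the original poster published above.
ASA_CONFIG = """
http 10.205.41.160 255.255.255.248 Admin_zone
http 10.205.41.0 255.255.255.128 Internal_Firewall
telnet 10.205.41.160 255.255.255.248 Admin_zone
telnet 10.205.41.0 255.255.255.128 Internal_Firewall
ssh 10.205.41.160 255.255.255.248 Admin_zone
ssh 10.205.41.101 255.255.255.255 Internal_Firewall
"""

# Interface addresses. 10.205.40.38 on Internal_Firewall is stated in the thread;
# 10.205.41.165 on Admin_zone is only Jorge's guess, so it is an assumption here.
INTERFACE_IPS = {"Internal_Firewall": "10.205.40.38", "Admin_zone": "10.205.41.165"}


def parse_mgmt_lines(config):
    """Map each service to the (source network, interface) pairs it is allowed from."""
    allowed = {"telnet": [], "ssh": [], "http": []}
    for line in config.splitlines():
        parts = line.split()
        # Only the form "<service> <ip> <mask> <interface>" is modelled; lines such as
        # "ssh version 2" or "telnet timeout 30" are skipped.
        if len(parts) == 4 and parts[0] in allowed:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            allowed[parts[0]].append((net, parts[3]))
    return allowed


def mgmt_access(config, service, src_ip, dst_ip, ingress_iface):
    """Return (permitted, reason) for a management connection arriving on ingress_iface."""
    iface_ip = INTERFACE_IPS.get(ingress_iface)
    # Check 1: the destination must be the address of the interface the packet arrives on.
    if iface_ip != dst_ip:
        return False, f"{dst_ip} is not the address of {ingress_iface}; use {iface_ip}"
    # Check 2: the source must be covered by a service line bound to that interface.
    src = ipaddress.ip_address(src_ip)
    for net, iface in parse_mgmt_lines(config)[service]:
        if iface == ingress_iface and src in net:
            return True, f"{src_ip} matches '{service} {net.network_address} {net.netmask} {iface}'"
    return False, f"no '{service}' line on {ingress_iface} covers {src_ip}"


if __name__ == "__main__":
    # The denied connection from the posted log, then the SSH the poster says still fails.
    print(mgmt_access(ASA_CONFIG, "http", "10.205.41.101", "10.205.41.165", "Internal_Firewall"))
    print(mgmt_access(ASA_CONFIG, "ssh", "10.205.41.101", "10.205.40.38", "Internal_Firewall"))
    print(mgmt_access(ASA_CONFIG, "ssh", "10.205.41.102", "10.205.40.38", "Internal_Firewall"))
```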

Hi,

I am not trying to telnet/SSH/HTTP to the management interface; I am trying to reach the interface which is connected to the routed network. Its IP address is 10.205.40.38/28. This is the inside interface of the firewall, connected to the network from which the routed area containing 10.205.41.101/25 is reached.

When I telnet to the internal interface of the firewall, it drops the connection.

Regards,

Hi,

I am a bit confused. Your log shows a deny to 10.205.41.165, but you mentioned that you are trying to HTTP, SSH and telnet to 10.205.40.38. Is that correct? Can you ping 10.205.40.38 from 10.205.41.101?

Hi,

Yes, I can ping from 10.205.41.101 to 10.205.40.38, but when I telnet, SSH or HTTP, it drops the connection.

Regards,

Could you please post your firewall config? I am still a bit confused about the log, since it is reporting a deny to a different address and not 10.205.40.38.

regards,
