ASA 8.3 vitrual telnet + authen, %ASA-2-106001: Inbound TCP connection denied ..

Unanswered Question
Sep 3rd, 2010
User Badges:

Hello


I've trayed to configure on the asa 8.3 authentication from outside by virtual telnet /proxy-auth/ with radius server inside.

During the try to get access by the outside interface asa on my pc /cmd telnet 10.14.3.280/ can't open a dos window with prompt to logon, after that I have a /my pc  - 10.14.32.1/:
"C:\>telnet 10.14.32.80
Connecting To 10.14.32.80...Could not open connection to the host, on port 23: C
onnect failed"


the same on the asa console a log:

"%ASA-2-106001: Inbound TCP connection denied from 10.14.32.1/1078 to 10.14.32.80/23 flags SYN  on interface outside"


co hitcnt to acls:

ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list IFS_UAUTH_RADIUS; 1 elements; name hash: 0x7e35116f
access-list IFS_UAUTH_RADIUS line 1 extended permit tcp any host 10.14.32.80 (hitcnt=0) 0xe61531cc
access-list ACL-IN; 1 elements; name hash: 0x44d1c580
access-list ACL-IN line 1 extended permit tcp any host 10.14.32.80 eq telnet (hitcnt=0) 0xc9a1e426


somple configuration from my lab /bolded important/:


##

ASA Version 8.3(1)
!
hostname ciscoasa
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.14.32.81 255.255.240.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.14.32.80
host 10.14.32.80

access-list UAUTH_RADIUS extended permit tcp any host 10.14.32.80
access-list ACL-IN extended permit tcp any host 10.14.32.80 eq telnet

pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-10.14.32.80
nat (inside,outside) static 10.14.32.80

access-group ACL-IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.250
aaa authentication match UAUTH_RADIUS outside RADIUS

http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 10.14.32.80
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bfee68864f004e63872ca49497066fa3
: end
##


any idea what is wrong with config?


/regards Piter

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mirober2 Fri, 09/03/2010 - 05:37
User Badges:
  • Cisco Employee,

Hi Piotr,


There is a bug filed for this problem in ASA 8.3 (CSCth82006) that hasn't been fixed yet. You can try to enable the 'same-security-traffic permit intra-interface' command, which seems to be a workaround for the bug.


Hope that helps.


-Mike

Actions

This Discussion

Related Content