09-03-2010 04:36 AM - edited 03-11-2019 11:34 AM
Hello
I've trayed to configure on the asa 8.3 authentication from outside by virtual telnet /proxy-auth/ with radius server inside.
During the try to get access by the outside interface asa on my pc /cmd telnet 10.14.3.280/ can't open a dos window with prompt to logon, after that I have a /my pc - 10.14.32.1/:
"C:\>telnet 10.14.32.80
Connecting To 10.14.32.80...Could not open connection to the host, on port 23: C
onnect failed"
the same on the asa console a log:
"%ASA-2-106001: Inbound TCP connection denied from 10.14.32.1/1078 to 10.14.32.80/23 flags SYN on interface outside"
co hitcnt to acls:
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list IFS_UAUTH_RADIUS; 1 elements; name hash: 0x7e35116f
access-list IFS_UAUTH_RADIUS line 1 extended permit tcp any host 10.14.32.80 (hitcnt=0) 0xe61531cc
access-list ACL-IN; 1 elements; name hash: 0x44d1c580
access-list ACL-IN line 1 extended permit tcp any host 10.14.32.80 eq telnet (hitcnt=0) 0xc9a1e426
somple configuration from my lab /bolded important/:
##
ASA Version 8.3(1)
!
hostname ciscoasa
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.14.32.81 255.255.240.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.14.32.80
host 10.14.32.80
access-list UAUTH_RADIUS extended permit tcp any host 10.14.32.80
access-list ACL-IN extended permit tcp any host 10.14.32.80 eq telnet
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-10.14.32.80
nat (inside,outside) static 10.14.32.80
access-group ACL-IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.250
aaa authentication match UAUTH_RADIUS outside RADIUS
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 10.14.32.80
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bfee68864f004e63872ca49497066fa3
: end
##
any idea what is wrong with config?
/regards Piter
09-03-2010 05:37 AM
Hi Piotr,
There is a bug filed for this problem in ASA 8.3 (CSCth82006) that hasn't been fixed yet. You can try to enable the 'same-security-traffic permit intra-interface' command, which seems to be a workaround for the bug.
Hope that helps.
-Mike
09-03-2010 06:13 AM
thx. It's realy work with this command
/regards Piter
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide