Asa 5510 and telnet

Answered Question
Jul 16th, 2012

Hi,

We have a problem doing telnet to the inside and outside interfaces. When we try, we receive this message. We have permit any any on both interfaces, but we can't do telnet.

Does somebody know what we have to do to solve it?

The ASA version is 8.2.5, model 5510.

thanks.

%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.

Vincenzo Errante Mon, 07/16/2012 - 03:22

hi,

add these lines:

telnet inside
telnet outside

regards

V

Vincenzo Errante Mon, 07/16/2012 - 03:52

please attach your config

Rafael Romero Diaz Mon, 07/16/2012 - 03:56

Hi,

thanks for your quick answer.

But, we have the same issue.

We wrote the command telnet 192.168.0.0 255.255.0.0 outside.

Attached please find a picture.

if you need more config please let us know.

Thanks.

Vincenzo Errante Mon, 07/16/2012 - 04:05

I see in the picture another subnet in telnet access: 10.161.0.0/16, not 192.168.0.0 255.255.0.0.

Rafael Romero Diaz Mon, 07/16/2012 - 04:09

Sorry, it is a mistake; the correct one is

telnet 10.161.0.0 255.255.0.0 outside

Vincenzo Errante Mon, 07/16/2012 - 04:13

what is the ip address of RDP-FJD ?

Vincenzo Errante Mon, 07/16/2012 - 04:17

second:

do you have a user or group enabled to telnet?

example:

aaa authentication telnet LOCAL

Rafael Romero Diaz Mon, 07/16/2012 - 04:34

RDP-FJD is 10.161.1.71

We don't have a group. We tried to enter the sentence that you told us, but it does not run...

thanks

Vincenzo Errante Mon, 07/16/2012 - 05:08

well,

You cannot configure telnet on the outside interface or the lowest-security interface; use SSH.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#telnet

Note: You can enable Telnet to the security appliance on all interfaces. However, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPsec. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

Note: In general, if any interface has a security level of 0 or lower than any other interface, then the PIX/ASA does not allow Telnet to that interface.

Regards

Rafael Romero Diaz Mon, 07/16/2012 - 06:21

We will try to do it like you told us.

Thanks!!!

Regards.

Correct Answer
Ramraj.Sivagnanam Fri, 07/20/2012 - 10:34

Hi Bro

You cannot telnet to an outside interface that has security-level 0. You can only SSH to an outside interface with security-level 0. In general, if any interface has a security level of 0 or lower than any other interface, then the PIX/ASA does not allow telnet to that interface.

However, if you're still adamant that you'd like to telnet to the outside interface, then this can be achieved, but the steps are too many and too much of a hassle. Well, in order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the Cisco FW, and enable Telnet on the outside interface.

It is not recommended to access the security appliance through a Telnet session. The authentication credentials, such as passwords, are sent as clear text. The Telnet server and client communicate only in clear text. Cisco recommends using SSH for more secure data communication.

For further details on this, please refer to this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

domain-name cisco.com
ssh version 2
crypto key generate rsa modulus 768
ssh 202.188.5.0 255.255.255.0 outside
telnet 192.168.10.13 255.255.255.255 inside

P/S: If you do find this comment useful, please rate it nicely :-)
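As an added example (not from the thread, and not Cisco's code), here is a small Python audit that applies the rule Ramraj quotes to a constructed ASA running-config: any telnet statement bound to an interface at security-level 0, or at the lowest level on the box, is flagged as one the ASA will reject, and every other telnet statement is flagged as cleartext management access where SSH is the better choice. The sample config, interface names and result tags are constructed for illustration, not taken from a real device.

```python
import re

# Constructed sample modelled on this thread; not a real device dump.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/1.82
 nameif transito-asa-cpe
 security-level 50
ssh 10.161.0.0 255.255.0.0 outside
telnet 10.161.0.0 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe
telnet timeout 5
"""


def parse_security_levels(config):
    """Map each nameif to its security-level by walking interface blocks."""
    levels, block = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):           # a new block starts
            if "nameif" in block and "level" in block:
                levels[block["nameif"]] = block["level"]
            block = {}
        elif line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            block["level"] = int(line.split()[1])
    if "nameif" in block and "level" in block:     # flush the last block
        levels[block["nameif"]] = block["level"]
    return levels


def audit_telnet(config):
    """Tag each 'telnet <src> <mask> <ifname>' line: REJECTED, CLEARTEXT or UNKNOWN-IF."""
    levels = parse_security_levels(config)
    lowest, findings = min(levels.values()), []
    for raw in config.splitlines():
        m = re.fullmatch(r"telnet (\S+) (\S+) (\S+)", raw.strip())
        if not m:
            continue                  # skips 'telnet timeout 5' and non-telnet lines
        ifname, level = m.group(3), levels.get(m.group(3))
        tag = ("UNKNOWN-IF" if level is None else       # nameif not in any block
               "REJECTED" if level in (0, lowest) else   # ASA will not allow Telnet here
               "CLEARTEXT")                              # works, but credentials are in clear
        findings.append((ifname, tag))
    return findings
```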

Rafael Romero Diaz Tue, 07/24/2012 - 00:59

Hi,

I tested this configuration and it works.

interface Ethernet0/1.82
 vlan 82
 nameif transito-asa-cpe
 security-level 50
 ip address 192.168.0.1 255.255.255.252

domain-name cisco.com
ssh version 2
crypto key generate rsa modulus 768
ssh Lan-FJD 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe

Thank you very much for your help.

Cheers.
