Asa 5510 and telnet

Answered Question
Jul 16th, 2012

Hi,

We have a problem with telnet to the inside and outside interfaces. When we try, we receive this message. We have permit any any on both interfaces, but we can't telnet.

Does anybody know what we have to do to solve it?

The ASA version is 8.2.5, model 5510.

Thanks.

%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.

CSCO11185425 Mon, 07/16/2012 - 03:56

Hi,

Thanks for your quick answer.

But we have the same issue.

We wrote the command telnet 192.168.0.0 255.255.0.0 outside

Attached please find a picture.

If you need more config, please let us know.

Thanks.

Vincenzo Errante Mon, 07/16/2012 - 04:05

I see in the picture another subnet in telnet access: 10.161.0.0/16, not 192.168.0.0 255.255.0.0

CSCO11185425 Mon, 07/16/2012 - 04:09

Sorry, it is a mistake; the correct one is

telnet 10.161.0.0 255.255.0.0 outside

Vincenzo Errante Mon, 07/16/2012 - 04:17

Second:

Do you have a user or group enabled for telnet?

Example:

aaa authentication telnet LOCAL

CSCO11185425 Mon, 07/16/2012 - 04:34

RDP-FJD is 10.161.1.71

We don't have a group. We tried to enter the command that you told us, but it doesn't run...

thanks

Vincenzo Errante Mon, 07/16/2012 - 05:08

Well,

you cannot configure telnet on the outside interface or the lowest interface; use ssh

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#telnet

Note: You can enable Telnet to the security appliance on all interfaces. However, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPsec. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

Note: In general, if any interface that has a security level of 0 or lower than any other interface, then PIX/ASA does not allow Telnet to that interface.

Regards

Correct Answer
Ramraj.Sivagnanam Fri, 07/20/2012 - 10:34

Hi Bro

You cannot telnet to an outside interface that has security-level 0. You can only ssh to an outside interface with security-level 0. In general, if an interface has a security level of 0 or lower than any other interface, then the PIX/ASA does not allow telnet to that interface.

However, if you’re still adamant that you’d like to telnet to the outside interface, then this can be achieved, but the steps are too many and too much of a hassle. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the Cisco FW and enable Telnet on the outside interface.

It is not recommended to access the security appliance through a Telnet session. The authentication credential information, such as the password, is sent as clear text. The Telnet server and client communication happens only in clear text. Cisco recommends using SSH for more secure data communication.

For further details on this, please refer to this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

domain-name cisco.com
ssh version 2
crypto key generate rsa modulus 768
ssh 202.188.5.0 255.255.255.0 outside
telnet 192.168.10.13 255.255.255.255 inside

P/S: If you do find this comment useful, please do rate them nicely :-)

CSCO11185425 Tue, 07/24/2012 - 00:59

Hi,

I tested this configuration and it works.

interface Ethernet0/1.82
 vlan 82
 nameif transito-asa-cpe
 security-level 50
 ip address 192.168.0.1 255.255.255.252

domain-name cisco.com
ssh version 2
crypto key generate rsa modulus 768
ssh Lan-FJD 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe

Thank you very much for your help.

Cheers.
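
Added example, not part of the original thread or Cisco's documentation: a small Python check that applies the rule quoted above (no Telnet to an interface at security level 0 or lower than every other interface) to a pasted command list, and also flags clear-text Telnet rules and a short SSH host key. The "outside" stanza in the sample and the 2048-bit floor are assumptions; the other commands are the ones posted in the thread.

```python
import re

# Constructed sample: commands posted in this thread plus an assumed
# "outside" interface at security-level 0 (its stanza is not shown on the page).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1.82
 nameif transito-asa-cpe
 security-level 50
ssh version 2
crypto key generate rsa modulus 768
ssh 202.188.5.0 255.255.255.0 outside
telnet 10.161.0.0 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe
"""
MIN_RSA_BITS = 2048  # assumed local policy floor, not a value from the thread


def interface_levels(config):
    """Map each nameif to the security-level configured in the same stanza."""
    levels, nameif = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
    return levels


def audit_mgmt_access(config):
    """Return (code, detail) findings for telnet rules and the SSH host key."""
    levels, findings = interface_levels(config), []
    lowest = min(levels.values(), default=None)
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"telnet (\S+) (\S+) (\S+)", line):
            net, mask, ifc = m.groups()
            lvl = levels.get(ifc)
            # Rule quoted in the thread: level 0, or the lowest of several interfaces.
            blocked = lvl is not None and (lvl == 0 or (len(levels) > 1 and lvl == lowest))
            code = "TELNET_LOWEST_IF" if blocked else "TELNET_CLEARTEXT"
            findings.append((code, f"{net} {mask} {ifc}"))
        elif m := re.fullmatch(r"crypto key generate rsa modulus (\d+)", line):
            if int(m.group(1)) < MIN_RSA_BITS:
                findings.append(("WEAK_RSA_KEY", m.group(1)))
    return findings
```

TELNET_LOWEST_IF marks a rule the appliance will not honour outside IPsec, which is the situation the original question describes; TELNET_CLEARTEXT marks a rule that works but exposes credentials on the wire.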

Posted July 16, 2012 at 2:22 AM
Tags: asa, 5520