SSH/Telnet to MGMT Interface

GRANT3779
Spotlight

I have a 5512-X in my home lab and have what I am sure is a simple enough issue. All I want to do is get on the box to upload a new image, and I am failing at the first hurdle, it seems. The ASA is in transparent mode.

Management Interface of ASA

interface Management0/0
nameif MGMT
security-level 100
ip address 10.44.0.60 255.255.255.0
management-only

I have my laptop on the same subnet (IP 10.44.0.20) and can ping the management IP however I cannot telnet or SSH to the ASA MGMT interface.

Looking at the logs I see the inbound connection -

%ASA-6-302013: Built inbound TCP connection 40 for MGMT:10.44.0.20/14805 (10.44.0.20/14805) to identity:10.44.0.60/23 (10.44.0.60/23)

I have the following also on the device

ciscoasa(config-if)# sh run ssh
ssh 10.44.0.20 255.255.255.255 MGMT
ssh timeout 5

ciscoasa(config-if)# sh run telnet
telnet 10.44.0.20 255.255.255.255 MGMT
telnet timeout 5
ciscoasa(config-if)#

Is this because I am routing back out the management interface? At a bit of a loss.

Thanks

Accepted Solutions

cofee
Level 5

What error do you get at the laptop when you try to initiate an SSH connection? I would also look at the AAA server configuration on the firewall to make sure it's properly configured for authentication.

GRANT3779
Spotlight

Apologies, I clicked correct answer by mistake. Not sure how to undo this.

I get no error; my PuTTY window just remains empty. I get no prompts for credentials at all. I tried telnetting from a Windows client also and it just says connecting... then times out. I have had a thought that I will try when I fire it back up later, possibly the same-security intra-interface command; I can't recall the exact format off the top of my head.

I don't think same security is needed in your situation because you are directly connected to the management interface; that's if you were coming in from another firewall interface and don't want to create an ACL. Also, did you generate an RSA key for SSH? Looked at AAA? Can you also look at the packet tracer flow? Are you able to ping your PC from the firewall?

Can ping no problem between the MGMT interface and laptop. I did create an RSA key; I also can't telnet, so it can't be RSA. Will do some further testing soon.

Can you try to use another interface on the firewall for SSH or telnet? If that works then you know it's something with the management interface. Sometimes management interfaces can be hard to work with. You can give it a shot and it will help you narrow down troubleshooting.

This was an odd one. The switch ports my laptop and MGMT interface were connected to were just left at the default config (e.g. none), so technically in VLAN 1. I added some config on the ports, basic hard set to access port and a different VLAN. Works now...

All I wanted was to connect to the ASA to stick a new image on it, so I wasn't really bothered much about the finer details of my lab at this moment in time. Anyways, now I can crack on.

Thanks a lot for your help, appreciated.
