Problems with telnet on ASA

Answered question
Jul 16th, 2012

Hello,

I am reviewing and collecting logs when trying to telnet to the outside and inside interfaces, and it just won't work. I have everything permitted, and in some cases I have even tried a permit any any, and it still won't work. I usually get this log; does anyone know how to solve it?

Thanks.

%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.


Julio Carvajal Sun, 07/22/2012 - 15:22

Hello Rafael,

Telnet to the interface with the lowest security level is denied by the ASA by default, for security reasons.

That said, it should work on the inside interface. Could you post the ASA configuration?

Thanks,

Julio

Rafael Romero Diaz Mon, 07/23/2012 - 07:44

Hello Julio,

Thanks for replying, and sorry for the delay, but I am very, very busy and this issue is not a priority. Here is the config. I have left out some things that refer to the customer for privacy reasons.

I am trying to telnet from a switch that is connected via g0/1.x, in this case .82, which is the transit IP; that is, I am trying to connect from source IP 192.168.0.2 to .1. I can ping but not telnet. I am also sending you a screenshot.

Many thanks!!!

Regards.

ASA Version 8.2(5)

!

names

name 10.161.90.0 Vlan-Datos

name 10.161.80.0 Vlan-Voip

!

interface Ethernet0/0

description Interface Outside

nameif outside

security-level 0

ip address 172.30.17.35 255.255.255.240

!

interface Ethernet0/1

description Lan

nameif inside

security-level 100

no ip address

!

interface Ethernet0/1.80

vlan 80

nameif VLAN_VOZ

security-level 100

ip address 10.161.80.1 255.255.254.0

!

interface Ethernet0/1.82

vlan 82

nameif transito-asa-cpe

security-level 0

ip address 192.168.0.1 255.255.255.252

!

interface Ethernet0/1.90

vlan 90

nameif VLAN_DATOS

security-level 100

ip address 10.161.90.1 255.255.254.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_5

network-object Vlan-Voip 255.255.254.0

network-object Vlan-Datos 255.255.254.0

network-object 192.168.1.0 255.255.255.0

network-object Tunel-macrolan-admin-Fjd 255.255.255.252

network-object Tunel-Wimax-Admin-Fjd 255.255.255.252

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_6

network-object Vlan-Voip 255.255.254.0

network-object Vlan-Datos 255.255.254.0

network-object Tunel-macrolan-admin-Fjd 255.255.255.252

network-object Tunel-Wimax-Admin-Fjd 255.255.255.252

network-object 192.168.0.0 255.255.255.252

object-group network DM_INLINE_NETWORK_7

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object icmp

object-group network DM_INLINE_NETWORK_8

network-object Vlan-Datos 255.255.254.0

network-object 192.168.0.0 255.255.255.252

object-group network DM_INLINE_NETWORK_9

network-object Vlan-Voip 255.255.254.0

network-object Vlan-Datos 255.255.254.0

network-object 192.168.0.0 255.255.255.252

object-group protocol DM_INLINE_PROTOCOL_5

protocol-object ip

protocol-object udp

protocol-object tcp

protocol-object icmp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object udp

service-object tcp

service-object tcp eq telnet

object-group network DM_INLINE_NETWORK_10

network-object Lan-Capio 255.255.0.0

network-object Lan-FJD 255.255.0.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_12

network-object Lan-Capio 255.255.0.0

network-object Lan-Telvent 255.255.255.0

network-object Lan-FJD 255.255.0.0

network-object Red-Consereria 255.255.255.128

network-object Red-Gestion-FJD 255.255.255.0

network-object 172.30.17.32 255.255.255.240

network-object Tunel-macrolan-admin-Fjd 255.255.255.252

network-object 192.168.1.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_6

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_7

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu VLAN_VOZ 1500

mtu transito-asa-cpe 1500

mtu VLAN_DATOS 1500

mtu management 1500

failover

failover lan unit primary

failover lan interface FAILOVER Ethernet0/3

failover key *****

failover replication http

failover link FAILOVER Ethernet0/3

failover interface ip FAILOVER 10.0.0.249 255.255.255.248 standby 10.0.0.250

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 10.205.65.253 netmask 255.0.0.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 access-list inside_nat_outbound

access-group outside_access_in in interface outside

access-group VLAN_VOZ_access_in in interface VLAN_VOZ

access-group transito-asa-cpe_access_in in interface transito-asa-cpe

access-group VLAN_DATOS_access_in in interface VLAN_DATOS

!

router ospf 1

router-id 1.1.1.1

network Vlan-Voip 255.255.254.0 area 0

network Vlan-Datos 255.255.254.0 area 0

network 192.168.0.0 255.255.255.252 area 0

area 0

log-adj-changes

!

route outside 0.0.0.0 0.0.0.0 192.168.0.2 1

route outside Lan 255.255.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa local authentication attempts max-fail 3

http server enable

http 192.168.1.0 255.255.255.0 management

http Lan 255.255.0.0 inside

http Lan 255.255.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet Lan-FJD 255.255.0.0 outside

telnet 192.168.0.0 255.255.255.252 transito-asa-cpe

telnet timeout 5

ssh Lan 255.255.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address 10.161.80.3-10.161.80.254 VLAN_VOZ

!

dhcpd address 10.161.90.3-10.161.90.254 VLAN_DATOS

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password t9qcbhn6m3YQiO6a encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 1

Cryptochecksum:1cc83c45b04d8edb4b10f7d242ef323b

: end

Correct Answer
Julio Carvajal Mon, 07/23/2012 - 09:58

Hello Rafael,

The problem is the security level: by default you cannot telnet to the interface with the lowest security level, in this case 0.

Please change it to 50, 100 or something in between so that you can see the change.

Regards,

Julio

Rafael Romero Diaz Tue, 07/24/2012 - 00:13

Hello Julio,

Now I do have access. Thank you very much for the help and for taking the time.

Regards.

Rafa.

interface Ethernet0/1.82

vlan 82

nameif transito-asa-cpe

security-level 50

ip address 192.168.0.1 255.255.255.252

telnet 192.168.0.0 255.255.255.252 transito-asa-cpe

telnet 192.168.0.1

Trying 192.168.0.1 ... Open

User Access Verification

Username:

jaimeglez Thu, 01/17/2013 - 09:59

Hello.

Just to add: by default, TELNET is an unencrypted protocol and is not permitted on the interface with security level 0 unless it arrives under the protection of an IPSEC tunnel; not SSL, only IPSEC. That is why this log is generated:

%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.

By changing the security level to something other than 0, the behaviour of the outside interface changes and TELNET is permitted without the need for the IPSEC protocol.
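
Added example (not part of the thread and not Cisco tooling): a Python check that reads an ASA running-config and lists the `telnet` rules bound to an interface at the lowest security level, the condition the replies above give as the cause of %ASA-4-402117. The embedded config is a constructed excerpt modelled on the one posted, the function names are hypothetical, and "lowest level" follows the wording of the accepted answer.

```python
import re

# Constructed sample: trimmed excerpt modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1.82
 nameif transito-asa-cpe
 security-level 0
interface Management0/0
 nameif management
 security-level 100
telnet Lan-FJD 255.255.0.0 outside
telnet 192.168.0.0 255.255.255.252 transito-asa-cpe
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
"""

def interface_levels(config):
    """Map each nameif to its security-level, one interface block at a time."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            name = None  # new block: forget the previous nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def blocked_telnet_rules(config):
    """Return (nameif, source, mask) for telnet rules on a lowest-level interface."""
    levels = interface_levels(config)
    if not levels:
        return []
    lowest = min(levels.values())
    findings = []
    for raw in config.splitlines():
        # Rule form: "telnet <source> <mask> <nameif>"; "telnet timeout N" has 3 fields.
        parts = raw.split()
        if len(parts) == 4 and parts[0] == "telnet" and levels.get(parts[3]) == lowest:
            findings.append((parts[3], parts[1], parts[2]))
    return findings

if __name__ == "__main__":
    for nameif, src, mask in blocked_telnet_rules(SAMPLE_CONFIG):
        print(f"telnet from {src} {mask} on '{nameif}': lowest security level")
```
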
