10-24-2013 09:00 AM - edited 03-11-2019 07:55 PM
Hi!
I would like to be able to telnet to my other routers on my LAN, but the service policy does not inspect Telnet. Any idea how to?
Thanks!
ciscoasa# sh run | inc inspect
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ipsec-pass-thru
inspect pptp
inspect icmp
ciscoasa#
10-24-2013 09:18 AM
Hi,
Where are you using Telnet from?
If you are doing this from the public network then I would suggest changing to SSH or using a VPN connection to your ASA and using Telnet through the VPN client connection.
For Telnet to pass the ASA you don't need any special configuration. You just have to make sure that there are ACL rules allowing the traffic and that NAT is set up on the ASA to enable the traffic. The required NAT (if it is required at all) naturally depends on your setup and where you are connecting from.
- Jouni
10-24-2013 11:32 AM
I want to telnet to my local router from the inside network, not from outside.
I want to telnet to my 2811 on 172.20.5.1 (fa0/1) from my PCW7 on 192.168.1.23.
I can ping OK but no telnet. I noticed that Telnet is not inspected in the service policy.
Does the default policy rule apply on internal routing as well?
I can telnet OK to 192.168.1.172 and 192.168.1.173.
The goal is to telnet to the 2610XM later, which has no connection to the 192.168.1.0 network.
10-24-2013 11:42 AM
Hi,
Well, you might have some problems with the ASA if the ASA is the default gateway for the PCW7.
The connections to the directly connected network work just fine because the PCW7 connects to them directly.
For the other networks the host will send the traffic to the default gateway, which might be the ASA, and in that case you would have asymmetric routing since
You would therefore have to configure TCP State Bypass on the ASA or connect to the router 2811 using the directly connected network's IP address.
Here is one document about TCP State Bypass:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
I would generally avoid having hosts between the ASA and a LAN router when the ASA is the default gateway, so you don't have to resort to tricks on the ASA to get some connections to work.
- Jouni
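What the TCP State Bypass document linked above configures, as an added example that is not from the original post or from Cisco's page: ASA CLI (8.2(1) or later) that exempts only the PCW7-to-2811 Telnet flow from stateful checking. The addresses are the ones given in this thread (192.168.1.23 and 172.20.5.1); the names tcp_bypass and tcp_bypass_policy and the interface name inside are assumptions.

```text
! Match only the one flow that takes an asymmetric path.
! Keep this ACL as narrow as possible: a bypassed flow gets no
! application inspection, no TCP normalization and no initial
! sequence-number randomization on the ASA.
access-list tcp_bypass extended permit tcp host 192.168.1.23 host 172.20.5.1 eq telnet
!
class-map tcp_bypass
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! An interface policy can coexist with the default global_policy.
service-policy tcp_bypass_policy interface inside
!
! The SYN enters and leaves the same interface (inside), which the
! ASA only forwards if hairpinning is permitted. Add this if it is
! not already in the running config.
same-security-traffic permit intra-interface
```

Check the class with `show service-policy interface inside`; its packet counters should increase while the Telnet session is being opened. Because the ASA then sees only half of the conversation, the inbound ACL on the inside interface is the only control left on this flow, so keep the ACL above limited to the hosts and port that actually need it.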
10-24-2013 11:53 AM
I see TCP SYN ACK on the syslog server when I try to telnet, so you might be right. How come I get this with an ASA and not with a regular router?
I will read your info and let you know. Thank you.
192.168.1.1 is the DGW of .23.
10-24-2013 11:59 AM
Hi,
The ASA keeps track of the state of the connection. So it's interested in seeing the whole TCP conversation, and in this case all 3 steps of the TCP connection forming (TCP SYN -> TCP SYN ACK -> TCP ACK).
And since it only sees the initial SYN and the last ACK, it blocks the connection unless we configure TCP State Bypass.
I would personally rather look for a possibility to alter the network setup so that there would be no hosts between the 2621 and the ASA. I guess for the ASA's sake the setup might be simpler even if the default gateway of the PCW7 and the other host was either of the routers, but this still wouldn't be the ideal setup.
- Jouni
10-24-2013 11:59 AM
I would generally avoid having hosts between the ASA and a LAN router when the ASA is the default gateway, so you don't have to resort to tricks on the ASA to get some connections to work.
Then I can use another VLAN from my ASA to run my PCW7 (.23) and BBVS (.12) and the problem would clear? Leaving no PC whatsoever on 192.168.1.0? I can do that.
10-24-2013 12:02 PM
Hi,
Yes, if your ASA5505 license permits another VLAN interface, then moving the hosts to that VLAN would essentially avoid the routing problem. (I mention the license since the default ASA can only hold 3 VLANs, of which one is restricted.)
This is because all traffic from the PCW7 would now have to go through the ASA to other networks and back from them.
- Jouni
10-24-2013 12:06 PM
The Security Plus license should allow me 20 VLANs?
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 25
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5505 Security Plus license.
10-24-2013 12:11 PM
Hi,
Yes, with that license there should be no problem, since it supports the maximum VLAN count of the ASA5505 unit and also supports trunking.
Let us know if you get the situation sorted with the changes. If not, we will probably have to look at the ASA configuration if you are unable to connect to the routers/hosts.
Please do remember to mark a reply as the correct answer if it has answered your question.
Feel free to ask more if needed, though.
- Jouni
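The accepted fix, as an added example that is not part of the original thread: move the hosts to a new VLAN interface on the 5505 so that every packet between them and the routers crosses the ASA in both directions, which restores the full SYN / SYN-ACK / ACK view the stateful engine needs. VLAN number 3, the interface name hosts, the range 192.168.3.0/24, switch port Ethernet0/3 and the 2811's address 192.168.1.172 on the inside segment are assumptions; the thread only gives 192.168.1.1 as the ASA's inside address and 172.20.5.0/24 as the target network.

```text
! --- ASA 5505 (Security Plus: 20 VLANs, no "restricted" third VLAN) ---
interface Vlan3
 nameif hosts
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
 switchport access vlan 3
 no shutdown
!
! inside and hosts are both security-level 100; traffic between two
! same-level interfaces is dropped unless this is enabled.
same-security-traffic permit inter-interface
!
! The ASA needs a route to the 2811's far-side LAN (assumed next hop).
route inside 172.20.5.0 255.255.255.0 192.168.1.172
!
! --- 2811 (IOS) ---
! Replies for the new VLAN must come back through the ASA, not to a
! directly connected host, so point them at the ASA's inside address.
ip route 192.168.3.0 255.255.255.0 192.168.1.1
```

Give PCW7 an address in 192.168.3.0/24 with 192.168.3.1 as its default gateway, then open the Telnet session and confirm with `show conn` that the ASA now holds an established TCP connection for it. On an ASA older than 8.3 with nat-control enabled, a NAT (or identity NAT) rule between hosts and inside is also needed, as noted earlier in the thread. Since the ASA now sits in the path of this management traffic, the ACL on the hosts interface can restrict which workstations may reach the routers' Telnet port, and switching the routers to SSH, as suggested above, is still the better long-term choice.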
10-24-2013 12:13 PM
Thank you. I will setup the new VLAN and let you know, thanks again.
10-25-2013 02:19 PM
Thanks a lot, all is good!