ASA 5505 need to add Telnet on Default Policy Rule

John Bachman
Level 1

Hi !

I would like to be able to telnet to my other routers on my LAN, but the service policy does not inspect Telnet. Any idea how to?

Thanks!

ciscoasa# sh run | inc inspect
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ipsec-pass-thru
  inspect pptp
  inspect icmp
ciscoasa#

11 Replies

Jouni Forss
VIP Alumni

Hi,

Where are you using Telnet from?

If you are doing this from the public network then I would suggest changing to SSH or use VPN Connection to your ASA and use Telnet through the VPN Client connection.

For Telnet to pass the ASA you don't need any special configurations. You just have to make sure that there are ACL rules allowing the traffic and the NAT is set up on the ASA to enable the traffic. The required NAT (if it is required at all) depends naturally on your setup and where you are connecting from.

- Jouni

I want to telnet to my local router from inside network, not from outside.

I want to telnet to my 2811 on 172.20.5.1 (fa0/1) from my PCW7 on 192.168.1.23

I can ping ok but no telnet. I noticed the TELNET is not inspected on the service policy.

Is the default policy rule applied on internal routing as well?

I can telnet OK to 192.168.1.172 and 192.168.1.173

The goal is to telnet to the 2610XM later, which has no connection to the 192.168.1.0 network.

Hi,

Well you might have some problems with the ASA if ASA is the default gateway for the PCW7

The connections to the directly connected network work just fine because the PCW7 connects to them directly.

For the other networks the host will send the traffic to the default gateway which might be the ASA and in that case you would have asymmetric routing since

  • TCP SYN would go to default gateway ASA and from there to the Router
  • Router would reply with TCP SYN ACK to host PCW7 directly since the Router sees the host's subnet directly connected.
  • The host would again send TCP ACK to the default gateway which ASA would block since it didn't see the TCP SYN ACK

You would therefore have to configure TCP State Bypass on the ASA or connect to the Router 2811 using the directly connected networks IP address.

Here is one document about the TCP State Bypass

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

I would generally avoid having hosts between ASA and a LAN Router when the ASA is the default gateway so you don't have to resort to tricks on the ASA to get some connections to work.

- Jouni

I see TCP SYN ACK on the syslog server when I try to telnet, so you might be right. How come I get this with an ASA and not with a regular router...?

I will read your info and let you know, thank you.

192.168.1.1 is the DGW of .23

Hi,

The ASA keeps track of the state of the connection. So it's interested in seeing the whole TCP conversation and in this case all the 3 steps of the TCP connection forming (TCP SYN -> TCP SYN ACK -> TCP ACK)

And since it only sees the initial SYN and the last ACK it blocks the connection unless we configure TCP State Bypass.

I would personally rather look for a possibility to alter the network setup so that there would be no hosts between the 2621 and the ASA. I guess for the ASA's sake the setup might be simpler even if the default gateway of the PCW7 and the other host was either of the routers, but this still wouldn't be the ideal setup.

- Jouni

I would generally avoid having hosts between ASA and a LAN Router when the ASA is the default gateway so you don't have to resort to tricks on the ASA to get some connections to work.

Then I can use another VLAN from my ASA to run my PCW7  (.23) and BBVS (.12) and the problem would clear ? Leaving no PC whatsoever on 192.168.1.0 ? I can do that.

Hi,

Yes, if your ASA5505 license permits another Vlan interface then moving the hosts to that Vlan would essentially avoid the routing problem. (I speak about the license since the default ASA can only hold 3 Vlans of which one is restricted.)

This is because all traffic from the PCW7 would now have to go through ASA to other networks and back from them.

- Jouni
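The two explanations above (the asymmetric handshake that the ASA drops, and the fix of moving PCW7 to its own VLAN so every segment crosses the firewall) are easier to see with a small simulation. The following Python model is an added example written for this page; it is not Cisco code and does not reproduce real ASA internals. It only implements the three-way-handshake state check the replies describe, plus a `tcp_state_bypass` switch that skips that check. The addresses are the ones from the thread (PCW7 at 192.168.1.23, the 2811 at 172.20.5.1); the state names and the `Segment` / `StatefulFirewall` / `run_handshake` helpers are constructed for the example.

```python
"""Toy model of why a stateful firewall drops an asymmetrically routed TCP
handshake, and why TCP State Bypass or moving the host to its own VLAN fixes it.
Constructed example for illustration; not Cisco code."""

from dataclasses import dataclass, field

# Addresses taken from the thread: PCW7 on the inside LAN, 2811 router fa0/1.
PCW7 = "192.168.1.23"
ROUTER_2811 = "172.20.5.1"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Tracks each TCP flow through the handshake and drops segments that do
    not match the expected state, unless TCP State Bypass is enabled."""
    tcp_state_bypass: bool = False
    table: dict = field(default_factory=dict)   # (client, server) -> state
    log: list = field(default_factory=list)

    def forward(self, seg: Segment) -> bool:
        if self.tcp_state_bypass:
            # Bypass: no connection state is checked; only the ACL would decide.
            self.log.append(f"BYPASS  {seg.flags:8} {seg.src} -> {seg.dst}")
            return True
        fwd = (seg.src, seg.dst)
        rev = (seg.dst, seg.src)
        if seg.flags == "SYN":
            self.table[fwd] = "SYN_SEEN"
            verdict = True
        elif seg.flags == "SYN-ACK" and self.table.get(rev) == "SYN_SEEN":
            self.table[rev] = "SYNACK_SEEN"
            verdict = True
        elif seg.flags == "ACK" and self.table.get(fwd) in ("SYNACK_SEEN", "ESTABLISHED"):
            self.table[fwd] = "ESTABLISHED"
            verdict = True
        else:
            verdict = False   # no matching connection state: the firewall drops it
        self.log.append(f"{'PASS' if verdict else 'DROP':7} {seg.flags:8} {seg.src} -> {seg.dst}")
        return verdict


def run_handshake(asymmetric: bool, tcp_state_bypass: bool) -> dict:
    """Simulate PCW7 telnetting to the 2811.

    asymmetric=True models the thread's topology: the router sits on the host's
    subnet, so its SYN-ACK goes straight to PCW7 and the ASA never sees it.
    asymmetric=False models moving PCW7 to its own VLAN behind the ASA, so every
    segment in both directions crosses the firewall.
    """
    fw = StatefulFirewall(tcp_state_bypass=tcp_state_bypass)
    syn = Segment(PCW7, ROUTER_2811, "SYN")
    syn_ack = Segment(ROUTER_2811, PCW7, "SYN-ACK")
    ack = Segment(PCW7, ROUTER_2811, "ACK")

    syn_ok = fw.forward(syn)                   # host -> default gateway (ASA) -> router
    if asymmetric:
        fw.log.append(f"UNSEEN  SYN-ACK  {ROUTER_2811} -> {PCW7} (router replies directly)")
        synack_ok = True                       # delivered to the host, but not via the ASA
    else:
        synack_ok = fw.forward(syn_ack)
    ack_ok = fw.forward(ack)                   # host -> default gateway (ASA) again

    return {
        "established": syn_ok and synack_ok and ack_ok,
        "dropped": [line for line in fw.log if line.startswith("DROP")],
        "log": fw.log,
    }


if __name__ == "__main__":
    scenarios = (
        ("asymmetric, no bypass (the thread's problem)", (True, False)),
        ("asymmetric, TCP State Bypass", (True, True)),
        ("host moved to its own VLAN (symmetric)", (False, False)),
    )
    for label, args in scenarios:
        result = run_handshake(*args)
        print(f"== {label}: established={result['established']}")
        for line in result["log"]:
            print("  ", line)
```

Running it shows the ACK being dropped only in the first scenario: the firewall saw the SYN but never the SYN-ACK, so the ACK matches no connection state. The bypass scenario passes everything without tracking, which is why it is a workaround rather than a fix; the VLAN scenario passes all three segments because the firewall is on both halves of the path.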

Security Plus license should allow me 20 VLAN ?

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 25
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5505 Security Plus license.

Hi,

Yes, with that license there should be no problem since it has support for the max Vlan amount of the ASA5505 unit and also supports Trunking.

Let us know if you get the situation sorted with the changes. If not, we will probably have to look at the ASA configurations if you are unable to connect to the routers/hosts.

Please do remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more if needed though

- Jouni

Thank you. I will setup the new VLAN and let you know, thanks again.

Thanks a lot, all is good!
