ASA 5510

siclines1234 · ‎06-16-2010

I am trying to telnet between two locations and i am unable to inbound telnet to the ASA

router. I can outbound to the other location.

I created access rules in the ACL on the ASA for the source and destination. But I still see the IP being denied in the log.

Is there another place I need to input those IPs to allow access?

Should I clear the ASDM cache?

Thanks for your help,
Jackie

Federico Coto Fajardo · ‎06-16-2010

Hi,

If you create the appropiate rules to allow telnet traffic through the ASA, it should work.

Make sure that the rule that permits telnet is above any deny rule (blocking telnet), remember the ACLs are read in sequential order.

Please post the output of:

sh run access-group

sh run access-list

Federico.

siclines1234 · ‎06-16-2010

sh run access-group

access-group inside_access_in in interface inside
access-group Phone_access_in in interface Phone
access-group outside_access_in in interface outside

sh run access-list

access-list outside_access_in extended permit tcp any host 70.33.178.167 eq https
access-list outside_access_in extended permit tcp any host 70.33.178.166 object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any host 70.33.178.165 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit tcp any host 70.33.178.166 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 70.33.178.170 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 70.33.178.171 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host 70.33.178.173 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any host 70.33.178.168 eq pptp
access-list outside_access_in extended permit gre any host 70.33.178.168
access-list outside_access_in extended permit object-group TCPUDP any host 70.33.178.174 eq sip
access-list outside_access_in extended permit tcp any host 70.33.178.174 object-group HUD
access-list outside_access_in extended permit udp any host 70.33.178.174 object-group IAX2
access-list outside_access_in extended permit udp any host 70.33.178.174 object-group RTP
access-list outside_access_in extended permit udp any host 70.33.178.174 eq tftp
access-list outside_access_in extended permit tcp any host 70.33.178.172 eq https
access-list outside_access_in extended permit tcp any host 70.33.178.169 object-group RDP
access-list outside_access_in extended permit tcp any host 70.33.178.179 object-group RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host 66.160.11.132
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 66.160.11.132 any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 66.160.11.132
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 66.160.11.132 host 70.33.178.164
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 host 66.160.11.129 any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any host 66.160.11.129
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre host 192.168.10.23 any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 192.168.20.0 255.255.255.0
access-list Phone_access_in extended permit ip any any
access-list Phone_access_in extended permit icmp any any
access-list Phone_access_in extended permit tcp any any eq https
access-list Phone_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip any 192.168.10.128 255.255.255.128
access-list Phone_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list Phone_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_5 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_4 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_1_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

edadios · ‎06-16-2010

What code are you using?

Please include the source and destination for the telnet that is not working.

Please include which translation(nat/static) you are expecting to be used by the traffic, I believe you are saying it is from internet to the inside of firewall right?

Since your access-list has object groups, please include the details of the objects so that we can see if there may be issue there.

Please include any log you get for the source or destination when you try to do the traffic flow that does not work .

Maybe you can also use packet tracer (available on code 7.2 and later) to simulate the traffic, and see where it fails :

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426

Regards,