Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 8.3 vitrual telnet + authen, %ASA-2-106001: Inbound TCP connection denied ..


I've trayed to configure on the asa 8.3 authentication from outside by virtual telnet /proxy-auth/ with radius server inside.

During the try to get access by the outside interface asa on my pc /cmd telnet can't open a dos window with prompt to logon, after that I have a /my pc  -
Connecting To not open connection to the host, on port 23: C
onnect failed"

the same on the asa console a log:

"%ASA-2-106001: Inbound TCP connection denied from to flags SYN  on interface outside"

co hitcnt to acls:

ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list IFS_UAUTH_RADIUS; 1 elements; name hash: 0x7e35116f
access-list IFS_UAUTH_RADIUS line 1 extended permit tcp any host (hitcnt=0) 0xe61531cc
access-list ACL-IN; 1 elements; name hash: 0x44d1c580
access-list ACL-IN line 1 extended permit tcp any host eq telnet (hitcnt=0) 0xc9a1e426

somple configuration from my lab /bolded important/:


ASA Version 8.3(1)
hostname ciscoasa
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
object network obj_any
object network obj-

access-list UAUTH_RADIUS extended permit tcp any host
access-list ACL-IN extended permit tcp any host eq telnet

pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network obj-
nat (inside,outside) static

access-group ACL-IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host
aaa authentication match UAUTH_RADIUS outside RADIUS

http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end

any idea what is wrong with config?

/regards Piter

Everyone's tags (1)
Cisco Employee

Re: ASA 8.3 vitrual telnet + authen, %ASA-2-106001: Inbound TCP

Hi Piotr,

There is a bug filed for this problem in ASA 8.3 (CSCth82006) that hasn't been fixed yet. You can try to enable the 'same-security-traffic permit intra-interface' command, which seems to be a workaround for the bug.

Hope that helps.


New Member

Re: ASA 8.3 vitrual telnet + authen, %ASA-2-106001: Inbound TCP

thx. It's realy work with this command

/regards Piter

CreatePlease to create content