I have a question about my ASA 5520, it worked well till two weeks ago, and suddenly cannot be accessed by SSH/Telnet/TFTP....only can use the Consoel port to access it now, but other VPN/ACL setting working well. [code] If I enabled the outside access for SSH like below, it works well for outside port.ssh 0.0.0.0 0.0.0.0 outside.
View 3 Replies5508 controller is at the headquarters which can be normally pinged, telnetted, http'd and tftp'ed....at the remote site, controller can be pinged and http'ed but cannot be telnetted and tftp'ed.there is a complete tracert from the remote site pc all the way to the controller.from a switch at a remote site, the controller can be telnetted. but from a pc on the remote site (which belongs to a remote site vlan), it is unable to telnet and tftp the controller.all active components can be telnetted from the remote site, such as the core switches and routers at the headquearters, except the controller.upgraded the controller code to 7.2.xxx in headquarters but still unable to telnet and tftp the controller from remote site.is there any more settings on the controller for telnet and tftp?what could be the problem why the controller is not available for telnet and tftp from the remote site?
View 12 Replies View RelatedI have been trying to get a PIX 501 firewall reset and have been having the hardest time. Im a student and this is my first experience with a firewall. I have been going through the steps here URL,I cant seem to connect to the tftp server, I have several nic's on my computer and tried them both and even plugged the firewall to the router and tried to use the gateway to connect but it doesn't seem to want to even ping for me.
View 4 Replies View RelatedI have a problem with ASDM connection to ASA 5520 cluster. When I'm trying to connect the ASDM shows: "Contacting the device. Please wait..." and nothing happen. The http server is enabled with default port. Both cluster members after restart.
Cisco Adaptive Security Appliance Software Version 8.4(1) Device Manager Version 6.4(1)
So I have a client with an ASA 5520 running version 9.0 (was on 8.4) that I am trying to get either IPSec or SSL VPN configured on. I got everything setup and tried to connect. However, I couldn't connect to either. I fired up the real time monitoring and didn't see any syslog messages referring to a VPN build up. I also enabled SSH/Telnet on the outside interface and cannot connect to the ASA outside interface. I can ping the outside interface and can ping the internet from the ASA. I did set up a test ACL on the ASA and ran packet tracer on it and the results came back fine.
There is an IPS in the ASA as well, but I disabled the ACL for that and still am having these issues. Part of me wonders if the ISP has something set up to block inbound traffic. This should be a business class connection.
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
I have a ASA 5520 which is intended to use as a VPN for clients using PDA, I think the PDA is a very old product that the VPN only support CHAP/ MS- CHAP, but seems it cannot connect the VPN, it will prompt "invalid username and password" (but in fact the username and password is valid when using PAP), below is the log i captured from the ASDM when the PDA is connecting the VPN. when i tried to connect it in windows PC, I also have the same issue if the VPN setting is using MS-CHAP, if I choose PAP, it can connect with no problem. But the PDA has no option of PAP. [code]
View 0 Replies View Relatedow to backup Cisco ASA-5510 from a Linux server via TFTP?I do know how to backup a switch or a router. Basically creating an access list such as:
access-list 55 remark PERMIT hosts requesting TFTP access
access-list 55 permit host 172.16.0.27
and allowing access to
tftp-server nvram:startup-config 55
all this inside the router or the switch. From the Linux box just running a simple command such as:
tftp 172.16.0.3 -c get startup-config newbackup.conf
where 172.16.0.3 is the IP address of the switch and newbackup.conf is the name of the config file stored on the Linux machine.So, how do I do that with an ASA box? how to backup ASA from inside it.
I have a Cisco 5505 that had its disk erased (erase:disk0) and now I am trying to load a new image (822 or 813) from a tftp server.
From the ROMMON prompt I have configured the relevant parameters and run a tftp command.
The tftp transfer seems to complete successfully but then it gets stuck on "...loading".
I have tried different versions of IOS and I always experience the same problem, even though, with older versions of IOS (7.x), the device manages to reboot itself but then it crashes with the following error:
"Error : Uncompression of the image failed. invalid compressed data--format violated"
Could it be an hardware related-issue or a licensing problem maybe? or am I missing anything obvious?
also, with regards to the license: once restored, how do I get my 50 users license back?
I was trying to upgrade from 8.3.1 to 8.3.2. but I am unable to copy via tftp to the ASA flash or disk0:
ASA5520# copy tftp: flash:
Address or name of remote host []? 10.88.127.153
Source filename []? asa831-k8.bin
Destination filename [asa831-k8.bin]?
[code]....
Half way thru writing to the disk, it goes for a reboot. There is more than enought space on the disk0. I tried copying via a Compact Flash, but the ASA is not detecting the Compact Flash (which I thinks should be disk1). I tried copying a asdm file, even that also went for a reboot.I am stuck now, unable to upgrade
With regarding to the firewall ASA5520, i'm using it in my network, all the confiuration are properly configured and working but with the use of proxy address in internet explorer(e.:206.53.155.129/3128) all the blocked contents as easily accessible simply it bypass all the network through firewall.so will u guide me to block the proxy servers.
View 1 Replies View Relatedaccessing my cisco ASA, last night we were doing VA on our ASA, after that iam not able to access it through ssh nor telnet. its not giving me any error.. i tried from different system also. SSH & telnet allowed from inside to 0.0.0.0 i have re-generated rsa keys when it was working. ASA version is 8.2 now when i connect telent is giving me blank prompt. i can login using ASDM.
View 5 Replies View RelatedI am not able to telnet or ssh to ASA running 8.2.5(33). [code] I am able to ping inside interface of the ASA. Telnet gets stuck at Trying
View 2 Replies View RelatedI have an early model PIX-515 that hasn't been used in a long time but I want to get it working again in a lab environment. I am at loss right now on how to get into it though.
CONSOLE:
I've tried connecting from the PC's serial port to the units console port using Cisco's blue cable with no avail. All I get is a cursor but no response. I've tried using 9600,8,none,1,none as settings and I can sucessfully console a Cisco 1700 router with those same settings in Putty no problem, but it doesn't work with this Pix. I've also tried using other possible common speeds like 1200,1400,4800,19200, 38400, 57600 and 115200 in case the firewall was set to use those and that didn't work either.
[code]...
I setup a site-to-site VPN tunnel at the remote ASA5505. I am able to asdm to the outside interface but not ssh. I switch to telnet and still not allow me to access. I added an ACL to allow telnet any to the outside interface but still not working. In ASDM I see the log Here is the second issue. When I want to change the telnet back to ssh using ASDM I got the following error.
View 2 Replies View RelatedI can't telnet from a host(Ubuntu 12.10) in our DMZ to an outside MX on port TCP 587. Inspection for ESMTP not enabled. Port 587 enabled for host in DMZ to any.
View 12 Replies View RelatedI have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
View 1 Replies View RelatedWhen users are VPN connected their telnet sessions timeout after an hour of inactivity. Looking at the connections on the firewall they are showing as idle. Is there a configuration change or something else that has to be modified?
View 2 Replies View RelatedI am unable to Telnet/SSH/RDP from my inside network to my DMZ. I am not sure where the problem lies, I am able to use VNC from the inside to the DMZ (ports 5800, 5900), and also establish connection on Ports (26700-26899). I have a computer connected directly to the DMZ and those services work to all networks on the DMZ.I have attached Logs of successful VNC connections, unsuccessful RDP and Telnet sessions, and the running config.
View 23 Replies View RelatedI have a vpn ssl remote access with a fw asa 5510 version 8.02. When users use any connect vpn ssl they in the Lan can access to the servers,but they can not access using ssh or telnet to inside fw asa.
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
After enabling AAA FWSM lost opportunity telnet session. FWSM version 3.2(5). In the logs show that resets itself FWSM telnet session.
Conf.,aaa-server TACACS+ (management) host 192.2.151.111
key aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
[Code] .....
I am using a Cisco 2801 Router and currently have Telnet enabled on all interfaces. How do I change that so it is enabled from all inside networks, but not on the outside interface?
View 12 Replies View RelatedI have a cisco asa 5520. i need to forward telnet to a router on the inside interface. Here is what i have done so far but it doesnt seem to be working.
I have created an access-list that looks like this:
access-list 102 extended permit tcp any host 10.10.60.2 eq telnet
But when do this it still doesnt forward my request to the router at 10.10.60.2 . So just to explain what im trying to do. I use Putty, i am putting the outside interface IP into putty, selecting telnet and opening the session. i need the outside interface to see this request and know to forward port 23 to the router on the inside interface with IP 10.10.60.2. The ASA is running version: asa842-k8.bin
I got 2 x 5520 ASAs configured in active/standby mode and they are connected to 2 x 4500 switches in which too configured for failover.Telnet to ASAs is allowed only via subnet 172.18.0.0./24
I can only ping and telnet to the active ASA from subnet 172.18.0.0./24 but not the standby But i can ping and telnet to both the active and standby ASAs within the 4500 switches.
i am using open suse 11.3 as OS.. when i try to connect to any mail server over smtp using telnet, their is either a connection time out or server not found error msg..
View 16 Replies View RelatedI want to disable the telnet option/feature on ASA 5510
i tried no telnet alone it wont work as i didnt configured any telnet at all.
I am having some troubles finding information about how to configure firewall policies (rules, chains, etc.) via telnet on a RV016. The reason for that is that i keep getting some log entries "connection refused - policy violation" and "blocked" even with my firewall wide open (only allow rules on all interfaces, SPI and block wan request disabled, multicast and https enabled, etc.... ). Also, with these exact same rules, i can only connect via PPTP with the firewall disabled. The minute i tick the enable option the tunnel never gets to authentication phase. I then started reading OpenRG manual and many things are quite similar, but some other entries are missing from that manual (maybe some changes made by cisco?). I am trying to figure out some service ids, chains (e.g. the rv016 has some rules redirecting to chains 10, 100, 200 but i can not find them anywhere), and so on. I have only one rv016 and about 60 connections to it so i can not experiment that much without having the whole company on my neck with internet problems.
View 2 Replies View Relatedhow do i change the telnet and enable and vpn user password on asa 5570.
View 4 Replies View RelatedI have a network with 3 sites that are on different subnets. Each site has an ASA Right now, I am only able to connect to the ASA that is connected to the subnet I am connected to.I want to be able to connect to the ASA that are on the remote subnets on the address of the inside interface.The sites are connected all together by site-to-site VPN.Is there any way I can achieve that without opening the outside interface directly on the Internet?
View 2 Replies View RelatedI have a asa5520 with five Internet IP.One for the internet interface and the others are static maped to dmz hosts. It runs rightly until yesterday.Now it will lose the connection to the gateway many times everyday and the dmz hosts can not connect to internet any time. configuration(simplified):
!
interface GigabitEthernet0/0
nameif internet
security-level 0
[Code]....
I called ISP to check,when ISP clear their router's ARP, the asa will lose the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I 'clear arp' manually,The ISP's router can learn the ASA's MAC and the connection recovered,but the DMZ's cann't access internet still (of course,There is no problem between DMZ and ASA ,I ping the internet gateway from DMZ host and can not get any reply.).
We have 2 x ASA5520 and I upgraded this to 8.2.2 last year, I see 8.2.5 and now 8.4 is out. If we are having no issues, is it best just to leave it as it is? I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.
View 1 Replies View RelatedI have one firewall ASA5520, are very slow
View 3 Replies View RelatedI am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within ASA. If i remove the cisco router and replace it by a swich, I can ping the ASA with NO problem.
View 5 Replies View Related