#1
So to preface my situation:

I have already set up this device in one location and haven't had any issues connecting to it while on the local subnet or remotely. In fact, she's worked like a champ; however, I'm not having the same luck with the new unit. The only difference between the two units is that the one that is successfully working is pulling DHCP from my ISP, while the new unit has a static IP address. Everything is working/getting forwarded properly with the exception of remote SSH/HTTPS (for ASDM). This is the current log error:

4 May 13 2008 17:52:36 106023 74.66.2.40 68.236.1.1 Deny tcp src outside:74.66.9.9/6439 dst inside:68.236.1.1/22 by access-group "outside_access_in" [0x0, 0x0]

Although it wasn't required on the first unit I set up, I tried adding an ACL to permit traffic using:

access-list outside_access_in extended permit tcp 0.0.0.0 0.0.0.0 interface outside eq ssh

However, the new log error is:

2 May 13 2008 18:08:47 106016 Deny IP spoof from (74.66.9.9) to 68.236.1.1 on interface outside

Ultimately I have removed that, and below is my current running-config:

: Saved
:
ASA Version 7.2(3)
!
hostname ASA5505-L
domain-name *****.com
enable password /6PwnBEvY9QuBfqa encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 68.236.1.1 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd /6PwnBEvY9QuBfqa encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 68.236.2.2 interface outside eq 211
access-list outside_access_in extended permit tcp host 68.161.3.3 interface outside eq 211
access-list outside_access_in extended permit tcp host 68.161.2.2 interface outside eq rtsp
access-list outside_access_in extended permit tcp host 68.161.3.3 interface outside eq rtsp
access-list outside_access_in extended permit tcp host 68.236.2.2 interface outside eq 1194
access-list outside_access_in extended permit tcp host 68.236.3.3 interface outside eq 1194
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface domain 192.168.1.149 domain netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.1.149 domain netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.149 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.149 www netmask 255.255.255.255
static (inside,outside) tcp interface 211 192.168.1.149 211 netmask 255.255.255.255
static (inside,outside) tcp interface rtsp 192.168.1.149 rtsp netmask 255.255.255.255
static (inside,outside) tcp interface 1194 192.168.1.149 1194 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.236.191.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 1
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c740a779931f42e1aa73f8cebfc5136
: end
asdm image disk0:/asdm-523.bin
asdm history enable

aphex
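As an added check that is not part of the post or of Cisco's own tooling, the following Python audits the `http`/`ssh`/`telnet` management-access statements of an ASA running-config; its sample input is the management section of the config above, and it assumes the interface named `outside` is the untrusted side. Under the address/netmask syntax these commands use, `0.0.0.0 0.0.0.0` matches any source, while `0.0.0.0 255.255.255.255` selects only the single address 0.0.0.0.

```python
import ipaddress

# Constructed sample: the management-access section of the running-config posted above.
SAMPLE_CONFIG = """
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
telnet timeout 1
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
"""

# Commands whose `<addr> <mask> <interface>` form controls who may manage the box.
MANAGEMENT_CMDS = ("http", "ssh", "telnet")
ANY_HOST = ipaddress.ip_address("0.0.0.0")


def parse_management_acl(config):
    """Return (service, network, interface) for each `http|ssh|telnet <addr> <mask> <if>` line.
    Other forms of these commands (server enable, timeout, version) are skipped."""
    entries = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) != 4 or parts[0] not in MANAGEMENT_CMDS:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # second/third tokens are not an address/netmask pair
        entries.append((parts[0], net, parts[3]))
    return entries


def audit_management_access(config, untrusted_ifaces=("outside",)):
    """Report two conditions as (finding, service, interface, network) tuples:
    - open-to-any: a 0.0.0.0/0 source for a management service on an untrusted interface;
    - no-effective-source: an address/mask that selects only 0.0.0.0, which never
      matches a real client, so the statement grants access to nobody."""
    findings = []
    for service, net, iface in parse_management_acl(config):
        if net.num_addresses == 1 and net.network_address == ANY_HOST:
            findings.append(("no-effective-source", service, iface, str(net)))
        elif net.prefixlen == 0 and iface in untrusted_ifaces:
            findings.append(("open-to-any", service, iface, str(net)))
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(*finding)
```

Run against the posted config it reports the HTTPS/ASDM line on the outside as matching no client and the SSH line on the outside as reachable from any source.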
#2
Junior Member
Join Date: Mar 2007
Posts: 3