September 9, 2011 at 8:36 pm #2207603
ASA 5520 Security Appliance
Locked · by ckprem · about 12 years, 6 months ago
I have configured my Security Appliance ASA 5520 with a username and password.
The enable password was also configured. The ASA is not added to AAA.
When I log in to the ASA it asks for the password; it never asks for the username.
Can someone help me list the commands that I need to add, as I am new to configuring ASA appliances.
All Answers
September 9, 2011 at 8:36 pm #2888691
Clarifications
by ckprem · about 12 years, 6 months ago
In reply to ASA 5520 Security Appliance
September 10, 2011 at 1:36 pm #2888647
ASA
by drumright · about 12 years, 6 months ago
In reply to ASA 5520 Security Appliance
You can find the answer really easily:
1. How are you connecting to the ASA? Console cable (the blue cable that came with the device), Ethernet (Cat 5 plugged into ports 0-7 and connected directly to the PC used to connect to the ASA), or another method?
2. Ethernet connection = SSH, Telnet, or web GUI (IE, Mozilla, Chrome)? (port 80 = HTTP, port 443 = HTTPS)
3. No username required when logging in is usually a Telnet connection (note: insecure connection, the password is sent in clear text; DO NOT USE IF CONNECTING OVER THE INTERNET! SSL ONLY ON INTERNET CONNECTIONS).
TELNET NOTE: TELNET SESSIONS WILL USUALLY AUTHENTICATE FROM THE LOCAL AUTHENTICATION SERVER (ASA 5520) AND WILL REQUIRE THE DEFAULT SECURITY LEVEL TO SIGN IN (UNLESS YOU CHANGED THIS SETTING). Use the default password you set for Telnet sessions; if you did not set this, then try Cisco’s default password (I think it is Cisco). Should this not work, use the login password you set; if that does not work, use the enable password. Why, you say? Well, it is possible you set requirements for Telnet logins to use security level authentication 15 (full access) or enable security level 7 by accident.
However, if you do use these passwords over Telnet, please make sure you are doing this on the internal LAN. What app or utility are you using to connect? PuTTY? SecureCRT? Telnet from the CLI (e.g. DOS or cmd in XP, then type telnet followed by the ASA IP address)? A web browser?
Try using SSH to connect if you are connecting via Ethernet. Now, if you are using the console cable, then you use the conf t / line con 0-? / password commands in the CLI to set this password. If you did not do this at all, then try the default password you used the first time you connected. Once logged in, type: en “ENTER”; you will be asked to input a password; use the password you set for the enable password. Once you can enter enable mode, proceed to configure terminal mode and set the passwords for the console, Telnet (if you use it…), and SSH. Set the authentication level and the authentication server to use when allowing logins: login local = ASA usernames and passwords; RADIUS (Microsoft Internet Authentication Server, which uses Active Directory user accounts to authenticate); or LDAP (a server set up to handle LDAP requests).
enable “ENTER”
CONF T “ENTER”
line con 0, press Tab (this will drop down a line and display how many console sessions you can set this password for; it looks like Router#line con 0 (0 – 15), meaning if you want to set the password for all 15 sessions the same, you type
line con 0 – 15 “ENTER”
RouterLine(0-15)
type password
you will be asked to input the password; do so, then press Enter
follow the screen, as it will want you to enter the password again
Once you have set the password you can type a ? and press Enter;
this will display a list of commands to use. Read the descriptions and set the authentication server (do Local and create users on the ASA)
and the authentication level (you will set this to at or below the level your user is set at; if not, you will not be allowed to log in, as your authentication level will be too low and your session is dropped).
Set the level 1 – 5
Create a user and give that user security level 7 – 15 if you plan on using the login for management purposes.
Now you can also tell the ASA to allow specific IP addresses to connect remotely, or deny specific ones as well as any IP address from connecting. Whatever you do, don’t reject any any for remote login; you will never get in again unless connected with a console cable.
Once you have set a login level for the line console, Telnet, or SSH,
set a user with the required authentication level for the line or protocol (Telnet, SSH), or set the user to 15 and give the user a password. Allow the required login protocol for your IP address, IP range, or subnet (internal usually), then try to connect.
If you are able to hit the login screen, use the password you set to log in, and do a sh run, sh start, sh arp; if you like what you see, go ahead and do a copy run start.
This will copy the running configuration (the changes you made) to the startup config (the default config before changes). Now if the device gets powered down it will restart with your changes saved and applied. However, if you don’t like your changes, or you are disconnected and cannot reconnect and you did not copy run start, shut the ASA down, turn it back on and all the changes you made are gone. You can start over and try again; practice makes perfect….
September 14, 2011 at 2:45 am #2809068
September 14, 2011 at 9:58 am #2809016
ASA Configs
by icebergtitanic · about 12 years, 6 months ago
In reply to ASA 5520 Security Appliance
conf t
management inside
username AdminUserName password AdminPassword priv 15
Also, you might want these:
ssh 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
crypto key generate rsa mod 2048
If you’re new to ASA, you probably also want to enable ASDM instead of trying to do command line. That’s what the http line does.
Best practice is to use SSH rather than Telnet to access your firewall. You have to have an RSA encryption key for that, which is what the crypto line does. To kill the Telnet access, enter the telnet line with “no” in front (example: “no telnet 0.0.0.0 0.0.0.0 inside”).
(This whole thing assumes you named your inside-facing interface/VLAN “inside”. This would be a “nameif” command on the interface, or on the VLAN assigned to the interface.)
The line con / vty 0 15 would be used on switches and routers, but is not in the ASAs. The ASA’s operating system is slightly different from the IOS used by routers and switches.
Do make sure to save your config. “wr mem” is the quickest way.
September 15, 2011 at 7:58 am #2808913
Response To Answer
by ckprem · about 12 years, 6 months ago
In reply to ASA Configs
I am logging in through SecureCRT via Telnet. I have configured the username xxxx with password xxx and privilege 15.
The enable password is also set. Nothing is configured under AAA.
When I try to Telnet, it asks for the password and not the username.
What should I configure to make it ask for the username first and then the password?
Please suggest!
September 15, 2011 at 8:11 am #2808910
Oops! Forgot the most important part!
by icebergtitanic · about 12 years, 6 months ago
In reply to ASA 5520 Security Appliance
aaa authentication telnet console LOCAL
You may also need this if it’s missing:
aaa auth enable console LOCAL
September 17, 2011 at 12:42 am #2876857
Response To Answer
by ckprem · about 12 years, 6 months ago
In reply to Oops! Forgot the most important part!
First I tried to enter aaa auth enable console local — success.
Second I tried to enter aaa authentication telnet console LOCAL
– and got an error message stating ”aaa server group local does not exist”.
Please advise how to create aaa server group local.
September 19, 2011 at 11:20 am #2876661
Shouldn’t need to create it
by icebergtitanic · about 12 years, 6 months ago
In reply to ASA 5520 Security Appliance
The server group LOCAL is the built-in user database. This is especially weird if the first command worked and the second didn’t. Sure you didn’t typo the second command?
I think that this is a CASE-SENSITIVE command…
So your first command should have been
aaa auth enable console LOCAL
and NOT
aaa auth enable console local
Try re-doing it with LOCAL in the commands.
Might have to have you post a sanitized config (change your IPs and password hashes prior to uploading)
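The thread’s point is that a privilege-15 username and an enable password alone do not change what Telnet prompts for; only an “aaa authentication <protocol> console LOCAL” line makes the session ask for a username, and the group name LOCAL is case-sensitive. The following is an added example, not code from this thread or from Cisco: a small Python checker that reads a sanitized ASA running-config of the kind icebergtitanic asks for and reports which remote-access protocols would get only the line-password prompt, whether enable is tied to LOCAL, whether any aaa line names an undefined server group, and whether Telnet is still permitted. The sample configs, the hash placeholders and the 10.0.0.0/24 management subnet are constructed assumptions.

```python
"""Audit a sanitized ASA running-config for the login behaviour discussed in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the original poster's situation: a privilege-15
# user and an enable password exist, but there is no "aaa authentication ...
# console LOCAL" line, so Telnet only ever prompts for the line password.
SAMPLE_CONFIG = """\
hostname asa
enable password <hash-placeholder> encrypted
passwd <hash-placeholder> encrypted
username admin password <hash-placeholder> encrypted privilege 15
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
"""

# Constructed hardened variant: SSH only, restricted to an assumed management
# subnet, with both login and enable authenticated against the LOCAL database.
HARDENED_CONFIG = """\
hostname asa
enable password <hash-placeholder> encrypted
username admin password <hash-placeholder> encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
"""

AAA_RE = re.compile(r"^aaa authentication (telnet|ssh|http|enable) console (\S+)\s*$")
ACCESS_RE = re.compile(
    r"^(telnet|ssh|http) (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)\s*$"
)
SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol \S+")


@dataclass
class Audit:
    findings: list = field(default_factory=list)  # human-readable problems
    fixes: list = field(default_factory=list)     # config lines that address them


def audit(config_text: str) -> Audit:
    aaa = {}            # protocol -> server group named on its aaa authentication line
    access = {}         # protocol -> list of (ip, mask, interface) permit lines
    groups = {"LOCAL"}  # LOCAL is built in; anything else must be declared with aaa-server
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := AAA_RE.match(line):
            aaa[m.group(1)] = m.group(2)
        elif m := ACCESS_RE.match(line):
            access.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := SERVER_GROUP_RE.match(line):
            groups.add(m.group(1))

    result = Audit()
    for proto in ("telnet", "ssh", "http"):
        if proto not in access:
            continue  # protocol is not permitted on any interface, nothing to check
        group = aaa.get(proto)
        if group is None:
            result.findings.append(
                f"{proto}: no aaa authentication line, so sessions get only the "
                f"line-password prompt and never ask for a username")
            result.fixes.append(f"aaa authentication {proto} console LOCAL")
        elif group not in groups:
            # Group names are case-sensitive; 'local' is not the built-in 'LOCAL'.
            result.findings.append(
                f"{proto}: aaa authentication names server group '{group}', which "
                f"is not defined (the built-in user database is LOCAL)")
            result.fixes.append(f"aaa authentication {proto} console LOCAL")
        for ip, mask, intf in access[proto]:
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                result.findings.append(
                    f"{proto}: permitted from any source on interface '{intf}'; "
                    f"restrict it to a management subnet")
    if "telnet" in access:
        result.findings.append("telnet is enabled; it sends passwords in clear text, prefer SSH")
        for ip, mask, intf in access["telnet"]:
            result.fixes.append(f"no telnet {ip} {mask} {intf}")
    if "enable" not in aaa:
        result.findings.append(
            "enable mode is guarded only by the shared enable password, not per-user LOCAL authentication")
        result.fixes.append("aaa authentication enable console LOCAL")
    return result


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit(cfg)
        print(f"== {name}: {len(report.findings)} finding(s)")
        for f in report.findings:
            print("  -", f)
        for fix in report.fixes:
            print("  fix:", fix)
```

Run it against a saved “show running-config” with the password hashes and addresses replaced first; the fixes it prints are the same lines icebergtitanic gives, with the protocol name filled in for whichever access lines are actually present.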
September 19, 2011 at 3:25 pm #2876620
all you need to do
by rjluvkc · about 12 years, 6 months ago
In reply to ASA 5520 Security Appliance
asa#config t
asa#password “yourpassword”
This will take care of that first password when you first telnet in.
You should see this when you telnet then:
User Access Verification
Password: (enter the one you created here)
Type help or ‘?’ for a list of available commands.
asa> en (this is the line that will prompt you for enable pw after)
Password: *********
asa#
Hope this helps you out.