ASA 5520 Security Appliance

By ckprem ·
I have configured my Security Appliance ASA 5520 with the username and password.

Enable password was also configured .. ASA not added in AAA.

When I log in to the ASA it asks for the password .. it never asks for the username ..

Can someone help me to list the commands that I need to add, as I am new to configuring the ASA appliance.


by drumright In reply to ASA 5520 Security Applian ...

The answer you can find really easily:
1. How are you connecting to the ASA? Console cable (the blue cable that came with the device), Ethernet (Cat 5 plugged into ports 0-7 and connected directly to the PC you use to connect to the ASA), or another method?
2. Ethernet connection = SSH, Telnet, or web GUI (IE, Mozilla, Chrome)? (port 80 = http, port 443 = https)
3. Not being asked for a username when logging in is usually a Telnet connection (note: insecure connection, the password is sent in clear text. DO NOT USE IF CONNECTING OVER THE INTERNET! SSL ONLY ON INTERNET CONNECTION.)
TELNET NOTE: TELNET SESSIONS WILL USUALLY AUTHENTICATE FROM THE LOCAL AUTHENTICATION SERVER (ASA 5520) AND WILL REQUIRE THE DEFAULT SECURITY LEVEL TO SIGN IN (UNLESS YOU CHANGED THIS SETTING?). Use the default password you set for Telnet sessions; if you did not set this then try Cisco's default password, I think it is "Cisco". Should this not work, use the login password you set; if that does not work, use the enable password. Why, you say? Well, it is possible you set the requirements for Telnet logins to use security level authentication 15 (full access) or enable security level 7 by accident.
However, if you do use these passwords over Telnet, please make sure you are doing this on the internal LAN. What app or utility are you using to connect? PuTTY? SecureCRT? Telnet (CLI, e.g. DOS or cmd in XP, then type telnet <ASA IP address>)? Web browser?
Try using SSH to connect if you are connecting via Ethernet. Now, if you are using the console cable, then you use the conf t / line con 0-? / password command in the CLI to set this password. If you did not do this at all, then try the default password you used the first time you connected. Once logged in type: en "ENTER"; you will be asked to input a password, use the password you set for the enable password. Once you can enter enable mode, proceed to configure terminal mode and set the passwords for the console, Telnet (if you use it...), and SSH. Set the authentication level and the authentication server to use when allowing logins. login local = ASA usernames and passwords; RADIUS (Microsoft Internet Authentication Server, which uses Active Directory user accounts to authenticate); or LDAP (a server set up to handle LDAP requests).
enable "ENTER"
CONF T enter
line con 0 press Tab (this will drop down a line and display how many console sessions you can set this password for. it looks like Router#line con 0 (0 - 15) meaning if you want to set the password for all 15 sessions the same you type
line con 0 - 15 "ENTER"
type password
you will be asked to input the password do so then press enter
follow the screen as it will want you to enter the password again
Once you have set the password you can type a ? and press enter
this will display a list of commands to use, read the descriptions and set the authentication server (do Local and create users on the asa)
authentication level (you will set this to at or below the level your user is set at; if not, you will not be allowed to log in as your authentication level will be too low and your session is dropped.)
Set the level 1 - 5
create a user and give that user security level 7 - 15 if you plan on using the login for management purposes.
Now you can also tell the ASA to allow specific ip addresses to connect remotely, or deny specific as well as any ip address to connect, whatever you do don't reject any any for remote login you will never get in again unless connected with a console cable.
Once you have set a login level for the line console or telnet, or ssh.
Set a user with the required authentication level for the line or protocols (telnet, ssh), or set the user to 15 and give the user a password. Allow the required login protocol for your IP address, IP range, or subnet (internal usually), then try to connect.
If you are able to hit the login screen, use the password you set to log in, and do a sh run, sh start, sh arp, and if you like what you see, go ahead and do a copy run start.
This will copy the running configuration (the changes you made) to the startup config (the default config before changes). Now if the device gets powered down it will restart with your changes saved and applied. However, if you don't like your changes, or you are disconnected and cannot reconnect and you did not copy run start, shut the ASA down, turn it back on, and all the changes you made are gone. You can start over and try again; practice makes perfect....


Response To Answer

by ckprem In reply to ASA

Yes .. we do telnet ... But "line con" ... this command is not available ... Also, as mentioned ... there is no AAA server.


ASA Configs

by IcebergTitanic In reply to ASA 5520 Security Applian ...

conf t
management inside
username AdminUserName password AdminPassword priv 15

Also, might want these
ssh inside
http inside
crypto key generate rsa mod 2048

If you're new to ASA, you probably also want to enable your ASDM instead of trying to do command line. That's what the http line does.

Best practice is to use SSH rather than Telnet to access your firewall. You have to have an RSA encryption key for that, which is what the crypto line does. To kill the telnet access, enter the telnet line with "no" in front. (Example: "no telnet inside")

(This whole thing assumes you named your inside-facing interface/VLAN to be "inside". This would be a "nameif" command on the interface, or on the VLAN assigned to the interface)

The line con / vty 0 15 would be used on switches and routers, but is not in the ASAs. The ASA's operating system is slightly different from the IOS used by routers and switches.

Do make sure to save your config. "wr mem" is the quickest way.


Response To Answer

by ckprem In reply to ASA Configs

I am logging in through SecureCRT over telnet ... I have configured the username xxxx password xxx with privilege 15 ..

The enable password is also set .... Not configured under AAA.

When I try to telnet it asks for the password and not the username ..

What should I configure to make it ask for the username first and then the password?

Pls suggest !


Oops! Forgot the most important part!

by IcebergTitanic In reply to ASA 5520 Security Applian ...

aaa authentication telnet console LOCAL

You may also need this if it's missing:

aaa auth enable console LOCAL


Response To Answer

by ckprem In reply to Oops! Forgot the most imp ...

First, I tried to enter aaa auth enable console local -- success.

Second, I tried to enter aaa authentication telnet console LOCAL
- Got an error message stating "aaa server group local does not exist".

Pls advise how to create aaa server group local.


Shouldn't need to create it

by IcebergTitanic In reply to ASA 5520 Security Applian ...

The server group LOCAL is the built-in user database. This is especially weird if the first command worked and the second didn't. Sure you didn't typo the second command?

I think that this is a CASE-SENSITIVE command...

So your first command should have been
aaa auth enable console LOCAL
and NOT
aaa auth enable console local

Try re-doing it with LOCAL in the commands.

Might have to have you post a sanitized config (change your IPs and password hashes prior to uploading)
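Putting the pieces from the replies above into one sequence with the full ASA syntax (the ssh, http and telnet statements take an address and mask in front of the interface name), as an added example that is not part of any post in this thread. The 192.168.1.0/24 management subnet, the interface name "inside" and the username "admin" are assumptions; the passwords are placeholders.

```cisco
! Added example (not from this thread): local-user authentication on every
! management path, then Telnet replaced by SSH. Assumed values are marked.
conf t
! Local user database. This is the "LOCAL" server group; nothing to create.
username admin password REPLACE_WITH_STRONG_PASSWORD privilege 15
enable password REPLACE_WITH_ENABLE_PASSWORD
! Without these lines the ASA only prompts for the line/enable password,
! which is the behaviour the original poster saw. LOCAL is case-sensitive.
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
! SSH needs an RSA key; restrict access to the management subnet
! (192.168.1.0/24 and the interface name "inside" are assumed)
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
! ASDM over HTTPS from the same subnet
http server enable
http 192.168.1.0 255.255.255.0 inside
! Remove every telnet permit statement once an SSH login has been verified
clear configure telnet
! Persist to the startup config
write memory
```

Open a second session and confirm the username/password prompt over SSH before removing Telnet or closing the session you are working in; "show run aaa" and "show run ssh" show what was actually accepted.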


all you need to do

by rjluvkc In reply to ASA 5520 Security Applian ...

asa#config t
asa#<config> password "yourpassword"
This will take care of that first password when you first telnet in.
You should see this when you telnet then:
User Access Verification

Password: (enter the one you created here)
Type help or '?' for a list of available commands.
asa> en (this is the line that will prompt you for enable pw after)
Password: *********
Hope this helps you out.
