Question

  • #2207603

    ASA 5520 Security Appliance

    by ckprem ·

    I have configured my Security Appliance ASA 5520 with a username and password.

    The enable password was also configured. The ASA is not added in AAA.

    When I log in to the ASA it asks for the password but never asks for the username.

    Can someone help me list the commands that I need to add, as I am new to configuring the ASA appliance?

All Answers

    • #2888691

      Clarifications

      by ckprem ·

      In reply to ASA 5520 Security Appliance

      Clarifications

    • #2888647

      ASA

      by drumright ·

      In reply to ASA 5520 Security Appliance

      The answer you can find really easily:
      1. How are you connecting to the ASA (console cable (the blue cable that came with the device), Ethernet (Cat 5 plugged into ports 0-7 and connected directly to the PC used to connect to the ASA), or another method)?
      2. Ethernet connection = SSH, telnet, web GUI (IE, Mozilla, Chrome)? (port 80 = HTTP, port 443 = HTTPS)
      3. Not requiring a username when logging in is usually a telnet connection (note: insecure connection, the password is sent in clear text; DO NOT USE IF CONNECTING OVER THE INTERNET! SSL ONLY ON INTERNET CONNECTIONS).
      TELNET NOTE: TELNET SESSIONS WILL USUALLY AUTHENTICATE FROM THE LOCAL AUTHENTICATION SERVER (ASA 5520) AND WILL REQUIRE THE DEFAULT SECURITY LEVEL TO SIGN IN (UNLESS YOU CHANGED THIS SETTING?). Use the default password you set for telnet sessions; if you did not set this then try Cisco's default password, I think it is Cisco for the password. Should this not work, use the login password you set; if that does not work, use the enable password. Why, you say? Well, it is possible you set requirements for telnet logins to use security level authentication 15 (full access), or enable security level 7 by accident.
      However, if you do use these passwords over telnet please make sure you are doing this on the internal LAN. What app or utility are you using to connect? PuTTY? SecureCRT? Telnet (CLI, e.g. DOS or cmd in XP, then type telnet <ASA IP address>)? Web browser?
      Try using SSH to connect if you are connecting via Ethernet. Now, if you are using the console cable then you use the conf t / line con 0-? / password command in the CLI to set this password. If you did not do this at all, then try the default password you used the first time you connected. Once logged in type: en "ENTER"; you will be asked to input a password; use the password you set for the enable password. Once you can enter enable mode, proceed to configure terminal mode and set the passwords for the console, telnet (if you use it...), and SSH. Set the authentication level and the authentication server to use when allowing logins: login local = ASA usernames and passwords, RADIUS (Microsoft Internet Authentication Server, which uses Active Directory user accounts to authenticate), or LDAP (a server set up to handle LDAP requests).
      enable "ENTER"
      CONF T enter
      line con 0 then press Tab (this will drop down a line and display how many console sessions you can set this password for; it looks like Router#line con 0 (0 - 15), meaning if you want to set the password for all 15 sessions the same you type
      line con 0 - 15 "ENTER"
      RouterLine(0-15)
      type password
      you will be asked to input the password; do so, then press Enter
      follow the screen as it will want you to enter the password again
      Once you have set the password you can type a ? and press Enter
      this will display a list of commands to use; read the descriptions and set the authentication server (do Local and create users on the ASA)
      authentication level (you will set this to at or below the level your user is set at; if not, you will not be allowed to log in as your authentication level will be too low and your session is dropped.)
      Set the level 1 - 5
      create a user and give that user security level 7 - 15 if you plan on using the login for management purposes.
      Now you can also tell the ASA to allow specific IP addresses to connect remotely, or deny specific ones as well as any IP address from connecting; whatever you do, don't reject any any for remote login or you will never get in again unless connected with a console cable.
      Once you have set a login level for the line console, telnet, or SSH,
      set a user with the required authentication level as the line or protocols (telnet, SSH), or set the user to 15 and give the user a password. Allow the required login protocol for your IP address, IP range, or subnet (internal usually), and try to connect.
      If you are able to hit the login screen, use the password you set to log in, and do a sh run, sh start, sh arp, and if you like what you see, go ahead and do a copy run start.
      This will copy the running configuration (the changes you made) to the startup config (the default config before changes). Now if the device gets powered down it will restart with your changes saved and applied. However, if you don't like your changes, or you are disconnected and cannot reconnect and you did not copy run start, shut the ASA down, turn it back on and all the changes you made are gone. You can start over and try again; practice makes perfect....

      • #2809068

        Response To Answer

        by ckprem ·

        In reply to ASA

        Yes, we do telnet. But line con: this command is not available. Also, as mentioned, there is no AAA server.

    • #2809016

      ASA Configs

      by icebergtitanic ·

      In reply to ASA 5520 Security Appliance

      conf t
      management inside
      username AdminUserName password AdminPassword priv 15

      Also, might want these
      ssh 0.0.0.0 0.0.0.0 inside
      http 0.0.0.0 0.0.0.0 inside
      crypto key generate rsa mod 2048

      If you’re new to ASA, you probably also want to enable your ASDM instead of trying to do command line. That’s what the http line does.

      Best practices is to use SSH rather than Telnet to access your firewall. You have to have an RSA encryption key for that, which is what the crypto line does. To kill the telnet access, enter the telnet line with “no” in front. (Example “no telnet 0.0.0.0 0.0.0.0 inside”)

      (This whole thing assumes you named your inside-facing interface/VLAN to be “inside”. This would be a “nameif” command on the interface, or on the VLAN assigned to the interface)

      The line con vty 0 15 would be used on switches and routers, but is not in the ASAs. The ASA's operating system is slightly different from the IOS used by routers and switches.

      Do make sure to save your config. “wr mem” is the quickest way.

      • #2808913

        Response To Answer

        by ckprem ·

        In reply to ASA Configs

        I am logging in through SecureCRT via telnet. I have configured the username xxxx password xxx with privilege 15.

        The enable password is also set. Not configured under AAA.

        When I try to telnet it asks for the password and not the username.

        What should I configure so that it asks for the username first and then the password?

        Please suggest!

    • #2808910

      Oops! Forgot the most important part!

      by icebergtitanic ·

      In reply to ASA 5520 Security Appliance

      aaa authentication telnet console LOCAL

      You may also need this if it’s missing:

      aaa auth enable console LOCAL

      • #2876857

        Response To Answer

        by ckprem ·

        In reply to Oops! Forgot the most important part!

        First I tried to enter aaa auth enable console local: success.

        Second I tried to enter aaa authentication telnet console LOCAL
        and got an error message stating "aaa server group local does not exist".

        Please advise how to create aaa server group local.

    • #2876661

      Shouldn’t need to create it

      by icebergtitanic ·

      In reply to ASA 5520 Security Appliance

      The server group LOCAL is the built-in user database. This is especially weird if the first command worked and the second didn’t. Sure you didn’t typo the second command?

      I think that this is a CASE-SENSITIVE command…

      So your first command should have been
      aaa auth enable console LOCAL
      and NOT
      aaa auth enable console local

      Try re-doing it with LOCAL in the commands.

      Might have to have you post a sanitized config (change your IPs and password hashes prior to uploading)
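The posts above (#2809016, #2808910 and #2876661) add up to a checklist. The script below is an added example, not any poster's code, that runs that checklist over a constructed, sanitized show run fragment (not the OP's real config): telnet still enabled, any-any management lines, lowercase local in an aaa command, and a management protocol allowed without its aaa authentication ... console LOCAL line, which is exactly why the login prompts for a password only.

```python
import re

# Constructed sample mirroring the state described in the thread:
# telnet open to any source, no aaa line for telnet, lowercase 'local'.
WEAK_CONFIG = """\
enable password REDACTED encrypted
passwd REDACTED encrypted
username admin password REDACTED encrypted privilege 15
telnet 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
aaa authentication enable console local
"""

# Constructed hardened counterpart: SSH only, scoped to the inside subnet,
# every management protocol tied to the built-in LOCAL user database.
HARDENED_CONFIG = """\
username admin password REDACTED encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
http server enable
http 10.1.1.0 255.255.255.0 inside
"""

ANY_ANY = re.compile(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 \S+$")
PROTOCOLS = ("telnet", "ssh", "http")


def audit_mgmt_access(config: str) -> list[str]:
    """Return human-readable findings for management-plane settings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        if ln.startswith("telnet "):
            findings.append(f"telnet enabled (cleartext credentials): {ln}")
        if ANY_ANY.match(ln):
            findings.append(f"management access from any source: {ln}")
        if ln.startswith("aaa authentication") and ln.endswith(" local"):
            findings.append(f"server group is 'LOCAL' (case-sensitive): {ln}")
    for proto in PROTOCOLS:
        allowed = any(ln.startswith(f"{proto} ") for ln in lines)
        has_aaa = f"aaa authentication {proto} console LOCAL" in lines
        if allowed and not has_aaa:
            # Without this line the ASA prompts only for the 'passwd' password.
            findings.append(f"{proto} allowed without 'aaa authentication "
                            f"{proto} console LOCAL' (password-only login)")
    return findings
```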

    • #2876620

      all you need to do

      by rjluvkc ·

      In reply to ASA 5520 Security Appliance

      asa#config t
      asa# password “yourpassword”
      This will take care of that first password when you first telnet in.
      You should see this when you telnet then:
      User Access Verification

      Password: (enter the one you created here)
      Type help or ‘?’ for a list of available commands.
      asa> en (this is the line that will prompt you for enable pw after)
      Password: *********
      asa#
      Hope this helps you out.