ASA ssh,telnet.jar smart tunnels problems

Similar Messages

• ASA SSH / Telnet

  I just configured my ASA so I can remote access via SSH but I can't seem to get it to work. I have my ASA (10.0.10.1) with my wireleess router (192.168.0.1) connected via the WAN port.  I should be able to access the ASA from my laptop (192.168.0.105) correct?
  Here is my current config:
  ASA Version 8.0(3)6
  hostname Firewall
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.10.1 255.255.255.240
  interface Vlan2
  nameif outside
  security-level 0
  ip address 24.234.XXX.XXX 255.255.XXX.XXX
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  pager lines 24
  logging enable
  logging asdm warnings
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-603.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 24.234.118.193 1
  route inside 192.168.0.0 255.255.255.0 10.0.1.10 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh 192.168.0.0 255.255.255.0 inside
  ssh timeout 15
  console timeout 0
  dhcpd address 10.0.10.2-10.0.10.12 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  ntp server 64.147.116.229 source outside prefer
  username woodjl1650 password slFkVmxAtfauhVaf encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
    message-length maximum client auto
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:2f1bd939ffb4683ec5c0b4265bd32951
  : end

  I think you missunderstood me
  To me it seems you have the following setup
  - - 10.0.10.0/24 - - 192.168.0.0/24
  And you are telling on the ASA that the network 192.168.0.0/24 is located behind the IP address 10.0.10.1 which to my understanding would be the interface IP address of the Router towards the ASA.
  Now what I mean with the NAT is that I think your router is possibly doing a Dynamic NAT or Dynamic PAT between network 192.168.0.0/24 and 10.0.10.0/24 and therefore the router would block the PING.
  What makes me think the router is doing NAT is because the PING doesnt work AND the fact that almost every basic router will by default do NAT between its LAN and WAN interfaces.
  But again, I dont know how the router is configured but I dont see any problem on the ASA preventing from PINGing the network behind the router
  You can add "icmp permit any inside" if you want but not sure if it will help in this case.
  - Jouni

• ASA: Smart Tunnel and proxy problem

  Hello
  I are having problem that some of my external users that has a proxy setup on theres end can't use the smart tunnel.
  They get proxy warning when they click on a bookmark.
  If I skipp using Smart tunnel the user can't start the citrix app, get corrupted ica file.
  Is it a common problem if so is there a soultion ?
  KR
  Daniel

  Hi Daniel,
  "Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA,
  the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services
  . If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
  You can get more information from following link:-
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
  HTH!!
  Regards,
  Naresh

• ASA Smart Tunnel with OS X 10.7

  Hello,
     I've recently configured SSL VPN on an ASA failover pair running 8.4(2). The smart tunnel policy allows RDP clients (native MS client on Windows, MS Client and CoRD on Mac). Early testing looked good for both Windows and Mac. But then I had a mac user who reported that the "Application Access" button did not display in the navigation pane, and hence they can't get to where to launch Mac smart tunnel applications. The difference between those that worked and the one that doesn't is OS X v10.6 (works), OS X v10.7 (doesn't work).
     Doing a little research, I found that JRE isn't installed by default in OS X 10.7, and I found the following link:
  http://support.apple.com/kb/DL1421. After installation, and verifying that "enable applet plug-in and Web Start applications" was checked and trying again, the same results. "Application Access" is missing from the navigation bar, and hence smart tunnel apps can't be launched.
     Does anyone have an idea on what could be going wrong here?
  Thanks!
  Kurt

  Kurt,
  I just found your thread here.
  Which browser are you using on the Mac?
  I have found that with Mac OS 10.7 (lion) there are issues with the smart tunnel applet with Safari and Chrome
  However, it works as expected with Firefox.
  I actually get a Safari Web Content crash report when I try to connect with Safari.
  I have been monitoring this since 10.7 was released, I haven't opened a ticket with TAC because it appeard to be an Apple / Safari issue since the applet works with Firefox.
  I installed the latest Java update for 10.7 today and there was no change in behavior.
  I guess it's time to open a TAC ticket.

• Smart tunnel used for access other than native application?

  Dear all,
  i have a question about smart tunnel. my situation is, i need to  access to the server on certain IP address that using a port (example : port 5007) that is native for the application. that application is customized application just for my company.
  Question is :
  1. can i use smart tunnel to access the application for that particular port (ex : port 5007, 8476) ?
  2. i have so many grup servers (other than group server A) with so many costumized application with native port . is there any other way for me to access to that IP without using smart tunnel? because this project requirement is
  Clientless application access using application/Agent in user's PC, such as RDP, SSH & Native Application and ohers.
  Group Server A
  IP                                     Port
  10.194.24.99
  5007, 80, 9593, 9594, 9595
  10.194.22.99
  82
  192.9.1.99
  23, 449, 8470, 8476, 9470, 9476, 992
  My ASA is 9.1.3 and my ASDM is 7.1.3
  Please kindly to help, any reponse i appreciated
  source : http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf

  See http://www.mozilla.org/projects/netlib/PortBanning.html
  * http://kb.mozillazine.org/network.security.ports.banned.override

• Smart Tunnel not working correctly

  I have setup Smart Tunnelling on an ASA5505.
  Situation is PC --->  Proxy [bluecoat] ---> Internet ---> ASA
  I can connect to the front end clientless VPN side ok and I then click on start smart tunnelling.  It starts up (at least it says so) but when I access one of the programs in the list (mstsc.exe) the [Tunnel] traffic does not go via the Proxy but tries to go direct instead.  Wireshark shows traffic being sent to the ASA VPN IP instead of via the proxy (trace is filtered to ASA subnet).  Although encrypted the trace only shows traffic when I start a connection from mstsc.exe.
  ASA version is 8.4(3), Java is build 1.6.0_26-b03
  Any tips on what maybe going on?

  Automatic proxy setting or manual? Manual is supported.

• Pcomm over smart tunnel

  I wonder if anybody tried to run ibm pcomm application over smart tunnel to connect to the mainframe. It is telnet like software. I am trying to make it work but I think I am missing something. By the way I can RDP to Wintel on the same subnet. It works fine using port forwarding but to confusing for end users. Thank you in advance.

  Are you referencing the correct process in the Smart Tunnel list?

• Ssh, telnet, ftp & tftp services stop working

  I have a new SunV245 running Solaris 9 that when I start the server up everything works good, but after 8-12 hours the network type services quit working (ssh, telnet, ftp, & tftp) however I can still ping the interfaces so the network is there. I reboot and everything starts working again. Has anyone seen this before? Is there some kind of power save option that could be shutting the inetd type services down?

  Cat and Maximo,
  > Let me try to get that straight. Your BM does static NAT for your
  > mailserver (and other boxes), and suddenly UDP and ICMP from these
  > natted servers through the BM still works, but TCP doesn't?
  Yes. That's what it looks like.
  > Can you still do TCP *to* the BM from the natted devices when that
  > happens? As you say your proxy continues to work, it sounds as if TCP in
  > general on the server continues to work, but does it also work from the
  > mailserver?
  Everyone browsing via BM proxy continues with no interuption.
  The mail server can telnet to any other server on the internal LAN but
  nothing past BM. DNS continues working for the mail server too.
  > If really nothing changed, this might be a (succesful) DOS attack of
  > some sort. I wonder if a LAN trace could reveal anything of interest.
  Do you mean port scan the BM server?
  I know that "nothing has changed" is a loaded statement. The only thing
  (that I know of) that has changed relatively recently is the addition of
  the Squid server. It has been running behind the BM server for about 3
  weeks. Recently I added a filter exception allowing the Squid server to
  access higher ports (dyn/tcp).
  But, as I noted before, I think removing ipflt should eliminate any
  doubts there. Is there some way Squid could be corrupting something there?
  The problem was compounded this morning (saturday). I came in today so I
  would have the network essentially to myself. But, to my surprise,
  everything was ok.
  Cat, You're right. This server is no spring chicken. It is an IBM
  Netfinity 3000. Its probably 3 or 4 years old (maybe more). I will think
  about this as a hardware problem but I just wish the thing would die
  altogether and get it over with. :o)
  Thanks,
  Brian

• Smart Playlist Problems (Since Ver 5)

  I have come across a problem, which I believe started when I installed Version 5.
  I have many SMART playlists set up that are really for my iPod usage. They are set to pick certain tracks that have not been heard in xxx amount of days, and usually set to a certain number of songs, or a particular amount of time.
  The ones I use most often:
  SLEEP MUSIC - a playlist of random songs not played in the last 5 days limited to 90 minutes. I listen to this when I go to bed.
  WORK MUSIC - a playlist of 100 random songs not played in the last 5 days. I play this through my inMotion dock at work.
  Previously, all the smart playlists worked fine. When the songs were played, the playlist would update on the iPod and the next time I would enter that playlist on the iPod, the tracks would be different.
  It still works this way as long as I don't connect my iPod to my PC and sync with iTunes. If I do, it always resets the iPod playlists to the songs that appear in the iTunes library. I rarely use these playlists on the PC, so they almost always stay the same.
  It seems like in previous versions, iPod would update the iTunes library and the smart playlists would also be updated in iTunes, so that the iPod versions of the playlists would continue to be random. But now, if the playlist is different on the iPod, it will not transfer over to iTunes. Instead, the iTunes playlist is copied back over to my iPod, and I keep getting the same playlists over and over.
  This is a major annoyance, as I usually sync my iPod every day since I am constantly updating my library.
  I've also noticed that when I synch my iPod, it is copying over songs that are already there, and it always seems to be copying songs I recently played in the iTunes library.
  I know that if the tag info is changed, or I add album art to a track, it will be copied over to the iPod again, but I am not making any changes to these tracks, just playing them in iTunes. I don't know if this is related to the smart playlist problem or not.
  I thought about unchecking LIVE UPDATE on those playlists that cause a problem, but that doesn't work, as now I'd ALWAYS have the same playlist.
  So, my next thought is to use the "Only update selected playlists" option in the preferences to exclude those playlists that have this problem. If I do this, will new music I add still be copied over to my iPod?
  Has anyone else encountered these problems?
  FYI - I have not updated to the latest iPod update because of smart playlist problems people were having. I have version 1.1 on my 60GB photo. Would updating perhaps fix this problem?
  My bottom-line thought on this is that iTunes updates the iPod, but the iPod no longer updates the iTunes library as it previously did. My reasons for thinking this are 1) The playlist problems I am having as stated above, and 2) I notice when I change the ratings on the iPod, they are not changed in iTunes. I am going to do a test and change the rating on a track on the iPod, then I will synch my iPod to see if the track is updated in iTunes, or the file is copied back to the iPod with the old rating.

  Reagrding tracks being copied over again, I've seen another post in iPod Lounge where that person indicated the same thing. He stated that the play count was not being updated between the iPod and iTunes, but that the tracks were being copied over again. This sounds like a good explanation of this problem.
  I have now noticed many of the tracks which I know I have played in the past show a "0" play count. Are the play counts kept in the iTunes library files (iTunes.xml and iTunes.itl)?
  I always save the library files, so that when I reinstall iTunes I can just copy these 2 files back to their proper locations and I have my entire library intact - playlists and all. My music library is on a different drive.
  Anyway, I KNOW I have played these tracks on the iPod, and yet they show unplayed on iTunes. This is probably another symptom of the re-copying tracks problem.

• Smart Form problem with address layout

  Hello everyone,
  I need your help please for a smart form problem. We need the address layout for great britain with street1, street2 etc. but currently street2 is alligned before street1.
  We are using the FM ADDRESS_INTO_PRINTFORM (SAP standard address node) and according to the documenation the layout for GB is different as we see it currently.
  We have checked the sold-to and all contact persons, they have as country GB and language EN maintained.
  In customizing for address screen layout there is nothing chosen (tested to set up Europe, but did not change anything).
  For the customizing 'specify my countries...' we have maintained GB as country with the address layout key 006, vehicle country key GB and language key EN.
  For the described setting shouldn't there be designed the address in our smart forms according to 006? Anyhting in customizing we missed?
  Thanks a lot for your answers.
  Torsten

  Hi,
  Try to use line priority of FM, below is a brief of documentation. You can read it more in FM documentation:
  Control Parameters
  See also the parameter documentation.
  ADDRESS_TYPE - Address type (from 3.0C)
  There are three types of address:
  Address type '1': addresses of firms or organizations; the address
  structure which is used in most SAP applications as 'Address'.
  Address type '2': address of a person
  Address type '3': work address, usually the address of a contact person
  in a company
  The default value SPACE for the address type is handled like type '1',
  and is needed for the upwards-compatibility of the function module.
  Which parameters are used for which address type is explained in the
  ADDRESS_TYPE parameter documentation.
  The three character "address layout key" of the recipient country (LAND1) controls which of the available country-specific routines is used to format addresses for the country in question. This key is stored in field T005-ADDRS and is entered in Customizing under Global settings -> Set countries -> Define countries, on the detail screen under "Address layout key".
  Keys for customer routines in the SAP enhancement SZAD0001 can be
  maintained via the transaction SM30 (extended table maintenance),table
  name T005A, in the customer name range, and be assigned in country customizing.
  The address attributes are passed in the structures ADDRESS1 (type 1), ADDRESS2 (type 2), ADDRESS3 (type 3) or ADRSWA_IN (type SPACE).
  NUMBER_OF_LINES (ADRSWA_IN-ANZZL)
  The number of lines available for the address layout. If the number of
  lines is not sufficient for the complete layout of an address, then
  lines are consecutively suppressed according to the rules of the country in question. Use the parameter LINE_PRIORITY (ADRSWA_IN-PRIOR) overrules the standard sequence in which the output lines are to be suppressed.
  LINE_PRIORITY (ADRSWA_IN-PRIOR)
  If not equal to SPACE, this field overwrites the standard sequence in
  which the lines are suppressed if the available number of lines ANZZL is
  insufficient.
  The standard sequence is defined as follows:
  Type 1:   'AP43HRT7I86LC2BS5O'       (GB:  'APRT4327I86CBS5LO')
  Type 2:   'APHRT7I86LCBS5O'          (GB:  'PRT7I86CBS5LO')
  Type 3:   'APF43HR7I86TLC2BSND5O'    (GB:  'APRT4327I86CBS5LNDIO')
  where (if they occupy a line of their own):
  A = Title
  P = Mandatory empty line 1
  F = Function of the contact person in the company
  4 = Name 4
  3 = Name 3
  H = Different city
  R = Region
  T = District
  L = Name of country
  C = Postal code
  T = District
  7 = Street 3 (field STR_SUPPL2)
  I = Street 5 (field LOCATION)
  8 = Street 4 (field STR_SUPPL3)
  6 = Street 2 (field STR_SUPPL1)
  L = Country
  C = Postal code
  2 = Name 2
  B = PO Box
  S = Street or PO Box
  5 = c/o name
  N = Name (and title) of a person
  D = Department
  O = City
  Which of these attributes are available for maintenance can vary. All
  fields exist in Business Address Services.
  STREET_HAS_PRIORITY (ADRSWA_IN-WAREN)
  'X': Street has priority over PO Box (delivery address for example)
  ' ': PO Box has priority over street. This is the default value.
  regards,

• Telnet GUI client giving problems for one userid.

  Hi,
  I have written a GUI program to get userid and password to connect to a Telnet session. The purpose of the program is just to check if the user is a valid user and start another application if the user is a valid user. This application works well and is installed for manay users at my work place. But, this program doesn't work well only for one user. That user tried to use this program by changing is password. He tried to login using this GUI in other terminals. Only this user is having problems logging in in any terminal. But, he is able to open a telnet session without any problems if he doesn't use the GUI. I tried to print the characters that are returned by the server. But, it prints all the characters without any problem. The application hangs at the point, when it has to read the $ prompt after logging in. I also, checked if this user has been set with any other properties for his userid than other users. But, he is having the same privelages like all other users.
  Any help in fixing this problem is appreciated.
  Thanks in advance.

  You need to be more specific about what your program does, for us to suggest some troubleshooting techniques.
  One possibility:
  Your program takes the user's id and password, and if it can authenticate the user, it launches the telnet program (at which point, your user needs to authenticate himself again at telnet's login prompt. In other words, your program provides access to telnet.
  If that is the case, then your user may have changed his password on the remote host, but neglected to change his password on the GUI. I doubt this is the case, but the point I wanted to make is perhaps your GUI is having problems authenticating the user.
  Check to make sure the string the user typed matches the string you have on file. (See below for more on this.)
  The other possibility is:
  Your GUI takes the user's id and password, launches a telnet session, and tries to log in the user via proxy. If it works, the telnet session
  is returned back to the user. If it fails, an appropriate error message is returned. Your program is essentially a front end to telnet.
  If that is the case, then you're likely to have a problem transmitting the password string. Perhaps the user's new password has a character Java and telnet interpret differently.
  First thing to check is literally have your GUI output the string to the telnet session. Don't ask the user to type it in, just ask him what it is. If the password is "fido" (hypothetically), then have your GUI do the equivalent of out.write( "fido" );
  If it bombs, you know you can't transmit that particular string, and the short term solution is to change the password again. If it works, have the user type in the password, but instead of sending it to telnet, just system.out.println( inputtedPassword ); instead. See if Java does any unintentional formatting when reading it in.
  In other words, treat input and output as two seperate cases, and test accordingly.
  When you think about it, that particular password is the key. In fact, if you told us what the password is (don't tell us who you are or where you're connecting from), some Java Guru might see it and say "Oh, you can't do a double backslash like that!"
  Anyways, I'm sure you've solved the problem, I just posted this explaination for the benefit of others who are curious about how to troubleshoot something like this.

• Jar file creation problem

  I have create the jar file, but it show the following error mesage since i start to run it.
  Java Virtual Machine Laugcher
  Failed to load the main class manifest attribute from
  E:\j2sdk1.4.2\bin\test.jar
  What the problem for this?
  my manifest.mf file contain the information
  Manifest-Version: 1.0
  Main-Class: mysystem.MainFrame
  note, my directory is javac mysystem/MainFrame.java to run

  Open the jar in WinZip (or any other).
  the mysystem directory should be in the root..

• Rescue CD/distribution that enables ssh/telnet on boot?

  Hi all,
  I am looking for a distribution/live cd that enables ssh/telnet (or something similar) on boot. The reason I need this: I am trying to get data from a broken all-in-one PC (only the monitor appears broken), and do not have access to a monitor.
  I have searched google for this, and it looks like this particular livecd may not exist, and that I may have to create my own livecd (something I have never done before...).
  I figured I'd ask here first, in case anyone knew of such a livecd.
  Thanks

  WonderWoofy wrote:
  I never said you were rude, but I am giving you a viable solution.  It is not like you are going to have to do this over and over again, you simply need access to your headless machine (hopefully just once anyway).
  I did exactly what I am proposing to you when I installed Arch on my headless server.  So I know it can be done, and it is probably one of the simplest of solutions... by that I mean you could be moving data off your drive by now.
  Insert Archiso and press power button
  ...give it some time to boot...
  # passwd <desired password>
  # systemctl start sshd
  PROFIT!
  I tried this earlier, but it did not seem to work. I'll move the PC downstairs and hook it up straight to the router instead of my current usage of powerline ethernet (seems harder to find the IP with nmap), and try the arch iso again.
  The good news is that I know it boots from the CD, from looking at the various lights and listening to the hdd/drive sounds. xD

• Os x smart tunnel for java

  We have a webpage that uses java, and we are unable to make it work on web vpn on mac os. On the windows side, we added the following to the webvpn smart tunnel and it works:
  smart-tunnel list banner WebStart javaws.exe platform windows
  smart-tunnel list banner JavaWindows javaw.exe platform windows
  Does anyone know the path for mac os x?

  The VPN client for Mac OS runs on any Power Macintosh or compatible computer with Mac OS Version 7.6 to 9.x, and Open Transport Version 1.1.1 or later.
  Have available an application that can translate a BinHex (.hqx) archive, such as StuffIt. Your web browser might perform the translation automatically for you.
  http://www.cisco.com/en/US/docs/security/vpn5000/client/windows_mac/client52/user/guide/Install.html#wp1023928

• Ssl smart tunnel and vmware client

  Has anyone gotten the vmware client(for either server or VI) to work using a smart tunnel on webvpn? I set up a smart tunnel for vmware.exe, but it does not seem to connect. I am running 8.0.4. Also, has anyone been able to smart tunnel explorer.exe?

  The AnyConnect VPN Client is not compatible with virtualization software, such as VMWare.