Solved

ASDM Management from VPN

Posted on 2011-03-07
Last Modified: 2012-05-11
Hi, I'm unable to manage my ASA when VPN'd in. I have allowed management access for the IP pool that is given to VPN users. Is there anywhere else I need to look?
Question by:radiosupport
19 Comments
 

Expert Comment

by:Ernie Beek
ID: 35056336
Did you enable management access on the inside?
And did you enable and allow HTTP and/or SSH from the IP pool?

Expert Comment

by:nickswanjan
ID: 35056387
You need to specify another interface as a management-access interface.

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/access_management.html#wp1064497

Author Comment

by:radiosupport
ID: 35056423
Management access is enabled on the inside and working OK. I also enabled HTTP and SSH from the VPN pool. So I still need to specify another interface?

Expert Comment

by:Ernie Beek
ID: 35056443
Did you check the logging to see if anything shows up?

Author Comment

by:radiosupport
ID: 35056457
Looks like it's dropping the packet for some reason. I've just discovered I can't telnet to it either. It responds to ping OK, though.

Expert Comment

by:Ernie Beek
ID: 35056516
You enabled http for the IP pool from the outside, did you?

like http 1.2.3.0 255.255.255.0 outside

Author Comment

by:radiosupport
ID: 35056710
Hi, yes I did.

Author Comment

by:radiosupport
ID: 35056718
It doesn't work if you state inside OR outside.

Expert Comment

by:Ernie Beek
ID: 35056881
Could you post a sanitized config? Let's see if we are overlooking something.

Author Comment

by:radiosupport
ID: 35057001
------------------ show running-config ------------------

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name COMPANY-radio.local
enable password <removed>
names
name 1.1.1.1
name 1.1.1.87
name 10.92.183.0
name 2.2.2.0
name 1.1.1.244
name 4.4.4.0
name 3.3.3.0
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 1.1.1.3 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Outside
 nameif outside
 security-level 50
 ip address X.X.X.X 255.255.255.248
 ospf cost 10
!
interface Vlan3
 description WAP
 no forward interface Vlan1
 nameif WAP
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd <removed>
boot system disk0:/asa803-k8.bin
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAP
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name COMPANY-radio.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
 port-object eq lotusnotes
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 5900
 port-object eq 21552
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Prontonet tcp
 description Prontonet
 port-object range 50011 50046
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl_out extended permit tcp any any object-group DM_INLINE_TCP_1
access-list acl_out extended permit tcp any any eq 8099
access-list acl_out remark RadioMonitor
access-list acl_out extended permit tcp any any eq 2222
access-list acl_out remark RadioMonitor
access-list acl_out extended permit tcp any any eq 8100
access-list acl_out remark Prontonet
access-list acl_out extended permit tcp any any eq 52000
access-list acl_out remark Prontonet
access-list acl_out extended permit tcp any any eq 52001
access-list acl_out extended permit tcp any any eq 8000 inactive
access-list acl_out extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 1.1.1.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark London
access-list OriginalSol_splitTunnelAcl standard permit SITE2 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark SITE3
access-list OriginalSol_splitTunnelAcl standard permit SITE1 255.255.255.0
access-list global_mpc extended permit tcp any any eq pptp
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_nat0_outbound extended permit ip SITE2 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 SITE2 255.255.255.0
access-list inside_nat0_outbound extended permit ip SITE1 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 SITE1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 SITE3 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Remoteaccess 255.255.255.128
access-list outside_dyn_map extended permit ip 1.1.1.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_access_in_1 remark Send SMTP
access-list inside_access_in_1 extended permit tcp host OfficeServer any eq smtp
access-list inside_access_in_1 remark Block all other SMTP
access-list inside_access_in_1 extended deny tcp any any eq smtp
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended deny ip any any inactive
access-list inside_access_in_1 extended permit ip any SITE2 255.255.255.0
access-list inside_access_in_1 extended permit ip SITE2 255.255.255.0 any
access-list waptoInside extended permit ip any any
access-list WAP_access_in extended permit ip any any
access-list WAPtoInside extended permit ip any any
access-list outside_1_cryptomap extended permit ip 1.1.1.0 255.255.255.0 SITE3 255.255.255.0
access-list VPN-Networks extended permit ip any 1.1.1.0 255.255.255.0
access-list VPN-Networks extended permit ip any SITE2 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WAP 1500
ip local pool ippool2 2.2.2.1-2.2.2.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
access-group WAPtoInside in interface WAP
route outside 0.0.0.0 0.0.0.0 62.6.250.89 1
route inside SITE1 255.255.255.0 1.1.1.254 1
route inside SITE2 255.255.255.0 1.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http Remoteaccess 255.255.255.0 outside
http 1.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 match address outside_dyn_map
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 213.83.125.87
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
    df70fb44 81c5c720 f538604e 8ab43cb3
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 1.1.1.0 255.255.255.0 inside
telnet Remoteaccess 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.254 WAP
dhcpd dns 208.67.222.222 208.67.222.220 interface WAP
dhcpd enable WAP
!

threat-detection basic-threat
threat-detection statistics
ntp server 1.1.1.11 source inside
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
 pfs enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool2
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
group-policy COMPANY-Radio internal
group-policy COMPANY-Radio attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec webvpn
 default-domain value COMPANY-radio.local
group-policy Coast internal
group-policy Coast attributes
 wins-server value 1.1.1.1
 dns-server value 1.1.1.1
 vpn-tunnel-protocol IPSec svc
 
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ftp
!
service-policy global_policy global
smtp-server 1.1.1.1
prompt hostname context
Cryptochecksum:bfb70ce8cbf510ddccd6e491e5c38c8d
: end


Expert Comment

by:Ernie Beek
ID: 35057131
First thing I noticed: you're using the name Remoteaccess but I can't see it defined anywhere.

Author Comment

by:radiosupport
ID: 35057175
Sorry, I was slightly trigger-happy. Defined at the top with this:

name 2.2.2.0 RemoteAccess

Expert Comment

by:Ernie Beek
ID: 35057325
Ok.

You said: "Looks like it's dropping the packet for some reason"

Could you show some of those log entries? I would like to know the exact reason.

Author Comment

by:radiosupport
ID: 35057589
Sorry, I had to leave the office. Will try this when I get home tonight and report back. Thanks for the help.

Expert Comment

by:Ernie Beek
ID: 35057692
No problem, I'll be waiting.

Author Comment

by:radiosupport
ID: 35058006
Managed to get this; RemoteAccess's true IP pool is 10.9.64.0. 10.9.62.3 is the inside interface of the ASA. vpn.user is the name of the user VPN'd in.

%ASA-6-302013: Built inbound TCP connection 16933 for outside:10.9.64.1/53150 (10.9.64.1/53150) to NP Identity Ifc:10.9.62.3/443 (10.9.62.3/443) (vpn.user)
%ASA-6-302014: Teardown TCP connection 16933 for outside:10.9.64.1/53150 to NP Identity Ifc:10.9.62.3/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (vpn.user)
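The two syslog lines above are the whole diagnostic: a connection from the VPN user reaches the ASA's own identity interface (`NP Identity Ifc`) on 443 and is torn down immediately with zero bytes. As an added example (not code from the thread or from Cisco), the following Python script correlates `%ASA-6-302013` build and `%ASA-6-302014` teardown messages by connection id and reports to-the-box management connections that ended without carrying any data, together with the teardown reason and the VPN username. The sample input embeds the two posted lines verbatim plus a constructed healthy SSH session that must not be flagged; the management port set (22, 23, 443) and the "zero bytes" heuristic are my assumptions.

```python
import re

# Constructed sample: the two syslog lines quoted in the post above, verbatim,
# plus (my addition) a healthy to-the-box SSH session that must NOT be flagged.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 16933 for outside:10.9.64.1/53150 (10.9.64.1/53150) to NP Identity Ifc:10.9.62.3/443 (10.9.62.3/443) (vpn.user)
%ASA-6-302014: Teardown TCP connection 16933 for outside:10.9.64.1/53150 to NP Identity Ifc:10.9.62.3/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (vpn.user)
%ASA-6-302013: Built inbound TCP connection 16940 for inside:10.9.62.50/40012 (10.9.62.50/40012) to NP Identity Ifc:10.9.62.3/22 (10.9.62.3/22)
%ASA-6-302014: Teardown TCP connection 16940 for inside:10.9.62.50/40012 to NP Identity Ifc:10.9.62.3/22 duration 0:05:12 bytes 48213 TCP FINs
"""

# Interface names may contain spaces ("NP Identity Ifc"), hence the lazy ".+?".
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_ifc>.+?):(?P<src>\S+)/(?P<sport>\d+) \(\S+\) "
    r"to (?P<dst_ifc>.+?):(?P<dst>\S+)/(?P<dport>\d+) \(\S+\)"
    r"(?: \((?P<user>[^)]+)\))?"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_ifc>.+?):(?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst_ifc>.+?):(?P<dst>\S+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*?))?(?: \((?P<user>[^)]+)\))?$"
)

# "NP Identity Ifc" is the ASA's label for flows that terminate on the box itself.
TO_THE_BOX_IFC = "NP Identity Ifc"
# Assumption: ports the ASA listens on for management (ssh, telnet, ASDM/https).
MGMT_PORTS = {22, 23, 443}


def find_rejected_management_flows(log_text):
    """Return to-the-box management connections that ended with zero bytes.

    302013 (build) and 302014 (teardown) are paired by connection id so the
    report can carry the VPN username from whichever message recorded it.
    """
    built = {}
    hits = []
    for line in log_text.splitlines():
        if m := BUILT_RE.search(line):          # search() tolerates a syslog prefix
            built[m.group("id")] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        t = m.groupdict()
        if t["dst_ifc"] != TO_THE_BOX_IFC or int(t["dport"]) not in MGMT_PORTS:
            continue
        b = built.pop(t["id"], {})
        if int(t["bytes"]) != 0:
            continue  # data flowed, so the management session was accepted
        hits.append({
            "conn_id": t["id"],
            "user": t["user"] or b.get("user"),
            "src": f'{t["src_ifc"]}:{t["src"]}',
            "dst": f'{t["dst"]}:{t["dport"]}',
            "reason": t["reason"] or "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_rejected_management_flows(SAMPLE_LOGS):
        print(f'conn {hit["conn_id"]}: {hit["src"]} -> {hit["dst"]} '
              f'user={hit["user"]} reason="{hit["reason"]}"')
```

Run against a syslog export, the script prints one line per rejected management session; on the thread's data that is connection 16933 from vpn.user to 10.9.62.3:443 with reason "Flow terminated by TCP Intercept", while the constructed SSH session with 48213 bytes is left alone.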
 

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 35058290
Oh, one thing I asked before but you didn't respond to.

It should be: http Remoteaccess 255.255.255.0 inside

Let's see what shows up (in the logs) then.
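The fix in the accepted answer comes down to one rule: a management rule (`http`, `ssh`, `telnet`) whose source is the VPN address pool must name the interface given by `management-access`, not the interface the tunnel terminates on. That rule can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it lints a constructed excerpt of the posted config, with the `name 2.2.2.0 RemoteAccess` alias the poster described, and flags management rules whose source overlaps an `ip local pool` but whose interface differs from `management-access`. Assumptions of mine: aliases are matched case-insensitively (the thread writes both `RemoteAccess` and `Remoteaccess`), and a second, extra check flags `0.0.0.0 0.0.0.0` sources as over-broad.

```python
import ipaddress
import re

# Constructed excerpt of the sanitized config posted above. The thread says the
# pool network is aliased with `name 2.2.2.0 RemoteAccess`, while the running
# config writes `Remoteaccess`; aliases are therefore matched case-insensitively.
SAMPLE_CONFIG = """\
name 2.2.2.0 RemoteAccess
ip local pool ippool2 2.2.2.1-2.2.2.100 mask 255.255.255.0
http server enable
http Remoteaccess 255.255.255.0 outside
http 1.1.1.0 255.255.255.0 inside
telnet 1.1.1.0 255.255.255.0 inside
telnet Remoteaccess 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
management-access inside
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)\s+mask\s+(\S+)")
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
MA_RE = re.compile(r"^management-access\s+(\S+)")


def lint_management_access(config_text):
    """Return (config_line, problem, suggested_line) tuples.

    Rule from the thread: an http/ssh/telnet entry whose source overlaps a VPN
    address pool must name the `management-access` interface, not the interface
    the tunnel terminates on. An extra check (my addition) flags 0.0.0.0/0 sources.
    """
    lines = [l.strip() for l in config_text.splitlines()]
    names, pools, mgmt_ifc = {}, [], None
    for line in lines:
        if m := NAME_RE.match(line):
            names[m.group(2).lower()] = m.group(1)
        elif m := POOL_RE.match(line):
            pools.append((m.group(1), ipaddress.ip_address(m.group(2)),
                          ipaddress.ip_address(m.group(3))))
        elif m := MA_RE.match(line):
            mgmt_ifc = m.group(1)

    findings = []
    for line in lines:
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, src, mask, ifc = m.groups()
        try:
            # ipaddress accepts "addr/netmask"; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{names.get(src.lower(), src)}/{mask}", strict=False)
        except ValueError:
            continue  # not an address/mask rule
        for pool_name, start, end in pools:
            if net[0] <= end and net[-1] >= start:  # rule overlaps the pool range
                if mgmt_ifc is None:
                    findings.append((line, f"{proto} permits VPN pool {pool_name} "
                                     "but no management-access interface is set",
                                     "management-access <inside-interface>"))
                elif ifc != mgmt_ifc:
                    findings.append((line, f"{proto} permits VPN pool {pool_name} on "
                                     f"'{ifc}' but management-access is '{mgmt_ifc}'",
                                     f"{proto} {src} {mask} {mgmt_ifc}"))
                break
        if net.prefixlen == 0:
            findings.append((line, f"{proto} is open to any source on '{ifc}'",
                             f"{proto} <management-subnet> <mask> {ifc}"))
    return findings


if __name__ == "__main__":
    for cfg_line, problem, fix in lint_management_access(SAMPLE_CONFIG):
        print(f"{cfg_line}\n  problem: {problem}\n  suggest: {fix}")
```

On the sample the linter reports exactly the line the thread fixed, `http Remoteaccess 255.255.255.0 outside`, and suggests `http Remoteaccess 255.255.255.0 inside`; the `telnet Remoteaccess ... inside` entry passes, and the `ssh 0.0.0.0 0.0.0.0 inside` line is flagged only by the over-broad-source check.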
 

Author Comment

by:radiosupport
ID: 35058577
That worked great, thanks.

Expert Comment

by:Ernie Beek
ID: 35059586
Glad I could help.

And thanks for the points :)