Solved

ASDM Management from VPN

Posted on 2011-03-07
Last Modified: 2012-05-11
Hi, I'm unable to manage my ASA when VPN'd in. I have allowed management access for the IP pool that is given to VPN users. Anywhere else I need to look?
0
Comment
Question by:radiosupport
19 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
Did you enable management access on the inside?
And did you enable and allow http and or ssh from the ip pool?
0
 
LVL 3

Expert Comment

by:nickswanjan
You need to specify another interface as a management-access interface.

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/access_management.html#wp1064497
0
 

Author Comment

by:radiosupport
Management access is enabled on the inside and working OK. I also enabled HTTP and SSH from the VPN pool. So I still need to specify another interface?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Did you check the logging to see if anything shows up?
0
 

Author Comment

by:radiosupport
Looks like it's dropping the packet for some reason. I can't telnet to it either, I've just discovered. It responds to ping OK though.
0
 
LVL 35

Expert Comment

by:Ernie Beek
You enabled http for the ip pool from the outside, did you?

like http 1.2.3.0 255.255.255.0 outside
0
 

Author Comment

by:radiosupport
Hi, yes I did.
0
 

Author Comment

by:radiosupport
It doesn't work if you state inside OR outside.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Could you post a sanitized config? Let's see if we are overlooking something.
0
 

Author Comment

by:radiosupport
------------------ show running-config ------------------

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name COMPANY-radio.local
enable password <removed>
names
name 1.1.1.1
name 1.1.1.87
name 10.92.183.0
name 2.2.2.0
name 1.1.1.244
name 4.4.4.0
name 3.3.3.0
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 1.1.1.3 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Outside
 nameif outside
 security-level 50
 ip address X.X.X.X 255.255.255.248
 ospf cost 10
!
interface Vlan3
 description WAP
 no forward interface Vlan1
 nameif WAP
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd <removed>
boot system disk0:/asa803-k8.bin
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAP
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name COMPANY-radio.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
 port-object eq lotusnotes
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 5900
 port-object eq 21552
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Prontonet tcp
 description Prontonet
 port-object range 50011 50046
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl_out extended permit tcp any any object-group DM_INLINE_TCP_1
access-list acl_out extended permit tcp any any eq 8099
access-list acl_out remark RadioMonitor
access-list acl_out extended permit tcp any any eq 2222
access-list acl_out remark RadioMonitor
access-list acl_out extended permit tcp any any eq 8100
access-list acl_out remark Prontonet
access-list acl_out extended permit tcp any any eq 52000
access-list acl_out remark Prontonet
access-list acl_out extended permit tcp any any eq 52001
access-list acl_out extended permit tcp any any eq 8000 inactive
access-list acl_out extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 1.1.1.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark London
access-list OriginalSol_splitTunnelAcl standard permit SITE2 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark SITE3
access-list OriginalSol_splitTunnelAcl standard permit SITE1 255.255.255.0
access-list global_mpc extended permit tcp any any eq pptp
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_nat0_outbound extended permit ip SITE2 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 SITE2 255.255.255.0
access-list inside_nat0_outbound extended permit ip SITE1 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 SITE1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 SITE3 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Remoteaccess 255.255.255.128
access-list outside_dyn_map extended permit ip 1.1.1.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_access_in_1 remark Send SMTP
access-list inside_access_in_1 extended permit tcp host OfficeServer any eq smtp
access-list inside_access_in_1 remark Block all other SMTP
access-list inside_access_in_1 extended deny tcp any any eq smtp
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended deny ip any any inactive
access-list inside_access_in_1 extended permit ip any SITE2 255.255.255.0
access-list inside_access_in_1 extended permit ip SITE2 255.255.255.0 any
access-list waptoInside extended permit ip any any
access-list WAP_access_in extended permit ip any any
access-list WAPtoInside extended permit ip any any
access-list outside_1_cryptomap extended permit ip 1.1.1.0 255.255.255.0 SITE3 255.255.255.0
access-list VPN-Networks extended permit ip any 1.1.1.0 255.255.255.0
access-list VPN-Networks extended permit ip any SITE2 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WAP 1500
ip local pool ippool2 2.2.2.1-2.2.2.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
access-group WAPtoInside in interface WAP
route outside 0.0.0.0 0.0.0.0 62.6.250.89 1
route inside SITE1 255.255.255.0 1.1.1.254 1
route inside SITE2 255.255.255.0 1.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http Remoteaccess 255.255.255.0 outside
http 1.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 match address outside_dyn_map
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 213.83.125.87
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
    df70fb44 81c5c720 f538604e 8ab43cb3
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 1.1.1.0 255.255.255.0 inside
telnet Remoteaccess 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.254 WAP
dhcpd dns 208.67.222.222 208.67.222.220 interface WAP
dhcpd enable WAP
!

threat-detection basic-threat
threat-detection statistics
ntp server 1.1.1.11 source inside
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
 pfs enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool2
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
group-policy COMPANY-Radio internal
group-policy COMPANY-Radio attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec webvpn
 default-domain value COMPANY-radio.local
group-policy Coast internal
group-policy Coast attributes
 wins-server value 1.1.1.1
 dns-server value 1.1.1.1
 vpn-tunnel-protocol IPSec svc
 
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ftp
!
service-policy global_policy global
smtp-server 1.1.1.1
prompt hostname context
Cryptochecksum:bfb70ce8cbf510ddccd6e491e5c38c8d
: end

0
 
LVL 35

Expert Comment

by:Ernie Beek
First thing I noticed: you're using the name Remoteaccess but I can't see it defined anywhere.
0
 

Author Comment

by:radiosupport
Sorry, I was slightly trigger-happy. Defined at the top with this:

name 2.2.2.0 RemoteAccess
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok.

You said: Looks like it's dropping the packet for some reason

Could you show some of those log entries, I would like to know the exact reason.
0
 

Author Comment

by:radiosupport
Sorry, I had to leave the office. Will try this when I get home tonight and report back. Thanks for the help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
No problem, I'll be waiting.
0
 

Author Comment

by:radiosupport
Managed to get this; RemoteAccess's true IP pool is 10.9.64.0. 10.9.62.3 is the inside interface of the ASA. vpn.user is the name of the user VPN'd in.

%ASA-6-302013: Built inbound TCP connection 16933 for outside:10.9.64.1/53150 (10.9.64.1/53150) to NP Identity Ifc:10.9.62.3/443 (10.9.62.3/443) (vpn.user)
%ASA-6-302014: Teardown TCP connection 16933 for outside:10.9.64.1/53150 to NP Identity Ifc:10.9.62.3/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (vpn.user)
0
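The two syslog lines above are the tell-tale symptom: a to-the-box session on the ASA's own address (NP Identity Ifc) torn down at 0 bytes by TCP Intercept. The following detector is an added example, not code from the thread; it parses 302014 teardown messages and flags management-port sessions that match that pattern. The sample log is constructed from the lines posted here plus one healthy session for contrast.

```python
import re

# Constructed sample: the two lines from the thread plus a normal, completed session.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 16933 for outside:10.9.64.1/53150 (10.9.64.1/53150) to NP Identity Ifc:10.9.62.3/443 (10.9.62.3/443) (vpn.user)
%ASA-6-302014: Teardown TCP connection 16933 for outside:10.9.64.1/53150 to NP Identity Ifc:10.9.62.3/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (vpn.user)
%ASA-6-302014: Teardown TCP connection 16940 for outside:10.9.64.1/53160 to NP Identity Ifc:10.9.62.3/443 duration 0:02:11 bytes 48210 TCP FINs (vpn.user)
"""

# Fields of a %ASA-6-302014 teardown for a to-the-box (NP Identity Ifc) flow.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<iface>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to NP Identity Ifc:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+?)"
    r"(?: \((?P<user>[^)]+)\))?$"
)

# To-the-box ports governed by the ASA's http / ssh / telnet allow rules.
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "http"}


def find_rejected_mgmt_sessions(log_text):
    """Return one dict per management session the ASA tore down immediately
    (0 bytes, 'TCP Intercept'), the pattern seen in this thread when the http
    rule named the wrong interface for the VPN pool."""
    hits = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        dport, nbytes = int(m["dport"]), int(m["bytes"])
        if dport in MGMT_PORTS and nbytes == 0 and "TCP Intercept" in m["reason"]:
            service = MGMT_PORTS[dport]
            hits.append({
                "conn": int(m["conn"]),
                "ingress": m["iface"],       # tunnel terminates here (outside)
                "src": m["src"],             # VPN client address from the pool
                "dst": m["dst"],             # ASA interface address being managed
                "service": service,
                "user": m["user"],
                "hint": f"check '{service} <pool> <mask> <management-access interface>'",
            })
    return hits


if __name__ == "__main__":
    for hit in find_rejected_mgmt_sessions(SAMPLE_LOG):
        print(hit)
```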
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 500 total points)
Oh, one thing I asked before but you didn't respond to.

It should be: http Remoteaccess 255.255.255.0 inside

Let's see what shows up (in the logs) then.
0
 

Author Comment

by:radiosupport
That worked great, thanks.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Glad I could help.

And thanks for the points :)
0
