Cisco ASA 5505 remote management

Posted on 2011-10-23
Last Modified: 2012-05-12
Hi everyone,

I want to access my Cisco ASA 5505 remotely from the internet. So just administer the device without having the need to connect to a server on premises and then access the cisco with the address for example. I want to use for example where is the public IP of the customer.

I have found this guide but I think this is the set-up vpn on the cisco?
I would also like to use the GUI for this to see which commands are linked to it and learn both.

Thanks in advance!!
Question by:Silencer001
    LVL 34

    Assisted Solution

    by:Istvan Kalmar

    you do not need vpn, you need to enable ssh, and http :

    http outside
    ssh outside

    you need to create domain:

    you need to create key:
    crypto key generate rsa
    you need to enable ASDM:
    http server enable 20000
    asdm image disk0:/asdm-631.bin

    dir flash tells which asdm is installed

    you need to configure aaa:

    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa local authentication attempts max-fail 3
    LVL 17

    Assisted Solution

    Also, you may want to restrict the admin access to certain IPs ... allowing the whole internet to get into your ASA's SSH and ASDM ports might not be the best idea ...  (that's the http/ssh lines with the above)
    LVL 57

    Accepted Solution

    LVL 5

    Assisted Solution

    Most secure way to do it is via VPN.  Have the ASA assign a specific IP to your VPN username when you connect and only allow SSH/Telnet/ASDM from that specific IP.

    As Garry-G pointed out... allowing every IP access to the SSH/Telnet/ASDM ports is a bad idea.  Considering all ASAs come with 2 AnyConnect Premium licenses, there is no reason not to set up VPN and telnet/ssh through that.

    Author Comment

    Ahhh ok now I see. So I use my web browser to connect to the Cisco ASA and gain VPN access (DHCP assigns myself a fixed IP and management is allowed from this IP-address).

    But then when I am inside of the network, I also need to have this IP address to have access to the router? I don't have a management PC so I use my own laptop or rdp to a server and gain access from there...

    Is it secure to just allow access internally for the whole range?
    LVL 17

    Expert Comment

    Guess that depends on how much you trust your coworkers ;) You still have a protected SSL connection to the admin interface, with username/password, so it's not like everybody can just connect to the firewall and mess it up ... plus, with physical access, a specific IP address isn't really that much protection either ...
    LVL 34

    Assisted Solution

    by:Istvan Kalmar
    here is what you need:

    Configuring Management Access Over a VPN Tunnel

    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.

    To specify an interface as a management-only interface, enter the following command:

    hostname(config)# management access management_interface

    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.

    You can define only one management-access interface.
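    Added example (not from any post above): an ASA configuration fragment showing the open-to-the-internet management lines beside the restricted form, and the VPN-based variant the accepted answer describes, where the admin user gets a fixed tunnel address and inside management is permitted only from it. The addresses, pool name and username are constructed; the tunnel-group/group-policy setup for the VPN itself, and the aaa lines already shown above, are assumed to be in place. Note the command is spelled management-access, with a hyphen.

```cisco
! --- Weak: ASDM and SSH reachable from any source on the outside interface
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside

! --- Restricted: only one known admin address may reach ASDM/SSH from outside
! (203.0.113.10 is a constructed example address)
no http 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
http server enable 20000
http 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.10 255.255.255.255 outside
ssh version 2
ssh timeout 10
! Telnet is cleartext: permit it nowhere on the outside interface

! --- VPN-based management (what the accepted answer recommends)
! Address pool handed to remote-access VPN clients (constructed range)
ip local pool VPN_POOL 192.168.50.20-192.168.50.50 mask 255.255.255.0
! Local admin user; always assigned the same tunnel address on connect
username admin password <set-a-strong-password> privilege 15
username admin attributes
 vpn-framed-ip-address 192.168.50.10 255.255.255.0
! Let a tunnel that terminates on outside reach the inside interface for management
management-access inside
! Management on inside only from the admin's fixed VPN address
http 192.168.50.10 255.255.255.255 inside
ssh 192.168.50.10 255.255.255.255 inside
! If the whole LAN is to be allowed instead (the later question in this thread),
! widen the mask, e.g. "ssh 192.168.1.0 255.255.255.0 inside"; the SSL/SSH login
! still applies, but every LAN host can then reach the management ports.
```

Verify the result with "show running-config http" and "show running-config ssh": neither should list a 0.0.0.0 0.0.0.0 entry on the outside interface.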
