
Cisco ASA 5505 remote management

Hi everyone,

I want to access my Cisco ASA 5505 remotely from the internet, i.e. administer the device without needing to connect to a server on premises and then access the Cisco at 192.168.2.1, for example. I want to use 99.99.99.99:20000, for example, where 99.99.99.99 is the public IP of the customer.

I have found this guide http://www.techrepublic.com/blog/networking/eight-easy-steps-to-cisco-asa-remote-access-setup/1201 but I think this is for setting up VPN on the Cisco?
I would also like to use the GUI for this to see which commands are linked to it and learn both.

Thanks in advance!!
Asked by Silencer001
Istvan Kalmar commented:
Hi,

You don't need VPN; you need to enable SSH and HTTP:

http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside

You need to create a domain:
 domain-name example.com

You need to create a key:
crypto key generate rsa
You need to enable ASDM:
http server enable 20000
asdm image disk0:/asdm-631.bin

dir flash tells which ASDM is installed

You need to configure AAA:

aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 3
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
Also, you may want to restrict the admin access to certain IPs ... allowing the whole internet to get into your ASA's SSH and ASDM ports might not be the best idea ... (that's the http/ssh lines with the 0.0.0.0 above)
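As an added illustration (not code from any poster in this thread), a small Python check that reads ASA running-config text and flags the kind of wide-open http/ssh lines discussed above, plus protocols that have an access line but no matching "aaa authentication ... console" line. The config fragment is constructed for the example; the function names are mine.

```python
import ipaddress
import re

# Constructed sample of an ASA running-config fragment, modelled on the
# lines posted in this thread (not a real device's configuration).
SAMPLE_CONFIG = """\
http server enable 20000
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.0 inside
telnet 203.0.113.10 255.255.255.255 outside
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
"""

# Matches "<proto> <ipv4> <mask> <interface>" management-access lines only
# (IPv6 forms and "http server enable ..." deliberately do not match).
ACCESS_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def audit_mgmt_access(config: str, untrusted_ifaces=("outside",)):
    """Return (line, reason) findings for management-access lines that are
    open to every source, or broader than a /24 on an untrusted interface."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        try:
            net = ipaddress.IPv4Network((addr, mask), strict=False)
        except ValueError:
            findings.append((line, "invalid address or mask"))
            continue
        if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 = the whole internet
            findings.append((line, f"{proto} open to every source on {iface}"))
        elif iface in untrusted_ifaces and net.prefixlen < 24:
            findings.append((line, f"{proto} from {net} on {iface} is broader than a /24"))
        if proto == "telnet" and iface in untrusted_ifaces:
            findings.append((line, "telnet is cleartext; prefer ssh on untrusted interfaces"))
    return findings


def missing_aaa(config: str):
    """Protocols with an access line but no 'aaa authentication <proto> console'."""
    lines = [l.strip() for l in config.splitlines()]
    used = {m.group(1) for l in lines if (m := ACCESS_RE.match(l))}
    authed = {l.split()[2] for l in lines
              if l.startswith("aaa authentication ") and "console" in l}
    return sorted(used - authed)
```

Run it against the output of "show running-config" and review each finding; the sample above yields three findings and reports telnet as lacking an AAA line.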
 
tomago commented:
The most secure way to do it is via VPN. Have the ASA assign a specific IP to your VPN username when you connect and only allow SSH/Telnet/ASDM from that specific IP.

As Garry-G pointed out, allowing every IP access to the SSH/Telnet/ASDM ports is a bad idea. Considering all ASAs come with 2 AnyConnect Premium licenses, there is no reason not to set up VPN and telnet/ssh through that.
 
Silencer001 (Author) commented:
Ahhh ok, now I see. So I use my web browser to connect to the Cisco ASA and gain VPN access (DHCP assigns me a fixed IP and management is allowed from this IP address).

But then when I am inside the network, do I also need to have this IP address to have access to the router? I don't have a management PC, so I use my own laptop or RDP to a server and gain access from there...

Is it secure to just allow access internally for the whole range?
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
Guess that depends on how much you trust your coworkers ;) You still have a protected SSL connection to the admin interface, with username/password, so it's not like everybody can just connect to the firewall and mess it up ... plus, with physical access, a specific IP address isn't really that much protection either ...
 
Istvan Kalmar commented:
Here is what you need:

Configuring Management Access Over a VPN Tunnel

If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.

To specify an interface as a management-only interface, enter the following command:

hostname(config)# management-access management_interface

where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.

You can define only one management-access interface.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html
