Solved

Remote ASDM access on Cisco ASA 5505

Posted on 2012-03-17
14
825 Views
Last Modified: 2012-06-27
I have a Cisco ASA 5505 firewall on which I have setup a remote access VPN.   I would like to be able to access and configure the firewall while conencted over the remote access vpn.   I have set the management interface to inside and I have added the external IP range to the list of allowed IP addresses.

I have two other VPN's setup and I have set them up the same way and I have no problem accessing them over the VPN.  I even tried resetting the firewall to factory defaults and rebuilding with the same results
0
Comment
Question by:qvfps
  • 6
  • 5
  • 2
  • +1
14 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 37734212
Have you tried the below.

ciscoasa# config terminal
ciscoasa(config)# management-access inside
ciscoasa(config)# end

If you tried, or still does not work, Please post sanitized config.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37734971
Is anything showing in the logs when you try to connect?
And, like Iruiz52 said, could you post a sanitized config?
0
 
LVL 76

Expert Comment

by:arnold
ID: 37735009
http://www.pyeung.com/pages/cisco/cisco-asa-vpn-asdm.html
The issue likely is that the router is preventing the inter/intra interface such that the VPN connected system attempt to access the Asa prevents the access.
same-security-traffic permit inter-interface which should allow VPN connection traffic to then comeback via the inside interface.

Ther are other options to allow remote management.
0
 

Author Comment

by:qvfps
ID: 37736370
Below is a sanatized config.  I can connect to the VPN and access computers on the network with no problem.   After I have connected to the VPN I have checked my IP address and it is in the 192.168.2.xxx range.   When I try and use a web browser to access the ASDM i just get a page not found error.  If I conncet to a computer on the network I can then open a web browser and goto the same address with no problem.

: Saved
:
ASA Version 8.4(2)8
!
hostname My-FW
domain-name MyCo.com
enable password adsfjasldfjasldfj
passwd aldsfjasldfjaslfj encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AAA.AAA.AAA.BBB 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name MyCo.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.0.0_18
 subnet 192.168.0.0 255.255.192.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool IPPool1 192.168.2.100-192.168.2.165 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_18 NETWORK_OBJ_192.168.0.0_18
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN1 internal
group-policy VPN1 attributes
 dns-server value 192.168.5.12 8.8.8.8
 vpn-tunnel-protocol ikev1
 default-domain value MyCo.com
username user1 password adsfasdfasfsadfads encrypted privilege 0
username user1 attributes
 vpn-group-policy VPN1
tunnel-group VPN1 type remote-access
tunnel-group VPN1 general-attributes
 address-pool IPPool1
 default-group-policy VPN1
tunnel-group VPN1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:asfq345wfsdgfq4rfsdgfdsfg
: end
no asdm history enable
0
 
LVL 76

Expert Comment

by:arnold
ID: 37737615
Add the same security entry and that should resolve the issue. Traffic coming over a VPN to the inside interface is being denied the return path back into the inside interface and to the ASDM.
0
 

Author Comment

by:qvfps
ID: 37750399
I tried adding same-security-traffic permit inter-interface to the config but I still cannot manage the firewall from the remote access VPN.   I have two others configured and neither one permits same security traffic.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37750538
Do all use the gateway ip as the management ip or do some have a separate ip as the management ip?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:qvfps
ID: 37750546
they all use the internal interface as the managment IP.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37750571
Do the others use certificates for ASDM while this one does not?
0
 

Accepted Solution

by:
qvfps earned 0 total points
ID: 37750820
All three are setup the same with no certificates.  

I resolved the issue tonight.  The NAT command for the VPN was missing "no-proxy-arp route-lookup"  

All three ASAs are running the same version of the software but even though I reset this one to factory defaults and rebuilt it three times the same way I setup the others it left off the above.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37751314
Ok, good to hear. So you're fine now? Or is there anything else we can help with?
0
 

Author Comment

by:qvfps
ID: 37752076
Im find on this. Thanks for the suggestions.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37752478
Select your own response (http:#a37750820) as the solution to close this question.
0
 

Author Closing Comment

by:qvfps
ID: 37770423
The problem was with the nat command and I found it by comparing a working VPN connection with this one
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now