Cisco ASA and ADSM

I was trying to access one of my ASAs from the internal network via the browser and I got the download ADSM software gui interface. Now when I tried to access another ASA with its public IP address from my home, I could not get  that download ADSM software download GUI interface. How do I fix that? Thanks
biggynetAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
pony10usConnect With a Mentor Commented:
0
 
biggynetAuthor Commented:
it shows examples of letting internal users from assessing the ASA (http 192.168.3.0 255.255.255.0 inside). How about letting external users to access the ASA with ASDM?
0
 
rauenpcConnect With a Mentor Commented:
You could let external users access the ASA via ASDM from the outside with

http 0.0.0.0 0.0.0.0 outside

However, I wouldn't suggest it. At the least change the port number the ASDM uses to something else. The best method would be to have external users access the ASDM via VPN that way things are at least secured.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
pony10usConnect With a Mentor Commented:
Absoulutely agree with rauenpc on that one.

Giving external access to ASDM is a bad idea.  We use a VPN and once "inside" we can then use ASDM or Putty or ... to access our equipment but not from the outside.
0
 
biggynetAuthor Commented:
I see so I have to setup a vpn, then once I am in the network, I can use ASDM. I was hoping access the ASA remotely with ASDM to get the gui so that it is easy to make modification.

I am new to all this. But before I google around, is there a simple tutorial to setup like a ssl vpn in the ASA? Thank you.
0
 
rauenpcConnect With a Mentor Commented:
Example

! standard access list tells the clients which destination subnets should go across the tunnel
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0

ip local pool VPNCLIENTPOOL 192.168.254.1-192.168.254.50 mask 255.255.255.0

nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

webvpn
port 4443
enable outside
dtls port 4443
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
anyconnect enable
tunnel-group-list enable

group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
default-domain value company.com

tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!

Assumptions from above:

Your only inside network is 10.1.1.0/24. Modify the splittunnelacl as needed
The IP's being handed out to the client is 192.168.254.1-192.168.254.50 and shouldn't overlap with any other existing subnet in your network.
The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
To enable both ASDM and anyconnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA
The anyconnect images should reflect the actual files you have loaded on your ASA.
No authentication server is defined so by default it will use local authentication. It is up to you to decide if that's ok or to use another method such as RADIUS or LDAP.
If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!




http://www.petenetlive.com/KB/Article/0000069.htm

http://www.petenetlive.com/KB/Article/0000066.htm
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.