Solved

Cisco ASA and ASDM

Posted on 2013-01-31
Last Modified: 2013-02-15
I was trying to access one of my ASAs from the internal network via the browser and I got the "download ASDM software" GUI page. But when I tried to access another ASA by its public IP address from home, I could not get that "download ASDM software" GUI page. How do I fix that? Thanks
Question by:biggynet

6 Comments
 
Accepted Solution

by: pony10us (earned 1000 total points)
ID: 38841549
Author Comment

by:biggynet
ID: 38841576
It shows examples of letting internal users access the ASA (http 192.168.3.0 255.255.255.0 inside). How about letting external users access the ASA with ASDM?

Assisted Solution

by: rauenpc (earned 1000 total points)
ID: 38841630
You could let external users access the ASA via ASDM from the outside with

http 0.0.0.0 0.0.0.0 outside

However, I wouldn't suggest it. At the least, change the port number ASDM uses to something else. The best method would be to have external users access ASDM via VPN; that way things are at least secured.

Assisted Solution

by: pony10us (earned 1000 total points)
ID: 38841661
Absolutely agree with rauenpc on that one.

Giving external access to ASDM is a bad idea. We use a VPN, and once "inside" we can then use ASDM or PuTTY or ... to access our equipment, but not from the outside.

Author Comment

by:biggynet
ID: 38842019
I see, so I have to set up a VPN, and then once I am in the network I can use ASDM. I was hoping to access the ASA remotely with ASDM to get the GUI so that it is easy to make modifications.

I am new to all this. But before I google around, is there a simple tutorial to set up something like an SSL VPN on the ASA? Thank you.

Assisted Solution

by: rauenpc (earned 1000 total points)
ID: 38842058
Example

! Standard access list: tells the clients which destination subnets should go across the tunnel (split tunnelling)
access-list VPNCLIENTSPLITTUNNEL standard permit 10.1.1.0 255.255.255.0

! Address pool handed out to VPN clients; must not overlap any existing subnet
ip local pool VPNCLIENTPOOL 192.168.254.1-192.168.254.50 mask 255.255.255.0

! NAT exemption (identity NAT) so traffic between the inside subnets and the VPN clients is not translated;
! SUBNETS-INTERNAL and SUBNET-VPNCLIENT are object groups defined elsewhere in the config
nat (inside,outside) source static SUBNETS-INTERNAL SUBNETS-INTERNAL destination static SUBNET-VPNCLIENT SUBNET-VPNCLIENT
!
! IKEv1 (legacy IPsec client) on the outside interface
crypto isakmp identity address
crypto ikev1 enable outside

! Preferred IKEv1 phase-1 policy (AES-256)
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

! Lowest-priority fallback policy for clients that cannot do AES
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

! SSL VPN / AnyConnect listener; the port must differ from the one ASDM uses
webvpn
port 4443
enable outside
dtls port 4443
! Client packages: these must match the files actually present on the ASA's flash
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 4
anyconnect enable
! Lets the user choose the connection profile (tunnel-group) in the client
tunnel-group-list enable

! Group policy: DNS, idle timeout, permitted tunnel protocols and split tunnelling
group-policy VPNCLIENTGP internal
group-policy VPNCLIENTGP attributes
dns-server value x.x.x.x
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENTSPLITTUNNEL
default-domain value company.com

! Connection profile (tunnel-group) tying the address pool and the group policy together
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNCLIENTPOOL
default-group-policy VPNCLIENTGP

tunnel-group VPNCLIENT webvpn-attributes
group-alias "group alias" enable

! Pre-shared key for the IKEv1 client; not needed for an SSL-only deployment
tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!

Assumptions from above:

Your only inside network is 10.1.1.0/24. Modify the split-tunnel ACL as needed.
The IPs being handed out to the clients are 192.168.254.1-192.168.254.50 and shouldn't overlap with any other existing subnet in your network.
The object groups "SUBNETS-INTERNAL" and "SUBNET-VPNCLIENT" are defined and include the appropriate subnets.
To enable both ASDM and AnyConnect, they cannot use the same port number. ASDM will now require https://[ip_address]:8443 to access the ASA.
The AnyConnect images should reflect the actual files you have loaded on your ASA.
No authentication server is defined, so by default it will use local authentication. It is up to you to decide if that's OK or to use another method such as RADIUS or LDAP.
If you ONLY want users to connect via SSL, you don't need:
group-policy VPNCLIENTGP attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

tunnel-group VPNCLIENT ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!




http://www.petenetlive.com/KB/Article/0000069.htm

http://www.petenetlive.com/KB/Article/0000066.htm
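Both points the thread makes, that `http 0.0.0.0 0.0.0.0 outside` opens ASDM to the whole Internet and that the ASDM listener and the AnyConnect `webvpn` port should not be the same, can be checked mechanically before a config is pushed. The script below is an added example written for this page, not code from the thread or from Cisco. It parses an ASA running-config excerpt (real indented output or a flat paste like the one above), collects the `http <source> <mask> <interface>` grants and the two listener ports, and reports findings. The two config excerpts are constructed for the example; the function names, the default of TCP 443 for both listeners when no port is given, and the choice of `outside` as the untrusted interface are assumptions of the example.

```python
"""Audit an ASA running-config excerpt for ASDM exposure.

Added example for this page (not code from the thread or from Cisco).
Assumptions: 'outside' is the untrusted interface; 'http server enable'
and 'webvpn ... port' both default to TCP 443 when no port is given.
"""
import ipaddress
import re

# Constructed excerpt (not a real device): the inside-only grant from the
# question next to the world-open grant the answer warns against.
OPEN_CONFIG = """\
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
webvpn
 port 4443
 enable outside
"""

# Constructed hardened excerpt: ASDM on 8443, AnyConnect on 443, and ASDM
# reachable only from the inside LAN and from the VPN client pool
# (192.168.254.0/24, the pool used in the answer's example config).
HARDENED_CONFIG = """\
http server enable 8443
http 192.168.3.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
webvpn
 port 443
 enable outside
"""

# "http <source-ip> <mask> <interface>": who may open ASDM, on which interface.
HTTP_ACCESS_RE = re.compile(
    r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
# "http server enable [port]": the ASDM/HTTPS listener, port 443 if omitted.
HTTP_SERVER_RE = re.compile(r"^http\s+server\s+enable(?:\s+(\d+))?\s*$")
# "port <n>" inside the webvpn block (indented in real output, flat in a paste).
WEBVPN_PORT_RE = re.compile(r"^\s*port\s+(\d+)\s*$")
# Top-level keywords that end a webvpn block when the paste is not indented.
TOP_LEVEL = {"http", "ssh", "crypto", "group-policy", "tunnel-group",
             "access-list", "nat", "ip", "interface", "object", "!"}


def parse_management_config(text):
    """Return ASDM grants [(IPv4Network, interface)] and both listener ports."""
    grants = []
    asdm_port = None      # stays None if "http server enable" is absent
    webvpn_port = 443     # AnyConnect/SSL VPN default
    in_webvpn = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        first = line.split()[0]
        if in_webvpn and not line.startswith(" ") and first in TOP_LEVEL:
            in_webvpn = False           # left the webvpn block
        if in_webvpn:
            m = WEBVPN_PORT_RE.match(line)
            if m:
                webvpn_port = int(m.group(1))
            continue
        if line.strip() == "webvpn":
            in_webvpn = True
            continue
        m = HTTP_SERVER_RE.match(line)
        if m:
            asdm_port = int(m.group(1) or 443)
            continue
        m = HTTP_ACCESS_RE.match(line)
        if m:
            net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
            grants.append((net, m.group(3)))
    return {"grants": grants, "asdm_port": asdm_port, "webvpn_port": webvpn_port}


def audit(text, untrusted_interfaces=("outside",)):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_management_config(text)
    findings = []
    if cfg["asdm_port"] is None:
        return findings                 # HTTPS server is off: no ASDM exposure
    for net, iface in cfg["grants"]:
        if iface not in untrusted_interfaces:
            continue
        if net.prefixlen == 0:
            findings.append(
                f"ASDM open to the entire Internet on '{iface}' "
                f"(http {net.network_address} {net.netmask} {iface})")
        else:
            findings.append(
                f"ASDM reachable from {net} on '{iface}'; "
                f"prefer VPN-only management")
    if cfg["asdm_port"] == cfg["webvpn_port"]:
        findings.append(
            f"ASDM and AnyConnect are both configured for TCP {cfg['asdm_port']}; "
            f"the thread's advice is to put them on different ports")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("OPEN_CONFIG", OPEN_CONFIG),
                           ("HARDENED_CONFIG", HARDENED_CONFIG)):
        print(name, audit(cfg_text) or ["no findings"])
```

The hardened excerpt does what the answers recommend: ASDM is moved to 8443 as the note under the example config describes, AnyConnect keeps 443 on the outside interface, and the only ASDM grants are the inside LAN and the VPN client pool on the inside interface, so an administrator at home first connects the VPN and then opens ASDM. On a real ASA, reaching the inside interface over the tunnel also needs the `management-access inside` command, which the thread does not show.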