Solved

Cisco ASA 5510

Posted on 2014-02-13
881 Views
Last Modified: 2014-02-20
Hi -

I'm running ASA 9.1(4) ASDM 7.1(5)100 and I'm looking to allow pings from trusted.panorama9.com to my external interfaces.

Also, I have an MPLS network and my other sites cannot ping the Cisco ASAs at other locations.  How do I allow access to login and ping?

ex. network a - 10.100.0.0/22 can't get to the ASA on network b - 10.101.0.0/22
Question by:emeka57
5 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39858897
The first thing you need to do to allow pings to be allowed from "trusted.panorama9.com" is to modify the ACL that is tied to your external interface. Follow the steps below to accomplish this.

1. Login to the ASA
2. Click on the "Configuration" tab located at the top of ASDM
3. Click on "Firewall" located on the left hand side of the screen
4. Ensure that "Access Rules" is highlighted towards the top left hand side of your screen.
5. In the middle of your screen highlight the "Outside" interface
6. Click on the "Add" button towards the top of your screen.
7. This will open a new window. You will want to configure the settings below.
8. In the Interface drop down menu select "Outside"
9. In Action select "Permit"
10. In the Source: drop down menu you can do 1 of 2 things. You can select "Any" which will allow any IP address to ping the external IP address. Or you can select "trusted.panorama9.com" to allow only this IP address to ping your external IP address. I am going to assume you only want to allow this website/IP address to ping your external Interface on the ASA so follow the steps below. If you do not care and want to allow "Any" then skip to step 21.
11. Click on the button "...." next to Source
12. Click on the "Add" button and select "Network Object Group"
13. In the Group Name field type in the name and description of your choice.
14. Towards the lower left hand part of your screen select the bubble for "Create New Network Object Member"
15. In the name type in a name of your choice
16. In the "Type" drop down menu select "Host"
17. In IP Version select "IPv4"
18. In the IP Address field type in the following IP addresses. Since this website resolves to several different IP addresses you will need to repeat steps 15-19 to complete this task:
176.34.92.107
23.22.231.73
23.23.19.242
46.137.29.174
46.137.35.158
46.137.39.245
46.137.57.132
54.217.22.204
54.228.38.235
54.242.90.133
54.247.1.8
79.125.105.180
19. Click on the "Add" button
20. Click "OK"
21. In the "Destination" field click on the button "...."
22. Scroll down and double click "Outside" found underneath Interfaces
23. Click "OK"
24. In the "Service" field click on the button "....."
25. Double click on "icmp"
26. Click "OK"
27. Click "OK"
28. Click on "Apply" to apply the configuration to your ASA
29. Test out the configuration to ensure this website is able to ping your ASA's external IP address.
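For reference, here is the CLI form of the ASDM steps in the answer above. This is an added example, not configuration from the original post. The object-group and ACL names (PANORAMA9_MONITORS, OUTSIDE_IN) and the interface name `outside` are assumptions; the host addresses are the ones listed in the answer. The `icmp` lines are an addition as well: on the ASA, ICMP addressed to an interface's own address is governed by the per-interface `icmp` rules (ASDM: Configuration > Device Management > Management Access > ICMP), and once any `icmp` rule exists on an interface, ICMP to that interface which matches no rule is dropped, so the policy is ended with an explicit deny.

```cisco
! Added example (not from the original post): CLI form of the ASDM steps.
! Names PANORAMA9_MONITORS and OUTSIDE_IN are assumed; "outside" is assumed
! to be the name of the external interface.
object-group network PANORAMA9_MONITORS
 description Monitoring hosts for trusted.panorama9.com (addresses from the answer)
 network-object host 176.34.92.107
 network-object host 23.22.231.73
 network-object host 23.23.19.242
 network-object host 46.137.29.174
 network-object host 46.137.35.158
 network-object host 46.137.39.245
 network-object host 46.137.57.132
 network-object host 54.217.22.204
 network-object host 54.228.38.235
 network-object host 54.242.90.133
 network-object host 54.247.1.8
 network-object host 79.125.105.180
!
! Access rule on the outside interface: echo requests from the group to the
! outside interface address only. Everything else on the outside ACL keeps the
! implicit deny. If an ACL is already bound to "outside", add the permit line
! to that ACL instead of binding a new one (access-group replaces the binding).
access-list OUTSIDE_IN extended permit icmp object-group PANORAMA9_MONITORS interface outside echo
access-group OUTSIDE_IN in interface outside
!
! Per-interface ICMP rules for traffic addressed to the ASA itself: one permit
! per monitoring host, then an explicit deny so the policy is visible in the
! running config.
icmp permit host 176.34.92.107 echo outside
icmp permit host 23.22.231.73 echo outside
! ... repeat for each remaining host in the group ...
icmp deny any outside
!
! Verification: hit counts on the access rule, and the active icmp rules.
show access-list OUTSIDE_IN
show running-config icmp
```

Keeping the permitted sources to the listed monitoring hosts, rather than "Any", means the outside interface stays silent to everyone else, which is the usual preference for an Internet-facing address; the hit counters in `show access-list` are the quickest way to confirm the monitoring service's pings are actually matching the rule.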
 
LVL 9

Accepted Solution

by: BigPapaGotti (earned 2000 total points)
ID: 39858945
The second issue is that the other sites are unable to connect to the ASA to login. There are a couple of things off the top of my head that could be causing this issue. One is a routing issue and second this could be a configuration issue where only certain IP addresses are allowed to connect to the ASA for management. See below.

Check for a routing issue.

1. Login to the ASA via ASDM
2. Click on "Configuration" located at the top of the screen.
3. Click on "Routing"
4. Click on "Static Routes" (assuming you do NOT have a dynamic routing protocol configured).
5. You will want to try to find an entry for IP Address - "10.101.0.0" with subnet mask "255.255.252.0". If you do not have an entry for this then that would be a good reason why your network is not able to communicate with the ASA, since it would not have a route back to this network.
6. If you do not have a route for this then you will need to create one. To create one follow the steps below.
7. Click on "Add"
8. In "IP Address Type:" select IPv4
9. In "Interface" select "Inside"
10. In "Network" click on the "...." button. This will open a new window
11. Click on the "Add" button
12. Type in a name of your choice
13. In "Type" change this to "Network"
14. In IP Address type in "10.101.0.0"
15. In Netmask type in "255.255.252.0"
16. Click "OK"
17. In Gateway IP Click on the "..." button
18. Click on the "Add" button
19. Type in a name of your choice
20. In "Type" leave this set as "Host"
21. In IP Address type in the IP address of the next hop towards this network.
22. In Netmask type in "255.255.252.0"
23. Leave FQDN blank.
24. Type in a description of your choice
25. Click "OK"
26. Click "OK"
27. Click "OK"
28. Click "Apply" to apply your changes.
29. Test

Next you will want to check that the ASA allows other subnets to configure the ASA. Follow the steps below.

1. Login to the ASA via ASDM
2. Click on "Configuration"
3. Click on "Device Management"
4. Click on "Management Access"
5. Click on "ASDM/HTTPS/Telnet/SSH"
6. Locate the entry for "ASDM/HTTPS" for the "Inside" Interface and make note of the "IP Address" and "Mask/Prefix Length" column
7. Depending on how this is setup you will need to either create a new entry or modify the existing entry to allow the subnets you want to be able to connect to ASDM.

A lot of this depends on your network topology and how things are setup. If you have any questions along the way feel free to ask. If possible attach a diagram of your network topology so I can get a better understanding of how things are setup if you need further assistance.
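The same two checks from the CLI, as an added example rather than configuration from the original post. The interface name `inside` is assumed, the remote network is the one used in the steps above (10.101.0.0/22), the management subnet is the one from the question (10.100.0.0/22), and NEXT_HOP_PLACEHOLDER stands for the MPLS next-hop address, which is not on the page.

```cisco
! Added example (not from the original post): CLI form of the routing and
! management-access checks. "inside" and the next hop are assumptions.
!
! 1. Does the ASA have a path back to the remote site? Look before adding.
show route | include 10.101
!
! Static route to the remote network via the MPLS next hop on the inside
! interface (skip if a dynamic routing protocol already provides it).
route inside 10.101.0.0 255.255.252.0 NEXT_HOP_PLACEHOLDER
!
! 2. Which subnets may manage the ASA? Check the current entries first.
show running-config http
show running-config ssh
!
! Allow ASDM/HTTPS and SSH from the remote site's subnet on the inside
! interface. Entries are per-subnet and per-interface; keep them scoped to
! the management networks rather than opening 0.0.0.0 0.0.0.0.
http server enable
http 10.100.0.0 255.255.252.0 inside
ssh 10.100.0.0 255.255.252.0 inside
ssh version 2
!
! ICMP to the inside interface address follows the per-interface icmp rules
! (default: permitted unless icmp rules exist on that interface). If rules are
! present, add the remote subnet explicitly.
icmp permit 10.100.0.0 255.255.252.0 echo inside
!
! Confirm the ASA now answers and logs the management session.
show route
show logging | include 10.100.
```

`show route | include 10.101` is worth running before adding the static route: if a route to the remote network is already learned from a dynamic protocol, a static entry takes precedence by default and may send the return traffic somewhere else. Restricting `http` and `ssh` to specific subnets is also what keeps the management plane reachable only from the sites that need it.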
 

Author Comment

by:emeka57
ID: 39859898
Is there any way to allow pings from trusted.panorama9.com rather than the specific IP addresses?  This would be helpful in case some IP addresses change.

Also, will ping work if the interface isn't the active/primary interface?  Is there a way to use both interface as primary?
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39860313
Yes this does appear to be possible. Follow the steps below:

1. Login to ASA via ASDM
2. Click on "Configuration"
3. Click on "Firewall"
4. Click on "Objects"
5. Click on "Network Objects/Groups"
6. Click on the "Add" button then click on "Address Object"
7. Type in the name of your choice
8. In the type drop down menu select "FQDN"
9. In FQDN type in "trusted.panorama9.com"
10. Type in the description of your choice.
11. Click "OK"
12. Click "Apply"

Next you need to update your ACL to use this new object.

1. Login to ASA via ASDM
2. Click on "Configuration"
3. Click on "Access Rules"
4. Find your Outside ACL and click on the "Edit" button
5. Change the source to reflect the address object you created in the steps above.
6. Apply the configuration and Save it
7. Test

I'm not sure I understand your question about the active/primary interface as well as using both interfaces as primary. Can you describe your setup so I can get a better understanding? Do you have two outside interfaces connected to two separate IP Addresses? Are you trying to load balance over them or something along those lines?
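The FQDN object from the steps above in CLI form, as an added example rather than configuration from the original post. The object and ACL names (PANORAMA9_FQDN, OUTSIDE_IN), the interface name `outside`, and the DNS server address 192.0.2.53 are assumptions. The ASA resolves an FQDN object itself, so DNS lookup on an interface and a name server must be configured first; the object then matches only the addresses that the ASA's own lookup returned and refreshes them when the record's TTL expires.

```cisco
! Added example (not from the original post): FQDN-based source object.
! Names, the "outside" interface and the DNS server 192.0.2.53 are assumptions.
!
! The ASA needs to resolve names before an FQDN object contains any address.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
object network PANORAMA9_FQDN
 description Resolved by the ASA from DNS; refreshed as the record's TTL expires
 fqdn v4 trusted.panorama9.com
!
! Replace the host-group source in the outside ACL with the FQDN object.
access-list OUTSIDE_IN extended permit icmp object PANORAMA9_FQDN interface outside echo
!
! Verification: which addresses the object currently holds, and whether the
! expanded ACL entries are seeing hits.
show dns-hosts
show access-list OUTSIDE_IN
```

The caveat a practitioner will want here: `show dns-hosts` shows exactly the address set the rule currently matches. If the monitoring service pings from more addresses than a single DNS answer returns, or from addresses that never appear in the record at all, those pings will still be dropped, so it is worth comparing the resolved list against the provider's published source addresses before retiring the static host group.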
 

Author Comment

by:emeka57
ID: 39873391
Thanks.

I have 2 ISPs connected to the ASA.  The primary (which is pingable when it's active) and the second (unpingable when inactive).  Is there a way to make the secondary pingable when it's inactive?

Alternatively, how do I make both active?  This will also be helpful in the event that one circuit fails.