Solved

Cisco ASA 5510

Posted on 2014-02-13
Last Modified: 2014-02-20
Hi -

I'm running ASA 9.1(4) ASDM 7.1(5)100 and I'm looking to allow pings from trusted.panorama9.com to my external interfaces.

Also, I have an MPLS network and my other sites cannot ping the Cisco ASAs at other locations.  How do I allow access to login and ping?

ex. network a - 10.100.0.0/22 can't get to the ASA on network b - 10.101.0.0/22
Question by:emeka57

Expert Comment

by:BigPapaGotti
The first thing you need to do to allow pings to be allowed from "trusted.panorama9.com" is to modify the ACL that is tied to your external interface. Follow the steps below to accomplish this.

1. Login to the ASA
2. Click on the "Configuration" tab located at the top of ASDM
3. Click on "Firewall" located on the left hand side of the screen
4. Ensure that "Access Rules" is highlighted towards the top left hand side of your screen.
5. In the middle of your screen highlight the "Outside" interface
6. Click on the "Add" button towards the top of your screen.
7. This will open a new window. You will want to configure the settings below.
8. In the Interface drop down menu select "Outside"
9. In Action select "Permit"
10. In the Source: drop down menu you can do 1 of 2 things. You can select "Any" which will allow any IP address to ping the external IP address. Or you can select "trusted.panorama9.com" to allow only this IP address to ping your external IP address. I am going to assume you only want to allow this website/IP address to ping your external Interface on the ASA so follow the steps below. If you do not care and want to allow "Any" then skip to step 21.
11. Click on the button "...." next to Source
12. Click on the "Add" button and select "Network Object Group"
13. In the Group Name field type in the name and description of your choice.
14. Towards the lower left hand part of your screen select the bubble for "Create New Network Object Member"
15. In the name type in a name of your choice
16. In the "Type" drop down menu select "Host"
17. In IP Version select "IPv4"
18. In the IP Address field type in the following IP addresses. Since this website resolves to several different IP addresses you will need to repeat steps 15-19 to complete this task:
176.34.92.107
23.22.231.73
23.23.19.242
46.137.29.174
46.137.35.158
46.137.39.245
46.137.57.132
54.217.22.204
54.228.38.235
54.242.90.133
54.247.1.8
79.125.105.180
19. Click on the "Add" button
20. Click "OK"
21. In the "Destination" field click on the button "...."
22. Scroll down and double click "Outside" found underneath Interfaces
23. Click "OK"
24. In the "Service" field click on the button "....."
25. Double click on "icmp"
26. Click "OK"
27. Click "OK"
28. Click on "Apply" to apply the configuration to your ASA
29. Test out the configuration to ensure this website is able to ping your ASA's external IP address.
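The CLI equivalent of the above, as an added example that is not part of the expert's post. It assumes the external interface is named "outside" and uses the twelve addresses the expert listed. One caveat worth knowing: on the ASA, ICMP addressed to the firewall's own interface address is evaluated by the ICMP rules (`icmp permit` / `icmp deny`; in ASDM under Configuration > Device Management > Management Access > ICMP), while the interface access list governs traffic passing through the firewall. If the goal is for Panorama9 to ping the outside interface IP itself, these are the rules that decide it, and once any ICMP rule exists on an interface everything not explicitly permitted is dropped.

```cisco
! Added example, not from the original post. Assumes the external interface is named "outside".
! ICMP rules are matched first-hit, with an implicit deny once any rule is present on the interface.
icmp permit host 176.34.92.107 echo outside
icmp permit host 23.22.231.73 echo outside
icmp permit host 23.23.19.242 echo outside
icmp permit host 46.137.29.174 echo outside
icmp permit host 46.137.35.158 echo outside
icmp permit host 46.137.39.245 echo outside
icmp permit host 46.137.57.132 echo outside
icmp permit host 54.217.22.204 echo outside
icmp permit host 54.228.38.235 echo outside
icmp permit host 54.242.90.133 echo outside
icmp permit host 54.247.1.8 echo outside
icmp permit host 79.125.105.180 echo outside
! Optional: keep path-MTU discovery and traceroute error messages working for the ASA itself
icmp permit any unreachable outside
icmp permit any time-exceeded outside
! Everything else aimed at the outside interface address is silently dropped
icmp deny any outside
! Verify what is in effect
show running-config icmp
```

After applying, have the monitoring service ping the outside address and watch `show logging | include ICMP` on the ASA; a denied probe shows up as a drop for the outside interface rather than as a through-traffic ACL hit.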

Accepted Solution

by:BigPapaGotti (earned 500 total points)
The second issue is that the other sites are unable to connect to the ASA to login. There are a couple of things off the top of my head that could be causing this issue. One is a routing issue, and the second is a configuration issue where only certain IP addresses are allowed to connect to the ASA for management. See below.

Check for a routing issue.

1. Login to the ASA via ASDM
2. Click on "Configuration" located at the top of the screen.
3. Click on "Routing"
4. Click on "Static Routes" (assuming you do NOT have a dynamic routing protocol configured).
5. You will want to try to find an entry for IP Address - "10.101.0.0" with subnet mask "255.255.252.0" If you do not have an entry for this then that would be a good reason why your network is not able to communicate with the ASA, since it would not have a route back to this network.
6. If you do not have a route for this then you will need to create one. To create one follow the steps below.
7. Click on "Add"
8. In "IP Address Type:" select IPv4
9. In "Interface" select "Inside"
10. In "Network" click on the "...." button. This will open a new window
11. Click on the "Add" button
12. Type in a name of your choice
13. In "Type" change this to "Network"
14. In IP Address type in "10.101.0.0"
15. In Netmask type in "255.255.252.0"
16. Click "OK"
17. In Gateway IP Click on the "..." button
18. Click on the "Add" button
19. Type in a name of your choice
20. In "Type" leave this set as "Host"
21. In IP Address type in the IP address of the next hop towards this network.
22. In Netmask type in "255.255.252.0"
23. Leave FQDN blank.
24. Type in a description of your choice
25. Click "OK"
26. Click "OK"
27. Click "OK"
28. Click "Apply" to apply your changes.
29. Test

Next you will want to check that the ASA allows other subnets to configure the ASA. Follow the steps below.

1. Login to the ASA via ASDM
2. Click on "Configuration"
3. Click on "Device Management"
4. Click on "Management Access"
5. Click on "ASDM/HTTPS/Telnet/SSH"
6. Locate the entry for "ASDM/HTTPS"  for the "Inside" Interface and make note of the "IP Address" and "Mask/Prefix Length" column
7. Depending on how this is setup you will need to either create a new entry or modify the existing entry to allow the subnets you want to be able to connect to ASDM.

A lot of this depends on your network topology and how things are setup. If you have any questions along the way feel free to ask. If possible attach a diagram of your network topology so I can get a better understanding of how things are setup if you need further assistance.
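The same two checks on the CLI, as an added example that is not part of the expert's post. It follows the expert's direction (the ASA being configured has its inside network in 10.100.0.0/22 and the admin is coming from 10.101.0.0/22; swap the subnets for the reverse case) and assumes the LAN-facing interface is named "inside" and that the MPLS router on the inside segment is 10.100.0.1, a placeholder to replace with the real next hop. Note that on the CLI the route's gateway is a plain next-hop address with no mask attached; the host object in the ASDM steps is just ASDM's wrapper around that address.

```cisco
! Added example, not from the original post. Placeholders: 10.100.0.1 (next hop), netadmin (account).

! 1. Return route. Without it the ASA's replies to 10.101.0.0/22 never leave the box,
!    so both ping and SSH/ASDM from the remote site appear dead.
route inside 10.101.0.0 255.255.252.0 10.100.0.1 1

! 2. Management access is allowed per interface and per source subnet; anything not
!    listed is refused before authentication even starts.
http server enable
http 10.100.0.0 255.255.252.0 inside
http 10.101.0.0 255.255.252.0 inside
ssh 10.100.0.0 255.255.252.0 inside
ssh 10.101.0.0 255.255.252.0 inside
ssh version 2
ssh timeout 10
! Authenticate management sessions against local accounts (replace the password;
! give privilege 15 only to people who are meant to change the config)
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username netadmin password ReplaceMe123! privilege 15

! 3. If ICMP rules are in use on the inside interface, the remote site also needs an echo rule
icmp permit 10.101.0.0 255.255.252.0 echo inside

! Verification
show route | include 10.101.0.0
show running-config http
show running-config ssh
ping inside 10.101.1.10
```

If `show route` already lists 10.101.0.0/22 but the remote site still cannot reach the box, look at the `http`/`ssh` lines before anything else: a working route plus a missing management entry produces exactly the "can ping other things but not the ASA" symptom the question describes, since the ASA drops unlisted management sources without logging a routing problem.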

Author Comment

by:emeka57
Is there any way to allow pings from trusted.panorama9.com rather than the specific IP addresses?  This would be helpful in case some IP addresses change.

Also, will ping work if the interface isn't the active/primary interface?  Is there a way to use both interfaces as primary?

Expert Comment

by:BigPapaGotti
Yes this does appear to be possible. Follow the steps below:

1. Login to ASA via ASDM
2. Click on "Configuration"
3. Click on "Firewall"
4. Click on "Objects"
5. Click on "Network Objects/Groups"
6. Click on the "Add" button then click on "Address Object"
7. Type in the name of your choice
8. In the type drop down menu select "FQDN"
9. In FQDN type in "trusted.panorama9.com"
10. Type in the description of your choice.
11. Click "OK"
12. Click "Apply"

Next you need to update your ACL to use this new object.

1. Login to ASA via ASDM
2. Click on "Configuration"
3. Click on "Access Rules"
4. Find your Outside ACL and click on the "Edit" button
5. Change the source to reflect the address object you created in the steps above.
6. Apply the configuration and Save it
7. Test

I'm not sure I understand your question about the active/primary interface as well as using both interfaces as primary. Can you describe your setup so I can get a better understanding? Do you have two outside interfaces connected to two separate IP Addresses? Are you trying to load balance over them or something along those lines?
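The FQDN object on the CLI, as an added example that is not part of the expert's post, with the two things the ASDM steps leave implicit: the ASA must be able to resolve names itself before an FQDN object does anything, and it should re-resolve often enough to follow the address changes the question is worried about. It assumes the outside interface is named "outside", that the access list bound to it is called OUTSIDE_IN, and that 8.8.8.8 is a reachable resolver (all placeholders). One caveat: the `icmp` command, which controls ICMP sent to the ASA's own interface addresses, takes only IP addresses and masks, not objects, so an FQDN object can be used in the interface access list but not there; if the probes target the outside interface address itself, the resolved addresses still have to be entered in the ICMP rules.

```cisco
! Added example, not from the original post. Placeholders: OUTSIDE_IN (ACL name), 8.8.8.8 (resolver).

! Name resolution has to be enabled on an interface that can reach the resolver,
! otherwise the FQDN object never gets an address and the rule silently matches nothing.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
! Re-check the name frequently so a changed address is picked up (minutes)
dns expire-entry-timer minutes 1
dns poll-timer minutes 1

object network PANORAMA9_TRUSTED
 fqdn v4 trusted.panorama9.com
 description Panorama9 monitoring source (resolved by the ASA)

! Use the object as the source in the outside access list, permitting only echo requests
access-list OUTSIDE_IN extended permit icmp object PANORAMA9_TRUSTED any echo
access-group OUTSIDE_IN in interface outside

! Confirm the name has actually resolved and the ACL is expanded to real addresses
show dns-hosts
show access-list OUTSIDE_IN
```

If `show dns-hosts` shows no entry for trusted.panorama9.com, fix DNS reachability from the ASA first (`ping outside 8.8.8.8`, then check the `dns domain-lookup` interface); until the cache is populated the access-list line is present but matches no traffic.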

Author Comment

by:emeka57
Thanks.

I have 2 ISPs connected to the ASA.  The primary (which is pingable when it's active) and the second (unpingable when inactive).  Is there a way to make the secondary pingable when it's inactive?

Alternatively, how do I make both active?  This will also be helpful in the event that one circuit fails.