Bill Herde asked:

Cisco ASA remote ASDM

I have a new Cisco ASA 5506x and am having difficulty setting up remote management.

SSH on the outside address will work, and is set to accept connections from only specific IPs.  However, I would like to be able to use ASDM from outside as well. (My IOS skills suck.) Using the same IPs as the ssh command does not work, and the client gets an "unable to launch device manager from ..." message.

I have AnyConnect VPN working as well, and when connected, I can ping all addresses on the inside network, including the management IP (same as the gateway address). The device is configured to use inside address 10.0.12.0/24, and the VPN pool is 10.0.13.0/24.

I have 'management-access inside' entered in the configuration, and yes, when a PC is connected to the inside ports, ASDM will come up and run as expected.

I think what is killing this is that the default configuration now comes with all the ports on the device (less 'outside') joined to a bridged network that is by default BVI1. All remaining interfaces are given the nameif of 'inside-1' through 'inside-7'. To make http work on the inside ports requires adding lines 'http 10.0.12.0 255.255.255.0 inside-1' through '...inside-7'.  If I add 'http 10.0.12.0 255.255.255.0 inside' or 'http 10.0.13.0 255.255.255.0 inside' it barks at me that this is an 'ambiguous command'.  (Same thing if trying to add BVI1.) So clearly it wants to reference something that is a physical connection instead of a virtual object.  Problem is that the only other options visible when trying to use ASDM to add the line are inside-1 through inside-7, and outside.  Adding it to outside accepts the command, but still does not work, with the same resultant message to the client using VPN or straight in.

Numerous articles from random strangers on Google tell me that if the VPN pool is different, the NAT entry allows access across the two networks and the management-access is 'inside', it should work.  All articles found so far are not using the bridge network on the inside.

This is the last item I need to make work prior to shipping this out, which of course, makes it all the more a focal point.

Anyone been down this rabbit hole already?
Soulja

So you already have the command to allow it on the outside interface?

http x.x.x.x subnetmask OUTSIDE

IP being the allowed IP address or network allowed to access ASDM from the outside.
Bill Herde (ASKER)

I tried that also, yes.  It did not make any difference.
Could you post your config? Remove any sensitive info.
Config attached.

Note that adding line "http 10.0.13.0 255.255.255.0 inside" complains that it is an ambiguous command.

Bill
(attached: working.txt)
http 10.0.13.0 255.255.255.0 outside

Why do you have a private address subnet here?

You would put the public IP of where you are trying to access the firewall from the outside. For example, if you are trying to access it from home, you would put your WAN IP here with a 32-bit mask.
The IP you need to put in the http ... outside command is the IP address you want to allow access to the firewall from the Internet. This has to be a public address.
I have tried that using the same public IP block addresses on 'outside' that work for SSH, but no joy with ASDM.  http ..... inside also does not work, which it should when the AnyConnect VPN is active.  Note that I can ping the management address (and anything on the inside network) using the AnyConnect VPN, but cannot SSH or ASDM through it.
To clarify a little.
10.0.13.0 is the address pool for the AnyConnect VPN.
10.0.12.0 is the inside network.
With the AnyConnect VPN active:
http 10.0.13.0 255.255.255.0 outside - does not work.
http 10.0.13.0 255.255.255.0 inside - ASA will not accept the command.
http 10.0.13.0 255.255.255.0 inside-1 - ASA accepts the command, but still does not work.  Repeating this for all 7 inside interfaces does not work.

"management-access inside" is in the config, and I don't know of any other way to define that one.
ASKER CERTIFIED SOLUTION
ArneLovius
[This solution is only available to members of Experts Exchange.]
ArneLovius,
Yes, that was what I had in the config at that time.  I cannot enter a line using "inside" for http. Again, adding line "http 10.0.13.0 255.255.255.0 inside" complains that it is an ambiguous command. I have tried using 'http 10.0.13.0 255.255.255.0 inside-1' through 'inside-7' without success while on the VPN.  I have even tried 'http 0.0.0.0 0.0.0.0 outside' (briefly) and tried to connect without the VPN and it still will not work.  During all this I had 'debug http 255' active and there was no activity on the serial console.  It's like it never got the connection request.  Since it DOES work properly from a PC on inside-1, I think the 'management-access inside' is correct.  I get the feeling it is something in the NAT statements that is wrong.
I would suggest trying on a different port

http server enable 8443

Obviously you need to change the port that ASDM connects to.
I got Cisco on the phone and the tech decided the bridge was the problem.  So we took it out and started putting things back together.  He has another call scheduled and had to drop out, and the current situation is just about the same as before.  I will get the rest of the parts back together and see where we are, but at this point I still have a router that I can do everything I want it to do with, with the exception of running ASDM from outside the network.  I will post a new running config when I get it checked out.
Thanks for the assist.  
With the bridge ripped out and the device just being a router, I still cannot run ASDM, and now SSH, across the VPN connection, but I can run both from the outside.  Changing the port number seems to have been the trick.  The config is a lot simpler and I expect it might be easier to maintain without all the bridge statements.  Not really thrilled that I lose the ability to use the back of the ASA as a little switch, but it is what it is.  If I had time, I would put it back to bridge and try with the other port number, but I have to get this thing in the mail.
Follow up.
I decided I wanted that switch functionality after all, so took the time to put the bridge back in.
Confirmed that the port number was all that was keeping this from working.  
Thanks again for the assist.
Glad that it's working!

I would guess that Cisco didn't want to cannibalise their switch sales...

You might find this informative about the management-access line https://serverfault.com/questions/346557/what-does-the-cisco-asa-command-management-access-do
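The three practical points the thread turns on (keep the http/ssh source lists to specific addresses rather than the 0.0.0.0 0.0.0.0 that was tried briefly, have 'management-access inside' present when VPN-pool clients must reach an inside-facing interface, and know which port 'http server enable <port>' has moved ASDM to) can be checked mechanically against a running-config. The linter below is an added example, not code from the thread, from Experts Exchange or from Cisco. The config fragment it reads is constructed for illustration: the hostname, the pool name, the 198.51.100.7 admin address and the severity labels are my own assumptions, and only the line shapes follow ASA syntax.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of an ASA running-config fragment. It is NOT
# the asker's working.txt; hostname, pool name and addresses are assumptions.
SAMPLE_CONFIG = """\
hostname asa-demo
ip local pool ANYCONNECT-POOL 10.0.13.1-10.0.13.254 mask 255.255.255.0
http server enable 8443
http 10.0.12.0 255.255.255.0 inside-1
http 10.0.13.0 255.255.255.0 inside-1
http 0.0.0.0 0.0.0.0 outside
http 198.51.100.7 255.255.255.255 outside
ssh 198.51.100.7 255.255.255.255 outside
ssh 10.0.13.0 255.255.255.0 inside-1
telnet 10.0.12.0 255.255.255.0 inside-1
"""

# "<proto> <address> <netmask> <nameif>" lines that open a management listener.
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d[\d.]+)\s+(\d[\d.]+)\s+(\S+)$")
HTTP_SERVER_RE = re.compile(r"^http server enable(?:\s+(\d+))?$")
POOL_RE = re.compile(r"^ip local pool \S+ (\d[\d.]+)-(\d[\d.]+) mask (\d[\d.]+)$")


@dataclass
class MgmtRule:
    proto: str                       # http (ASDM over HTTPS), ssh or telnet
    network: ipaddress.IPv4Network   # permitted client source range
    iface: str                       # nameif the clients arrive on


def parse_mgmt_rules(config: str) -> List[MgmtRule]:
    rules = []
    for raw in config.splitlines():
        m = MGMT_RE.match(raw.strip())
        if m:
            proto, addr, mask, iface = m.groups()
            # ASA writes "address netmask"; ipaddress accepts that as a 2-tuple.
            net = ipaddress.ip_network((addr, mask), strict=False)
            rules.append(MgmtRule(proto, net, iface))
    return rules


def vpn_pools(config: str) -> List[ipaddress.IPv4Network]:
    """Networks covered by 'ip local pool' lines (the AnyConnect client range)."""
    pools = []
    for raw in config.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            start, _end, mask = m.groups()
            pools.append(ipaddress.ip_network((start, mask), strict=False))
    return pools


def http_server_port(config: str) -> Optional[int]:
    """Port ASDM must connect to: None if the server is off, 443 if no port is given."""
    for raw in config.splitlines():
        m = HTTP_SERVER_RE.match(raw.strip())
        if m:
            return int(m.group(1)) if m.group(1) else 443
    return None


def audit_mgmt_access(config: str) -> List[str]:
    """Return finding strings for the management-plane lines discussed in the thread."""
    findings = []
    if http_server_port(config) is None:
        findings.append("INFO http server is not enabled; ASDM cannot connect at all")
    pools = vpn_pools(config)
    has_mgmt_access = any(l.strip().startswith("management-access ")
                          for l in config.splitlines())
    for r in parse_mgmt_rules(config):
        where = f"{r.proto} {r.network.with_netmask.replace('/', ' ')} {r.iface}"
        if r.proto == "telnet":
            findings.append(f"HIGH cleartext telnet management enabled: {where}")
        if r.network.prefixlen == 0:
            # e.g. 'http 0.0.0.0 0.0.0.0 outside': the listener is open to any source.
            findings.append(f"HIGH any-source management access: {where}")
        if (not has_mgmt_access and r.iface != "outside"
                and any(r.network.overlaps(p) for p in pools)):
            # VPN clients can only manage a non-outside interface via management-access.
            findings.append(f"MEDIUM VPN pool allowed on {r.iface} but "
                            f"'management-access' is missing: {where}")
    return findings


if __name__ == "__main__":
    print(f"ASDM port: {http_server_port(SAMPLE_CONFIG)}")
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(finding)
```

Run it against a 'show running-config' capture instead of SAMPLE_CONFIG to get the same report for a real box; the 'http' rules for the ASDM client and the 'ssh' rules are checked identically, since the ASA applies both as a source filter on the named interface.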