I try to SSH and get access denied.
I try to ASDM and get "Unable to launch device manager from 172.16.252.100"
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
login as: test
test@172.16.252.100's password:
Access denied
[Code].....
I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else. Is this correct?
I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM and connect thru the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH
select "ADD"
select access type "ASDM/HTTPS"
select interface "internal"
IP Address "10.1.1.0"
Mask "255.255.255.0"
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA?
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby
[Code].....
I'm on the ASDM of a 5510 and the logging with in the ASDM is currently set just right, but when I go into the console via SSH and use "term mon" I don't get this logging showing up. [code] As you can see I have set the ASDM and console to the same level. Currently in the ASDM I can see a user getting denied access to a device, but in the console view I dont get that, which I woudl like.
View 2 Replies View RelatedI have several machines behind this firewall. Each machine has it's own outside static IP and i've setup a NAT for each machine to their outside IP.Everything is working great, EXCEPT, from behind the firewall, I can't browse my own websites that I am hosting from behind the firewall. From a command prompt, the machines can resolve the url to the correct outside IP of our web server. Our DNS is externally hosted. I just can't get a website to open from behind the firewall. IE won't connect.
I did some logging, and I see from the firewall logs, the inside machine trying to hit the external ip. The log shows an INTERNAL IP on a random port trying to hit the external IP of our webserver on port 80. It says success! If I use packet tracer entering the same ips and ports, it also says success. And yet the site won't load on the inside machine?
The client machine I am testing from behind the firewall does also have it's own natted external ip. I'm not a command line/scripts guy. Looking at my ASDM Device Setup Interface GUI pagae, I see at the bottom both boxes are checked, one for enable traffic between different interfaces at the same security level, and the other enable traffic between hosts on same interface. My outside interface is security 0, my internal network interface security is 100.
i have ASA 5510 with firmware version 8.4.2 and ASDM firmware 6.4.5 , it is a new system and there is no configuration other than inside network and HTTP server enable , allow my ip address to access http server.i am able to ping the firewall but no access throguh ASDM
[code]....
How to allocate bandwidth for a certain host or service in Cisco ASA 5510 Firewall using ASDM? For instance, I would like to dedicate 2MB for H323 service (Video Conference Call).
View 1 Replies View RelatedI have Cisco5510 running with ADSM 6.0 version, I was able to access it fine since few months but suddenly I am unable to login through that.Its prompting for username and password and loading it to 100% but not opening the GUI console.I feel this could be the JAVA version issue but with the same version of JAVA I am able run another ASA 5520 which is running with 6.4ASDM version.Request you to suggest the right JAVA version to run 5510 with ASDM 6.0 GUI console.
View 1 Replies View RelatedCannot access to cisco asa5510 asdm nor ssh thru anyconnect vpn, attached is the current configuration. user authetnicaties aaa locally and has admin service-type. When vpn session is established, it lets me go thru the certificate warning and when trying to install the asdm laucher its failing. ssh access is enabled but not working. i can access both asdm and ssh from the inside network, and from a pc on that network.
View 9 Replies View RelatedI have two ASA5510 with a peer to peer VPN configuration which is working pretty well.I'm trying to connect to my remote ASA (ASA2) with ASDM on my PC through the VPN on the local ASA (ASA1)I already connected the ASDM to ASA1 through the inside interface but I cant connect to the ASA2 the same way (over the VPN).
When I ping the ASA2 inside interface from my computer, I get the following events:
ASA1:
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Built outbound icmp connection
192.168.2.1(ASA2 inside interface) | 0 | 192.168.1.36 | 512 | Teardown icmp connection
ASA2
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Built local-host Corporativo(outside):192.168.1.36
192.168.2.1(ASA2 inside interface) | 0 | 192.168.1.36 | 512 | Built local-host identity:192.168.2.1
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Built inbound icmp connection
192.168.1.36(My PC) | 512 | 192.168.2.1 | 0 | Teardown icmp connection
This is my config in ASA2
ASA Version 8.0(5)!hostname ciscosnqdomain-name chaco.com.boenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednamesname 192.168.2.10 SNQ-Servername 192.168.1.21 Srvplxaname 10.30.30.30 e-Servername 192.168.1.0 Experion-networkdns-guard!interface Ethernet0/0 nameif Corporativo security-level 0 ip address 10.64.12.6 255.255.0.0!interface Ethernet0/1 nameif ExP_LS security-level 90 ip address 192.168.2.1 255.255.255.0!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 nameif management security-level 100 ip address 192.168.0.2 255.255.255.0!boot system
[code]....
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0
[Code]....
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
I am trying to get an ASA5510 working in transparent mode, multi-context. I am on revision 8.2.5, so there are no bridge groups (those are enabled in 8.4). I first set it to transparent mode, then set it to multi-context mode. I am doing trunking through the Ethernet0/0 to Ethernet0/1, and have two vlans on subinterfaces of each interface. These interfaces are in the 2nd and 3rd contexts, and all trunking between vlans is working correctly in transparent mode.
But I can't telnet or ssh to the ASA itself.
I have an IP address on the inside vlan interface in
I have a fresh out the box asa5510 with 8.4 on it.I have built these before but for some reason cannot get this one to work. I am consoled on, have applied the following config but can still not ping to or from, can not asdm, cannot http/s. Arp table shows device it tries to ping, but device trying to pping it has incomplete arp entry. [code]
View 7 Replies View RelatedI have an asa 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies View RelatedI copied a Cisco 5510 startup-config to an identical Cisco 5510.After copying through tftp, I executed a reload. Everything looks good. Line by line compare results are the same.The problem is I can no longer use ASDM or ssh to interface with Cisco 5510.
View 25 Replies View RelatedI am having issues with the ASA 5510 management interface. I can't communicate with this interface. It is showing DOWN/DWON even if I type NO SHUT several times.
My existing config is as follows
our-asa-01# sh run
Saved
ASA Version 7.2(5)
hostname our-asa-01
names
dns-guard
interface Ethernet0/0
[code]....
I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it. However, the Management Interface is not working. I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown. So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should.I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?
View 2 Replies View RelatedHow does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed
I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
I need to use 4 interfaces four data traffic
1- Inside
2- Outside
3- dmz-1
4- dmz-2
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
1- I used the management0/0 for The stateful failover.
2- I used gig 0 for outside
3- I used gig 1 for inside
4- I used gig 2 for dmz-1
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only
I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.
my config
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
[Code].....
i have a Cisco ASA 5520 8.4(1) with a ASA 5520 VPN Plus license
i want to use the management interface as a regular interface (using the no management-only command)is this interface a Gig interface as well ?
how to totaly disable Admin/ASDM access on our public interface of our 5510. I don't want to change IPSec or SSL access to the outside interface. Just totaly disable access to Admin/ASDM from the outside without halting all other access.
View 3 Replies View RelatedI have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.
I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510..The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.
I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.
View 1 Replies View RelatedI've got an ASA 5505 running 6.3 I've connected the management interface to our management vlan (which contains switch IPs, ilo's etc)Is there a way to allow access to this vlan from another?
View 1 Replies View RelatedAfter I have upgraded our ASA 5510 to 8.4.2 I have problem with the management interface.Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work.The interface and the protocol is up, when I type: show interface.But when I ping the interface from a computer connectet to the interface, nothing happens.
Even the logging shows nothing.
We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.
View 7 Replies View RelatedWe use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well. However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc. We could deploy a proxy server in the wireless DMZ to make all the wireless devices appear to web filter as a single IP, and apply a single policy, but that brings it's own problems. My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?
View 1 Replies View RelatedOur ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.
Recently, I've been having significant problems with denial of service on our ASA-5510. Two IP addresses in particular attack my ASA regularly. What kind of rule do I need to create to deny these IP's access to my firewall?
View 4 Replies View RelatedI'm currently configuring an ASA5510.I connected a laptop (IP 192.168.96.18/255.255.255.0) to port 0/2 and tried to ping 192.168.100.2 ... impossible to ping outside interface.I resetted the config of the ASA to retest more simple. [code]
View 1 Replies View Related
