ASDM but not ASDM?

azore2007
Level 1

Hi people

I have recently checked out the ASDM package and I really like the information that you can see in it, speed / active VPN tunnels etc.

But is there any way you can have "ASDM" on an already CLI-configured ASA without messing it up? I just want the information, not configure the ASA from the ASDM.

I read the docs and they pretty much want a clean install and you have to pick ASDM or CLI configuration and stick with it, or it gets messy.

I'm currently polling my ASA to an MRTG but I can't see active IPsec/VPN tunnels / specific host data flow.

Sure I could get this through commands in CLI but... well ASDM is nice :D

Thanks

Accepted Solutions

m.sir
Level 7

I am using ASDM in exactly this way. ASDM provides great service for monitoring, but I have never used it for configuration. I want control over my configuration, so I trust only the CLI (there are also a few commands unsupported in ASDM).

You can install and use ASDM for monitoring without doubts - your CLI configuration is unaffected until you do configuration tasks in ASDM.

M.

Alright, so it doesn't affect the conf if I now decide to install ASDM? Great, gonna try it then.

Thanks!

Yes, don't worry, you can go ahead.

Install ASDM (just copy the ASDM image to the firewall flash):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8

Then you must enable the ASA/PIX Security Appliance to start its secure web server. Enter the command:

http server enable

After the ASA/PIX Security Appliance web server is enabled, you must tell the security appliance who can access ASDM and where they are located. To accomplish this, enter the address of your PC and tell the security appliance you are located on the inside interface (let's say your PC is 192.168.1.2). Enter the command:

http 192.168.1.2 255.255.255.255 inside

Then you can access ASDM via HTTPS (let's say the inside IP of the firewall is 192.168.1.1):

https://192.168.1.1/

M.
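
Added example (not part of the original post and not Cisco's code): a small Python audit of the `http` statements described in the reply above, reporting whether the ASDM web server is enabled and which allowed sources are broader than one host or sit on a low security-level interface. The sample config, the function name `audit_asdm_access` and the two thresholds are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample config (not from a real device); the addresses follow
# the reply above, the last rule is added to show a finding.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 192.168.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
"""

HTTP_RULE = re.compile(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")


def audit_asdm_access(config, max_hosts=1, min_level=100):
    """Return (server_enabled, findings) for ASDM/HTTPS management access.

    max_hosts and min_level are policy thresholds assumed for this example.
    """
    levels, current, enabled, rules = {}, None, False, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                      # new interface block
        elif m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and current:
            levels[current] = int(m.group(1))
        elif line.startswith("http server enable"):
            enabled = True
        elif m := HTTP_RULE.fullmatch(line):
            rules.append(m.groups())
    findings = []
    for addr, mask, ifname in rules:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net.num_addresses > max_hosts:       # more than a single admin PC
            findings.append((str(net), ifname, "broad-source"))
        if levels.get(ifname, 0) < min_level:   # unknown interface counts as 0
            findings.append((str(net), ifname, "low-security-interface"))
    return enabled, findings
```

Run against the sample, only the constructed `http 0.0.0.0 0.0.0.0 outside` line is reported; the single-host rule on the inside interface produces no finding.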

edunn
Level 1

You can also set the ASDM preferences to preview commands before sending them to the device.

On the top menu of the ASDM, click Tools -> Preferences and check Preview commands before sending them to the device. This will show you the exact command-line entries that will be applied when you submit a change through the ASDM.

Hey guys, thanks for the answers

-Using ASA5510-

Is it possible to create a virtual interface and put the management interface there?

Or do I really have to "burn" the management port for this?

My internal LAN has 192.168.10/24 address

The ASA outside interface has 192.168.10.5

So I create a "dmz" on the outside interface (ethernet 0/0.2) etc and put the management-only and IP address on it?

Something like this

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.10.5 255.255.255.0
!
interface Ethernet0/0.3
 vlan 3
 nameif mngmt
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0

And then add access in the outside ACL and put a static link?

(not getting it to work atm, so that's why I'm asking if it's possible at all :) )

Thanks again
