connecting to ssm-10 from asa5510 asdm

Unanswered Question
Jun 11th, 2009

I have the management address of 192.168.1.1 on my asa5510 and an address of 192.168.1.2 on the ssm-10.

Both the management of the ASA and the SSM-10 are plugged into my switch. I can access the ASDM and manage my ASA but cannot access the SSM-10 from the ASDM. I clicked on configure, then IPS and put in the 192.168.1.2 address for my IPS and a popup box comes up stating an error connecting to the device.


Any help would be greatly appreciated.

marcabal Thu, 06/11/2009 - 10:48

Is your ASDM on the same 192.168.1.0 network?

If not, then have the routes been properly setup to connect between the ASDM machine and the SSM?

Presumably the ASA will be the SSM's default router, was this configured in the SSM's default router configuration?

By default the management interface of the ASA will Not route packets, so you will need some configuration modifications on the ASA to route through the management interface.

Has the ASA configuration been setup to allow the ASDM connection in through the firewall to the SSM? Access-lists or NAT rules may be needed to allow the connection.


Has the ASDM machine's IP Address been added into the SSM's access-list as an allowed ip address?


You may also want to try an SSH to the SSM's IP, and an HTTPS connection directly to the SSM. If HTTPS works, then ASDM should be able to connect.


You might also try running "show version" on the SSM's CLI and ensure that both mainApp and Analysis Engine are "Running".


derek.warner Thu, 06/11/2009 - 11:25

Not sure how to even respond, I am by no means a firewall guru.


There are no static routes from the management port of the firewall to the SSM. I guess that needs to happen.


Can I connect directly to the SSM-10 via ethernet to the management port and open up the ASDM to manage the IPS?



marcabal Thu, 06/11/2009 - 11:32

1) Connect your PC to the same switch and vlan as the management ports of both the ASA and SSM

2) Give it an IP address in the same subnet as the ASA and SSM

3) From the ASA CLI session to the SSM, and run setup to add your PC's IP address into the SSM's access-list


Then you should be able to run ASDM and connect to the SSM for the IPS screens.


To connect to the SSM from any other network will require proper configuration of routing in the ASA, and possible NAT/PAT and/or access-lists in order to allow through a connection to the SSM.

Similar to allowing through an external HTTPS connection to a web server in your DMZ.



derek.warner Thu, 06/11/2009 - 12:56

Ok,


I connected to the ssm via the CLI and sessioned in using session 1.


I added my address of 192.168.1.4/32 to the access list.


I am now getting the following error:


through the device packet to/from management-only network is denied tcp:src management:192.168.1.4/2453 dst 192.168.1.6/443



I did read something about a security + license as opposed to a base license. the base license will not allow traffic through the management device.


Shouldn't I be able to open the ASDM with the 192.168.1.6 address of the SSM-10?

marcabal Thu, 06/11/2009 - 13:10

What is the address of your SSM?

Is it 192.168.1.2 as in your original post, or 192.168.1.6?


Is this message coming from the ASA console? Or from something else?


If your ASDM machine is on the same vlan and subnet as the SSM, then the connection to the SSM should not be going to the ASA. The ASDM will connect to the ASA for the firewall configuration and control, but when going to the IPS screens it should be directly connecting to the IPS SSM's external command and control IP and should not be getting to the ASA at all.


Can you try opening a browser on your ASDM machine and connecting to your sensor with https://192.168.1.6 (or .2, whichever is your SSM address), and then click the button to start IDM?

If IDM starts up, then ASDM should work as well. If IDM won't start up, then there may be something wrong in your wiring or configuration.



derek.warner Fri, 06/12/2009 - 05:08

The 192.168.1.2 is the ASA management address, the 192.168.1.6 is the IPS management address. Both management ports and my computer are connected to the same switch.


I sessioned into the IDS from the CLI and added my computers address of 192.168.1.4 to the access list of the IPS.


I tried to open a web browser and attempted to connect to http://192.168.1.6 and nothing happens.


The message I was referring to was coming from the ASDM when connected to the ASA.


Going to try and restart from scratch to see if I missed anything.



I did run show version and the 2 things you mentioned are showing "running".


V/R

derek.warner Fri, 06/12/2009 - 07:03

Got it!


DOH!


I had a route on my laptop


192.168.1.6 255.255.255.255 192.168.1.1


When attempting to connect, the data would go to the firewall management port and attempt to then connect to the SSM-10 at 192.168.1.6.


I deleted the route and Shazzam, a connection via https.


thanks for all your help.
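The root cause in the last post is a classic longest-prefix-match trap: a stray /32 host route wins over the directly connected /24, so traffic for a same-subnet host is handed to the ASA's management-only interface, which refuses to forward it. The added Python below (example code written for this page, not from the thread or from Cisco) models the laptop's routing table and the ASA's management-only rule to show why the route had to go; the ASA management address 192.168.1.1 and a default gateway via the ASA are assumptions taken from the final post.

```python
import ipaddress

# Constructed routing table modelled on the thread: the laptop (192.168.1.4)
# shares a switch with the ASA management interface (192.168.1.1, assumed
# from the "DOH!" post; management-only) and the SSM-10 sensor (192.168.1.6).
LAPTOP_IP = ipaddress.ip_address("192.168.1.4")
ASA_MGMT_IP = ipaddress.ip_address("192.168.1.1")
SSM_IP = "192.168.1.6"

# (prefix, gateway); gateway None means "directly connected, ARP for it".
BASE_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), ASA_MGMT_IP),  # assumed default route
]
# The stray host route the original poster found and deleted.
HOST_ROUTE = (ipaddress.ip_network("192.168.1.6/32"), ASA_MGMT_IP)


def next_hop(routes, dst):
    """Longest-prefix-match lookup: the most specific matching prefix wins,
    which is exactly why a /32 beats the connected /24."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def asa_verdict(dst, gw):
    """Model the ASA management-only rule quoted in the thread: the ASA accepts
    packets addressed to itself but will not forward ('through the device')
    anything arriving on its management interface for another host."""
    if gw != ASA_MGMT_IP:
        return "direct"        # packet never touches the ASA
    if ipaddress.ip_address(dst) == ASA_MGMT_IP:
        return "allowed"       # ASDM talking to the firewall itself
    return "denied"            # through-the-device packet on management-only


def diagnose(routes, dst=SSM_IP):
    """Return (next hop, ASA verdict) for an HTTPS connection to the SSM."""
    gw = next_hop(routes, dst)
    return gw, asa_verdict(dst, gw)


if __name__ == "__main__":
    print("with host route:  ", diagnose(BASE_ROUTES + [HOST_ROUTE]))
    print("route deleted:    ", diagnose(BASE_ROUTES))
```

Running it shows the SSM traffic going to 192.168.1.1 and being denied while the host route exists, and going direct once it is removed, matching the "Shazzam" outcome.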
