Access ASDM from a different vlan and interface than the management

Unanswered Question
Oct 28th, 2009

Hello everybody,

I am a new user of an ASA5510 using ASA version 8.0 and ASDM 6.0(2).

That firewall is meant to be the central part of a network with multiple inside VLANs and an Internet connection.

So my firewall is directly connected to a 3750 switch and a couple of other switches are connected to that first switch.

At the moment, in order to connect to ASDM I have one cable as a trunk between eth1 of the firewall and eth0/1 of my switch (so set as a trunk line) and one cable between the management interface and eth0/48 of my switch on a specific VLAN (VLAN 69 on my switch, which is just for the management interface). At the moment it is the only workaround I have found to connect to that ASDM. So basically I have one computer on the network on VLAN 69 from which I can get the ASDM working. But all my switches are on VLAN 1 for management purposes, so I need another computer on VLAN 1 to manage my switches.

I am almost sure that there is a way to access ASDM from VLAN 1 but I can't find how.

Here is my configuration of the ASA5510:

ASA Version 8.0(2)
!
hostname AFAW001
domain-name test.COM
enable password xxxxxxxx encrypted
names
name 10.3.72.10 Switch01
....
name 10.3.72.37 AdminPC
dns-guard
!
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 62.xxx.xxx.x81 255.255.255.xxx
!
interface Ethernet0/1
 nameif Inside_Network
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif VLAN_Admin
 security-level 100
 ip address 10.3.72.1 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.3.74.241 255.255.255.240
!
passwd h83ErV7OnuCAO8TG encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name test.COM
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Internet 1500
mtu Inside_Network 1500
mtu VLAN_Admin 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
nat (VLAN_Admin) 101 0.0.0.0 0.0.0.0
route Internet 0.0.0.0 0.0.0.0 62.xxx.xxx.x81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.3.72.0 255.255.255.128 VLAN_Admin
http 10.3.74.240 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.3.74.242 255.255.255.255 management
ssh 10.3.72.37 255.255.255.255 VLAN_Admin
ssh timeout 5
console timeout 0
dhcpd address 10.3.74.242-10.3.74.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b71e78a98adb84b4f0a5d544be20e21c
: end

Thank you for your help

JB

Collin Clark Wed, 10/28/2009 - 07:18

JB-

Are you required to trunk? There is only one VLAN on it, so for simplicity's sake, you may want to remove the trunk and have it connect as an access port. Under interface Ethernet0/1 you should remove the security level. Other than that your config looks good. When on VLAN1, can you SSH into the ASA? Ping it? Anything in the log?

billetj01 Wed, 10/28/2009 - 09:51

Hi,

Sorry, I forgot to leave some "..." to show where I cut my config. I have about 20 VLANs in my configuration with DHCP enabled and NAT. All the VLANs I have hidden are subcontractors which are sharing the same Internet access. So I need that trunk.

When I am on VLAN1 at the moment I cannot do anything to the ASA: no ping, no SSH, nothing.

billetj01 Thu, 10/29/2009 - 01:07

Interesting, it is not in the ARP table of the ASA.

Here is the actual config of the ASA:

*****************************

ASA Version 8.0(2)
!
hostname AFAW001
domain-name test.COM
enable password h83ErV7OnuCAO8TG encrypted
names
...
dns-guard
!
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 62.xxx.xxx.x82 255.255.255.xxx
!
interface Ethernet0/1
 nameif Inside_Network
 security-level 0
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif VLAN_Admin
 security-level 100
 ip address 10.3.72.1 255.255.255.128
!
interface Ethernet0/1.10
 vlan 10
 nameif VLAN_Visitor
 security-level 30
 ip address 10.3.72.129 255.255.255.128
!
...... (VLANs)
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.3.74.241 255.255.255.240
!
passwd xxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name OL3.AREVA.COM
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Internet 1500
mtu Inside_Network 1500
mtu VLAN_Admin 1500
.....
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
nat (VLAN_Admin) 101 0.0.0.0 0.0.0.0
nat (VLAN_Visitor) 101 0.0.0.0 0.0.0.0
.....
route Internet 0.0.0.0 0.0.0.0 62.xxx.xxx.x81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.3.72.0 255.255.255.128 VLAN_Admin
http 10.3.74.240 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.3.74.242 255.255.255.255 management
ssh 10.3.72.37 255.255.255.255 VLAN_Admin
ssh timeout 5
console timeout 0
dhcpd address 10.3.74.242-10.3.74.254 management
dhcpd enable management
!
dhcpd address 10.3.72.130-10.3.72.254 VLAN_Visitor
dhcpd dns 212.86.0.5 212.86.0.6 interface VLAN_Visitor
dhcpd enable VLAN_Visitor
!
....
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2aa198c41a4b426d33a3d4fd097818c2
: end

********************

and the result of show route on the ASA:

Gateway of last resort is 62.xxx.xxx.x81 to network 0.0.0.0

C    10.3.72.0 255.255.255.128 is directly connected, VLAN_Admin
C    10.3.74.240 255.255.255.240 is directly connected, management
....
C    10.3.72.128 255.255.255.128 is directly connected, VLAN_Visitor
C    62.xxx.xxx.x80 255.255.255.xxx is directly connected, Internet
S*   0.0.0.0 0.0.0.0 [1/0] via 62.xxx.xxx.x81, Internet

Collin Clark Thu, 10/29/2009 - 07:15

If you don't see your MAC in the ARP table, there is a layer 1/2 problem. You'll need to make sure your PC has the correct IP address (10.3.72.x), you're in the correct VLAN (1), and the VLAN is on the trunk. Also you may want to remove the nameif on the main interface.

interface Ethernet0/1
 no nameif Inside_Network

If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair. Because the physical or redundant interface must be enabled for the subinterface to pass traffic, ensure that the physical or redundant interface does not pass traffic by leaving out the nameif command. If you want to let the physical or redundant interface pass untagged packets, you can configure the nameif command as usual. The firewall could be moving the packets to the wrong interface because the main interface and E0/1.1 are both processing vlan 1 packets.

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/intrface.html#wp1044006

billetj01 Fri, 10/30/2009 - 05:53

Status:

******
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
*******

IP address of the computer in VLAN Admin is correct: 10.3.72.37 255.255.255.128 GW 10.3.72.1

And maybe the config of the 1st switch could help:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ASWE0001
!
enable secret 5 xxxxx
!
username root privilege 15 password 7 xxxxx
no aaa new-model
clock timezone CST -2
clock summer-time HEL recurring
switch 1 provision ws-c3750-48ts
no ip subnet-zero
no ip source-route
no ip domain-lookup
ip domain-name xxxxx
!
!
!
!
!
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
no file verify auto
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
 description linktoFirewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
!
interface FastEthernet1/0/2
 description To S
 switchport access vlan xx
 switchport mode access
 no mdix auto
 no cdp enable
 spanning-tree portfast
!
.....
!
interface GigabitEthernet1/0/1
 description LinkToBuilding C
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
!
interface GigabitEthernet1/0/2
 description LinktoBuilding F
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
!
interface GigabitEthernet1/0/3
 description LinkToBuilding B
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
!
interface GigabitEthernet1/0/4
 description LinkToBuilding Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 udld port aggressive
!
interface Vlan1
 ip address 10.3.72.10 255.255.255.128
!
ip default-gateway 10.3.72.1
ip classless
no ip http server
ip http authentication local
no ip http secure-server
!
access-list 99 permit any log
snmp-server community public RO
snmp-server community SubC RW
!
control-plane
!
alias exec sis sh inter status
alias exec s sh ru
!
line con 0
 logging synchronous
line vty 0 4
 access-class 99 in
 exec-timeout 0 0
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 no login
 no exec
!
end

*******

So far no communication and still nothing in the ARP table, not even the switches. Really strange.

Collin Clark Fri, 10/30/2009 - 07:42

It is strange. Can you do a show interface trunk and make sure VLAN 1 is on it? In the ASA do you see the MAC/IP in the ARP table? You may have to ping the switch from the ASA first.

billetj01 Tue, 11/10/2009 - 05:51

Sorry for the delayed answer.

So on the switch, here is the answer from show interface trunk:

******************************

show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/1     on           802.1q         trunking      1
Gi1/0/1     on           802.1q         trunking      1
Gi1/0/2     on           802.1q         trunking      1
Gi1/0/3     on           802.1q         trunking      1
Gi1/0/4     on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/1     1-4094
Gi1/0/1     1-4094
Gi1/0/2     1-4094
Gi1/0/3     1-4094
Gi1/0/4     1-4094

Port        Vlans allowed and active in management domain
Fa1/0/1     1,4,10,30-47,50,69,371-372
Gi1/0/1     1,4,10,30-47,50,69,371-372
Gi1/0/2     1,4,10,30-47,50,69,371-372
Gi1/0/3     1,4,10,30-47,50,69,371-372
Gi1/0/4     1,4,10,30-47,50,69,371-372

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     1,4,10,30-47,50,69,371-372
Gi1/0/1     1,4,10,30-47,50,69,371-372
Gi1/0/2     1,4,10,30-47,50,69,371-372
Gi1/0/3     1,4,10,30-47,50,69,371-372
Gi1/0/4     1,4,10,30-47,50,69,371-372

***************************

And still no ARP table entries for the switches. I've tried to put it in as a static ARP entry but nothing better.

If I remember, when there was a name on the main interface (Inside) I had the switch entries but tagged as being from the global interface, not the VLAN_Admin interface.

Collin Clark Tue, 11/10/2009 - 14:30

Do you see the MAC address of the PC on the switch port it is connected to? Can you post the results?

show mac address-table interface fastEthernet 0/1

billetj01 Tue, 11/10/2009 - 22:26

Ok, result of the command on the switch port where my PC on VLAN_Admin is connected:

*****************
show mac address-table interface fastEthernet 0/1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0012.7959.716e    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 1

*********************

On the same switch, I have the PC which is on the management VLAN, and that one appears in the ASA ARP table.

Collin Clark Wed, 11/11/2009 - 06:56

Great. Looking at the management protocols you have configured:

http 10.3.72.0 255.255.255.128 VLAN_Admin
ssh 10.3.72.37 255.255.255.255 VLAN_Admin

Is your IP in this range? Do you use SSH or ASDM?
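As an added example (not from the thread or from Cisco), a small Python check for the two points raised above: whether a physical interface that carries subinterfaces still has its own nameif (the untagged-frame issue quoted from the configuration guide), and whether a given host is actually inside the http/ssh ranges for the interface it arrives on. The config excerpt is constructed from the first configuration posted in this thread.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0(2) config posted in this thread (first post).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif Inside_Network
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif VLAN_Admin
 ip address 10.3.72.1 255.255.255.128
!
http 10.3.72.0 255.255.255.128 VLAN_Admin
http 10.3.74.240 255.255.255.240 management
ssh 10.3.74.242 255.255.255.255 management
ssh 10.3.72.37 255.255.255.255 VLAN_Admin
ssh timeout 5
"""

def parse_interfaces(config):
    """Map each 'interface X' block to a dict of its indented commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = {}
        elif current is not None and line.startswith(" "):
            key, *args = line.split()
            ifaces[current][key] = args
        else:
            current = None  # '!' or a global command ends the block
    return ifaces

def named_parents_with_subinterfaces(ifaces):
    """Parents that have subinterfaces AND a nameif: they also forward untagged
    frames, so VLAN 1 traffic can be handled by both the parent and the .1 subif."""
    return sorted(name for name, cfg in ifaces.items() if "nameif" in cfg
                  and any(o.startswith(name + ".") for o in ifaces))

def management_access(config, host, iface):
    """Protocols (http/ssh) the config permits from host arriving on iface."""
    pattern = r"^(http|ssh) (\S+) (\S+) (\S+)$"  # 'ssh timeout 5' does not match
    allowed = set()
    for proto, net, mask, on in re.findall(pattern, config, re.M):
        if on == iface and ipaddress.ip_address(host) in ipaddress.ip_network(f"{net}/{mask}"):
            allowed.add(proto)
    return allowed
```

For the posted config, management_access(ASA_CONFIG, "10.3.72.37", "VLAN_Admin") returns both protocols while any other VLAN_Admin host gets http only, and the parent check flags Ethernet0/1 until its nameif is removed.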

billetj01 Wed, 11/11/2009 - 23:36

The IP address of the computer on the VLAN_Admin is 10.3.72.37, mask 255.255.255.128, GW 10.3.72.1

At the moment I am trying with SSH, which is faster to test. Then if I succeed in getting the SSH traffic across, I think HTTPS will be easy for ASDM.
