Management Port

Answered Question
Apr 5th, 2010

We have an ASA 5510 at the remote office. There is no Network Administrator at this location. The Network Administrator from the Main office logs in through the Cisco VPN client to do the administration on the ASA. What IP address would you assign to the Management port of the ASA? Would you leave it at the default 192.168.1.1?


Thanks.


Laura

Correct Answer by Jennifer Halim about 6 years 11 months ago

Great to hear. Yes, you can remove all the "dhcpd" configuration on the remote site.


Here is a sample configuration for LAN-to-LAN tunnel:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml


Configuration is a lot more complex and it has to be done on both ASAs as per the above sample config.


Correct Answer
Jennifer Halim Mon, 04/05/2010 - 19:52
User Badges: Cisco Employee

Assuming there is a LAN-to-LAN VPN tunnel between the remote and HQ, you can manage it using the inside ip address of the remote ASA.

When you VPN Client to your main office, are you able to access your remote LAN? If you can't, then you would need to configure a few things in regards to the VPN itself:

1) Split tunnel for the VPN Client needs to include the remote LAN subnet

2) Crypto ACL for the LAN-to-LAN tunnel between main and remote office needs to include the vpn client pool subnet as interesting traffic, i.e.:

On main site: access-list permit ip

On remote site: access-list permit ip  

3) On the remote site: management-access inside   --> so you can manage the inside interface through the vpn tunnel

4) On the remote site: NAT exemption needs to include traffic from remote LAN towards the vpn ip pool subnet.

5) On the remote site: whether you are managing through SSH or ASDM, you would need to include "ssh inside", and/or "http inside"

6) On the main site: same-security-traffic permit intra-interface ---> to allow traffic from vpn client to u-turn towards the lan-to-lan tunnel to remote site.


Hope that helps.
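The six items in the answer above, written out as an ASA configuration fragment. This is an added example, not the poster's or Cisco's own configuration: the subnets (main LAN 10.1.0.0/16, remote LAN 10.2.0.0/24, VPN client pool 10.3.0.0/24), the ACL and group-policy names are constructed, the crypto map and tunnel-group for the LAN-to-LAN tunnel are assumed to exist already, and the NAT exemption uses the pre-8.3 `nat 0 access-list` syntax that was current in 2010.

```text
! --- Main-site ASA (hub): the VPN Client terminates here ---
! 1) Split tunnel for the VPN Client must list the remote LAN, not just the main LAN
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
! 2) Crypto ACL for the L2L tunnel: VPN pool -> remote LAN is interesting traffic too
access-list L2L_TO_REMOTE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list L2L_TO_REMOTE extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! 6) Let VPN Client traffic enter and leave on the same (outside) interface (u-turn)
same-security-traffic permit intra-interface

! --- Remote-site ASA ---
! 2) Mirror-image crypto ACL: remote LAN -> main LAN and remote LAN -> VPN pool
access-list L2L_TO_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2L_TO_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
! 4) NAT exemption (pre-8.3 syntax): traffic to the VPN pool must not be translated
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! 3) Allow the inside interface address itself to be reached through the tunnel
management-access inside
! 5) Management on the inside interface, limited to the VPN client pool as source
ssh 10.3.0.0 255.255.255.0 inside
http server enable
http 10.3.0.0 255.255.255.0 inside
```

Keeping the source of the `ssh`/`http` statements to the client pool rather than `0.0.0.0 0.0.0.0` means a host on the remote LAN cannot open a management session just because it shares the interface.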

laurabolda Tue, 04/06/2010 - 18:49

Halijenn,


Thanks so much for your prompt response and the info.  I will go back to check each item.  Can you do me a favor?  Attached is the config file.  What IP address would you use for the Management port?


Thanks.


Laura

Correct Answer
Jennifer Halim Tue, 04/06/2010 - 22:13
User Badges: Cisco Employee

Based on the configuration of the remote ASA, the simplest way to manage the remote ASA from your main site is through its outside ip address.

Currently you do not have VPN tunnel configured yet between the 2 sites.


So I would manage the remote ASA via its outside ip address: 109.66.25.80


On the remote ASA, you can restrict the SSH or HTTP access to only be accessible/managed from your main site public ip address (PAT) as follows:


ssh Outside

http Outside
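The two restriction lines in the answer above appear without their address and mask arguments. The following is an added example, not the answer's own configuration, showing the full form: 198.51.100.7 is a constructed stand-in for the main site's public PAT address, the username and password are placeholders, and the hardening lines after the source restriction are an assumption about what a practitioner would pair with it, not something the answer states.

```text
! Weak: management plane on the Internet-facing interface reachable from any source
! ssh 0.0.0.0 0.0.0.0 Outside
! http 0.0.0.0 0.0.0.0 Outside

! Corrected: only the main site's public (PAT) address may open SSH or ASDM sessions
ssh 198.51.100.7 255.255.255.255 Outside
http server enable
http 198.51.100.7 255.255.255.255 Outside

! Assumed companion hardening (not part of the answer above)
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username netadmin password <choose-a-strong-password> privilege 15
logging enable
logging trap informational

! Check what is actually in effect after the change
! show running-config ssh
! show running-config http
```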

laurabolda Wed, 04/07/2010 - 09:05

Halijenn,


Your instructions work. I was able to manage the ASA from the Main office. Is it OK to remove these statements since I have set up SSH and HTTP using the IP address of the outside interface?


dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management


You mentioned site-to-site VPN. Would you recommend site-to-site VPN for ease of administration in my case? If so, how would you set one up?


Thanks.


Laura

laurabolda Wed, 04/07/2010 - 18:56

Halijenn,


Thank you very much for taking time to help me out. I appreciate your assistance very much.


Laura
