04-05-2010 07:34 PM
We have an ASA 5510 at the remote office. There is no Network Administrator at this location. The Network Administrator from the Main office logs in to the Cisco VPN client to do the administration on the ASA. What IP address would you assign to the Management port of the ASA? Would you leave it at the default 192.168.1.1?
Thanks.
Laura
04-05-2010 07:52 PM
Assuming there is a LAN-to-LAN VPN tunnel between the remote and HQ, you can manage it using the inside ip address of the remote ASA.
When you VPN Client to your main office, are you able to access your remote LAN? If you can't, then you would need to configure a few things in regards to the VPN itself:
1) Split tunnel for the VPN Client needs to include the remote LAN subnet
2) Crypto ACL for the LAN-to-LAN tunnel between main and remote office needs to include the vpn client pool subnet as interesting traffic, i.e.:
On main site: access-list
On remote site: access-list
3) On the remote site: management-access inside --> so you can manage the inside interface through the vpn tunnel
4) On the remote site: NAT exemption needs to include traffic from remote LAN towards the vpn ip pool subnet.
5) On the remote site: whether you are managing through SSH or ASDM, you would need to include "ssh
6) On the main site: same-security-traffic permit intra-interface ---> to allow traffic from vpn client to u-turn towards the lan-to-lan tunnel to remote site.
Hope that helps.
04-06-2010 06:49 PM
04-06-2010 10:13 PM
Based on the configuration of the remote ASA, the simplest way to manage the remote ASA from your main site is through its outside ip address.
Currently you do not have VPN tunnel configured yet between the 2 sites.
So I would manage the remote ASA via its outside ip address: 109.66.25.80
On the remote ASA, you can restrict the SSH or HTTP access to only be accessible/managed from your main site public ip address (PAT) as follows:
ssh
http
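Added example (not part of Halijenn's post): what restricting SSH and ASDM on the remote ASA's outside interface looks like in ASA 8.2-style syntax, with the wide-open setting shown beside the restricted one. The outside address 109.66.25.80 is the one from this thread; the main-office public (PAT) address 198.51.100.10, the account name netadmin and the password placeholder are assumptions.

```cisco
! Added example, ASA 8.2-style syntax, remote-office ASA 5510 (outside 109.66.25.80).
! 198.51.100.10 stands in for the main-office PAT address; replace it with yours.
!
! Weak: these two lines let any Internet host reach SSH and ASDM on the outside interface.
!   ssh 0.0.0.0 0.0.0.0 outside
!   http 0.0.0.0 0.0.0.0 outside
! Remove them if present, then allow only the main-office public address.
no ssh 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 outside
!
! SSH needs an RSA key pair; force SSH version 2 and a short idle timeout (minutes)
crypto key generate rsa modulus 2048
ssh version 2
ssh timeout 10
ssh 198.51.100.10 255.255.255.255 outside
!
! ASDM over HTTPS, same single-host restriction
http server enable
http 198.51.100.10 255.255.255.255 outside
!
! Local admin account for SSH/ASDM logins (name and password are placeholders)
username netadmin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! Verify: only the main-office host should be listed, nothing on 0.0.0.0
show running-config ssh
show running-config http
```

If the main office sits behind PAT, every administrator there shares 198.51.100.10, so the host mask 255.255.255.255 is the narrowest restriction the ASA can apply; the per-user control is then the login itself.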
04-07-2010 09:05 AM
Halijenn,
Your instructions work. I was able to manage the ASA from the Main office. Is it OK to remove these statements since I have setup SSH and HTTP using the IP address of the outside interface?
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
You mentioned site-to-site VPN. Would you recommend site-to-site VPN for ease of administration in my case? If so, how would you set one up?
Thanks.
Laura
04-07-2010 02:23 PM
Great to hear. Yes, you can remove all the "dhcpd" configuration on the remote site.
Here is a sample configuration for LAN-to-LAN tunnel:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
The configuration is a lot more complex, and it has to be done on both ASAs as per the above sample config.
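Added example (not code from the thread or from the linked Cisco document) that puts together the LAN-to-LAN tunnel asked about here and the six items from the earlier answer about managing the remote ASA's inside interface from a VPN client, in ASA 8.2-style syntax on both boxes. Only the remote outside address 109.66.25.80 comes from the thread; the main-office outside 198.51.100.10, main LAN 10.1.0.0/24, remote LAN 10.2.0.0/24 and VPN client pool 10.3.0.0/24 are assumed, as are the names VPN_POOL, RA_POLICY, SPLIT_TUNNEL, L2L_REMOTE, L2L_MAIN, NONAT, OUTSIDE_MAP and the pre-shared-key placeholder. The remote-access tunnel-group that hands out RA_POLICY to VPN clients is assumed to exist already.

```cisco
! Added example, ASA 8.2-style syntax. Only 109.66.25.80 comes from the thread;
! every other address, object name and the pre-shared key placeholder is assumed.
!
! ---------- Main-office ASA (outside 198.51.100.10, LAN 10.1.0.0/24) ----------
! Step 6: let VPN client traffic that arrives on outside leave on outside again
same-security-traffic permit intra-interface
!
! Step 1: split tunnel for the VPN client includes the remote LAN 10.2.0.0/24
! (the remote-access tunnel-group that references RA_POLICY is assumed to exist)
ip local pool VPN_POOL 10.3.0.1-10.3.0.254 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Step 2: crypto ACL carries both the main LAN and the VPN pool to the remote LAN
access-list L2L_REMOTE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_REMOTE extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! NAT exemption for main LAN to remote LAN (the usual L2L requirement)
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! IKE phase 1 and IPsec phase 2 for the L2L tunnel
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_REMOTE
crypto map OUTSIDE_MAP 10 set peer 109.66.25.80
crypto map OUTSIDE_MAP 10 set transform-set ESP_AES_SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 109.66.25.80 type ipsec-l2l
tunnel-group 109.66.25.80 ipsec-attributes
 pre-shared-key <shared-secret>
!
! ---------- Remote-office ASA (outside 109.66.25.80, LAN 10.2.0.0/24) ----------
! Step 2: mirror of the crypto ACL, again including the VPN pool
access-list L2L_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L_MAIN extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
!
! Step 4: NAT exemption from the remote LAN towards the main LAN and the VPN pool
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Step 3: allow the inside interface address to be managed through the tunnel
management-access inside
!
! Step 5: accept SSH/ASDM on inside only from VPN client addresses
ssh 10.3.0.0 255.255.255.0 inside
http server enable
http 10.3.0.0 255.255.255.0 inside
!
! IKE/IPsec mirror of the main site, peering back to 198.51.100.10
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_MAIN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP_AES_SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <shared-secret>
!
! Check from either side after sending traffic across the tunnel:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

The crypto ACLs must be exact mirrors of each other (including the VPN pool entry), and the same pre-shared key goes on both tunnel-groups. Once `show crypto ipsec sa` shows packets encrypted and decrypted in both directions, a VPN client in 10.3.0.0/24 can SSH or ASDM to the remote ASA's inside address, and the management lines on the outside interface can be removed.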
04-07-2010 06:56 PM
Halijenn,
Thank you very much for taking the time to help me out. I appreciate your assistance very much.
Laura