Management Port

laurabolda (Level 1)

We have an ASA 5510 at the remote office. There is no Network Administrator at this location. The Network Administrator from the main office logs in to the Cisco VPN client to do the administration on the ASA. What IP address would you assign to the Management port of the ASA? Would you leave it at the default 192.168.1.1?

Thanks.

Laura


6 Replies

Jennifer Halim (Cisco Employee)

Assuming there is a LAN-to-LAN VPN tunnel between the remote site and HQ, you can manage it using the inside IP address of the remote ASA.

When you VPN Client to your main office, are you able to access your remote LAN? If you can't, then you would need to configure a few things regarding the VPN itself:

1) Split tunnel for the VPN Client needs to include the remote LAN subnet

2) Crypto ACL for the LAN-to-LAN tunnel between main and remote office needs to include the VPN client pool subnet as interesting traffic, i.e.:

On main site: access-list permit ip

On remote site: access-list permit ip

3) On the remote site: management-access inside --> so you can manage the inside interface through the VPN tunnel

4) On the remote site: NAT exemption needs to include traffic from the remote LAN towards the VPN IP pool subnet.

5) On the remote site: whether you are managing through SSH or ASDM, you would need to include "ssh inside" and/or "http inside"

6) On the main site: same-security-traffic permit intra-interface --> to allow traffic from the VPN client to U-turn towards the LAN-to-LAN tunnel to the remote site.

Hope that helps.
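
The six steps above written out as an ASA configuration fragment, added here as an illustration (not part of the original reply), assuming HQ LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, a VPN client pool of 10.3.0.0/24, interfaces named inside/outside, and pre-8.3 NAT syntax; ACL and group-policy names are placeholders.

```cisco
! ---- Main-site ASA (assumed addressing: HQ LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, VPN pool 10.3.0.0/24) ----
! Step 1: the split-tunnel list handed to the VPN client must include the remote LAN
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
! Step 2: crypto ACL for the L2L tunnel must also carry VPN-pool -> remote-LAN as interesting traffic
access-list L2L-TO-REMOTE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L-TO-REMOTE extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! Step 6: let VPN-client traffic that arrived on outside leave on outside again (U-turn into the L2L tunnel)
same-security-traffic permit intra-interface

! ---- Remote-site ASA ----
! Step 2: mirror image of the main-site crypto ACL
access-list L2L-TO-MAIN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L-TO-MAIN extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
! Step 3: allow the inside interface address to be reached through the tunnel
management-access inside
! Step 4: NAT exemption (pre-8.3 syntax assumed) for remote LAN -> HQ LAN and remote LAN -> VPN pool
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Step 5: SSH and ASDM on the inside interface, limited to the VPN client pool rather than any source
ssh 10.3.0.0 255.255.255.0 inside
http server enable
http 10.3.0.0 255.255.255.0 inside
```

The crypto map and tunnel-group entries that bind L2L-TO-REMOTE / L2L-TO-MAIN to the peers are the standard LAN-to-LAN setup and are left out here; the source ranges on the ssh/http lines are what keep management from being open to every host that can reach the interface.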

Halijenn,

Thanks so much for your prompt response and the info.  I will go back to check each item.  Can you do me a favor?  Attached is the config file.  What IP address would you use for the Management port?

Thanks.

Laura

Based on the configuration of the remote ASA, the simplest way to manage the remote ASA from your main site is through its outside IP address.

Currently you do not have a VPN tunnel configured yet between the 2 sites.

So I would manage the remote ASA via its outside IP address: 109.66.25.80

On the remote ASA, you can restrict the SSH or HTTP access to only be accessible/managed from your main site public IP address (PAT) as follows:

ssh Outside

http Outside

Halijenn,

Your instructions work. I was able to manage the ASA from the main office. Is it OK to remove these statements since I have set up SSH and HTTP using the IP address of the outside interface?

dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management

You mentioned site-to-site VPN. Would you recommend site-to-site VPN for ease of administration in my case? If so, how would you set one up?

Thanks.

Laura

Great to hear. Yes, you can remove all the "dhcpd" configuration on the remote site.

Here is a sample configuration for a LAN-to-LAN tunnel:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

The configuration is a lot more complex and it has to be done on both ASAs as per the above sample config.

Halijenn,

Thank you very much for taking time to help me out. I appreciate your assistance very much.

Laura
