ASA 5510 with an SSM-10

Answered Question
Feb 5th, 2012

Hello folks

Brand new user.  I just received my hardware and I'm attempting to set it up.  No problems with setting up the 5510 so far.  I used eth 0/0 for Outside and eth 0/3 for inside.  Everything works as far as I can tell.  Now I'm trying to set up the SSM-10 and I'm running into a problem with the IP address on the ASA management port and the SSM-10 management port.

I used the ASDM to run the setup wizard for the SSM-10 and it appeared that the setup wizard completed normally.  I received the messages at the end of the setup wizard and they all said OK, but now when I attempt to get to the SSM-10 from the ASDM I get a message saying the management port on the SSM-10 is unreachable.  I assume this is because the PC I'm running ASDM on is connected to the 5510 Management port 0/0 with IP address 192.168.1.1 and the SSM-10 management port is connected to my network with IP address 10.1.1.4.  Obviously I would need a route to get from 192.168.1.1 to 10.1.1.4 but I have no idea where I should create that route.

I read someplace that if you set up the management port for "Manage Only" then all traffic stops at the management port and is not passed anyplace else. I'm not certain I know exactly what that means, but it's a good bet I've got something set up wrong.

Okay... I took the long way around but my question is... how can I get ASDM to talk to SSM-10 when they are on two different subnets and the system will not allow me to set them up on the same subnet?

Thanks for listening.

jyothydas Sun, 02/05/2012 - 21:43
  • What's the IP of the ASA and the SSM?
  • What is the gateway for SSM ? Firewall's? If not make it so.
  • Try CLI mode to test access of SSM.
smsbconsulting Sun, 02/05/2012 - 22:28

internal ip of ASA 5510 is 10.1.1.1/24

ip of ASA management port (configured "manage only") is 192.168.1.1/24

ip of the SSM-10 management port is 10.1.1.4/24

Gateway of SSM is 10.1.1.1

Firewall is active and enabled.  Source any... destination any, on both the external and internal interfaces.

DHCP is enabled on the internal port and a 4-port switch is connected.  Any PC connected to the switch has Internet access, so we know everything is working right through the ASA 5510.  However, when I connect a PC to the Management port on the ASA 5510 and run ASDM, I cannot access the SSM-10, even though I used the ASDM in this exact configuration to run the initial setup wizard on the SSM-10.

I've never used the CLI and wouldn't know where to start.

smsbconsulting Mon, 02/06/2012 - 07:47

Hello again

Any more takers?  What am I missing?

I realize it must be something simple but I just don't see it.  I assume the SSM-10 acts like a separate device, so I'll need to tell ASDM how to connect to it, but being totally new to Cisco ASDM I am at a standstill.

Can anyone give me a hypothetical example? 

Something like...

assign the management port on the SSM-10 an IP address of xx.xx.xx.xx

assign the management port on the ASA5510 an IP address of yy.yy.yy.yy

set the port parameters as follows.  (sample port settings)

create a route from xx.xx.xx.xx to yy.yy.yy.yy

done.

Thanks

mayrojas Mon, 02/06/2012 - 08:04

Hi Edward,

This is Mike. Basically the main idea of the management interfaces on Cisco gear is to provide out-of-band management, meaning having a totally separate network just for management. The fact that you are sitting on the inside and the AIP module has an IP address on another subnet complicates things a little bit.

I would suggest you put an IP address on the AIP module of 10.something and put the default gateway as the inside of the ASA.

Remember that the port on the IPS will need to be connected to the same inside switch so you can reach it from your computer.

If you have any questions let me know.

Mike

smsbconsulting Mon, 02/06/2012 - 09:51

Hi Mike

Thank you for your response.

I'm afraid I don't know how to change the IP address of the SSM-10.  Apparently I was able to set it during the initial setup via ASDM, but I can no longer access the SSM-10 from ASDM, so I can't change anything on the SSM-10.

I was able to connect directly to the SSM-10 using the web interface, but it doesn't allow me to change the IP address of the SSM-10.

I tried to telnet into the SSM-10 (port 23) but I could not make the connection.  Perhaps the telnet port isn't 23.

I assume I'll need to reset the IP address using the CLI, but I have no clue how to do that.

I hope you'll be able to guide me as to the exact procedure for changing the IP address.  Can I assume that both the management port on the ASA5510 and the management port on the SSM-10 must be on the same subnet?  If so, then that is where I made my mistake, and fixing the SSM-10 IP address will probably fix my problem.

Thanks for your help

Ed

mayrojas Mon, 02/06/2012 - 10:01

Changing the IP address is not that hard.

You can do session 1 to the module; on the ASA CLI do the following:

session 1

Put your username and password then,

sensor#config t

sensor(config)# service host

sensor(config-host) network-settings 

sensor(config-hos-net) host-ip x.x.x.x/24,gateway (i.e. host-ip 10.1.1.254/24,10.1.1.1)

Let me know how it goes.

Mike

smsbconsulting Mon, 02/06/2012 - 10:33

Thanks for your response.

I can't establish a telnet session.  Is it possible that the telnet port on the SSM-10 is disabled?  If so, how do I enable it?

I'm trying to connect via telnet port 23 but nothing happens... no connection.

I can connect using the web interface by directing a web browser to the following address https://10.1.1.3:8443 but when I try to telnet using the same PC, telnet does not connect.

Am I using the wrong port for telnet into the SSM-10?

Please forward the exact entries I would need to make on a Windows XP machine to open a telnet session directly to the SSM-10 with the IP address 10.1.1.3, because what I am doing is simply not connecting.

Thanks again for your help

Correct Answer
mayrojas Mon, 02/06/2012 - 10:41

Edward,

You don't have to telnet to the SSM; what I meant was to session 1 to it from the ASA.

Go to the ASA command line and then do the same steps I put above:

1- ciscoasa#session 1

2- It will ask you for username and password; those are the ones from the module.

3- You will be logged in to the AIP.

4- sensor#config t

5- sensor(config)# service host

6- sensor(config-host) network-settings

7- sensor(config-hos-net) host-ip x.x.x.x/24,gateway (i.e. host-ip 10.1.1.254/24,10.1.1.1)

8- Then exit until it goes to the enable prompt, save the changes, and that will be it.

Mike

smsbconsulting Mon, 02/06/2012 - 13:53

Mike

I understand what you want me to do, but unfortunately I have no idea how to get to an ASA command line.  I have never used the Cisco CLI; I have only used the GUI, and at that I have exactly 2 days' experience with the GUI.

I appreciate your patience, but could you kindly tell me how to get to an ASA command line.

Thanks

Ed

mayrojas Mon, 02/06/2012 - 14:19

Ohhh,

I thought you did not know how to get to the IPS. Ok, no worries, here. On the ASDM go ahead and select Tools-->Command Line.

There on single line put the following:

telnet 0 0 inside

Click on send

username cisco password cisco privilege 15

Click on send

aaa authentication telnet console LOCAL

Click on send

On your computer that is located on the inside, go ahead and telnet to the inside IP address.

Put the username and password.

It will enter user view, which is something like this:

ciscoasa>

Enter the command enable; it should ask you for the enable password. If you haven't changed it, just hit enter; if enter doesn't work then put cisco.

If neither enter nor cisco works, do the following:

ciscoasa>login

It will ask you for username and password; put cisco and cisco as password. It should take you to

ciscoasa#

Then from there do the steps above:

session 1

Enter the username and password for your IPS

sensor#config t

sensor(config)# service host

sensor(config-host) network-settings 

sensor(config-hos-net) host-ip x.x.x.x/24,gateway (i.e. host-ip 10.1.1.254/24,10.1.1.1)

Let me know how it goes.

Mike
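The procedure Mike lays out above, written out end to end as an added example; it is not from the thread and not Cisco's documentation. It keeps the thread's interface names (inside 10.1.1.1/24, management 192.168.1.1/24, outside named Internet), assumes the module sits in slot 1 and that 10.1.1.254 is an unused inside address, and adds the step a practitioner would take once the module is reachable: replacing the "telnet from anywhere with cisco/cisco" access the thread uses to get going with SSHv2 from the inside subnet only and a named account (password placeholder is an assumption to fill in). The IPS prompts are the ones the sensor actually prints (config-hos, config-hos-net); the access-list line on the sensor restricts which stations may manage it.

```cisco
! --- On the ASA (ASDM Tools > Command Line Interface, or a console) ---
! Added example, not from the thread. Interface names follow the thread:
! "inside" 10.1.1.1/24, "management" 192.168.1.1/24, "Internet" = outside.
!
! Temporary bootstrap exactly as the thread does it: cleartext telnet from
! any inside host, default local account. Enough to reach the CLI once.
telnet 0.0.0.0 0.0.0.0 inside
username cisco password cisco privilege 15
aaa authentication telnet console LOCAL
!
! Replacement once you are in: SSHv2, inside subnet only, your own account.
! hostname/domain-name are required before an RSA key can be generated.
hostname ciscoasa
domain-name example.local
crypto key generate rsa modulus 2048
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
username admin password <choose-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
no telnet 0.0.0.0 0.0.0.0 inside
!
! --- Into the AIP-SSM (slot 1) from the ASA enable prompt ---
ciscoasa# session 1
! log in with the module's own username/password, then:
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! host-ip <address>/<prefix>,<gateway>: put the sensor's management
! address on the inside subnet (10.1.1.254 assumed free) with the ASA
! inside address as its gateway, so ASDM on the inside can reach it.
sensor(config-hos-net)# host-ip 10.1.1.254/24,10.1.1.1
! only management stations on the inside subnet may connect to the sensor
sensor(config-hos-net)# access-list 10.1.1.0/24
! keep telnet off on the sensor; ASDM/IDM use HTTPS
sensor(config-hos-net)# telnet-option disabled
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! persist the sensor configuration
sensor# copy current-config backup-config
```

After the module's address changes, ASDM has to be pointed at the new sensor address (10.1.1.254 here) before it can open the IPS pane again.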

smsbconsulting Mon, 02/06/2012 - 16:58

Mike

So sorry... I never thought to look in tools.  Now I see how to get to a command line.  Thanks.

Since my last post I've consistently made things worse and finally decided to reset to factory defaults.  I then re-entered my configuration and got back to where I had been, with one major difference.  I can no longer access the Internet from the internal network.

When I originally did the setup I selected the External interface to get its IP address from DHCP.  I also checked the box that said to get the default routes from DHCP.  With that configuration I was able to access the Internet from the internal network.  After I reset to factory defaults I configured the external interface for a static IP address, and the option to get the default routes from DHCP was grayed out.  I guess I need a default static route added to the static route table, but I'm just guessing.  All I know for sure is that before, when I was using DHCP on the external interface, I had no problem accessing the Internet, and now that I'm using a static IP address for the external interface I can't reach the Internet.

Thanks for all your help.

Ed

mayrojas Mon, 02/06/2012 - 17:14

Ed,

No worries. Can you roll back to DHCP and check what default gateway you get? Then, if you want to run with a static IP, you can configure it manually and create the default gateway entry.

Let me know

Mike

smsbconsulting Mon, 02/06/2012 - 18:44

Mike

I rolled back to DHCP for the external interface and my Internet access is working.

However, I can't find anything that is called "default gateway" in the ASDM.  Where would that be?  Like I said earlier, there is a check box labeled "get default routes from DHCP" and I check it when I use DHCP for the external interface.  Could this be what you mean by default gateway?

When I look under Monitoring>Routing>Routes I see an entry named "Default" under the heading "Type", and under the "Interface" heading on the same line it says 0.0.0.0.0.0.0.0[1/0] followed by the IP address of my external interface.  I assume that means the system automatically created a default route for my external interface.  Could this be my problem when I try using a static IP on the external interface?  Do I need to create a default route for that interface of all zeroes?

One step forward...two steps back.

Ed

mayrojas Mon, 02/06/2012 - 18:58

If you go into Tools, Command Line Interface again and do a show route, you should be able to see the next hop for the default route. It should show something like

s 0.0.0.0 0.0.0.0

That IP address is the one for your next hop to get out to the Internet. Since it is working now, I don't see a reason to change it back.

Now, enable telnet as recommended previously, enter session 1, and change the IP address of the module so you can reach it from the inside network along with the ASDM.

Mike

smsbconsulting Mon, 02/06/2012 - 19:28

Mike

Ok... I see it.  It shows 0.0.0.0.0.0.0.0[1/0] via xx.xx.xx.xx (my external IP address)

It also showed the same thing in the ASDM under Monitor>Routes>Route.

The reason I can't use DHCP on the external is because in the production environment the ASA5510 connects to an upstream router that doesn't provide DHCP.  I'm working in the test environment at the moment and it does provide DHCP.

I should be able to make it work now with all the information you have provided.

I'll let you know and thanks again.

Ed

smsbconsulting Tue, 02/07/2012 - 06:32

Hello Mike

I changed back to DHCP (but I can't run that way in production) and ran a show route command.

Here is what it listed:  (note: Internet access works in this configuration)

Gateway of last resort is gateway to network 0.0.0.0

c    xx.xx.xx.xx 255.255.255.248 is directly connected, Internet

c    192.168.1.1 255.255.255.0 is directly connected, management

s    0.0.0.0 255.255.255.255 [1/0] via gateway, Internet

d*   0.0.0.0.0.0.0.0 [1/0] via gateway, Internet

After I change the external interface to a static IP, the "show route" looks like the following:

Gateway of last resort is not set.

c    xx.xx.xx.xx 255.255.255.248 is directly connected, Internet

c    192.168.1.1 255.255.255.0 is directly connected, management

s    0.0.0.0. 255.255.255.255 [1/0] via gateway, Internet

the d* is missing.

If I could find a single entry in the help text (or online) that describes how to set the "Gateway of Last Resort" I think my problem would be solved, but for some inexplicable reason Cisco decided to use the term "Gateway of Last Resort" in their show route command but neglected to use the same term in their help text, which makes it rather hard to find in the help text tome.

How do I set the Gateway of Last Resort? And please be painfully specific... I'm a total noob when it comes to anything Cisco.

Thanks

Ed

Correct Answer
mayrojas Tue, 02/07/2012 - 06:38

No worries,

The mask of the address 0.0.0.0 should also be 0.0.0.0, so the star appears and the default gateway starts working.

Mike
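The difference Mike points to, spelled out as an added example that is not from the thread: the static configuration had produced a /32 host route to the address 0.0.0.0 (mask 255.255.255.255), which matches no destination, so show route reports no gateway of last resort. A default route needs both network and mask to be 0.0.0.0. The outside interface name Internet comes from the thread's show route output; <next-hop> is a placeholder for the upstream router's address (the one the DHCP-learned route showed after "via"), and the show route lines are the expected form of the output, not a capture.

```cisco
! Added example, not from the thread. "Internet" is the thread's outside
! interface name; <next-hop> is the upstream router, an assumed placeholder.
!
! What the static setup left behind: a host route to 0.0.0.0/32. It never
! matches, hence "Gateway of last resort is not set" and no d*/S* entry.
route Internet 0.0.0.0 255.255.255.255 <next-hop> 1
!
! Fix: remove the host route and add the real default route (network
! 0.0.0.0, mask 0.0.0.0, metric 1). "route Internet 0 0 <next-hop> 1" is
! the same command in the shorthand the ASA accepts.
no route Internet 0.0.0.0 255.255.255.255 <next-hop> 1
route Internet 0.0.0.0 0.0.0.0 <next-hop> 1
!
! Verify: the default entry is now starred and the gateway of last resort
! names the next hop (expected form of the output, not a capture):
show route
!   Gateway of last resort is <next-hop> to network 0.0.0.0
!   S*   0.0.0.0 0.0.0.0 [1/0] via <next-hop>, Internet
!
! Save so the route survives a reload.
write memory
```

The next hop must be an address on the Internet interface's own subnet; pointing the route at the ASA's own outside address is not a valid next hop.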

smsbconsulting Tue, 02/07/2012 - 08:09

Mike

I got it working by entering the following on the command line: route internet 0 0 (external interface ip) 1

That command created the static route 0.0.0.0.0.0.0.0 [1/0] via Gateway, Internet

Internet access is now working fine when the external interface is configured with a static IP.

Thanks for all your help... I couldn't have done it without you.

Ed

Posted February 5, 2012 at 9:22 PM