ASA 5510 with a SSM-10

Edward Luna

Hello folks

Brand new user.  I just received my hardware and I'm attempting to set it up.  No problems with setting up the 5510 so far.  I used eth 0/0 for Outside and eth 0/3 for inside.  Everything works as far as I can tell.  Now I'm trying to set up the SSM-10 and I'm running into a problem with the ip address on the ASA management port and the SSM-10 management port.

I used the ASDM to run the setup wizard for the SSM-10 and it appeared that the setup wizard completed normally, I received the messages at the end of the setup wizard and they all said OK, but now when I attempt to get to the SSM-10 from the ASDM I get a message saying the management port on the SSM-10 is unreachable.  I assume this is because the PC I'm running ASDM on is connected to the 5510 Management port 0/0 with ip address 192.168.1.1 and the SSM-10 management port is connected to my network with ip address 10.1.1.4.  Obviously I would need a route to get from 192.168.1.1 to 10.1.1.4 but I have no idea where I should create that route.

I read someplace that if you setup the management port for "Manage Only" that all traffic stops at the management port and is not passed anyplace else. I'm not certain I know exactly what that means but it's a good bet I've got something setup wrong.

Okay... I took the long way around but my question is... how can I get ASDM to talk to SSM-10 when they are on two different subnets and the system will not allow me to set them up on the same subnet?

Thanks for listening.

Accepted Solutions

No worries,

The mask of the Address 0.0.0.0 should also be 0.0.0.0 so the star appears and the default gateway starts working.

Mike

Mike


19 Replies

jyothydas
  • What's the IP of ASA and SSM?
  • What is the gateway for SSM? Firewall's? If not, make it so.
  • Try CLI mode to test access of SSM.

internal ip of ASA 5510 is 10.1.1.1/24

ip of ASA management port (configured "manage only") is 192.168.1.1/24

ip of the SSM-10 management port is 10.1.1.4/24

Gateway of SSM is 10.1.1.1

Firewall is active and enabled.  Source any... destination any, on both the external and internal interfaces.

DHCP is enabled on internal port and a 4 port switch is connected.  Any PC connected to the switch has Internet access so we know everything is working right through the ASA 5510.  However, when I connect a PC to the Management port on the ASA 5510 and run ASDM, I cannot access the SSM-10 even though I used the ASDM in this exact configuration to run the initial setup wizard on the SSM-10.

I've never used cli and wouldn't know where to start.

Hello again

Any more takers?  What am I missing?

I realize it must be something simple but I just don't see it.  I assume the SSM-10 acts like a separate device so I'll need to tell ASDM how to connect to it but being totally new to Cisco ASDM I am at a standstill.

Can anyone give me a hypothetical example? 

Something like...

assign the management port on the SSM-10 an ip address of xx.xx.xx.xx

assign the management port on the ASA5510 an ip address of yy.yy.yy.yy

set the port parameters as follows.  (sample port settings)

create a route from xx.xx.xx.xx to yy.yy.yy.yy

done.

Thanks

Hi Edward,

This is Mike. Basically the main idea of the management interfaces on Cisco gear is to provide out-of-band management, meaning having a totally separate network just for management. The fact that you are sitting on the inside and the AIP module has an IP address on another subnet complicates things a little bit.

I would suggest you put an IP address on the AIP module of 10 something and put the default gateway as the inside of the ASA.

Remember that the port on the IPS will need to be connected on the same inside switch so you can reach it from your computer.

If you have any questions let me know.

Mike

Mike

Hi Mike

Thank you for your response.

I'm afraid I don't know how to change the IP address of the SSM-10.  Apparently I was able to set it during the initial setup via ASDM but I can no longer access the SSM-10 from ASDM so I can't change anything on the SSM-10.

I was able to connect directly to the SSM-10 using the web interface but it doesn't allow me to change the ip address of the ssm-10.

I tried to telnet into the ssm-10 (port 23) but I could not make the connection.  Perhaps the telnet port isn't 23.

I assume I'll need to reset the ip address using the CLI but I have no clue how to do that.

I hope you'll be able to guide me as to the exact procedure for changing the ip address.  Can I assume that both the management port on the ASA5510 and the management port on the SSM-10 must be on the same subnet?  If so, then that is where I made my mistake and fixing the ssm-10 ip address will probably fix my problem.

Thanks for your help

Ed

Changing the IP address is not that hard.

You can do session 1 to the module; on the ASA CLI do the following:

session 1

Put your username and password then,

sensor# config t

sensor(config)# service host

sensor(config-hos)# network-settings

sensor(config-hos-net)# host-ip x.x.x.x/24, (i.e. host-ip 10.1.1.254/24,10.1.1.1)

Let me know how it goes.

Mike

Mike

Thanks for your response.

I can't establish a telnet session.  Is it possible that the telnet port on the SSM-10 is disabled?    If so, how do I enable it?

I'm trying to connect via telnet port 23 but nothing happens... no connection.

I can connect using the web interface by directing a web browser to the following address https://10.1.1.3:8443  but when I try to telnet using the same PC, telnet does not connect.

Am I using the wrong port for telnet into the SSM-10?

Please forward the exact entries I would need to make on a Windows XP machine to open a telnet session directly to the SSM-10 with the ip address 10.1.1.3 because what I am doing is simply not connecting.

Thanks again for your help

Edward,

You don't have to telnet to the SSM, what I meant was to session 1 to it from the ASA.

Go to the ASA command line and then do the same steps I put above:

1- ciscoasa# session 1

2- It will ask you for username and password, those are the ones from the module:

3- You will be logged to the AIP

4- sensor# config t

5- sensor(config)# service host

6- sensor(config-hos)# network-settings

7- sensor(config-hos-net)# host-ip x.x.x.x/24, (i.e. host-ip 10.1.1.254/24,10.1.1.1)

8-then exit until it goes to the enable prompt, save the changes and that will be it.

Mike

Mike
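The host-ip value in the steps above has the form address/prefix,gateway. The following is an added example, not part of the original thread, that parses that form and checks it against a management workstation's address; the function names are hypothetical, and the workstation addresses 192.168.1.2 and 10.1.1.50 are constructed, while the sensor and gateway addresses are the ones posted in the thread.

```python
import ipaddress

def parse_host_ip(value):
    """Split 'ADDRESS/PREFIX,GATEWAY' into an interface and a gateway address."""
    addr_part, sep, gw_part = value.strip().partition(",")
    if not sep or not gw_part.strip():
        raise ValueError("expected ADDRESS/PREFIX,GATEWAY")
    iface = ipaddress.ip_interface(addr_part.strip())
    gateway = ipaddress.ip_address(gw_part.strip())
    return iface, gateway

def check_host_ip(value, client_ip):
    """Return a list of problems; an empty list means the client is on-link."""
    iface, gateway = parse_host_ip(value)
    net = iface.network
    client = ipaddress.ip_address(client_ip)
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("sensor address is the network or broadcast address")
    if gateway == iface.ip:
        problems.append("gateway equals the sensor address")
    if gateway not in net:
        problems.append(f"gateway {gateway} is not on the sensor subnet {net}")
    if client not in net:
        # Replies from the sensor leave through its gateway, so that device
        # must be able to route between the two subnets.
        problems.append(
            f"client {client} is outside {net}: traffic must be routed via {gateway}"
        )
    return problems

if __name__ == "__main__":
    sensor = "10.1.1.4/24,10.1.1.1"             # values posted in the thread
    for pc in ("192.168.1.2", "10.1.1.50"):      # constructed workstation addresses
        print(pc, check_host_ip(sensor, pc) or "on-link, no routing needed")
```
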

Mike

I understand what you want me to do but unfortunately I have no idea how to get to an ASA command line.  I have never used the Cisco CLI; I have only used the GUI and at that I have exactly 2 days experience with the GUI.

I appreciate your patience but could you kindly tell me how to get to an ASA command line?

Thanks

Ed

Ohhh,

I thought you did not know how to get to the IPS. Ok, no worries, here. On the ASDM go ahead and select tools-->command line

There on single line put the following:

telnet 0 0 inside

Click on send

username cisco password cisco privilege 15

Click on send

aaa authentication telnet console LOCAL

Click on send

On your computer that is located on the inside, go ahead and telnet to the inside IP address

Put the username and password

It will enter to user view, which is something like this:

ciscoasa>

Enter the command enable, it should ask you for the enable password, if you haven't changed it, just hit enter, if enter doesn't work then put cisco.

If neither enter nor Cisco work, do the following:

ciscoasa> login

It will ask you for username and password, put cisco and cisco as password, it should take you to

ciscoasa#

Then from there it will be doing the steps above,

Session 1

Enter the username and password for your IPS

sensor# config t

sensor(config)# service host

sensor(config-hos)# network-settings

sensor(config-hos-net)# host-ip x.x.x.x/24, (i.e. host-ip 10.1.1.254/24,10.1.1.1)

Let me know how it goes.

Mike

Mike
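A check a reviewer could run over management-access commands like the ones in the post above before they are sent to the firewall. This is an added example, not part of the original thread; the function name and finding labels are hypothetical, and the sample input is the three commands quoted in the post plus one constructed ssh line for contrast.

```python
import ipaddress

ACCESS_CMDS = {"telnet", "ssh", "http"}  # ASA management-access commands

def _net(addr, mask):
    # The ASA CLI accepts 0 as shorthand for 0.0.0.0, as in "telnet 0 0 inside".
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_mgmt_commands(lines):
    """Return (line number, finding) pairs for weak management-plane settings."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        tok = raw.split()
        if len(tok) == 4 and tok[0] in ACCESS_CMDS:
            try:
                net = _net(tok[1], tok[2])
            except ValueError:
                continue  # not the "<proto> <address> <mask> <interface>" form
            if tok[0] == "telnet":
                findings.append((lineno, "cleartext-telnet"))
            if net.prefixlen == 0:
                findings.append((lineno, "any-source"))
        elif len(tok) >= 4 and tok[0] == "username" and tok[2] == "password":
            if tok[1].lower() == tok[3].lower():
                findings.append((lineno, "password-equals-username"))
    return findings

SAMPLE = [
    "telnet 0 0 inside",                           # from the post
    "username cisco password cisco privilege 15",  # from the post
    "aaa authentication telnet console LOCAL",     # from the post
    "ssh 10.1.1.0 255.255.255.0 inside",           # constructed for contrast
]

if __name__ == "__main__":
    for lineno, finding in audit_mgmt_commands(SAMPLE):
        print(f"line {lineno}: {finding}: {SAMPLE[lineno - 1]}")
```
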

Mike

So sorry... I never thought to look in tools.  Now I see how to get to a command line.  Thanks.

Since my last post I've consistently made things worse and finally decided to reset to factory defaults.  I then reentered my configuration and got back to where I had been with one major difference.  I can no longer access the Internet from the internal network.

When I originally did the setup I selected the External interface to get its IP address from DHCP.  I also checked the box that said to get the default routes from DHCP.  With that configuration I was able to access the Internet from the internal network.  After I reset to factory defaults I configured the external interface for a static IP address and the option to get the default routes from DHCP was grayed out.  I guess I need a default static route added to the static route table but I'm just guessing.  All I know for sure is before, when I was using DHCP on the external interface I had no problem accessing the internet and now that I'm using a static IP address for the external interface I can't reach the Internet.

Thanks for all your help.

Ed

Ed,

No worries. Can you roll back to DHCP and check what default gateway you get? Then if you want to run with a static IP you can configure it manually and create the default gateway entry.

Let me know

Mike

Mike

Mike

I rolled back to DHCP for the external interface and my Internet access is working.

However, I can't find anything that is called "default gateway" in the ASDM.  Where would that be?  Like I said earlier... there is a check box labeled "get default routes from DHCP" and I check it when I use DHCP for the external interface.  Could this be what you mean by default gateway?

When I look under Monitoring>Routing>routes I see an entry named "Default" under the heading of "Type" and under the "interface" heading on the same line it says  0.0.0.0.0.0.0.0[1/0] followed by the ip address of my external interface.  I assume that means that the system automatically created a default route for my external interface.  Could this be my problem when I try using a static IP on the external interface, do I need to create a default route for that interface of all zeroes?

One step forward...two steps back.

Ed

If you Go into tools, command line interface again and do a show route, you should be able to see the next hop for the default route, it should show something like

s 0.0.0.0 0.0.0.0

That IP address is the one for your next hop to get out to the internet. Since it is working now, I don't see a reason to change it back.

Now, enable telnet as recommended previously and enter to session 1 and change the IP address of the module so you can reach it from the inside network along with the ASDM.

Mike

Mike