Question about ASDM through VPN

Answered Question
May 21st, 2012

Hello again

I configured ASA 5510 management through the inside interface.  When I am in the office connected to the LAN I have no problem running ASDM.  However, when I'm outside the office and I connect through the Cisco SSL VPN Service I can't manage the ASA5510 even though I can access all the shared resources on the network.

When I attempt to run ASDM when connected via VPN I get the error message..  "Unable to launch device manager from x.x.x.x"  (inside address of the ASA5510).

How dangerous would it be if I just activated management via the Outside interface?

Ed

Correct Answer by Julio Carvaja about 1 year 11 months ago

Hello Edward,

Please change the pool to a different subnet than the ASA interface... That will make the ASA a little crazy regarding communications between the local pool and the local subnet.

Can you add the following command as well

management-access inside

Regards,

Do rate all the helpful posts

Julio

rizwanr74 Mon, 05/21/2012 - 13:10

Hi Edward,

Have you tried the config below? I assume your remote VPN client pool is 10.10.10.0/24; you may change it to reflect your pool.

http server enable

http 10.10.10.0 255.255.255.0 outside

"How dangerous would it be if I just activated management via the Outside interface?"

It is dangerous to enable it over a public address; however, the above config is set for a private address, which must come from the VPN client session.

I hope that answers your question.

thanks

Rizwan Rafeek

smsbconsulting Mon, 05/21/2012 - 14:21

Thank you for your quick response.

My remote vpn address pool is 10.1.1.100 to 10.1.1.120    

I added the commands you suggested (changed for my pool) but I still get the same error when I try to run ASDM via VPN.

I ran ipconfig on the client after the VPN was established and ipconfig indicates that the IP address of the client computer is 10.1.1.100 .  When I connect directly to the LAN (no VPN) the ip address of the client is 10.1.1.x and I have no problem running ASDM and connecting to 10.1.1.1 but when I open the VPN and get an IP address of 10.1.1.100 I can no longer run ASDM from 10.1.1.1.

There must be something in the VPN preventing the ASDM application from running.  Is there someplace in AnyConnect VPN where I can tell it to allow ASDM?

smsbconsulting Mon, 05/21/2012 - 14:34

Am I correct in assuming that the client computer once connected to the Cisco VPN is using a 10.1.1.x IP address but is connected to the outside interface of the ASA5510?  If so then I suppose the ASA needs some way of knowing which direction the packets should be flowing.  In which case, using 10.1.1.x VPN addresses would be in conflict with the 10.1.1.x internal ip addresses.

Should I change the VPN address pool to use ip addresses that belong to a different subnet than the inside ip address pool?  Maybe something like 10.10.10.0/24 for the VPN address pool like you had originally indicated?

The more I think of it the more I'm becoming convinced that it must have been a mistake to make the VPN address pool and the internal address pool the same subnet.

I'll go change it and let you know what happens.

smsbconsulting Mon, 05/21/2012 - 15:36

I changed the VPN address pool and it didn't make any difference.

1.  Can I/should I use addresses from the inside subnet for the VPN address pool?

2.  When I changed the VPN address pool to 10.10.10.0/24 and opened the VPN I was assigned address 10.10.10.1 but I was also assigned a default gateway of 10.10.10.2.  I would not have expected to be assigned a default gateway for a VPN connection.

I can ping 10.10.10.1 from the client... basically it's pinging itself... but I can't ping the default gateway that was assigned to my client.  Not much use for a default gateway that you can't ping.  Do you know where that default gateway is coming from?


rizwanr74 Mon, 05/21/2012 - 17:29

Hi Edward,

Please try this and let me know if this helps.

management-access inside

"Do you know where that default gateway is coming from?" From the ASA.

If you have not enabled split-tunnel, VPN clients will be injected with a default gateway.

smsbconsulting Tue, 05/22/2012 - 14:31

I apologize for being so dense but I just don't understand the answers I'm getting.  I'm certain it is 100% my fault but I must understand the answers before I can implement them.

I don't use the CLI, I use the GUI.  Regardless of which way I get the commands in the result should be the same.

Maybe if we can just clear-up my misunderstandings one at a time we might get this thing to work.

Here are some givens...

My inside address pool is 10.1.1.1 thru 10.1.1.254

The inside address of the ASA is 10.1.1.1

My VPN address pool is 10.1.1.120 thru 10.1.1.129 mask 255.255.255.0

In the GUI Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH entry screen I have

Type = ASDM/HTTPS

Interface = Internal (inside)

IP address = 10.1.1.0 mask 255.255.255.0

Note: According to what I have read, the IP address entered in the GUI is either the host IP that is allowed to access the ASDM via the Internal interface or it is an entire network.  However, if I enter any IP address with a value greater than zero in the 4th octet, I cannot use mask 255.255.255.0; it gives me a network address error (makes sense).  So for now I have left the allowed hosts as any host on the internal network by entering IP 10.1.1.0 mask 255.255.255.0.

I know that the internal interface is enabled for ASDM because I can access it when I am connected to the LAN.  The only time I can't access it is when I am connected via the VPN (AnyConnect).  Perhaps I have a VPN issue rather than a remote administration of ASDM issue, but the AnyConnect client says I am connected and I can see packets transferring both ways.

smsbconsulting Tue, 05/22/2012 - 15:34

I think we've made some progress. 

I changed the VPN address pool to 192.168.1.0/24... I left the inside address pool as it was 10.1.1.0/24

I then applied the new address pool to the VPN connection profile in the GUI.

I then ran the command management-access internal (inside)

I then ran the command write memory.

After I did that I opened a VPN session and attempted to run ASDM.  The first screen came up as usual asking for Device IP address/Name

I selected the internal ip address 10.1.1.1 and clicked OK

After clicking OK is where I always get the message Unable to launch device manager from 10.1.1.1 when I'm connected via VPN but this time I didn't get the error... I got the Security warning screen saying the certificate is invalid and do I wish to continue.  This is normal behavior and is exactly what I get when I'm connected directly to the LAN and not the VPN.

I click Yes to continue and then I get the error Unable to Launch device manager from 10.1.1.1 

This is definitely different and one more piece of information... I can now ping to 10.1.1.1 from the client when the VPN is open, so this confirms that I am able to connect with the Internal interface of the ASA from the client when the client is connected via VPN.

I'm wondering now if I need to tell the VPN management in the ASA that it's ok to run the ASDM when the request is coming from a client attached via VPN?

Any suggestions about how I can do that?

Ed 

Julio Carvaja Tue, 05/22/2012 - 15:53

Hello Edward,

Yep, after you changed the ip local pool and added management-access inside, everything should work!

Can you do a debug http 255

and then attempt to connect to the box.

Regards,

Julio

smsbconsulting Wed, 05/23/2012 - 12:32

Nothing I've tried so far has worked.  I'm on the phone with system support right now.  I'll let you all know what happens.

Thanks for your efforts. 

Ed

smsbconsulting Wed, 05/23/2012 - 13:39

Support said I needed to create a static route between 192.168.2.0 and 10.1.1.0 which I did.  Not only did it not work but it actually brought Internet access down for the entire company.  I removed the static route and Internet access came back company wide.

I find it hard to believe that such a straight forward function as creating a VPN connection should present such a problem.  If I thought it would do any good I'd remove everything I've done to date and just follow the AnyConnect client wizard from the beginning again. 

The trouble with that plan is that I'm not certain exactly how to remove everything associated with the VPN.

I save the config file before making any changes.  I use Tools > Backup Configuration to save the config.  Is it a simple matter of using Tools > Restore Configuration to restore a prior saved config?  If it is then I could restore one of the configurations I saved before I started all this work on the VPN and then start all over.

What do you think?  Should I use the restore tool or just run through the VPN wizard again which will hopefully overwrite whatever is wrong with the VPN config?

Ed

rizwanr74 Tue, 05/22/2012 - 19:49

Hi Edward,

"I'm wondering now if I need to tell the VPN management in the ASA that it's ok to run the ASDM when the request is coming from a client attached via VPN?"

http server enable

http 192.168.0.0 255.255.255.0 outside

The above two lines enable ASDM for a specific subnet and the interface it must come in on.

Have you tried with Firefox instead of IE ?


ju_mobile Mon, 05/21/2012 - 15:52

Your access to the ASDM would be from the inside, and as such your http access needs to identify this by using the subnet from which the VPN clients are assigned. The second step is to define the management access inside, which allows you to hairpin and access the ASDM.

http://www.pyeung.com/pages/cisco/cisco-asa-vpn-asdm.html


smsbconsulting Fri, 05/25/2012 - 09:58

I would like to take a moment to thank everyone for their help in solving this problem.  It turns out that most (if not all) the answers provided by the folks who responded to my problem were correct.  Each response addressed the issue in an appropriate manner and had I been more knowledgeable about Cisco VPN's, the information provided by everyone would have been sufficient for me to have solved the problem.

On the chance that others might benefit from my experience with this problem, I thought it might be worthwhile to explain in a little more detail what it was that finally solved my problem.  The missing piece of information... (which I found in a Cisco step-by-step VPN setup procedure)... was to create what is called an "Exempt Route".  The step-by-step procedure stated that the VPN address pool and the inside address pool should be different.  The fact that they are different requires that a Route exists between the two networks.  When I had originally created the route I mistakenly created a "Static Route".  This was an error... the route must be an "Exempt Route".  As soon as I created the Exempt Route everything began to work.

Thanks again to all. 

Ed

shady2show Wed, 06/06/2012 - 14:36

If there is any more clarification on this matter.

I'm confused on this also. I have a twice NAT rule applied that allows me to access the inside network, I can ping the inside interface, and I can access the inside http web page, but I still get the "Unable to launch the device manager from IP" error.

Since the Exempt route is already created and all other access works...is there another specific command that needs to be input in order for the asdm to respond to the VPN address space?

I have

object network Inside

     subnet 192.168.1.0 255.255.255.0

object network VPN

     subnet 192.168.3.0 255.255.255.0

nat (inside,outside) source static Inside Inside destination static VPN VPN

Everything works BUT ASDM, was there another set of commands requiring NAT for the ASA Inside interface?

iOS 8.4(1)
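The pieces that resolved Ed's problem, and the twice-NAT rule shady2show posted, fit together into one configuration. The following is an added example, not a config from the thread or from Cisco documentation; it assumes Ed's addressing (inside interface 10.1.1.1/24, VPN pool 192.168.1.0/24) and uses hypothetical object, pool, ACL and group-policy names. The "Exempt Route" Ed describes is a NAT exemption, i.e. the identity twice-NAT rule shady2show shows, not a static route (which is why the static route Ed was told to add broke Internet access). ASA 8.3+ NAT syntax is used, matching shady2show's 8.4(1).

```cisco
! Added example, not from the original thread. Assumed addressing comes from
! Ed's posts; object/pool/ACL/group-policy names are hypothetical.

! 1. Keep the VPN pool on a subnet that differs from the inside network
!    (Julio's first answer). Overlapping pools confuse routing on the ASA.
ip local pool VPN-POOL 192.168.1.100-192.168.1.120 mask 255.255.255.0

! 2. Let the ASA be managed on its inside address by traffic that arrives
!    through a VPN tunnel terminated on the outside interface.
management-access inside

! 3. ASDM/HTTPS listener, restricted by source. With management-access inside
!    the VPN clients are allowed on the INSIDE interface, not outside.
!    Do NOT answer Ed's "how dangerous" question with
!        http 0.0.0.0 0.0.0.0 outside
!    That exposes the ASDM login to the whole Internet; keeping the rule on
!    the inside interface and limited to the pool keeps it reachable only
!    through an authenticated tunnel.
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside

! 4. NAT exemption ("Exempt Route" in ASDM's wizard wording): identity
!    twice-NAT so inside <-> VPN-pool traffic is not translated.
!    This is a NAT rule, not a "route" entry.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET

! 5. Optional: split tunnelling. Without it the client is handed a default
!    gateway pointing into the tunnel (Rizwan's explanation of the
!    unpingable 10.10.10.2 gateway Ed saw).
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

To check the result from the CLI, `show running-config http` and `show running-config management-access` should list the VPN pool subnet on the inside interface and `management-access inside`; a ping to 10.1.1.1 from a connected client proving reachability (as Ed observed) is necessary but not sufficient, since the `http` source rule is evaluated separately from the NAT exemption. `debug http 255`, as Julio suggested, shows whether the HTTPS connection is being refused by the `http` rule or never arriving at all.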

Posted May 21, 2012 at 12:57 PM