Question about ASDM through VPN

Edward Luna
Level 1

Hello again

I configured ASA 5510 management through the inside interface.  When I am in the office connected to the LAN I have no problem running ASDM.  However, when I'm outside the office and I connect through the Cisco SSL VPN Service I can't manage the ASA5510 even though I can access all the shared resources on the network.

When I attempt to run ASDM when connected via VPN I get the error message..  "Unable to launch device manager from x.x.x.x"  (inside address of the ASA5510).

How dangerous would it be if I just activated management via the Outside interface?

Ed

Accepted Solution

Hello Edward,

Please change the pool to a different subnet than the ASA interface... That will make the ASA a little crazy regarding communications between the local pool and the local subnet.

Can you add the following command as well

management-access inside

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


19 Replies

rizwanr74
Level 7

Hi Edward,

Have you tried the config below? I assume your remote VPN client pool is 10.10.10.0/24; change it to reflect your pool.

http server enable

http 10.10.10.0 255.255.255.0 outside

"How dangerous would it be if I just activated management via the Outside interface?"

It is dangerous to enable it over a public address; however, the above config is set for a private address, which must come from the VPN client session.

I hope that answers your question.

thanks

Rizwan Rafeek

Thank you for your quick response.

My remote vpn address pool is 10.1.1.100 to 10.1.1.120    

I added the commands you suggested (changed for my pool) but I still get the same error when I try to run ASDM via VPN.

I ran ipconfig on the client after the VPN was established and ipconfig indicates that the IP address of the client computer is 10.1.1.100 .  When I connect directly to the LAN (no VPN) the ip address of the client is 10.1.1.x and I have no problem running ASDM and connecting to 10.1.1.1 but when I open the VPN and get an IP address of 10.1.1.100 I can no longer run ASDM from 10.1.1.1.

There must be something in the VPN preventing the ASDM application from running.  Is there someplace in ANYConnect VPN where I can tell it to allow ASDM? 

This problem had been hounding us since we upgraded our ASAs from 8.4.1 to 9.1.5.  Found another forum posting explaining what had changed with NAT, made the suggested change, and we were once again able to ping and manage our ASAs (SSH/ASDM) from an AnyConnect VPN session through the same ASA.

Here's the link (hope it doesn't get deleted):  http://www.petenetlive.com/KB/Article/0000984.htm

Basically, make sure you add the "route-lookup" command to the end of your VPN NAT entry. Resolved our problem in about 2 minutes...  HTH - Jim

Am I correct in assuming that the client computer once connected to the Cisco VPN is using a 10.1.1.x IP address but is connected to the outside interface of the ASA5510?  If so then I suppose the ASA needs some way of knowing which direction the packets should be flowing.  In which case, using 10.1.1.x VPN addresses would be in conflict with the 10.1.1.x internal ip addresses.

Should I change the VPN address pool to use ip addresses that belong to a different subnet than the inside ip address pool?  Maybe something like 10.10.10.0/24 for the VPN address pool like you had originally indicated?

The more I think of it the more I'm becoming convinced that it must have been a mistake to make the VPN address pool and the internal address pool the same subnet.

I'll go change it and let you know what happens.

I changed the VPN address pool and it didn't make any difference.

1.  Can I/should I use addresses from the inside subnet for the VPN address pool?

2.  When I changed the VPN address pool to 10.10.10.0/24 and opened the VPN I was assigned address 10.10.10.1 but I was also assigned a default gateway of 10.10.10.2.  I would not have expected to be assigned a default gateway for a VPN connection.

I can ping 10.10.10.1 from the client... basically it's pinging itself... but I can't ping the default gateway that was assigned to my client.  Not much use for a default gateway that you can't ping.  Do you know where that default gateway is coming from?


Hi Edward,

Please try this and let me know if this helps.

management-access inside

"Do you know where that default gateway is coming from?" from ASA.

If you have not enabled split-tunnel, VPN clients will be injected with a default gateway.

I apologize for being so dense but I just don't understand the answers I'm getting.  I'm certain it is 100% my fault but I must understand the answers before I can implement them.

I don't use the CLI, I use the GUI.  Regardless of which way I get the commands in the result should be the same.

Maybe if we can just clear-up my misunderstandings one at a time we might get this thing to work.

Here are some givens...

My inside address pool is 10.1.1.1 thru 10.1.1.254

The inside address of the ASA is 10.1.1.1

My VPN address pool is 10.1.1.120 thru 10.1.1.129 mask 255.255.255.0

In the GUI Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH entry screen I have

Type = ASDM/HTTPS

Interface = Internal (inside)

IP address = 10.1.1.0 mask 255.255.255.0

Note: According to what I have read, the IP address entered in the GUI is either the host IP that is allowed to access the ASDM via the Internal interface or it is an entire network.  However, if I enter any IP address with a value greater than zero in the 4th octet, I cannot use mask 255.255.255.0; it gives me a network address error (makes sense).  So for now I have left the allowed hosts as any host on the internal network by entering IP 10.1.1.0 mask 255.255.255.0.

I know that the internal interface is enabled for ASDM because I can access it when I am connected to the LAN.  The only time I can't access it is when I am connected via the VPN (Anyconnect).  Perhaps I have a VPN issue rather than a remote administration of ASDM issue but the Anyconnect client says I am connected and I can see packets transferring both ways. 

I think we've made some progress. 

I changed the VPN address pool to 192.168.1.0/24... I left the inside address pool as it was 10.1.1.0/24

I then applied the new address pool to the VPN connection profile in the GUI.

I then ran the command management-access internal (inside)

I then ran the command write memory.

After I did that I opened a VPN session and attempted to run ASDM.  The first screen came up as usual asking for Device IP address/Name

I selected the internal ip address 10.1.1.1 and clicked OK

After clicking OK is where I always get the message Unable to launch device manager from 10.1.1.1 when I'm connected via VPN but this time I didn't get the error... I got the Security warning screen saying the certificate is invalid and do I wish to continue.  This is normal behavior and is exactly what I get when I'm connected directly to the LAN and not the VPN.

I click Yes to continue and then I get the error Unable to Launch device manager from 10.1.1.1 

This is definitely different and one more piece of information... I can now ping to 10.1.1.1 from the client when the VPN is open, so this confirms that I am able to connect with the Internal interface of the ASA from the client when the client is connected via VPN.

I'm wondering now if I need to tell the VPN management in the ASA that it's ok to run the ASDM when the request is coming from a client attached via VPN?

Any suggestions about how I can do that?

Ed 

Hello Edward,

Yeap, after you changed the ip local pool and added management-access inside everything should work!

Can you do a debug http 255

and then attempt to connect to the box.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Nothing I've tried so far has worked.  I'm on the phone with system support right now.  I'll let you all know what happens.

Thanks for your efforts. 

Ed

Support said I needed to create a static route between 192.168.2.0 and 10.1.1.0 which I did.  Not only did it not work but it actually brought Internet access down for the entire company.  I removed the static route and Internet access came back company wide.

I find it hard to believe that such a straight forward function as creating a VPN connection should present such a problem.  If I thought it would do any good I'd remove everything I've done to date and just follow the AnyConnect client wizard from the beginning again. 

The trouble with that plan is that I'm not certain exactly how to remove everything associated with the VPN.

I save the config file before making any changes.  I use Tools > Backup Configuration to save the config.  Is it a simple matter of using Tools > Restore Configuration to restore a prior saved config?  If it is then I could restore one of the configurations I saved before I started all this work on the VPN and then start all over.

What do you think?  Should I use the restore tool or just run through the VPN wizard again which will hopefully overwrite whatever is wrong with the VPN config?

Ed

Hi Edward,

"I'm wondering now if I need to tell the VPN  management in the ASA that  it's ok to run the ASDM when the request is  coming from a client  attached via VPN?"

http server enable

http 192.168.0.0 255.255.255.0 outside

The above two lines enable ASDM for a specific subnet and the interface it must come in on.

Have you tried with Firefox instead of IE ?

ju_mobile
Level 1

Your access to the ASDM would be from the inside, and as such your http access needs to identify this, but using the subnet from which the VPN clients are assigned. The second step is to define management-access inside, which allows you to hairpin and access the ASDM.

http://www.pyeung.com/pages/cisco/cisco-asa-vpn-asdm.html

Sent from Cisco Technical Support iPad App
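The pieces scattered across the thread (a non-overlapping VPN pool, Jim's NAT exemption with route-lookup, the http permit bound to the outside interface, and management-access inside) fit together as one configuration. The block below is an added example, not config posted by anyone in the thread; it assumes an ASA 9.x, inside 10.1.1.1/24, a VPN pool of 192.168.1.0/24, and object and pool names that are placeholders.

```cisco
! Added example (not from the thread): reaching ASDM on the inside interface
! from an AnyConnect session. Assumed: inside 10.1.1.1/24, VPN pool
! 192.168.1.0/24; ANYCONNECT-POOL, INSIDE-LAN and VPN-POOL are placeholder names.
!
! 1. VPN pool on a subnet that does not overlap the inside LAN.
ip local pool ANYCONNECT-POOL 192.168.1.10-192.168.1.100 mask 255.255.255.0
!
! 2. NAT exemption so LAN<->VPN traffic is left untranslated; route-lookup
!    makes the ASA forward by the real destination instead of the
!    interface named in the NAT rule (the 8.4 -> 9.x change Jim describes).
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! 3. ASDM/HTTPS server and the only subnets allowed to reach it. Decapsulated
!    VPN traffic enters on the outside interface, so the permit is bound to
!    "outside" but limited to the pool; never 0.0.0.0 0.0.0.0 outside.
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
!
! 4. Let the inside address (10.1.1.1) answer management traffic that arrives
!    through the tunnel on another interface.
management-access inside
```

After applying it, `show run http` and `show run management-access` confirm the permits, and Julio's `debug http 255` shows whether the ASDM connection from the pool address reaches the http server at all or is dropped before it.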
