Accessing Management Interface from internal network

heather.burke
Level 1

We want to be able to access our firewall from our desks, rather than always from the server room.  (imagine that!)  However, we seem unable to make this work.  Our management interface is still the default 192.168.1.1.  We want to access it from our internal network of 192.168.204.0.  To make things more complicated, we have layer 2 switches on this network.  Any ideas on how we can get this to work?


12 Replies

Collin Clark
VIP Alumni

You have a couple of options:

1) Use the inside interface to manage the device.

2) Change the IP of the management interface and put it in your 192.168.204.0 network.

3) Create a new management network and leave the IP of the ASA management interface.

Are you using ASDM or SSH (or both)?

I am using kind of a hybrid of both.  I kind of prefer ASDM because I am more visual, but I will do what works best.

I tried adding the management interface to my internal network as an experiment, but it told me I could not use a network address for an interface IP.

The original thought was to leave it as it's own network, but I would then need a router to connect it to the internal switch, wouldn't I?

If I manage it from the internal interface, what are the drawbacks of that?  (obviously less secure)  How would I set that up?

The original thought was to leave it as it's own network, but I would then need a router to connect it to the internal switch, wouldn't I?

Yup you would.

Managing on the inside is less secure but sometimes you have to use what you've got. You will need to permit management traffic to the inside interface. For example let's say your workstation IP is 192.168.204.5, in the ASA we grant your IP ASDM & SSH access to the inside interface-

ssh 192.168.204.5 255.255.255.255 inside

http 192.168.204.5 255.255.255.255 inside

Just do the same for other admin IPs.

Cool!  So what IP address would we use to access the management functions then?  Would you use the internal interface IP?

Do the commands you give generate an ACL for the traffic for the inside interface, or how does it know that you are using those addresses for management functions?

Thanks again!

Hello Heather,

Well, it is normal that you get an error message if you try to put an IP address on an interface when there is another interface on the same range. L3 devices are meant to separate broadcast domains, not to join them.

Now going back to your original issue. Yes, you will use the inside IP address of the firewall to access the ASDM. These commands, for example the ones below:

http server enable

http 192.168.2.2 255.255.255.255 inside

Will allow the host 192.168.2.2 to access the ASDM.

When working with ASAs we need to differentiate 2 kinds of traffic: the traffic that is passing through it, and the traffic that is TO it. If you do a show asp table socket, you will be able to see on which ports the firewall itself is listening. If you set this right, when you do the show asp table socket you will be able to see that the firewall is listening on SSL 443 on the interface inside, ready for you to manage it from the inside.

Hope this helps.

Mike.

Great Thanks!

I am able to now access the ASDM from my desk.  However, when I try to go through telnet or SSH, it won't accept the password.

Any ideas as to why this would be?  It should still be the same password that I use to connect via asdm and through the serial port in the server room, right?

Should be the same password. Are you using local username/passwords or do you use AAA?

Hello Heather,

Thank you so much for letting us know the inputs on this. If you want to access the SSH with the same username and password as you do with ASDM, you will need the following command:

aaa authentication ssh console LOCAL

Please try the command and if you need further assistance or you have any doubts please let me know.

Thanks.

Mike

Yes you would use the IP assigned to the inside interface. Since the SSH and HTTPS traffic is destined to the box, the ASA knows it is for management. Traffic destined to the ASA is implicitly dropped and the two commands above are "opening" access to the ASA.

Hope that makes sense.
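The replies above boil down to three things: per-host http/ssh entries on the inside interface open to-the-box management access that is otherwise dropped, `http server enable` must be on for ASDM, and `aaa authentication ssh console LOCAL` makes SSH use the same local credentials as ASDM. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses those lines out of a constructed running-config excerpt, answers "can this admin host reach the box?", and flags entries a defender would not want (management open on an untrusted interface, or an entry broader than a /24). The interface names, addresses, the "outside is untrusted" assumption and the /24 threshold are all assumptions made for the example.

```python
"""Audit management-plane access in a Cisco ASA running-config excerpt.

Added example (not from the original thread). It applies the thread's own
commands (http/ssh host entries, 'http server enable', LOCAL AAA for SSH)
to a constructed config and reports what is permitted and what looks risky.
"""
import ipaddress
import re

# Constructed sample excerpt: interface names and addresses are assumed.
# The 'ssh 0.0.0.0 0.0.0.0 outside' line is included on purpose so the audit
# has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.204.1 255.255.255.0
http server enable
http 192.168.204.5 255.255.255.255 inside
http 192.168.204.0 255.255.255.0 inside
ssh 192.168.204.5 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
aaa authentication ssh console LOCAL
"""

# 'http <ip> <mask> <interface>' and 'ssh <ip> <mask> <interface>' entries
_ACCESS_RE = re.compile(
    r"^(http|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_access_entries(config):
    """Return (proto, network, interface) tuples for every host/subnet entry."""
    entries = []
    for line in config.splitlines():
        m = _ACCESS_RE.match(line.strip())
        if m:
            proto, ip, mask, ifname = m.groups()
            # ipaddress accepts a dotted netmask; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            entries.append((proto, net, ifname))
    return entries


def host_allowed(config, proto, host, ifname):
    """True if 'host' is covered by some 'proto' entry bound to 'ifname'."""
    h = ipaddress.ip_address(host)
    return any(p == proto and i == ifname and h in n
               for p, n, i in parse_access_entries(config))


def host_entries(hosts, ifname="inside"):
    """Render one ssh + one http /32 entry per admin workstation."""
    out = []
    for h in hosts:
        ipaddress.ip_address(h)  # raises ValueError on malformed input
        out.append(f"ssh {h} 255.255.255.255 {ifname}")
        out.append(f"http {h} 255.255.255.255 {ifname}")
    return out


def audit(config, untrusted_ifaces=("outside",), widest_prefixlen=24):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    entries = parse_access_entries(config)
    lines = {l.strip() for l in config.splitlines()}
    for proto, net, ifname in entries:
        if ifname in untrusted_ifaces:
            findings.append(f"{proto} management reachable on untrusted interface "
                            f"{ifname} from {net}")
        if net.prefixlen < widest_prefixlen:
            findings.append(f"{proto} entry {net} on {ifname} is wider than "
                            f"/{widest_prefixlen}")
    if any(p == "http" for p, _, _ in entries) and "http server enable" not in lines:
        findings.append("http entries present but 'http server enable' is missing; "
                        "ASDM will not answer")
    if any(p == "ssh" for p, _, _ in entries):
        if "ssh version 2" not in lines:
            findings.append("'ssh version 2' not set")
        if not any(l.startswith("aaa authentication ssh console") for l in lines):
            findings.append("no 'aaa authentication ssh console' line; SSH logins are "
                            "not checked against the local user database")
    return findings


if __name__ == "__main__":
    for proto, net, ifname in parse_access_entries(SAMPLE_CONFIG):
        print(f"{proto:<5} {str(net):<22} {ifname}")
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("\n".join(host_entries(["192.168.204.5", "192.168.204.6"])))
```

Run it against the output of `show running-config` pasted into a file instead of the constructed sample; the two findings on the sample both come from the deliberately broad `ssh 0.0.0.0 0.0.0.0 outside` line, which is exactly the kind of entry that should never survive a review.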

thanks, it's working great now!

Hello Heather,

Thanks, would you please mark this post as answered so other people can use it as reference?

Mike

Certainly!
