16157 Views, 10 Helpful, 11 Replies

ASA ASDM access through VPN

mudasir05 (Level 1)

Hello All,

I have an ASA running 9.1 and I access ASDM through the management port; however, I am curious about accessing ASDM through VPN.

When I click on the VPN Wizard I see many options. Which one do I need to go through, AnyConnect or IPsec?

Any help would be appreciated.

Thanks


11 Replies

Jouni Forss (VIP Alumni)

Hi,

It sounds to me that you have not yet configured the VPN Client connection then? Or do you have an existing VPN Client configuration and want to be able to manage the ASA through that VPN connection? (Even though you could use ASDM without the VPN connection too.)

If you do not have an existing VPN configuration on the ASA then the type of VPN Client connection (wizard) you use depends on your ASA's licensing. Any ASA can be configured to use the IPsec VPN Client as each unit has support for this. This however uses the older Cisco VPN Client which I guess is not really supported/updated by Cisco anymore.

The current way of doing VPN Client connections would be to use the AnyConnect VPN Client. With regards to AnyConnect user licensing, an ASA by default has support for 2 users (concurrently connected, not the total amount of configured users). For home use or a very small company this might be enough as there might not be many people needing to use the VPN connections anyway. For bigger setups you typically need the AnyConnect Essentials license which will allow you to have as many AnyConnect VPN users as the actual hardware supports (these amounts are mentioned in the datasheets for the different ASA units).

So on the basis of the above you could choose which VPN Wizard to configure your VPN connections with. Nothing is stopping you from configuring both though.

But after you have configured the VPN there are still some configurations you would need to add to be able to manage the ASA through the VPN connections. These settings are not done through any Wizard in ASDM. (At least to my understanding.)

One important command regarding managing the ASA through VPN is the command

management-access <interface nameif>

This will allow you to configure one internal interface (as in a different interface from the one that connects to the Internet) to support management connections through another interface when that management connection is coming through a VPN connection.

So let's say you have only "inside" and "outside" interfaces and have configured a VPN Client connection. If you tried to manage the ASA by connecting through the VPN Client connection to the "inside" interface IP address then this would typically fail. If you were to add "management-access inside" and the required "http" commands you would be able to manage the ASA through the VPN connection. Naturally, when you configure the VPN Client connection you would have to make sure that the interface IP address you are trying to connect to is included in the VPN connection. If you use a Full Tunnel/Tunnel All type VPN configuration then there should be no problem, but if you have a Split Tunnel VPN then you have to make sure that the interface IP address is included in the Split Tunnel ACL.

Hope this helps and made any sense :)

- Jouni

 

 

Thanks Jouni for the reply,

Yes, it would be the first time I will be configuring VPN on my ASA 5545 running 9.1.

My first query is regarding the licence; please let me know how to check it.

And if I add the command management-access <interface> and try to access ASDM via VPN through the management interface, will there be any conflict with the existing configuration on the management interface through which I used to access ASDM?

Hope I am clear.

Thanks

Hi,

With regards to the license one thing is sure at least: you will have support for more than enough IPsec VPN Client users on your current ASA model. The AnyConnect (SSL) VPN Client licensing you can check with the below command

show version

The command "management-access" to my understanding could be used for any interface on the ASA. This command should not affect any existing management connection/configuration you have on the ASA already. The "management-access" command can be active only for a single interface at a time.

- Jouni

 

OK thanks,

I tried to configure IPsec remote VPN on my inside interface.

Then at one of the steps it asked for a pool of addresses. I just need to confirm: is this the pool of addresses which users would automatically get via DHCP, or do I need to manually install them on their PCs?

I am confused!!!

Hi,

Do notice that if you are configuring the VPN Client connection on the ASA, the user most probably connects to the ASA through the Internet and this means the VPN connections should terminate on the "outside" interface (or whatever the external interface is called on your ASA).

You can create the VPN Pool to be pretty much any subnet you want. Typically it's some private IP address range. It should at least be something different from the LAN subnet that you have behind the ASA. The ASA configured with a VPN Pool will give the VPN Client user an IP address from that pool. You don't have to manually set it in your VPN Client software.

And there are multiple other ways to assign the IP address. For example you can configure a separate DHCP server in the VPN configuration from which the users get the IP address, or you can configure a specific IP address for the user if you configure the VPN users' AAA on the ASA itself with LOCAL authentication.

- Jouni
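The three address-assignment options Jouni describes, written out as ASA CLI. This is an added example and not configuration from the thread; the pool range, the DHCP server address 192.168.1.20, the user "alice" and the names VPN-POOL, ANYCONNECT-GP and ANYCONNECT-TG are placeholders chosen for illustration.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
! The ASA tries AAA-assigned, then DHCP, then the local pool (the default
! vpn-addr-assign order), so the per-user address wins when it is set.

! Group policy referenced by the tunnel group below
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
! Used only by Option 2: which scope the DHCP server should lease from
 dhcp-network-scope 192.168.50.0

! --- Option 1: local pool on the ASA (what the wizard asks for) ---
! Private range that does not overlap the LAN behind the ASA; the client
! receives an address from it automatically, nothing is set on the PC.
ip local pool VPN-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-GP
! --- Option 2: an internal DHCP server leases the address ---
! (assumed DHCP server at 192.168.1.20; the ASA relays the request)
 dhcp-server 192.168.1.20
! --- Option 3: fixed address per user with LOCAL authentication ---
 authentication-server-group LOCAL

! Placeholder credentials; service-type remote-access keeps this account
! from being usable for SSH/ASDM logins to the ASA itself.
username alice password ChangeMe123 privilege 0
username alice attributes
 vpn-framed-ip-address 192.168.50.100 255.255.255.0
 service-type remote-access

! After a client connects, confirm which address it actually received:
! show vpn-sessiondb anyconnect
```

You would normally keep only one of the three options; they are shown together so the placement of each command (tunnel-group vs. group-policy vs. username attributes) is visible in one place.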

 

OK got it...

So do we need to follow the same procedure if we want to access ASDM remotely? And if yes, then in that case should I assign users the same range as the subnet I have configured on:

http server x.x.x.x

Thanks

Hi,

I am not sure I follow completely what you mean here.

You can set whatever subnet/range as the VPN Pool for the VPN users. You can then add an "http" command for the subnet you have just configured as the VPN Pool to allow ASDM management connections from that subnet.

And I would like to point out that you can use both SSH and ASDM (HTTPS/SSL) to manage the ASA from the external network without using any form of VPN for this. You can connect to the external interface IP address of the ASA directly. In those cases you could simply add the "http" and "ssh" statements on the ASA to allow the management connections from specific hosts/subnets. Naturally, if you don't always manage the ASA externally from a specific IP address then this might not be an option if you want to keep the ASA as secure as possible with regards to management connection options.

To list the things you need to do to manage the ASA through the VPN connection, you have to at least do these things:

  • Configure the VPN Client connection
  • Confirm that the interface IP address to which you want to connect is included in the VPN so the user's traffic to that IP gets forwarded to the VPN connection
    • If you are using Full Tunnel/Tunnel All then naturally all traffic is going to the VPN
    • If you are using Split Tunnel then you have already configured an ACL that defines what traffic is forwarded to the VPN connection. In this case that ACL must include the IP address of the interface or the subnet to which it belongs
  • Confirm that you have "management-access <nameif>" configured using the name of the interface to which you want to connect using the VPN connection
  • Confirm that you have allowed management connections from the subnet configured as the VPN Pool to the interface you want to use for management with the "http" command

- Jouni
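The checklist above, together with the "management-access" explanation in Jouni's first reply, carried through as one complete split-tunnel AnyConnect configuration. This is an added example, not configuration posted in the thread. It assumes an "inside" interface at 192.168.1.1 on 192.168.1.0/24, a VPN pool of 192.168.50.0/24, AnyConnect terminating on "outside", and placeholder names (VPN-POOL, SPLIT-TUNNEL, INSIDE-NET, VPN-POOL-NET, ANYCONNECT-GP, ANYCONNECT-TG) and a placeholder AnyConnect package filename.

```cisco
! Added example, not from the thread. Interface names, subnets, object and
! policy names are placeholders; inside interface IP is assumed 192.168.1.1.

! 1. Address pool for VPN clients, distinct from the LAN behind the ASA
ip local pool VPN-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

! 2. Split-tunnel ACL. Only what is listed here is routed into the tunnel by
!    the client, so the inside subnet (and with it the inside interface IP you
!    will point ASDM/SSH at) must be included. Tunnel-all avoids this step.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! 3. NAT exemption (8.3+ syntax) so pool-to-LAN traffic is not translated;
!    not discussed in the thread but required once VPN users also reach the LAN
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup

! 4. AnyConnect (SSL) remote access on the outside interface
!    (anyconnect image path is a placeholder for the package you uploaded)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.1.10

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias VPN enable

! 5. Let the inside interface accept management sessions that arrive through
!    the tunnel on outside. Only one interface can hold management-access.
management-access inside

! 6. Permit ASDM (HTTPS) and SSH to inside only from the VPN pool, not 0.0.0.0/0
http server enable
http 192.168.50.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh version 2

! Verification once a client is connected and browsing to https://192.168.1.1:
! show version | include AnyConnect          (licensed peer counts)
! show running-config management-access
! show running-config http
! show vpn-sessiondb anyconnect
```

The two lines that most often go missing are the split-tunnel ACL entry covering the interface subnet and the "http" line scoped to the pool; with either absent the ASDM connection simply times out, which is what step 2 and step 6 of the checklist are guarding against. Restricting "http" and "ssh" to the pool subnet rather than any source is what makes VPN-only management safer than opening ASDM on the outside interface IP.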

Thanks a ton... this was really helpful...

Hi,

Glad if it helped.

If you get the VPN and management configurations done and for some reason the management connections through VPN do not work then we can always have a look at the ASA configuration in CLI format.

- Jouni

It works for my Cisco ASA 5506X. Thank you.

I tried everything but for some reason I can't access ASDM via AnyConnect VPN.

We are using a bridge virtual interface (BVI) for inside and DMZ.

Thanks in advance.
