11-05-2014 09:21 PM - edited 03-11-2019 10:02 PM
Hello All,
I have an ASA 9.1 and I access ASDM through the management port; however, I am curious to access the ASDM through VPN.
When I click on VPN Wizard I see many options; which one do I need to go through, VPN AnyConnect or IPsec?
Any help would be appreciated.
Thanks
11-05-2014 11:24 PM
Hi,
It sounds to me that you have not yet configured the VPN Client connection then? Or do you have an existing VPN Client configuration and want to be able to manage the ASA through that VPN connection? (Even though you could use ASDM without the VPN connection too.)
If you do not have an existing VPN configuration on the ASA then the type of VPN Client connection (wizard) you use depends on your ASA's licensing. Any ASA can be configured to use IPsec VPN Client as each unit has support for this. This however uses the older Cisco VPN Client which I guess is not really supported/updated by Cisco anymore.
The current way of doing VPN Client connections would be to use the AnyConnect VPN Client. With regards to AnyConnect user licensing, an ASA by default has support for 2 users (concurrently connected, not the total amount of configured users). For home use or a very small company this might be enough as there might not be many people needing to use the VPN connections anyway. For bigger setups you typically need the AnyConnect Essentials license which will allow you to have as many AnyConnect VPN users as the actual hardware supports (these amounts are mentioned in the datasheets for the different ASA units).
So on the basis of the above you could choose with which VPN Wizard to configure your VPN connections. Nothing is stopping you from configuring both though.
But after you have configured the VPN there are still some configurations you would need to add to be able to manage the ASA through the VPN connections. These settings are not done through any Wizard on the ASDM. (At least to my understanding.)
One important command regarding managing the ASA through VPN is the command
management-access <interface nameif>
This will allow you to configure one internal interface (as in a different interface from the one that connects to the Internet) to support management connections through another interface when that management connection is coming through a VPN connection.
So let's say you have only "inside" and "outside" interfaces and have configured a VPN Client connection. If you tried to manage the ASA by connecting through the VPN Client connection to the "inside" interface IP address then this would typically fail. If you were to add "management-access inside" and the required "http" commands you would be able to manage the ASA through the VPN connection. Naturally when you configure the VPN Client connection you would have to make sure that the interface IP address you are trying to connect to is included in the VPN connections. If you use a Full Tunnel/Tunnel All type VPN configuration then there should be no problem, but if you have a Split Tunnel VPN then you have to make sure that the interface IP address is included in the Split Tunnel ACL.
Hope this helps and made any sense :)
- Jouni
11-05-2014 11:34 PM
Thanks Jouni for the reply,
Yes, it would be the first time I will be configuring VPN on my ASA 5545 9.1.
My first query is regarding the licence; please let me know how to check...
And if I add the command management-access (interface) and try to access ASDM via VPN through the management interface... will there be any conflict with the existing config on the management interface through which I used to access ASDM?
Hope I am clear...
Thanks
11-05-2014 11:39 PM
Hi,
With regards to the license one thing is sure at least: you will have support for more than enough IPsec VPN Client users on your current ASA model. The AnyConnect (SSL) VPN Client licensing you can check with the below command
show version
The command "management-access" to my understanding could be used for any interface on the ASA. This command should not affect any existing management connection/configuration you have on the ASA already. The "management-access" command can be active only for a single interface at a time.
- Jouni
11-06-2014 01:19 AM
OK, thanks.
I tried to configure IPsec remote VPN on my inside interface...
Then at one of the steps it asked for a pool of addresses; I just need to confirm whether this is the pool of addresses which users would automatically get via DHCP or whether they need to manually install them on their PC.
I am confused!!!
11-06-2014 01:31 AM
Hi,
Do notice that if you are configuring the VPN Client connection on the ASA, the user most probably connects to the ASA through the Internet, and this means the VPN connections should terminate on the "outside" interface (or whatever the external interface is called on your ASA).
You can create the VPN Pool to be pretty much any subnet you want. Typically it's some private IP address range. It should at least be something different from the LAN subnet that you have behind the ASA. The ASA configured with a VPN Pool will give the VPN Client user the IP address from that pool. You don't have to manually set it in your VPN Client software.
And there are multiple other ways to assign the IP address. For example you can configure a separate DHCP server in the VPN configuration from which the users get the IP address, or you can configure a specific IP address for the user if you configure the VPN users' AAA on the ASA itself with LOCAL authentication.
- Jouni
11-06-2014 01:43 AM
OK, got it...
So do we need to follow the same procedure if we want to access ASDM remotely, and if yes, then in that case should I assign users the same range as the subnet I have configured on:
http server x.x.x.x
Thanks
11-06-2014 01:58 AM
Hi,
I am not sure I follow completely what you mean here.
You can set whatever subnet/range as the VPN Pool for the VPN users. You can then add a "http" command for the subnet you have just configured as VPN Pool to allow ASDM management connections from that subnet.
And I would like to point out that you can use both SSH and ASDM (HTTPS/SSL) to manage the ASA from the external network without using any form of VPN for this. You can connect to the external interface IP address of the ASA directly. In those cases you could simply add the "http" and "ssh" statements on the ASA to allow the management connections from specific hosts/subnets. Naturally, if you don't always manage the ASA externally from a specific IP address, then this might not be an option if you want to keep the ASA as secure as possible with regards to management connection options.
To list the things you need to do to manage the ASA through the VPN connection, you have to at least do these things
- Jouni
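Pulling together the pieces Jouni describes in this answer and the earlier one (VPN pool, "management-access", an "http" line scoped to the pool, and the split-tunnel ACL covering the inside interface IP), here is an added ASA CLI fragment that is not from the thread. The pool 192.168.50.0/24, the inside LAN 192.168.1.0/24 with interface IP 192.168.1.1, and the names VPN-POOL, SPLIT-TUNNEL and VPN-GP are assumed placeholders.

```cisco
! Assumed example (not from the thread): inside LAN is 192.168.1.0/24, inside IP 192.168.1.1
! Address pool handed to VPN clients; keep it separate from the LAN subnet
ip local pool VPN-POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
!
! Let management traffic that arrives through the VPN terminate on the inside interface IP
! (only one interface can carry management-access at a time)
management-access inside
!
! Allow ASDM (HTTPS) and SSH only from the VPN pool, not from the whole Internet
http server enable
http 192.168.50.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
!
! Split tunnel: the inside subnet (which contains 192.168.1.1) must be in the ACL,
! otherwise the client sends the ASDM connection outside the tunnel and it fails
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

"show running-config http" and "show running-config management-access" confirm that the statements took effect; a client then points ASDM at 192.168.1.1 while connected to the VPN.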
11-06-2014 02:33 AM
thanks a ton...this was really helpful...
11-06-2014 02:39 AM
Hi,
Glad if it helped.
If you get the VPN and management configurations done and for some reason the management connection through VPN does not work, then we can always have a look at the ASA configuration in CLI format.
- Jouni
10-08-2018 09:51 PM - edited 10-08-2018 09:52 PM
I tried everything but for some reason I can't access ASDM via AnyConnect VPN.
We are using a bridge virtual interface (BVI) for inside and DMZ.
Thanks in advance.