Cisco Support Community

ASDM access through s2s tunnel group on ASA5510

For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.

However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.

This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.

This is the current config relative to the 10.1.55.0 subnet:

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0

asdm location 10.1.55.0 255.255.255.0 untrust

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

http 10.1.55.0 255.255.255.0 untrust

trust is the name of the "inside" interface that has an IP of 192.168.1.1

untrust is the name of the "outside" interface

prod is the name of the production environment interface

and dmz of course is the name of the dmz interface

As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.

What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?

ACCEPTED SOLUTION

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

Can you try the following:

nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
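As an added example for this thread (not code from the thread, from Cisco, or from the ASA), here is a small Python checker that reads an ASA 8.4-style config and reports which of the three pieces for reaching ASDM across a site-to-site tunnel are missing: `management-access` on the inside interface, an `http` entry for the remote subnet on that same interface (not only on the interface the tunnel terminates on), and an identity twice-NAT rule between that interface and the tunnel interface that carries `route-lookup`, as in the accepted answer. The sample config is constructed from the lines posted in the thread, the requirement list encodes what the thread converged on rather than a complete rule engine, and the parser only understands the handful of line types it needs.

```python
"""Added example (not Cisco's code): check an ASA 8.4+ config for the pieces
needed to reach ASDM on an interface other than the one a site-to-site
tunnel terminates on."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# The NAT line as posted, and the line from the accepted answer.
POSTED_NAT = ("nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 "
              "destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp")
ACCEPTED_NAT = ("nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 "
                "destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup")

# Constructed from the relevant lines posted in the thread (management-access
# is assumed set on trust, as the original poster states).
SAMPLE_CONFIG = f"""\
interface Ethernet0/0
 nameif untrust
 security-level 0
interface Management0/0
 nameif trust
 security-level 100
 ip address 192.168.1.1 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object network obj-10.1.55.0
 subnet 10.1.55.0 255.255.255.0
{POSTED_NAT}
management-access trust
http server enable
http 10.1.55.0 255.255.255.0 untrust
"""
# The accepted answer's NAT change plus the http entry on the management interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace(POSTED_NAT, ACCEPTED_NAT) + "http 10.1.55.0 255.255.255.0 trust\n"

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)(.*)")

@dataclass
class AsaConfig:
    objects: dict = field(default_factory=dict)    # object name -> ip_network
    iface_ip: dict = field(default_factory=dict)   # nameif -> ip_address
    http: list = field(default_factory=list)       # (ip_network, nameif)
    nat: list = field(default_factory=list)        # twice-NAT rules as dicts
    management_access: Optional[str] = None

def parse_config(text: str) -> AsaConfig:
    """Minimal line parser: objects, interface addresses, http, management-access, twice NAT."""
    cfg, cur_obj, cur_if = AsaConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith("interface "):
            cur_if, cur_obj = line.split()[1], None     # replaced by the nameif below
        elif line.startswith("nameif ") and cur_if:
            cur_if = line.split()[1]
        elif line.startswith("ip address ") and cur_if:
            cfg.iface_ip[cur_if] = ipaddress.ip_address(line.split()[2])
        elif line.startswith("subnet ") and cur_obj:
            _, net, mask = line.split()
            cfg.objects[cur_obj] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif line.startswith("host ") and cur_obj:
            cfg.objects[cur_obj] = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("http ") and line != "http server enable":
            _, net, mask, iface = line.split()
            cfg.http.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
        elif line.startswith("management-access "):
            cfg.management_access = line.split()[1]
        else:
            m = NAT_RE.match(line)
            if m:
                cfg.nat.append(dict(src_if=m[1], dst_if=m[2], real_src=m[3], map_src=m[4],
                                    real_dst=m[5], map_dst=m[6], opts=m[7].split()))
    return cfg

def check_asdm_over_vpn(cfg: AsaConfig, remote_net: str, remote_mask: str, vpn_if: str) -> list:
    """Return the gaps between cfg and what ASDM over the tunnel needs; [] means nothing missing."""
    remote = ipaddress.ip_network(f"{remote_net}/{remote_mask}", strict=False)
    mgmt = cfg.management_access
    if mgmt is None:
        return ["management-access is not set; name the interface ASDM will be reached on"]
    mgmt_ip = cfg.iface_ip.get(mgmt)
    if mgmt_ip is None:
        return [f"management-access names {mgmt!r} but no interface carries that nameif"]
    findings = []
    # 1. http must allow the remote subnet on the management-access interface itself.
    if not any(remote.subnet_of(net) and iface == mgmt for net, iface in cfg.http):
        findings.append(f"missing: http {remote_net} {remote_mask} {mgmt}")
    # 2. Identity twice NAT from the management interface to the tunnel interface, with route-lookup.
    def covers(rule):
        rs, rd = cfg.objects.get(rule["real_src"]), cfg.objects.get(rule["real_dst"])
        return (rs is not None and rd is not None
                and rule["real_src"] == rule["map_src"] and rule["real_dst"] == rule["map_dst"]
                and mgmt_ip in rs and remote.subnet_of(rd))
    cands = [r for r in cfg.nat if r["src_if"] == mgmt and r["dst_if"] == vpn_if and covers(r)]
    if not cands:
        findings.append(f"missing: nat ({mgmt},{vpn_if}) identity rule covering {mgmt_ip} <-> {remote} "
                        f"(a '({mgmt},any)' rule is not a substitute)")
    elif not any("route-lookup" in r["opts"] for r in cands):
        findings.append(f"nat ({mgmt},{vpn_if}) identity rule exists but lacks route-lookup")
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, check_asdm_over_vpn(parse_config(text), "10.1.55.0", "255.255.255.0", "untrust") or ["ok"])
```

Run against the posted lines it reports the two gaps (no `http ... trust`, no `(trust,untrust)` identity rule); with the accepted answer's NAT line and the `http ... trust` entry applied it reports nothing. The `route-lookup` check is separate so that a rule that is otherwise right but pins egress to the interface pair is called out on its own.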
27 REPLIES

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

So all you want to do is to be able to access ASDM, to accomplish this you need to be able to access the trust interface on the other side.

For this:

management-access trust

Then give it a try.

Regards,

Julio

Do rate helpful posts!!


ASDM access through s2s tunnel group on ASA5510

That is already set. I can access ASDM from the trust side, it's accessing it from the untrust side (where the VPN tunnel comes across) that does not currently work.

Is the problem that, since only one interface can be specified as having management access and the VPN tunnel comes across the untrust interface, there is no way to give it access?

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

That is correct.

Also remember that on an ASA you cannot connect to a distant interface.

So in this case the remote site will connect to the VPN and then they will be part of the inside interface, so they will not be able to access the untrusted interface, just the trusted one.

Regards,

Julio

Do rate all the helpful posts!


Re: ASDM access through s2s tunnel group on ASA5510

It is a given though that in order to make the tunnel work, that it goes across the public (untrust) interface, so all my traffic from the 10.1.55.0 side is coming through the untrust interface.

The ASA in this case is the vpn. The problem I have is accessing the trust interface..

There is no way to route the traffic from untrust to trust, in order to give these VPN connections that originate outside of the network and come across the untrust interface, to access ASDM?

I guess that is the impression I'm getting, I just want to confirm.

Edit: It just seems counter intuitive, since I can grant ASDM/HTTP access to a subnet over a non-management interface (outside), but not actually be able to access it except on a single interface that is defined as the management interface?

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

I think I am not quite understanding your request in here.

Please correct me if I am wrong:

1inside----ASA-----1Outside2--------ASA-----Inside2

You are on Inside2 and you want to access ASDM from interface Inside1 via the VPN tunnel, right?


ASDM access through s2s tunnel group on ASA5510

Yeah, that is right. ASDM's management interface is set to Inside1, and I can access it fine from Inside1, but not Inside2.

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

Ok good I understand the scenario.

Now you need this

http 10.1.55.0 255.255.255.0 trust

Set that up and let me know.

Regards,

Julio


ASDM access through s2s tunnel group on ASA5510

Done, but still am not able to access it.

I've tried both the Outside1 IP and the Inside1 IP.

Re: ASDM access through s2s tunnel group on ASA5510

Hello,

Hmm, that is strange. Can you change this please:

no nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

Are you able to ping that interface now?

Regards,

Julio

ASDM access through s2s tunnel group on ASA5510

Done, no change.

ASDM access through s2s tunnel group on ASA5510

Are you able to ping that interface now?


ASDM access through s2s tunnel group on ASA5510

Can ping the outside1 interface but not the inside1 interface

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

Do you have the inspection for the ICMP protocol:

If not, just add: fixup protocol icmp

On Site A do a capture on the inside interface like this.

access-list capin permit tcp host x.x.x.x (Remote_host_Ip)  y.y.y.y(ASA_inside_interface) eq 443

access-list capin permit tcp host y.y.y.y(ASA_inside_interface) eq 443 host x.x.x.x (Remote_host_Ip)

capture capin access-list capin interface trust.

Try to access ASDM again and finally:

Do a: sh cap capin and provide the output you get!


ASDM access through s2s tunnel group on ASA5510

Site A being where Inside1 is?

ASDM access through s2s tunnel group on ASA5510

That is correct!


ASDM access through s2s tunnel group on ASA5510

So, assuming inside1 IP = 192.168.1.1

And my computer's IP = 10.1.55.150

access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443

access-list capin permit tcp host 192.168.1.1 eq 443 host 10.1.55.150

capture capin access-list capin interface trust

Then try to ping 192.168.1.1 and then

sh cap capin

and provide results?

ASDM access through s2s tunnel group on ASA5510

It is not ping; as I said before, it is ASDM:

Try to access ASDM again and finally:

Do a: sh cap capin and provide the output you get!

Regards,

Julio

ASDM access through s2s tunnel group on ASA5510

Result of the command: "access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443"

access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443

                                                          ^

ERROR: % Invalid Hostname

Arrow is pointing to 'eq'


ASDM access through s2s tunnel group on ASA5510

Should...

access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443

be

access-list capin permit tcp host 10.1.55.150 eq 192.168.1.1 443

?

ASDM access through s2s tunnel group on ASA5510

Should be

access-list capin permit tcp host 10.1.55.150  host 192.168.1.1 eq 443

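As an added example (not Cisco code and not the ASA's own parser), the snippet below walks an ASA extended access-list line with the same left-to-right grammar the error above comes from: each address is `any`, `host A`, `A MASK`, or `object`/`object-group NAME`, and a port qualifier such as `eq 443` is only read once an address is complete. So in `host 10.1.55.150 192.168.1.1 eq 443` the second address starts with `192.168.1.1`, the parser then expects a mask, finds `eq`, and fails on that token, which is where the ASA put its caret. The port-name check and the error wording are simplifications chosen for the example.

```python
"""Added example (not Cisco code): parse an ASA extended ACL line with the
left-to-right address/port grammar that produces the "Invalid Hostname" error."""
import ipaddress
import re

PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # operator -> argument count

class AclSyntaxError(ValueError):
    def __init__(self, msg, col):
        super().__init__(f"{msg} (at token {col})")
        self.col = col          # index of the offending token, i.e. where the caret goes

def _is_ip(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False

def parse_extended_acl(line: str) -> dict:
    """Return name/action/proto/src/sport/dst/dport/options, or raise AclSyntaxError."""
    toks = line.split()
    i = 0

    def take():
        nonlocal i
        if i >= len(toks):
            raise AclSyntaxError("unexpected end of line", i)
        i += 1
        return toks[i - 1]

    if take() != "access-list":
        raise AclSyntaxError("expected access-list", 0)
    name = take()
    if i < len(toks) and toks[i] == "extended":       # 'extended' is implied when absent
        i += 1
    action = take()
    if action not in ("permit", "deny"):
        raise AclSyntaxError(f"bad action {action!r}", i - 1)
    proto = take()

    def address():
        t = take()
        if t in ("any", "any4", "any6"):
            return t
        if t == "host":                                # host A
            h = take()
            if not _is_ip(h):
                raise AclSyntaxError("Invalid Hostname", i - 1)
            return h + "/32"
        if t in ("object", "object-group", "interface"):
            return f"{t} {take()}"
        if _is_ip(t):                                  # A MASK: the next token must be a mask
            m = take()
            if not _is_ip(m):
                raise AclSyntaxError("Invalid Hostname", i - 1)
            return str(ipaddress.ip_network(f"{t}/{m}", strict=False))
        raise AclSyntaxError(f"bad address token {t!r}", i - 1)

    def port():                                        # only read after a complete address
        if i < len(toks) and toks[i] in PORT_OPS:
            op = take()
            args = [take() for _ in range(PORT_OPS[op])]
            for a in args:                             # port number or service name, never an IP
                if not re.fullmatch(r"[A-Za-z0-9_-]+", a):
                    raise AclSyntaxError(f"bad port {a!r}", i - 1)
            return (op, args)
        return None

    src, sport, dst, dport = address(), port(), address(), port()
    return dict(name=name, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, options=toks[i:])

if __name__ == "__main__":
    for acl in ("access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443",
                "access-list capin permit tcp host 10.1.55.150 host 192.168.1.1 eq 443"):
        try:
            print(parse_extended_acl(acl))
        except AclSyntaxError as e:
            print(acl.split()[e.col], "->", e)
```

The first line in the usage section reproduces the thread's error on token 7 (`eq`); the corrected line with `host` in front of the destination parses to a 10.1.55.150/32 to 192.168.1.1/32 rule with `eq 443` on the destination side, and the `extended` keyword is accepted either way because the ASA treats it as implied.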

ASDM access through s2s tunnel group on ASA5510

Result of the command: "sh cap capin"

0 packet captured

0 packet shown

ASDM access through s2s tunnel group on ASA5510

So packets are not reaching the Inside interface.

Can you post your configuration (of course with some changes due to security policies)?


ASDM access through s2s tunnel group on ASA5510

Blanked out IPs are all public ...

Also stripped out all user information.

: Saved

:

ASA Version 8.4(3)

!

hostname fire2

domain-name xxxxxxxxxxx.com

enable password EKulpKJap2J/lkIx encrypted

passwd jI7uBnbk1SCnR6Lm encrypted

names

name xxx.xxx.xxx.xxx Bandwidth.com_2

name xxx.xxx.xxx.xxx Bandwidth.com_1

name xxx.xxx.xxx.xxx Bandwidth.com_0

name xxx.xxx.xxx.xxx AWS1 description IP ADdress for AWS Tunnel 1

name xxx.xxx.xxx.xxx AWS2

dns-guard

!

interface Ethernet0/0

description Al Gore's Internet

nameif untrust

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.240

!

interface Ethernet0/1

description Subnet for Production Application Server Broadcast Containment

nameif prod

security-level 99

ip address 192.168.5.1 255.255.255.0

!

interface Ethernet0/2

description DMZ for F5 Load Balancer Cluster

nameif dmz

security-level 98

ip address 192.168.6.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Corporate Data Center Subnet

nameif trust

security-level 100

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name xxxxxxxxxxxxx.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-192.168.5.0

subnet 192.168.5.0 255.255.255.0

object network obj-10.1.55.0

subnet 10.1.55.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-10.1.70.0

subnet 10.1.70.0 255.255.255.0

object network obj-10.1.69.0

subnet 10.1.69.0 255.255.255.0

object network obj-192.168.5.10

host 192.168.5.10

object network obj-192.168.5.12

host 192.168.5.12

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.6.181

host 192.168.6.181

object network obj-192.168.6.182

host 192.168.6.182

object network obj-192.168.6.183

host 192.168.6.183

object network obj-192.168.6.184

host 192.168.6.184

object network obj-192.168.6.0

subnet 192.168.6.0 255.255.255.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network obj-10.1.51.0

subnet 10.1.51.0 255.255.255.0

object network obj-192.168.1.11

host 192.168.1.11

object network obj-192.168.1.9

host 192.168.1.9

object network obj-192.168.1.8

host 192.168.1.8

object network obj-192.168.1.40

host 192.168.1.40

object network obj-192.168.1.41

host 192.168.1.41

object network obj-192.168.1.90

host 192.168.1.90

object network obj-192.168.1.83

host 192.168.1.83

object network obj-192.168.1.14

host 192.168.1.14

object network obj-192.168.1.178

host 192.168.1.178

object network obj-192.168.1.17

host 192.168.1.17

object network obj-192.168.1.70

host 192.168.1.70

object network obj-192.168.1.71

host 192.168.1.71

object network obj-192.168.1.161

host 192.168.1.161

object network obj-192.168.1.110

host 192.168.1.110

object network obj-192.168.1.189

host 192.168.1.189

object network obj-192.168.1.140

host 192.168.1.140

object network obj-192.168.1.30

host 192.168.1.30

object network obj-192.168.1.141

host 192.168.1.141

object network obj-192.168.1.151

host 192.168.1.151

object network obj-192.168.1.92

host 192.168.1.92

object network obj-192.168.1.95

host 192.168.1.95

object network obj-192.168.1.60

host 192.168.1.60

object network obj-192.168.1.15

host 192.168.1.15

object network obj_any-03

subnet 0.0.0.0 0.0.0.0

object network obj_any-04

subnet 0.0.0.0 0.0.0.0

object network obj_any-05

subnet 0.0.0.0 0.0.0.0

object-group service Media tcp-udp

port-object range 10000 20000

object-group network Bandwidth.com

network-object Bandwidth.com_0 255.255.255.255

network-object Bandwidth.com_1 255.255.255.255

network-object Bandwidth.com_2 255.255.255.255

object-group service UDPMedia udp

port-object range 10000 30000

object-group network Postini

description Postini Mail Servers

network-object xxx.xxx.xxx.xxx 255.255.240.0

access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.70.0 255.255.255.0

access-list untrust_cryptomap_dyn_20 extended deny udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list HWVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list HWVPN_splitTunnelAcl remark HW Corp LAN

access-list HWVPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0

access-list HWVPN_splitTunnelAcl remark HW Corp LAN

access-list RemoteDev_splitTunnelACL remark Gatlin Access

access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.15

access-list untrust_cryptomap_720_2 extended permit ip 192.168.0.0 255.255.0.0 10.1.70.0 255.255.255.0

access-list HomePez standard permit host 192.168.1.60

access-list HomePez standard permit host 192.168.1.15

access-list untrust_cryptomap_dyn_60 extended permit ip any 192.168.2.0 255.255.255.0

access-list trust_access_in extended permit ip any any

access-list untrust_cryptomap_dyn_30 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list untrust_cryptomap_680_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0

access-list trust_nat_0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list officeTOpeak10 extended permit ip 192.168.42.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list officeTOpeak10 extended permit ip any any

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.69.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.70.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.71.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.72.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.73.0 255.255.255.0

access-list untrust_cryptomap_260_2 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0

access-list xx extended permit ip 192.168.1.0 255.255.255.0 10.2.72.0 255.255.255.0

access-list untrust_cryptomap_360_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0

access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list tst remark Full Ruger Access

access-list tst remark Full Ruger Access

access-list RemoteDevAccess remark All DNS Server Access

access-list RemoteDevAccess extended permit udp 192.168.2.0 255.255.255.0 host 192.168.1.0 eq domain

access-list RemoteDevAccess extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.91

access-list RemoteDevAccess remark Access to Oracle Dev

access-list RemoteDevAccess remark CVS Access

access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.15 eq 2401

access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.91 eq sqlnet inactive

access-list RemoteDevAccess remark All DNS Server Access

access-list RemoteDevAccess remark Access to Oracle Dev

access-list RemoteDevAccess remark CVS Access

access-list qa_access_in extended permit ip any any

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.70.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.69.0 255.255.255.0

access-list untrust_cryptomap_700 extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 9090

access-list untrust_access_in extended permit tcp object-group Postini host 192.168.1.8 eq smtp log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq ldap log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq www log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq https log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq imap4 log

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq domain

access-list untrust_access_in extended permit udp any host 192.168.1.14 eq domain

access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.15 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.161 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.151 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8888

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 3306

access-list untrust_access_in extended permit tcp any host 192.168.1.40 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.41 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.90 eq www

access-list untrust_access_in extended permit icmp any any

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 9090

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq 9000

access-list untrust_access_in extended permit ip any interface trust

access-list untrust_access_in extended permit udp any host 192.168.1.11 eq domain

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq domain

access-list untrust_access_in extended permit tcp any host 192.168.1.110 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq 5721

access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq 3389 inactive

access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.141 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ftp

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.40 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.41 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.90 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.178 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.17 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.70 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.71 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.110 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.189 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.140 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.30 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.92 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.95 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.10 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.60 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.12 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.181 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.182 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.183 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.184 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 xxx.xxx.xxx.0 255.255.255.0 eq ssh

access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ssh

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 1935

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ssh

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8085

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8060

access-list untrust_access_in extended deny ip 210.163.43.0 255.255.255.0 any log warnings

access-list untrust_access_in extended permit tcp any host 192.168.1.60 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.60 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.30 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.95 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.92 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq https

access-list untrust_access_in extended permit tcp any host 192.168.5.12 eq www

access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq www

access-list untrust_access_in extended permit tcp any host 192.168.6.181 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.182 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.183 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.184 eq https

access-list capin extended permit tcp host 192.168.1.1 eq https host 10.1.55.150

access-list capin extended permit tcp host 10.1.55.150 host 192.168.1.1 eq https

pager lines 24

logging enable

logging timestamp

logging emblem

logging trap warnings

logging asdm informational

logging facility 16

logging host trust 192.168.1.16 format emblem

logging debug-trace

logging permit-hostdown

mtu untrust 1500

mtu prod 1500

mtu dmz 1500

mtu trust 1500

ip local pool HW-VPN-Pool 192.168.2.100-192.168.2.200 mask 255.255.255.0

ip audit name CompHosti info action alarm

ip audit name CompHost attack action alarm

ip audit interface trust CompHosti

ip audit interface trust CompHost

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup

nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp

nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp

nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.51.0 obj-10.1.51.0 no-proxy-arp

nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp

nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp

nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

!

object network obj-192.168.5.0

nat (prod,untrust) dynamic interface

object network obj-192.168.5.10

nat (prod,untrust) static xxx.xxx.xxx.xxx

object network obj-192.168.5.12

nat (prod,untrust) static xxx.xxx.xxx.xxx

object network obj_any

nat (prod,untrust) dynamic obj-0.0.0.0

object network obj_any-01

nat (prod,dmz) dynamic obj-0.0.0.0

object network obj-192.168.6.181

nat (dmz,untrust) static xxx.xxx.xxx.xxx

object network obj-192.168.6.182

nat (dmz,untrust) static xxx.xxx.xxx.xxx

object network obj-192.168.6.183

nat (dmz,untrust) static xxx.xxx.xxx.xxx

object network obj-192.168.6.184
 nat (dmz,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.6.0
 nat (dmz,untrust) dynamic interface
object network obj_any-02
 nat (dmz,untrust) dynamic obj-0.0.0.0
object network obj-192.168.1.0
 nat (trust,untrust) dynamic interface
object network obj-192.168.1.11
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.9
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.8
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.40
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.41
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.90
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.83
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.14
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.178
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.17
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.70
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.71
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.161
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.110
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.189
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.140
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.30
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.141
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.151
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.92
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.95
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.60
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj-192.168.1.15
 nat (trust,untrust) static xxx.xxx.xxx.xxx
object network obj_any-03
 nat (trust,untrust) dynamic obj-0.0.0.0
object network obj_any-04
 nat (trust,prod) dynamic obj-0.0.0.0
object network obj_any-05
 nat (trust,dmz) dynamic obj-0.0.0.0
access-group untrust_access_in in interface untrust
access-group qa_access_in in interface prod
access-group dmz_access_in in interface dmz
access-group trust_access_in in interface trust
route untrust 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.1.69.0 255.255.255.0 untrust
http 74.167.160.132 255.255.255.255 untrust
http 192.168.1.0 255.255.255.0 trust
http 10.1.55.0 255.255.255.0 untrust
http 192.168.2.0 255.255.255.0 untrust
http 10.1.55.0 255.255.255.0 trust
snmp-server host trust 192.168.1.13 community *****
snmp-server host trust 192.168.1.14 community *****
snmp-server host trust 192.168.1.200 community ***** version 2c
snmp-server host trust 192.168.1.70 community *****
snmp-server location xxxxxxxxxxxxxx
snmp-server contact support@xxxxxxxxxxxx.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map untrust_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 80 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 600 match address untrust_cryptomap_600
crypto map untrust_map 600 set peer 70.91.144.153
crypto map untrust_map 600 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 680 match address untrust_cryptomap_680_1
crypto map untrust_map 680 set peer 76.106.137.57
crypto map untrust_map 680 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 700 match address untrust_cryptomap_700
crypto map untrust_map 700 set peer 174.65.109.36
crypto map untrust_map 700 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 720 match address untrust_cryptomap_720_2
crypto map untrust_map 720 set peer 24.129.41.149
crypto map untrust_map 720 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 65535 ipsec-isakmp dynamic untrust_dyn_map
crypto map untrust_map interface untrust
crypto isakmp identity address
crypto ikev1 enable untrust
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 80
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
telnet 192.168.1.0 255.255.255.0 trust
telnet 192.168.2.0 255.255.255.0 trust
telnet timeout 60
ssh 196.40.16.128 255.255.255.224 untrust
ssh 201.194.184.0 255.255.255.224 untrust
ssh 0.0.0.0 0.0.0.0 untrust
ssh 192.168.1.0 255.255.255.0 trust
ssh 192.168.2.0 255.255.255.0 trust
ssh 0.0.0.0 0.0.0.0 trust
ssh timeout 60
console timeout 0
management-access trust
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd dns 192.168.1.8 192.168.1.71
dhcpd wins 192.168.1.8
dhcpd domain artisit.com
!
dhcpd address 192.168.1.201-192.168.1.220 trust
dhcpd enable trust
!
priority-queue untrust
 queue-limit   488
 tx-ring-limit 8
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway none
group-policy RemoteDevGroup internal
group-policy RemoteDevGroup attributes
 vpn-filter value RemoteDevAccess
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteDev_splitTunnelACL
group-policy HWVPN internal
group-policy HWVPN attributes
 wins-server none
 dns-server value 192.168.1.8 192.168.1.71
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HWVPN_splitTunnelAcl
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy RemoteDevGroup
 authorization-required
 username-from-certificate use-entire-name
tunnel-group HWVPN type remote-access
tunnel-group HWVPN general-attributes
 address-pool HW-VPN-Pool
 default-group-policy HWVPN
tunnel-group HWVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 24.129.41.149 type ipsec-l2l
tunnel-group 24.129.41.149 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group RemoveDevGroup type remote-access
tunnel-group RemoveDevGroup general-attributes
 address-pool HW-VPN-Pool
 default-group-policy RemoteDevGroup
tunnel-group RemoveDevGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 76.106.137.57 type ipsec-l2l
tunnel-group 76.106.137.57 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 174.65.109.36 type ipsec-l2l
tunnel-group 174.65.109.36 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 70.91.144.153 type ipsec-l2l
tunnel-group 70.91.144.153 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map Voice
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect pptp
  inspect icmp
  inspect ip-options
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:873f98c8f60f3a5402af83968d746c38
: end

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

What I can tell you now is that you have a lot of issues with the NAT; as an example, check these ones:

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

The only one you need is this one:

nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

So please remove the other ones because there is no need for them!

I am 50% sure there is a bug regarding this behavior; I will research this tomorrow morning and let you know!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASDM access through s2s tunnel group on ASA5510

Hello Dane,

Can you try the following:

nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
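The two things Julio checks by hand in his replies above (identity NAT rules for the same source/destination object pair repeated across several interface pairs, and whether the remote subnet has an identity NAT with route-lookup toward the interface where ASDM is reached) can be audited from a pasted config. The script below is an added example; it is not Julio's, Dane's or Cisco's code. The sample config is constructed from lines quoted in this thread, the regular expressions only cover the `source static X X destination static Y Y` form of manual NAT used here, and the function and variable names are this example's own.

```python
"""Audit manual NAT and management-access lines in a pasted ASA config.

Added example (not from the thread or from Cisco). It mechanises the two
checks made in the replies above: identity NAT rules repeated for the same
real-source / destination object pair across interface pairs (the redundant
prod rules Julio asked to remove), and whether a remote VPN subnet is set up
to reach ASDM on the management interface (identity NAT with route-lookup
toward that subnet on that interface, 'http' on the interface, and
'management-access'). Only the 'source static X X destination static Y Y'
form of manual NAT is parsed; other NAT forms are ignored.
"""
import re
from collections import defaultdict

# Manual (twice) NAT in the form used in the thread.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source static "
    r"(?P<real_src>\S+) (?P<map_src>\S+) destination static "
    r"(?P<real_dst>\S+) (?P<map_dst>\S+)(?P<opts>.*)$"
)
# 'http <network> <mask> <interface>' (ASDM/HTTPS management access).
HTTP_RE = re.compile(r"^http (?P<net>[\d.]+) (?P<mask>[\d.]+) (?P<iface>[\w-]+)$")

# Constructed sample: the NAT lines quoted in the thread, Julio's corrected
# trust/untrust rule, and the http / management-access lines from the posted config.
SAMPLE_CONFIG = """\
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup
http server enable
http 192.168.1.0 255.255.255.0 trust
http 10.1.55.0 255.255.255.0 untrust
http 10.1.55.0 255.255.255.0 trust
management-access trust
"""


def parse_manual_nat(config):
    """Return one dict per manual NAT line; 'opts' holds the trailing keywords."""
    rules = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            rule = m.groupdict()
            rule["opts"] = rule["opts"].split()
            rule["line"] = raw.strip()
            rules.append(rule)
    return rules


def redundant_identity_nat(rules):
    """Group identity (X->X, Y->Y) rules by object pair; keep pairs with more than one rule."""
    groups = defaultdict(list)
    for r in rules:
        if r["real_src"] == r["map_src"] and r["real_dst"] == r["map_dst"]:
            groups[(r["real_src"], r["real_dst"])].append(r["line"])
    return {pair: lines for pair, lines in groups.items() if len(lines) > 1}


def vpn_mgmt_checklist(config, remote_net, remote_obj, mgmt_iface):
    """Three booleans for 'can remote_net reach ASDM on mgmt_iface through the tunnel'."""
    lines = [l.strip() for l in config.splitlines()]
    http_ok = False
    for l in lines:
        m = HTTP_RE.match(l)
        if m and m["net"] == remote_net and m["iface"] == mgmt_iface:
            http_ok = True
    # Identity NAT from the management interface toward the remote object,
    # with route-lookup (the keyword Julio's working rule relies on).
    nat_ok = any(
        r["src_if"] == mgmt_iface
        and r["real_dst"] == remote_obj
        and r["real_src"] == r["map_src"]
        and "route-lookup" in r["opts"]
        for r in parse_manual_nat(config)
    )
    return {
        "identity_nat_route_lookup": nat_ok,
        "http_on_mgmt_iface": http_ok,
        "management_access": f"management-access {mgmt_iface}" in lines,
    }


if __name__ == "__main__":
    for pair, lines in redundant_identity_nat(parse_manual_nat(SAMPLE_CONFIG)).items():
        print(f"{pair[0]} -> {pair[1]} appears in {len(lines)} rules:")
        for l in lines:
            print("   ", l)
    print(vpn_mgmt_checklist(SAMPLE_CONFIG, "10.1.55.0", "obj-10.1.55.0", "trust"))
```

Run it against `show running-config` output saved to a file instead of `SAMPLE_CONFIG` to get the same report for a live box; on the sample it lists the three prod rules as one redundant group and reports all three checks true for `trust`, while dropping the trust/untrust rule flips `identity_nat_route_lookup` to false.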
New Member

Re: ASDM access through s2s tunnel group on ASA5510

Wow, that did it! Thank you Julio, I know with our convoluted config, it probably wasn't easy, but that did the trick.

Re: ASDM access through s2s tunnel group on ASA5510

Hello Dane,

My pleasure to help!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC