
New Member

How can I access ASA contexts via ASDM using a DNS name?

I am running a ASA5585 in multi context mode and want to access each individual context directly with ASDM by a DNS name? I can SSH to the context with this name but not using ASDM.

Super Bronze

How can I access ASA contexts via ASDM using a DNS name?

Hi,

Well, if the DNS resolves to the correct IP address, then I would imagine it's related to ASDM settings on the whole ASA or under specific contexts.

What do the following command outputs say?

In System Context

show run asdm

In Security Context

show run http

show run ssh

- Jouni

New Member

How can I access ASA contexts via ASDM using a DNS name?

I'm thinking you're right, but the DNS name does resolve properly to the IP. I can SSH to it by the context name that I set up a DNS entry for. I'm wondering if either the DNS name that I use has to match the hostname of the context (and if so, what is the format, i.e. ASANAME/contextname), or does there have to be a PTR record for some security purpose?

See output below.

Thanks,

JouniForss wrote:

Hi,

Well, if the DNS resolves to the correct IP address, then I would imagine it's related to ASDM settings on the whole ASA or under specific contexts.

What do the following command outputs say?

In System Context

show run asdm

no asdm history enable

In Security Context

show run http

http server enable

http server idle-timeout 15

http 10.0.0.0 255.0.0.0 Outside


show run ssh

ssh 0.0.0.0 0.0.0.0 Outside

ssh timeout 5

ssh key-exchange group dh-group1-sha1


- Jouni

Super Bronze

Re: How can I access ASA contexts via ASDM using a DNS name?

Hi,

There is one clear problem there.

You have not defined the ASDM image that the ASA would use in the device's System Context space.

So your ASA doesn't know what ASDM image to use.

You need to add

asdm image flash:/.bin

- Jouni

Super Bronze

Re: How can I access ASA contexts via ASDM using a DNS name?

Or actually,

I am not 100% sure about the default settings. It might be that the ASA could use some ASDM image even without the configuration.

But probably better to define it.

Naturally, confirm that you have an ASDM image on the flash:

dir flash:

- Jouni

New Member

How can I access ASA contexts via ASDM using a DNS name?

Yes, the ASA will use the latest ASDM image in flash by default. To be clear, it works fine when I access each context directly by its IP. However, I would like to define a DNS entry that I could use instead.

TIA

Jason

New Member

Re: How can I access ASA contexts via ASDM using a DNS name?

What are you using for your internal DNS server? Make a PTR there.


Sent from Cisco Technical Support Android App

New Member

Re: How can I access ASA contexts via ASDM using a DNS name?

Nope, that doesn't work either. I have an A record and a PTR record that both match the ASA hostname exactly. NSLOOKUP from the client that I'm running ASDM on resolves it forward and reverse. It has to be an ASA setting.

Super Bronze

How can I access ASA contexts via ASDM using a DNS name?

Hi,

Do you already have the ASDM installed on your computer or are you attempting to connect to the Security Context to install/run it? If you have not yet installed it, are you sure you are using https instead of http?

Since your Security Context accepts SSH from any source address behind "outside" and the ASDM accepts from 10.0.0.0/8, are the connections coming from that network for sure?

The following command might also provide some information:

show run all ssl

The following command should tell what ports the ASA is listening on:

show asp table socket

- Jouni

New Member

Re: How can I access ASA contexts via ASDM using a DNS name?

I already have ASDM installed on my client and I'm able to connect to each context on its outside interface. I have created DNS entries using those outside IPs and it does not work. I would think that ASDM uses the client OS to resolve the name to an IP, but I guess not.

sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

pri/act/FOSASADC/admin# sh asp t

pri/act/FOSASADC/admin# sh asp table s

pri/act/FOSASADC/admin# sh asp table socket

Protocol  Socket    Local Address               Foreign Address         State

SSL       00c474af  10.128.4.4:443              0.0.0.0:*               LISTEN

TCP       03f5e0af  10.128.4.4:22               0.0.0.0:*               LISTEN

TCP       0555537f  10.128.4.4:23               0.0.0.0:*               LISTEN

TCP       13c52a88  10.128.4.4:22               10.120.64.167:19110     ESTAB
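A quick offline way to cross-check the two things Jouni asked about, whether the SSL listener is actually up and whether the client address is inside the context's http/ssh access lines. This is an added example, not something from the thread; it parses the "show run http", "show run ssh" and "show asp table socket" output posted above, and the second client address (192.0.2.10) is a constructed value for contrast.

```python
import ipaddress
import re

# Output copied from the thread: the context's http/ssh rules and the socket table.
HTTP_RUN = """http server enable
http server idle-timeout 15
http 10.0.0.0 255.0.0.0 Outside"""
SSH_RUN = """ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1"""
ASP_SOCKETS = """Protocol  Socket    Local Address               Foreign Address         State
SSL       00c474af  10.128.4.4:443              0.0.0.0:*               LISTEN
TCP       03f5e0af  10.128.4.4:22               0.0.0.0:*               LISTEN
TCP       0555537f  10.128.4.4:23               0.0.0.0:*               LISTEN
TCP       13c52a88  10.128.4.4:22               10.120.64.167:19110     ESTAB"""

# Matches 'http <addr> <mask> <ifname>' and 'ssh <addr> <mask> <ifname>' access lines.
ACL_RE = re.compile(r"^(http|ssh)\s+([\d.]+)\s+([\d.]+)\s+(\S+)$")

def parse_acl(text):
    """Return [(service, network, interface)]; 'http server ...' lines do not match."""
    rules = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            rules.append((m[1], net, m[4]))
    return rules

def listening_ports(text):
    """Return {port: protocol} for the LISTEN rows of 'show asp table socket'."""
    ports = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) == 5 and cols[4] == "LISTEN":
            ports[int(cols[2].rsplit(":", 1)[1])] = cols[0]
    return ports

def check_access(client_ip, http_text=HTTP_RUN, ssh_text=SSH_RUN, asp_text=ASP_SOCKETS):
    """Report whether ASDM (HTTPS/443) and SSH from client_ip pass the context's
    management access lines, and whether the SSL listener is up at all."""
    ip = ipaddress.ip_address(client_ip)
    rules = parse_acl(http_text) + parse_acl(ssh_text)
    ports = listening_ports(asp_text)
    return {
        "ssl_listener": ports.get(443) == "SSL",
        "asdm_permitted": any(s == "http" and ip in n for s, n, _ in rules),
        "ssh_permitted": any(s == "ssh" and ip in n for s, n, _ in rules),
    }

if __name__ == "__main__":
    for c in ("10.120.64.167", "192.0.2.10"):   # second address is constructed
        print(c, check_access(c))
```

The client seen in the ESTAB row (10.120.64.167) is inside 10.0.0.0/8, so the http access line is not what blocks ASDM here; a client outside that range would be allowed SSH but refused ASDM, which is exactly the asymmetry Jouni was probing for.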

Super Bronze

Re: How can I access ASA contexts via ASDM using a DNS name?

Hi,

Not sure what the problem is.

We have, for example, 4x ASA5585-X SSP20 units, all running Multiple Context mode. Each unit's "admin" Security Context has a connection to the management network. That management network's interface IP address is defined on our internal DNS server and everything works just fine.

I am not sure if I have been asking questions that you have already answered. I am a bit tired and have been reading a networking book for several hours, so my brain hurts.

Have you tried monitoring the logs through the SSH connection while you have attempted to log in through the ASDM connection on the ASA?

Have you tried to use Wireshark on the local machine to determine what is happening with the ASDM connection to the ASA?

Have you considered running "debug http" on the ASA and seeing what the output produces while attempting to log in with ASDM?

Also, what exactly happens with the ASDM connection attempt using DNS name? Does it simply timeout or perhaps produce some actual error message?

- Jouni

New Member

Re: How can I access ASA contexts via ASDM using a DNS name?

I just created an A record for my ASA and could get to it via ASDM-Launcher with the format NAME:PORT.

ASDM-Launcher does use whatever DNS source you have set up. Type in google.com and watch it try to contact a device until it times out.
