4471 Views, 0 Helpful, 6 Replies

Managing ASA5510 using ASDM via internal interface

Edward Luna
Level 1

Hello

I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.

My concern is that I thought I remembered reading someplace that if you set up an internal port for management, it can't be used for anything else. Is this correct?

I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and routing from my LAN through the ASA firewall?

I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM, connect through the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH, then:

select "ADD"

select access type "ASDM/HTTPS"

select interface "internal"

IP Address   "10.1.1.0"

Mask       "255.255.255.0"

Will that give me access to ASA management through my internal network but cripple my network access to the ASA?

Sorry if this is confusing... I don't know how else to phrase it.

Thanks

Ed


6 Replies

hobbe
Level 7

Hi

Yes, you can use the inside interface, no problem.

Do you have a special address you know you will be coming from?

If not, you should have that.

Start the CLI:

http 10.1.1.0 255.255.255.0 inside

good luck

HTH

Thanks for the fast reply.

I was thinking that I might use remote administration to my Small Business Server 2008 (RWW) to connect to my server (known internal IP address) and specify that only that IP can administer the ASA.

Sound like a plan?

Ed

Hi

It sounds like a better plan than opening up for each and every unit on the inside :).

But if you have an old laptop or something like that, I would say that setting it up with a syslog server and using that to manage the firewall would be an even better option.

That way you would get logs and a management station.

There are several syslog servers that are free, and I like to use grep, which is also free, to filter information.

http 10.1.1.52 255.255.255.255 inside

will make 10.1.1.52 the only server able to work with ASDM,

but you will have to remove the old http 10.1.1.0 255.255.255.0 inside statement.

If you find the answers helpful please rate.

good luck

HTH

I will gladly rate... your answers are always very helpful. Now if I only knew how to rate we'd be fat. How do I do it? Rate, I mean.

oops... I just thought of something.

RWW connects to the SBS 2008 via HTTPS (port 443)

The Add dialog under Device Management in ASDM says it uses port 443 for HTTP admin access. Sounds like a conflict.

Will I need to change the port assignment for ASDM management from 443 to 444, or does the fact that the IP addresses are different for the two functions negate the need for different ports?

In other words... ASDM comes in on port 443 but for IP address 10.1.1.1, and RWW comes in on port 443 but for IP address 10.1.1.2.

Hi

Yes, the different address makes it a totally different thing.

443 is the "standard" port for HTTPS, so basically most web servers that use SSL use that port.

This is basic TCP/IP, and if you are going to work with firewalls you should study it until you know it front to back.

There are some really nice books from O'Reilly. If you have the time, it would make sense to start reading up on IPv6 also. It's not "here" yet when it comes to America and Europe, but it is growing fast in Asia.

good luck

HTH
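As an added check for the advice in this thread (not code from the thread or from Cisco), the following script reads "show run http" style output, flags any http access entry broader than a single host (the /24 hobbe says to replace with a /32) and reports the port the ASDM server listens on, which the 443 question turns on; the sample config lines are constructed, not captured from a real ASA.

```python
"""Audit ASA 'http' (ASDM/HTTPS access) lines from 'show run http' output.
Added example, not from the thread or Cisco: flags http entries wider than one
host (the /24 hobbe says to remove) and reports the ASDM listening port."""
import ipaddress
import re

# Constructed sample of 'show run http' output; not captured from a real ASA.
SAMPLE_SHOW_RUN_HTTP = """\
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
http 10.1.1.52 255.255.255.255 inside
"""

SERVER_LINE = re.compile(r"^http server enable(?:\s+(\d+))?$")
ACCESS_LINE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")

def asdm_port(text):
    """Port the ASDM/HTTPS server listens on (443 unless one is configured)."""
    for line in text.splitlines():
        m = SERVER_LINE.match(line.strip())
        if m:
            return int(m.group(1)) if m.group(1) else 443
    return None  # 'http server enable' absent: ASDM not reachable at all

def parse_http_access(text):
    """(source network, interface) for each 'http <ip> <mask> <iface>' entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ACCESS_LINE.match(line)
        if not m or line.startswith("http server"):
            continue  # blank, unrelated, or the server-enable line
        ip, mask, iface = m.groups()
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        entries.append((net, iface))
    return entries

def broad_entries(text, max_hosts=1):
    """Entries that admit more than max_hosts source addresses."""
    return [(n, i) for n, i in parse_http_access(text) if n.num_addresses > max_hosts]

def removal_commands(text, max_hosts=1):
    """'no http ...' commands that drop every entry wider than max_hosts."""
    return [f"no http {n.network_address} {n.netmask} {i}"
            for n, i in broad_entries(text, max_hosts)]
```

Run it against the real "show run http" output and apply the returned "no http" lines only after a single-host entry for your management station is already in place, so the change does not lock you out.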
