11-06-2013 12:44 PM - edited 03-11-2019 08:01 PM
I have just installed a new ASA5512 in transparent mode. This is the first time I have done this type of installation and have been having some issues getting remote management to the device. I have configured a BVI interface for management with an IP of 10.252.255.25.
The network looks like this:
172.19.130.5 --- LAN --- Router --- MPLS --- Router 10.252.255.30 ---- ASA Gi0/1 ---- ASAGi0/0 ----- Switch to LAN ---- 10.252.0.0 clients
So, from my management workstation on 172.19.130.5 I can ping the router at 10.252.255.30, I can also ping and manage the client machines on the 10.252.0.0 network on the other side of the ASA, but I can't manage the ASA on 10.252.255.25. It's going to be something I haven't done, so any help would be greatly appreciated.
Please see config attached.
Murray
11-07-2013 10:24 PM
Did you check the ASA logs when you try to connect to the BVI?
11-09-2013 09:23 PM
Do you still need assistance?
11-15-2013 11:08 AM
Hi jumora,
Yes I am still experiencing the issue. Because the device is now on a remote site I am not able to get to a management machine to console onto it. I can contact a person on site but they are not that experienced at working at the command line and they have other duties to attend to.
Did you manage to look at the config I posted to verify that it was OK?
Murray
Sent from Cisco Technical Support iPad App
11-15-2013 11:36 AM
Are you unable to connect with both SSH and ASDM?
I noticed you do not have an SSH command for 172.19.130.5
ssh 172.19.130.5 255.255.255.255 inside
11-15-2013 02:03 PM
Configuration wise everything looks OK.
IP address assignment
Routing setup.
SSH setup (Marius 130.5 is included on that range)
So as long as the destination IP address is on the 172.19.128.0/22 you should be able to connect.
Are you able to ping the ASA?
do the following
cap capin interface inside match tcp host 172.19.130.5 host 10.252.255.25 eq 22
Then try to connect via SSH and share
show cap capin
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-16-2013 02:13 AM
Hi Julio,
I will ask the local guy on site to use the capture commands and get the output and have a look.
Just to add that I can ping devices either side of the firewall, so I know it's passing the traffic, so I think that it's either a config issue or a problem with the traffic getting back to my management workstation.
172.19.130.5 --- LAN --- Router --- MPLS --- Router 10.252.255.30 ---- ASA Gi0/1 ---- ASAGi0/0 ----- Switch to LAN 10.252.255.17 ---- 10.252.0.0 clients
11-16-2013 10:33 AM
Hello,
Okay, let us know.
By the way, from which IP address are you coming?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-16-2013 10:44 AM
I'm using 172.19.130.5 as the source IP.
11-16-2013 10:51 AM
Hello,
Okay,
Are you 100% sure 10.252.255.30 is the next-hop IP address?
By the way are you available for a tshoot session?
Let me know via a message (check your inbox).
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-25-2013 11:56 AM
So I have managed to get the very helpful guy on site to capture some packets. When I try to SSH to the device no packets are captured, however, if I try to SSH to an IP on the other side of the FW I get packets being captured as shown below.
I have gone over the config but still can't find a problem, I'm close to pulling my hair out on this one.
TEE-FDC-FW01# cap capin int inside match tcp any any eq 22
TEE-FDC-FW01# sh cap capin
6 packets captured
1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
6 packets shown
Sent from Cisco Technical Support iPad App
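As an added worked example (not code from any poster in this thread): a small Python parser for the `show cap` output above that tells apart the three things such a capture can say about SSH to a given address on this interface: no packets to it at all (Murray's case for the BVI), SYNs answered with RST (the far-side host above), or SYNs that arrive but get no reply. The sample lines are the ones quoted above plus one constructed SYN from 172.19.130.5 to 10.252.255.25; its timestamp and source port are made up.

```python
import re
from collections import defaultdict

# Constructed sample: the "show cap capin" lines quoted in the thread
# (SSH from 10.64.68.32 to a host behind the ASA).
SAMPLE_CAPTURE = """\
1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
4 packets shown
"""
# Constructed: a SYN to the BVI address that nothing answers (timestamp/port made up).
SAMPLE_UNANSWERED = "1: 15:42:00.000000 172.19.130.5.51000 > 10.252.255.25.22: S 1:1(0) win 8192\n"

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SRPFU.]+)"
)

def parse_capture(text):
    """Turn 'show cap' packet lines into dicts; count/header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            packets.append(d)
    return packets

def summarize_flows(packets, port=22):
    """Per (client, server) pair, count SYNs sent and SYN-ACK / RST replies."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "other": 0})
    for p in packets:
        if p["dport"] == port:                      # client -> server direction
            key, kind = (p["src"], p["dst"]), ("syn" if p["flags"] == "S" else "other")
        elif p["sport"] == port:                    # server -> client direction
            key = (p["dst"], p["src"])
            kind = "rst" if "R" in p["flags"] else ("synack" if "S" in p["flags"] else "other")
        else:
            continue
        flows[key][kind] += 1
    return dict(flows)

def diagnose(text, target_ip, port=22):
    """What the capture says about TCP/port access to target_ip on this interface."""
    flows = summarize_flows(parse_capture(text), port)
    hits = [v for (_, dst), v in flows.items() if dst == target_ip]
    if not hits:
        return "no-packets-to-target"    # traffic never arrived on this interface
    if any(v["synack"] for v in hits):
        return "handshake-seen"
    if any(v["rst"] for v in hits):
        return "syn-answered-with-rst"   # reached the host, but the port refused
    return "syn-unanswered"              # arrived, nothing came back
```

A "no-packets-to-target" result for the BVI address means the next step is upstream of the ASA (routing or a SPAN on the L2 path), which is the conclusion the following reply reaches.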
11-25-2013 12:07 PM
Hello Murray,
Are you sure the packets should arrive on the Inside interface?
If the answer is yes, then the problem is not on the ASA, as the traffic is not even reaching the ASA. I would recommend then doing a SPAN monitor session on the L2 network to see where the packets are going.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-28-2013 05:34 AM
Hello again,
It's been a while.
Here is the output from the capture.
As can be seen, I can traverse the firewall and SSH to a device on the other side, but not to the firewall itself.
TEE-FDC-FW01# cap capin int inside match tcp any any eq 22
TEE-FDC-FW01# sh cap capin
6 packets captured
1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
6 packets shown
11-16-2013 08:18 AM
My bad, misread the subnet mask.