topic Re: Can't connect ASDM from remote site. in Network Security

Can't connect ASDM from remote site.

msompong1 — Wed, 17 Jul 2019 02:52:06 GMT

Hi All,

I've setup the Cisco ASA 5506x firewall with the simple connection.

- outsite interface connect to internet.

- inside interface connect to my production.

- P2P interface connect to the existing network.

My problem is I can't access the ASDM from network behind the P2P link , I've found the log in ASA about my source IP and the service 443 but ASDM client show "Unable to lunch device manager from xx.xx.xx.xx"

But when I tried from inside network the ASDM can lunch as expected.

I've enable the source network for access ASA as below.

http server enable
http 192.168.140.0 255.255.255.0 inside
http 10.196.0.0 255.255.0.0 P2P

And the routing also have

route P2P 10.196.0.0 255.255.0.0 10.196.7.1

Please help to advice and thank you in advance.

Re: Can't connect ASDM from remote site.

Marvin Rhoads — Wed, 17 Jul 2019 03:23:54 GMT

Is it possible that your traffic arriving via the P2P link is being NATted along the way? You can test this by temporarily changing your current:

http 10.196.0.0 255.255.0.0 P2P

http 0.0.0.0 0.0.0.0 P2P

If it works with that then check your ASA/ASDM logs to see the actual incoming address of the connections and update the http statement accordingly.

Re: Can't connect ASDM from remote site.

GRANT3779 — Wed, 17 Jul 2019 07:48:12 GMT

Hi There, I had a very similar issue recently but asdm access was an issue across a 4G WAN link. Out of interest, can you SSH to the ASA across the P2P?
My problem was MTU/Fragmentation or lack of. I had to add tcp miss-adjust on the WAN interfaces. I only knew this was the issue after running some packet captures to see what was going on.
May be unrelated to your issue but thought I would make you aware.

Re: Can't connect ASDM from remote site.

msompong1 — Thu, 25 Jul 2019 08:04:26 GMT

Hi All,

Thank you for your reply.

I have the more detail to update my current connection show as below

My Client ----> L3 switch ----> Checkpoint Firewall x2 (Clustered) ---->Cisco ASA----> Network

After I've use the wiresharsk captured the traffic between Checkpoint and ASA I have found some thing.

For the ASA with 9.6(1) firmware (this version is working as expected)

Checkpoint will forward traffic to ASA with it real physical MAC address as source and ASA reply with the CheckPoint real MAC address as destination.

For the ASA with 9.9(2) firmware (this version is not working)

Checkpoint will forward traffic to ASA with it real physical MAC address as source and ASA reply with the CheckPoint Virtual MAC address as destination. That is why the communication cannot established.

So How can I do on the configuration of 9.9(2) firmware ?

Re: Can't connect ASDM from remote site.

Marvin Rhoads — Thu, 25 Jul 2019 11:23:31 GMT

From your latest description and the analysis you've done, this sounds like a bug. Are you running the latest interim release of 9.9(2)?

That would currently be 9.9(2)52 found here:

https://software.cisco.com/download/home/286283326/type/280775065/release/9.9.2%20Interim

If you are already running the latest interim then I would advise opening a TAC case.