topic ASDM access through s2s tunnel group on ASA5510 in Network Security

ASDM access through s2s tunnel group on ASA5510

danewoodall — Mon, 11 Mar 2019 22:26:12 GMT

For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.

However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.

This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.

This is the current config relative to the 10.1.55.0 subnet:

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0

asdm location 10.1.55.0 255.255.255.0 untrust

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

http 10.1.55.0 255.255.255.0 untrust

trust is the name of the "inside" interface that has an IP of 192.168.1.1

untrust is the name of the "outside" interface

prod is the name of the production environment interface

and dmz of course is the name of the dmz interface

As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.

What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Wed, 08 Feb 2012 22:06:22 GMT

Hello Dane,

So all you want to do is to be able to access ASDM, to accomplish this you need to be able to access the trust interface on the other side.

For this:

managment-access trust.

Then give it a try.

Regards,

Julio

Do rate helpful posts!!

ASDM access through s2s tunnel group on ASA5510

danewoodall — Wed, 08 Feb 2012 22:11:07 GMT

That is already set. I can access ASDM from the trust side, it's accessing it from the untrust side (where the VPN tunnel comes across) that does not currently work.

Is the problem that since only 1 interface can be specified as having management access, that since the VPN tunnel comes across the untrust interface, that there is no way to give it access?

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Wed, 08 Feb 2012 22:15:23 GMT

Hello Dane,

That is correct.

Also remember than on an ASA you cannot connect to a distant interface.

So in this case the remote site will connect to the vpn and then they will be part of the inside interface so he will not be able to access the untrusted interface, just the trusted one.

Regards,

Julio

Do rate all the helpful posts!

Re: ASDM access through s2s tunnel group on ASA5510

danewoodall — Wed, 08 Feb 2012 22:20:26 GMT

It is a given though that in order to make the tunnel work, that it goes across the public (untrust) interface, so all my traffic from the 10.1.55.0 side is coming through the untrust interface.

The ASA in this case is the vpn. The problem I have is accessing the trust interface..

There is no way to route the traffic from untrust to trust, in order to give these VPN connections that originate outside of the network and come across the untrust interface, to access ASDM?

I guess that is the impression I'm getitng, I just want to confirm.

Edit: It just seems counter intuitive, since I can grant ASDM/HTTP access to a subnet over a non-management interface (outside), but not actually be able to access it except on a single interface that is defined as the management interface?

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Wed, 08 Feb 2012 22:32:52 GMT

Hello Dane,

I think I am not quite understanding your request in here.

Please correct me if I am wrong:

1inside----ASA-----1Outside2--------ASA-----Inside2

You are on Inside2 and you want to access ASDM from interface inside1 via the VPN tunell right?

ASDM access through s2s tunnel group on ASA5510

danewoodall — Wed, 08 Feb 2012 23:38:40 GMT

Yeah, that is right. ASDM's management interface is set to Inside1, and I can access it fine from inside 1, but not Inside2

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Wed, 08 Feb 2012 23:42:48 GMT

Hello Dane,

Ok good I understand the scenario.

Now you need this

http 10.1.55.0 255.255.255.0 trust

Set that up and let me know.

Regards,

Julio

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 00:06:29 GMT

Done, but still am not able to access it.

I've tried both both the outside1 IP and inside1 IP.

Re: ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Thu, 09 Feb 2012 00:17:36 GMT

Hello,

Hmm, that is estrange.Can you change this please:

no nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp

Are you able to ping that interface now?

Regards,

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 00:27:18 GMT

Done, no change.

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Thu, 09 Feb 2012 00:42:45 GMT

Are you able to ping that interface now?

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 00:45:32 GMT

Can ping the outside1 interface but not the inside1 interface

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Thu, 09 Feb 2012 00:49:46 GMT

Hello Dane,

Do you have the inspection for the ICMP protocol:

If not just add: -fixup protocol ICMP.

On Site A do a capture on the inside interface like this.

access-list capin permit tcp host x.x.x.x (Remote_host_Ip) y.y.y.y(ASA_inside_interface) eq 443

access-list capin permit tcp host .yy.y.y(ASA_inside_interface) eq 443 host x.x.x.x (Remote_host_Ip)

capture capin access-list capin interface trust.

Try to access ASDM again and finally:

Do a : - sh cap capin and provide the output you get!

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 00:53:35 GMT

Site A being where Inside1 is?

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Thu, 09 Feb 2012 00:54:03 GMT

That is correct!

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 00:58:42 GMT

So, assuming inside1 IP = 192.168.1.1

And my computer's IP = 10.1.55.150

access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443

access-list capin permit tcp host 192.168.1.1 eq 443 host 10.1.55.150

capture capin access-list capin interface trust

Then try to ping 192.168.1.1 and then

sh cap capin

and provide results?

ASDM access through s2s tunnel group on ASA5510

Julio Carvajal — Thu, 09 Feb 2012 01:02:28 GMT

It is not ping, as I said before is ASDM:

Try to access ASDM again and finally:

Do a : - sh cap capin and provide the output you get!

Regards,

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 01:08:18 GMT

Result of the command: "access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443"

access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443

ERROR: % Invalid Hostname

Arrow is pointing to 'eq'

ASDM access through s2s tunnel group on ASA5510

danewoodall — Thu, 09 Feb 2012 01:10:26 GMT

Should...

access-list capin permit tcp host 10.1.55.150 192.168.1.1 eq 443

access-list capin permit tcp host 10.1.55.150 eq 192.168.1.1 443