topic Access ASDM from a different vlan and interface than the management in Network Security

Access ASDM from a different vlan and interface than the management

billetj01 — Mon, 11 Mar 2019 16:32:35 GMT

Hello everybody,

I am a new user of an ASA5510 using ASA version 8.0 and ASDM 6.0(2)

That firewall is used to be the central part of a network be multiple inside VLANs and Internet connection.

So my firewall is directly connected to a switch 3750 and couple of other swicthes are connected to that first switch.

At the moment, in order to connect to ASDM I have on cable in trunk between eth1 of the firewall and eth0/1 of my switch (so set as trunk line) and one cable between the management interface and eth0/48 of my switch on a specific VLAN (VLAN 69 on my switch which is just for the management interface). At the moment it is the only workaround I have found to connect to that ASDM. So basically I have one comnputer on the network on VLAN69 from which I can get the ASDM working. But all my switch have are on Vlan 1 for management purpose, so I need another computer on vlan 1 to manage my switches.

I am almost sure that there is a way to be able from Vlan1 to access to ASDM but I don't find how.

Here is my configuration of the ASA5510 :

ASA Version 8.0(2)

hostname AFAW001

domain-name test.COM

enable password xxxxxxxx encrypted

names

name 10.3.72.10 Switch01

....

name 10.3.72.37 AdminPC

dns-guard

interface Ethernet0/0

nameif Internet

security-level 0

ip address 62.xxx.xxx.x81 255.255.255.xxx

interface Ethernet0/1

nameif Inside_Network

security-level 100

no ip address

interface Ethernet0/1.1

vlan 1

nameif VLAN_Admin

security-level 100

ip address 10.3.72.1 255.255.255.128

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 10.3.74.241 255.255.255.240

passwd h83ErV7OnuCAO8TG encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS

domain-name test.COM

same-security-traffic permit inter-interface

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu Internet 1500

mtu Inside_Network 1500

mtu VLAN_Admin 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

asdm history enable

arp timeout 14400

nat-control

global (Internet) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

nat (VLAN_Admin) 101 0.0.0.0 0.0.0.0

route Internet 0.0.0.0 0.0.0.0 62.xxx.xxx.x81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.3.72.0 255.255.255.128 VLAN_Admin

http 10.3.74.240 255.255.255.240 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh 10.3.74.242 255.255.255.255 management

ssh 10.3.72.37 255.255.255.255 VLAN_Admin

ssh timeout 5

console timeout 0

dhcpd address 10.3.74.242-10.3.74.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

service-policy global_policy global

prompt hostname context

Cryptochecksum:b71e78a98adb84b4f0a5d544be20e21c

: end

Thank you for your help

Re: Access ASDM from a different vlan and interface than the man

Collin Clark — Wed, 28 Oct 2009 14:18:26 GMT

JB-

Are you required to trunk? There is only one VLAN on it, so for simplicity sake, you make want to remove the trunk and have it connect as an access port. Under interface Ethernet0/1 you should remove the security level. Other than that your config looks good. When on VLAN1, can you SSH into the ASA? Ping it? Anything in the log?

Re: Access ASDM from a different vlan and interface than the man

billetj01 — Wed, 28 Oct 2009 16:51:23 GMT

Hi,

Sorry, I have forgot to let some "..." to show where I have cut in my config. I have about 20 vlans in my configuration with dhcp enable and NAT. All the VLAN I have hidden are subcontractors which are sharing the same internet access. So I need that trunk.

When I am on VLAN1 at the moment I can not do anything to the ASA, no ping, no ssh, nothing.

Re: Access ASDM from a different vlan and interface than the man

Collin Clark — Wed, 28 Oct 2009 18:30:34 GMT

Do you see your IP in the ARP table of the ASA?

Re: Access ASDM from a different vlan and interface than the man

billetj01 — Thu, 29 Oct 2009 08:07:07 GMT

Intersting, it is not in the ARP table of the ASA.

Here is the actual config of the ASA :

*****************************

ASA Version 8.0(2)

hostname AFAW001

domain-name test.COM

enable password h83ErV7OnuCAO8TG encrypted

names

...

dns-guard

interface Ethernet0/0

nameif Internet

security-level 0

ip address 62.xxx.xxx.x82 255.255.255.xxx

interface Ethernet0/1

nameif Inside_Network

security-level 0

no ip address

interface Ethernet0/1.1

vlan 1

nameif VLAN_Admin

security-level 100

ip address 10.3.72.1 255.255.255.128

interface Ethernet0/1.10

vlan 10

nameif VLAN_Visitor

security-level 30

ip address 10.3.72.129 255.255.255.128

...... (VLANs)

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 10.3.74.241 255.255.255.240

passwd xxxxxxxxx encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS

domain-name OL3.AREVA.COM

same-security-traffic permit inter-interface

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu Internet 1500

mtu Inside_Network 1500

mtu VLAN_Admin 1500

.....

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

asdm history enable

arp timeout 14400

nat-control

global (Internet) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

nat (VLAN_Admin) 101 0.0.0.0 0.0.0.0

nat (VLAN_Visitor) 101 0.0.0.0 0.0.0.0

.....

route Internet 0.0.0.0 0.0.0.0 62.xxx.xxx.x81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.3.72.0 255.255.255.128 VLAN_Admin

http 10.3.74.240 255.255.255.240 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh 10.3.74.242 255.255.255.255 management

ssh 10.3.72.37 255.255.255.255 VLAN_Admin

ssh timeout 5

console timeout 0

dhcpd address 10.3.74.242-10.3.74.254 management

dhcpd enable management

dhcpd address 10.3.72.130-10.3.72.254 VLAN_Visitor

dhcpd dns 212.86.0.5 212.86.0.6 interface VLAN_Visitor

dhcpd enable VLAN_Visitor

....

threat-detection basic-threat

threat-detection statistics

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

service-policy global_policy global

prompt hostname context

Cryptochecksum:2aa198c41a4b426d33a3d4fd097818c2

: end

********************

and the result of show route on the ASA :

Gateway of last resort is 62.xxx.xxx.x81 to network 0.0.0.0

C 10.3.72.0 255.255.255.128 is directly connected, VLAN_Admin

C 10.3.74.240 255.255.255.240 is directly connected, management

....

C 10.3.72.128 255.255.255.128 is directly connected, VLAN_Visitor

C 62.xxx.xxx.x80 255.255.255.xxx is directly connected, Internet

S* 0.0.0.0 0.0.0.0 [1/0] via 62.xxx.xxx.x81, Internet

Re: Access ASDM from a different vlan and interface than the man

Collin Clark — Thu, 29 Oct 2009 14:15:38 GMT

If you don't see your MAC in the ARP table, there is a layer1/2 problem. You'll need to make sure your PC has the correct IP address (10.3.72.x), your in the correct VLAN (1), and the VLAN is on the trunk. Also you may want to remove the nameif on the main interface.

interface Ethernet0/1

no nameif Inside_Network

If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair. Because the physical or redundant interface must be enabled for the subinterface to pass traffic, ensure that the physical or redundant interface does not pass traffic by leaving out the nameif command. If you want to let the physical or redundant interface pass untagged packets, you can configure the nameif command as usual. The firewall could be moving the packets to the wrong interface because the main interface and E0/1.1 are both processing vlan 1 packets.

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/intrface.html#wp1044006

Re: Access ASDM from a different vlan and interface than the man

billetj01 — Fri, 30 Oct 2009 12:53:58 GMT

Status :

******

interface Ethernet0/1

no nameif

no security-level

no ip address

*******

IP address of the computer in VLAN Admin correct :10.3.72.37 255.255.255.128 GW 10.3.72.1

And maybe could help the config of the 1st switch :

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname ASWE0001

enable secret 5 xxxxx

username root privilege 15 password 7 xxxxx

no aaa new-model

clock timezone CST -2

clock summer-time HEL recurring

switch 1 provision ws-c3750-48ts

no ip subnet-zero

no ip source-route

no ip domain-lookup

ip domain-name xxxxx

errdisable recovery cause psecure-violation

errdisable recovery interval 120

no file verify auto

spanning-tree mode rapid-pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

vlan internal allocation policy ascending

interface FastEthernet1/0/1

description linktoFirewall

switchport trunk encapsulation dot1q

switchport mode trunk

udld port aggressive

interface FastEthernet1/0/2

description To S

switchport access vlan xx

switchport mode access

no mdix auto

no cdp enable

spanning-tree portfast

.....

interface GigabitEthernet1/0/1

description LinkToBuilding C

switchport trunk encapsulation dot1q

switchport mode trunk

udld port aggressive

interface GigabitEthernet1/0/2

description LinktoBuilding F

switchport trunk encapsulation dot1q

switchport mode trunk

udld port aggressive

interface GigabitEthernet1/0/3

description LinkToBuilding B

switchport trunk encapsulation dot1q

switchport mode trunk

udld port aggressive

interface GigabitEthernet1/0/4

description LinkToBuilding Q

switchport trunk encapsulation dot1q

switchport mode trunk

udld port aggressive

interface Vlan1

ip address 10.3.72.10 255.255.255.128

ip default-gateway 10.3.72.1

ip classless

no ip http server

ip http authentication local

no ip http secure-server

access-list 99 permit any log

snmp-server community public RO

snmp-server community SubC RW

control-plane

alias exec sis sh inter status

alias exec s sh ru

line con 0

logging synchronous

line vty 0 4

access-class 99 in

exec-timeout 0 0

logging synchronous

transport input ssh

line vty 5 15

no login

no exec

end

*******

So far no communictaion and still nothing in the ARP table, not even the switches. Really strange.

Re: Access ASDM from a different vlan and interface than the man

Collin Clark — Fri, 30 Oct 2009 14:42:06 GMT

It is strange. Can you do a show interface trunk and make sure VLAN 1 is on it? In the ASA do you see the MAC/IP in the ARP table? You may have to ping the switch from the ASA first.

Re: Access ASDM from a different vlan and interface than the man

billetj01 — Tue, 10 Nov 2009 13:51:11 GMT

Sorry for the delayed answer.

So on the switch, here is the answer from show interface trunk :

******************************

show interfaces trunk

Port Mode Encapsulation Status Native vlan

Fa1/0/1 on 802.1q trunking 1

Gi1/0/1 on 802.1q trunking 1

Gi1/0/2 on 802.1q trunking 1

Gi1/0/3 on 802.1q trunking 1

Gi1/0/4 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa1/0/1 1-4094

Gi1/0/1 1-4094

Gi1/0/2 1-4094

Gi1/0/3 1-4094

Gi1/0/4 1-4094

Port Vlans allowed and active in management domain

Fa1/0/1 1,4,10,30-47,50,69,371-372

Gi1/0/1 1,4,10,30-47,50,69,371-372

Gi1/0/2 1,4,10,30-47,50,69,371-372

Gi1/0/3 1,4,10,30-47,50,69,371-372

Gi1/0/4 1,4,10,30-47,50,69,371-372

Port Vlans in spanning tree forwarding state and not pruned

Fa1/0/1 1,4,10,30-47,50,69,371-372

Gi1/0/1 1,4,10,30-47,50,69,371-372

Gi1/0/2 1,4,10,30-47,50,69,371-372

Gi1/0/3 1,4,10,30-47,50,69,371-372

Gi1/0/4 1,4,10,30-47,50,69,371-372

***************************

And still no ARP table entries for the switches. i've tried to put it as a static arp but nothing better.

If I remember, when There was a name on the main interface (Inside) I had the switch entries but tagged as being from the global interface, not the VLAN_Admin interface.

Re: Access ASDM from a different vlan and interface than the man

Collin Clark — Tue, 10 Nov 2009 22:30:33 GMT

Do you see the MAC address of the PC on the switch port it is connected too? Can post the results?

show mac address-table interface fastEthernet 0/1

Re: Access ASDM from a different vlan and interface than the man

billetj01 — Wed, 11 Nov 2009 06:26:47 GMT

Ok, result of the command on the switch port where my PC on VLAN_Admin is connected :

*****************

show mac address-table interface fastEthernet 0/1

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

1 0012.7959.716e DYNAMIC Fa0/1

Total Mac Addresses for this criterion: 1

*********************

On the same switch, I have the PC which is on the management VLAN, and that one appears in the ASA arp Table.

Re: Access ASDM from a different vlan and interface than the man

Collin Clark — Wed, 11 Nov 2009 14:56:44 GMT

Great. Looking at the management protocols you have configured.

http 10.3.72.0 255.255.255.128 VLAN_Admin

ssh 10.3.72.37 255.255.255.255 VLAN_Admin

Is your IP in this range? Do you use SSH or ASDM?

Re: Access ASDM from a different vlan and interface than the man

billetj01 — Thu, 12 Nov 2009 07:36:13 GMT

The IP address of the computer on the VLAN_Admin is 10.3.72.37, mask 255.255.255.128, GW 10.3.72.1

At the moment I am trying with ssh, faster to test. Then if I succeed to have the ssh traffic going across, I think the https will be easy for ASDM.