Can I create an IPsec tunnel into an ASA-5500 for ASDM?

jimmyc_2, Level 1

Two questions:

One: I need to access a remote ASA, using ASDM (SSL or TLS), from a workstation.

How do I make that as secure as possible?

Two: If I choose to build an IPsec tunnel between the ASA at the workstation and the remote ASA in the field,

would the access list specify interesting traffic as being between the workstation IP address and the Outside interface on the remote ASA?

That would be the most secure method, right?

Many thanks.

Accepted Solution

Hi,

You won't need the command "management-access Outside" if you're connecting to the remote device's external interface. The command I mentioned is needed if you want to establish an L2L VPN connection between 2 sites and then connect to the remote device for management purposes through the L2L VPN, connecting to it using its "inside" interface IP address.

I am not sure if ASDM or SSH, for example, would really require a VPN connection in addition to them, but that is naturally your choice. After this you would essentially have an already secure connection going through an encrypted connection to the actual remote device.

- Jouni


5 Replies

Do you have two devices in two separate locations?

I would create an IPsec (L2L) tunnel between the two firewalls, if possible.

To do this you need to specify the endpoint IP in the tunnel manager, a key, a crypto map (ACL), NAT rules and an ACL on the interface where your workstation is located.

Please come back with more information.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

I can handle the NAT, nonat, keys etc.

What would be the Access list?

Let's say the local PC is 10.10.10.5, which connects to the local ASA Inside interface of 10.10.10.1.

The remote ASA Outside interface IP address is 8.9.10.11.

Is the ACL for interesting traffic "permit host 10.10.10.5 host 8.9.10.11" ?

Hi,

Do notice that you have the option to connect to the ASA through its "inside" interface too. At least I think it should be possible with all the management types if the managed ASA is configured with "management-access inside".

What you say above should be correct if you configure NAT0 also for that traffic. I guess you could even leave out all NAT configurations and specify the interesting traffic as being from your ASA's public IP address to the remote ASA's public IP address.

Though I guess I would prefer to use the option you already mentioned above. The remote ASA should not need any NAT configurations for this, only to configure the VPN and specify the interesting traffic in the same way (though naturally the mirror image of the other end).

This type of setup could also give you an option to use things like SNMP and Logging for the remote ASA through the same L2L VPN connection.

- Jouni
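The host-to-host crypto ACL, its NAT exemption and the mirror-image definition on the far end, written out as an added example (not configuration posted in this thread) in ASA 8.4+ syntax. It uses the thread's addresses (10.10.10.5 for the PC, 8.9.10.11 for the remote ASA's outside interface); 203.0.113.1 for the local ASA's outside IP and the pre-shared key are constructed placeholders, and the IKE/IPsec cipher choices are assumptions.

```text
! ---- Local (workstation-side) ASA; 203.0.113.1 = constructed outside IP ----
object network PC_HOST
 host 10.10.10.5
object network REMOTE_ASA_OUTSIDE
 host 8.9.10.11
! Interesting traffic: only the PC talking to the remote ASA's outside address
access-list VPN_TO_REMOTE extended permit ip host 10.10.10.5 host 8.9.10.11
! NAT0 (identity NAT) so the PC keeps 10.10.10.5 inside the tunnel
nat (inside,outside) source static PC_HOST PC_HOST destination static REMOTE_ASA_OUTSIDE REMOTE_ASA_OUTSIDE no-proxy-arp route-lookup
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 8.9.10.11
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 8.9.10.11 type ipsec-l2l
tunnel-group 8.9.10.11 ipsec-attributes
 ikev1 pre-shared-key <PSK_PLACEHOLDER>

! ---- Remote ASA (outside = 8.9.10.11) ----
! Mirror image of the crypto ACL; no NAT statement is needed here
access-list VPN_FROM_HQ extended permit ip host 8.9.10.11 host 10.10.10.5
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_FROM_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK_PLACEHOLDER>
! Limit ASDM (HTTPS) and SSH on the outside interface to the one PC
http 10.10.10.5 255.255.255.255 outside
ssh 10.10.10.5 255.255.255.255 outside
! Only if you instead manage it by its inside address through the tunnel:
! management-access inside
```

Both crypto ACLs must be exact mirrors (source and destination swapped) or phase 2 will not negotiate; the `http`/`ssh` lines keep management reachable solely from the tunnelled host even if the tunnel is down.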

Thanks Jouni,

All of the regular internet traffic will be going out Outside2; I should have mentioned that earlier.

There is no need to nat since I only have one connection (the ASDM) that is permitted on Outside, all else denied.

Just to be clear, at the remote ASA I will use "management-access Outside",

and use the Outside IP address for interesting traffic, yes?

Also, please confirm that IPSec is more secure than SSL/TLS.

Thanks.

