07-16-2019 07:52 PM
Hi All,
I've set up the Cisco ASA 5506x firewall with a simple connection:
- outside interface connects to the internet.
- inside interface connects to my production network.
- P2P interface connects to the existing network.
My problem is I can't access the ASDM from the network behind the P2P link. I've found the log in the ASA about my source IP and service 443, but the ASDM client shows "Unable to launch device manager from xx.xx.xx.xx".
But when I tried from the inside network, the ASDM launches as expected.
I've enabled the source networks for access to the ASA as below:
http server enable
http 192.168.140.0 255.255.255.0 inside
http 10.196.0.0 255.255.0.0 P2P
And the routing also has:
route P2P 10.196.0.0 255.255.0.0 10.196.7.1
Please help to advise, and thank you in advance.
07-16-2019 08:23 PM
Is it possible that your traffic arriving via the P2P link is being NATted along the way? You can test this by temporarily changing your current:
http 10.196.0.0 255.255.0.0 P2P
to
http 0.0.0.0 0.0.0.0 P2P
If it works with that then check your ASA/ASDM logs to see the actual incoming address of the connections and update the http statement accordingly.
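As an added illustration (not from the thread or from Cisco), this Python script simulates the ASA's per-interface "http" admission check so you can test which source address and interface combinations the configuration above would accept; the 172.16.1.1 NATted address is a constructed example.

```python
# Added example (not from the original thread): simulates the ASA's
# "http <network> <mask> <interface>" admission check for ASDM/HTTPS so
# you can test whether a source address seen in the logs would be accepted.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRule:
    network: ipaddress.IPv4Network
    interface: str


def parse_http_rules(config: str) -> list[HttpRule]:
    """Collect 'http <net> <mask> <ifname>' lines from an ASA config snippet."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "http":
            # ASA writes dotted masks; ipaddress accepts "net/mask" directly.
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append(HttpRule(net, parts[3]))
    return rules


def asdm_check(rules: list[HttpRule], src_ip: str, ingress_if: str) -> str:
    """Return 'allowed' or a short reason the ASA would refuse the session."""
    addr = ipaddress.IPv4Address(src_ip)
    on_if = [r for r in rules if r.interface == ingress_if]
    if not on_if:
        return f"refused: no http rule on interface {ingress_if}"
    if any(addr in r.network for r in on_if):
        return "allowed"
    return (f"refused: {src_ip} matches no http rule on {ingress_if} "
            "(address rewritten by NAT in the path, or wrong interface?)")


# Constructed sample: the http statements quoted in the thread.
ASA_CONFIG = """\
http server enable
http 192.168.140.0 255.255.255.0 inside
http 10.196.0.0 255.255.0.0 P2P
"""

if __name__ == "__main__":
    rules = parse_http_rules(ASA_CONFIG)
    print(asdm_check(rules, "10.196.5.4", "P2P"))   # client on the configured P2P range
    print(asdm_check(rules, "172.16.1.1", "P2P"))   # same client behind a hypothetical hide-NAT
    # The temporary catch-all from the reply above shows whether NAT is the cause.
    wide = parse_http_rules(ASA_CONFIG + "http 0.0.0.0 0.0.0.0 P2P\n")
    print(asdm_check(wide, "172.16.1.1", "P2P"))
```

Once the catch-all confirms the real incoming address, replace it with a rule for that address or range rather than leaving 0.0.0.0 0.0.0.0 in place.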
07-17-2019 12:48 AM
07-25-2019 01:04 AM
Hi All,
Thank you for your reply.
I have more detail to update. My current connection is shown below:
My Client ----> L3 switch ----> Checkpoint Firewall x2 (Clustered) ---->Cisco ASA----> Network
After I used Wireshark to capture the traffic between the Checkpoint and the ASA, I found something.
For the ASA with 9.6(1) firmware (this version is working as expected):
Checkpoint will forward traffic to the ASA with its real physical MAC address as source, and the ASA replies with the CheckPoint real MAC address as destination.
For the ASA with 9.9(2) firmware (this version is not working):
Checkpoint will forward traffic to the ASA with its real physical MAC address as source, and the ASA replies with the CheckPoint Virtual MAC address as destination. That is why the communication cannot be established.
So what can I do in the configuration of the 9.9(2) firmware?
07-25-2019 04:23 AM
From your latest description and the analysis you've done, this sounds like a bug. Are you running the latest interim release of 9.9(2)?
That would currently be 9.9(2)52 found here:
https://software.cisco.com/download/home/286283326/type/280775065/release/9.9.2%20Interim
If you are already running the latest interim then I would advise opening a TAC case.