12-23-2013 10:53 AM - edited 03-11-2019 08:21 PM
It should be simple, but I cannot get it. I want a device on 10.50.3.0 to access ASA management interface at 10.50.0.1.
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ___ encrypted
names
name 10.10.10.70 S2_server description S2 web server
name 8.8.8.8 GOOGLE_DNS description Google's DNS server
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ___
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.5
vlan 5
nameif DOMAIN
security-level 100
ip address 10.50.5.1 255.255.255.0
!
interface Ethernet0/1.99
vlan 99
nameif HP_MGMT
security-level 100
ip address 10.50.6.1 255.255.255.0
!
interface Ethernet0/1.100
vlan 100
nameif WIRED
security-level 100
ip address 10.50.2.1 255.255.255.0
!
interface Ethernet0/1.101
vlan 101
nameif WIRELESS
security-level 100
ip address 10.50.3.1 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.1
vlan 1
nameif S2
security-level 100
ip address 10.10.10.1 255.255.0.0
!
interface Ethernet0/3
nameif temp
security-level 100
ip address 10.50.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.50.0.1 255.255.255.0
management-only
!
passwd ___ encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
pager lines 24
logging enable
logging asdm debugging
logging mail warnings
logging class auth mail debugging
mtu outside 1500
mtu temp 1500
mtu S2 1500
mtu management 1500
mtu WIRELESS 1500
mtu DOMAIN 1500
mtu WIRED 1500
mtu HP_MGMT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any S2
icmp permit any WIRELESS
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (temp) 1 0.0.0.0 0.0.0.0
nat (S2) 1 10.10.0.0 255.255.0.0
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
nat (DOMAIN) 1 0.0.0.0 0.0.0.0
nat (WIRED) 1 0.0.0.0 0.0.0.0
static (DOMAIN,WIRELESS) 10.50.5.0 10.50.5.0 netmask 255.255.255.0
static (WIRELESS,S2) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (DOMAIN,S2) 10.50.5.0 10.50.5.0 netmask 255.255.255.0
static (HP_MGMT,WIRELESS) 10.50.6.0 10.50.6.0 netmask 255.255.255.0
static (S2,WIRELESS) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (S2,DOMAIN) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (WIRED,WIRELESS) 10.50.2.0 10.50.2.0 netmask 255.255.255.0
static (WIRELESS,DOMAIN) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,HP_MGMT) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
static (WIRELESS,WIRED) 10.50.3.0 10.50.3.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 ___
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.3.0 255.255.255.0 WIRELESS
http 10.50.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 management
telnet 10.50.3.0 255.255.255.0 WIRELESS
telnet timeout 5
ssh timeout 5
console timeout 10
management-access temp
dhcpd dns 10.50.5.3 12.127.17.71
!
dhcpd address 10.50.1.50-10.50.1.254 temp
dhcpd enable temp
!
dhcpd address 10.10.2.50-10.10.2.254 S2
dhcpd enable S2
!
dhcpd address 10.50.0.2-10.50.0.10 management
dhcpd enable management
!
dhcpd address 10.50.3.50-10.50.3.254 WIRELESS
dhcpd enable WIRELESS
!
dhcpd address 10.50.5.50-10.50.5.254 DOMAIN
dhcpd enable DOMAIN
!
dhcpd address 10.50.2.50-10.50.2.254 WIRED
dhcpd enable WIRED
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username admin password ___ encrypted privilege 15
prompt hostname context
Cryptochecksum:___
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
12-23-2013 11:15 AM
Hello Bee,
As you say, it should be, hehe, but there is something you are missing here.
On any ASA platform, traffic to any distant or far-end interface will be denied or not allowed no matter what (this is by design of the security model).
What is a far end interface?
Let's say you sit on a PC on the inside interface.
That's it!
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
12-23-2013 11:25 AM
Okay, so what are my options in accessing the management interface without actually being plugged into it directly - as I do now and it's annoying.
Thanks!
12-23-2013 12:44 PM
Since your PC is not on the same subnet as the ASA's management interface, you need a route in the ASA telling it how to get to your PC.
route management 10.50.3.0 255.255.255.0 10.50.0.x [your default gateway for that network]
The problem as Julio stated is that when someone in the 10.50.3.0 network goes out to the internet, the return traffic will be via the management interface because of the routing table. This will allow you to manage the ASA, but access through the ASA (i.e. internet traffic) will be blocked. The workaround is
1) Put the management interface of the ASA in the 10.50.3.0 network
or
2) Enable the management protocols (ASDM/SSH) on the inside interface.
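The far-end rule the replies describe can be checked mechanically against the posted config. This is an added example, not code from the thread or from Cisco: it parses the interface and http/telnet lines excerpted from the original post and reports whether a given host can open a management session to a given ASA interface IP, assuming the host enters on the interface whose subnet contains its address. The probe hosts are constructed.

```python
"""Far-end check for ASA management access, as described in the thread.

Added example, not from the thread or Cisco: models the rule the replies
state (a host manages the ASA only via the IP of its ingress interface).
Config lines are excerpted from the original post; probe hosts are constructed.
"""
import ipaddress
import re

ASA_CONFIG = """\
interface Ethernet0/1.101
 nameif WIRELESS
 ip address 10.50.3.1 255.255.255.0
interface Management0/0
 nameif management
 ip address 10.50.0.1 255.255.255.0
http 10.50.3.0 255.255.255.0 WIRELESS
http 10.50.0.0 255.255.255.0 management
telnet 0.0.0.0 0.0.0.0 management
telnet 10.50.3.0 255.255.255.0 WIRELESS
"""

def parse(cfg):
    """Return {nameif: IPv4Interface} and [(proto, permitted network, nameif)]."""
    ifcs, acl, name = {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m[1]
        elif m := re.match(r"\s*ip address (\d[\d.]+) (\d[\d.]+)", line):
            ifcs[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"(http|telnet|ssh) (\d[\d.]+) (\d[\d.]+) (\S+)", line):
            acl.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), m[4]))
    return ifcs, acl

def can_manage(cfg, src_ip, dst_ip, proto):
    """Decide whether src_ip may open `proto` to the ASA interface IP dst_ip."""
    ifcs, acl = parse(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next((n for n, i in ifcs.items() if src in i.network), None)  # entry ifc
    target = next((n for n, i in ifcs.items() if i.ip == dst), None)       # ifc owning dst
    if ingress is None or target is None:
        return False, "source not directly connected, or dst is not an ASA interface IP"
    if target != ingress:  # the far-end rule the replies describe
        return False, f"{dst} is on far-end interface {target}; host entered on {ingress}"
    if not any(p == proto and src in net and ifc == target for p, net, ifc in acl):
        return False, f"no '{proto}' statement permits {src} on {target}"
    return True, f"{proto} from {src} to {dst} permitted on {target}"
```

Pasting the full posted config into ASA_CONFIG also works: the digit-only patterns skip the `___` placeholders and `no ip address` lines.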
12-24-2013 04:40 AM
I can't believe that I cannot have a PC on the INSIDE interface access the MANAGEMENT interface through ASDM.
I have the same interface command on for same security levels. I will try adding a route again.
12-24-2013 09:14 AM
Hello Bee,
That's just how it works, sir.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
12-23-2013 11:30 AM
1) Rate all of my helpful posts (that's basically a thanks. Remember I am doing this for free)
2) Access the ASA ASDM, or the ASA via SSH/telnet, using the inside IP address (if being on an inside host)
Bottom line: access the ASA via the IP address you are directly connected to.
That's the only way.
12-23-2013 10:01 PM
Hi
You are using security level 100 on more than one interface, so you need to run
#same-security-traffic permit inter-interface
This command is used to enable traffic between same-security-level interfaces.
Both are in different networks, so configure routing between both networks.
12-23-2013 10:07 PM
Hello people,
I think you are not following the right direction or maybe the customer did not explain the issue well but here is what he is saying:
It should be simple, but I cannot get it. I want a device on 10.50.3.0 to access ASA management interface at 10.50.0.1.
So no matter what you do or what you configure, you cannot access a far-end interface, as I already stated.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
12-24-2013 05:06 AM
My config already has this, so it should work:
http server enable
http 10.50.3.0 255.255.255.0 WIRELESS
http 10.50.0.0 255.255.255.0 management
telnet 0.0.0.0 0.0.0.0 management
telnet 10.50.3.0 255.255.255.0 WIRELESS
I tried adding a route but it already said route exists.
I cannot telnet to 10.50.0.1 from 10.50.3.0 subnet.
12-24-2013 09:13 AM
From the 10.50.3.0 you should telnet to the ASA interface IP address on the 10.50.0.0/24 subnet bud.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com