05-24-2023 07:24 AM
Hello all,
I am trying to access our ASA via ASDM from an interface other than the Management interface.
I have multiple subinterfaces, and I would like to access the ASA via ASDM from one host (Host A) behind interface "test01":
GigabitEthernet0/1.1
vlan 22
nameif test01
security-level 92
ip address 192.168.1.254 255.255.255.0
GigabitEthernet0/1.2
vlan 33
nameif test02
security-level 95
ip address 192.168.2.254 255.255.255.0
If opening ASDM from Host A (192.168.1.5) and trying to connect to 192.168.2.254, it does not work.
In the logs I can see that the ASA is unable to locate the egress interface. If simulating the traffic via packet tracer, it
says "no route to host". But the interfaces are directly connected.
I have already tried to grant management access via:
http 192.168.1.5 255.255.255.255 test02
Am I missing something here, or is this not possible?
ASA Version 9.12(4)47
ASDM Version 7.20(1)23
Thanks in advance
05-24-2023 07:28 AM - edited 05-24-2023 07:31 AM
@jensscheuvens if you are connected behind the test01 interface of the ASA, you can only connect using SSH, HTTP (ASDM) etc. to the closest interface (test01), not a far interface (test02) - that's by design. The only exception to that is if management is over a VPN.
FYI, packet-tracer is for traffic "through" the ASA, not "to" the ASA, so it is not representative.
05-24-2023 07:45 AM
Thanks for your answer. It is the same when trying to access the device via SSH from 192.168.1.5: "failed to locate egress interface".
05-24-2023 07:49 AM - edited 05-24-2023 10:38 AM
As @Rob Ingram mentioned, there are two planes in the ASA:
DATA PLANE and MGMT PLANE
They are separate, so access via test01 to the subnet of test02 does not pass through the DATA PLANE, and the access fails.
You need to specify the subnet that is directly connected to the interface used in the command, or use 0.0.0.0 (Cisco does not recommend this; it is risky).
05-24-2023 07:56 AM
@jensscheuvens but your configuration is incorrect: if connecting from 192.168.1.5, the source interface is test01.
http 192.168.1.5 255.255.255.255 test01
...then connect to 192.168.1.254.
As I mentioned, you cannot be connected behind the test01 interface and connect to the test02 interface.
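The rule stated in the two replies above (a host can only manage the ASA on the interface it sits behind, and the source in an `http`/`ssh` line should be the subnet directly connected to the named interface, with `0.0.0.0 0.0.0.0` being the risky catch-all) can be checked mechanically before the configuration is pushed. The following is an added example written for this thread, not Cisco code and not part of the original posts: it parses the interface stanzas and management-access lines from a constructed config modelled on the one in the question, including the misplaced `test02` line, and reports which interface IP a given host should point ASDM at. The sample config and the `10.9.9.0/24` range are constructed for illustration.

```python
"""Audit ASA management-access lines (http/ssh/telnet) against the interface
subnets they name. Added example for this thread, not Cisco code."""
import ipaddress
import re

# Constructed sample config: the two subinterfaces from the thread, the
# misplaced 'test02' line from the first post, the corrected 'test01' line,
# an any-source entry, and a constructed non-connected range for ssh.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.1
 vlan 22
 nameif test01
 security-level 92
 ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/1.2
 vlan 33
 nameif test02
 security-level 95
 ip address 192.168.2.254 255.255.255.0
http server enable
http 192.168.1.5 255.255.255.255 test02
http 192.168.1.5 255.255.255.255 test01
http 0.0.0.0 0.0.0.0 test01
ssh 10.9.9.0 255.255.255.0 test02
"""

# <proto> <source ip> <source mask> <nameif>
ACCESS_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_interfaces(config):
    """Map nameif -> ip_interface, read from each 'interface' stanza."""
    interfaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new stanza: forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ip, mask = line.split()[2:4]
            interfaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
    return interfaces


def parse_access_lines(config):
    """Yield (protocol, source network, nameif) for each management-access line."""
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if m:
            proto, ip, mask, nameif = m.groups()
            yield proto, ipaddress.ip_network(f"{ip}/{mask}", strict=False), nameif


def nearest_interface(interfaces, host):
    """Return the nameif whose connected subnet contains host, else None.
    That interface (and its own IP) is the one the host must manage the ASA on."""
    addr = ipaddress.ip_address(str(host))
    for nameif, iface in interfaces.items():
        if addr in iface.network:
            return nameif
    return None


def audit_management_access(config):
    """Return (severity, message) findings, one per access line, in config order."""
    interfaces = parse_interfaces(config)
    findings = []
    for proto, src, nameif in parse_access_lines(config):
        label = f"{proto} {src} {nameif}"
        if nameif not in interfaces:
            findings.append(("error", f"{label}: unknown nameif"))
            continue
        if src.prefixlen == 0:
            findings.append(("warn", f"{label}: any-source access; restrict to the management hosts"))
            continue
        # A source range is either one host or one contiguous block, so the
        # interface containing its first address is the one it arrives on.
        behind = nearest_interface(interfaces, src.network_address)
        if behind == nameif:
            findings.append(("ok", f"{label}: connect to {interfaces[nameif].ip}"))
        elif behind is not None:
            findings.append(("error",
                f"{label}: {src} sits behind {behind}; management traffic is "
                f"terminated on the arriving interface, so name {behind} instead"))
        else:
            findings.append(("warn",
                f"{label}: {src} is not directly connected; only works if routed in via {nameif}"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_management_access(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```

Run against the sample, the first `http ... test02` line is reported as an error pointing at `test01`, the corrected line is accepted with `192.168.1.254` as the address to open in ASDM, and the `0.0.0.0 0.0.0.0` entry is flagged as any-source access.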
05-25-2023 12:25 AM
Hi,
I have configured http 192.168.1.5 255.255.255.255 test01.
It was a mistake that I wrote above test02.
Ok, thanks for your explanations; it is now clear to me.
One question which came to my mind yesterday:
If performing a NAT like:
SRC INT: test01
SRC: 192.168.1.5
DST INT: test02
SRC: 192.168.2.254
would that work?
05-25-2023 01:35 AM
192.168.2.254 is the IP address of test02, which is the firewall interface GigabitEthernet0/1.2.
Unless you do something like this:
object network Real-IP-test01
host 192.168.1.5
!
nat (test01,test02) source static Real-IP-test01 interface
or
object network Real-IP2
host 192.168.2.100
nat (test01,test02) source static Real-IP-test01 Real-IP2
05-24-2023 07:30 AM
Hi
Use http 0.0.0.0 0.0.0.0 test01
05-24-2023 07:32 AM - edited 05-25-2023 01:40 AM
check comment above
05-24-2023 07:46 AM
http 192.168.1.5 255.255.255.255 test01 <<- if you want to access via test01 subnet
Yes I would like to access from 192.168.1.5 via ASDM to 192.168.2.254.
I tested both, but with the same result.
05-24-2023 07:58 AM - edited 05-25-2023 01:40 AM
check above
05-24-2023 08:01 AM
These are the commands you need to configure if you access from 192.168.1.5:
asdm image flash:asdm-openjre-7xx-1xx.bin
!
aaa authentication http console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
!
http server enable
http server idle-timeout 60
http 192.168.1.5 255.255.255.255 test01
05-24-2023 08:04 AM
His interface IP is .254, not .5.
Just wanted to notify you.
thanks
MHM
05-25-2023 01:38 AM
Thank you everyone. The thread can be closed then.
05-25-2023 01:40 AM
You are so welcome