Access ASDM from different interface

jensscheuvens
Level 1

Hello all,

I am trying to access our ASA via ASDM from an interface other than the management interface.
I have multiple subinterfaces and I would like to access the ASA via ASDM from one host (Host A) behind interface "test01":

GigabitEthernet0/1.1
vlan 22
nameif test01
security-level 92
ip address 192.168.1.254 255.255.255.0

GigabitEthernet0/1.2
vlan 33
nameif test02
security-level 95
ip address 192.168.2.254 255.255.255.0

If I open ASDM from Host A (192.168.1.5) and try to connect to 192.168.2.254, it does not work.
In the logs I can see that the ASA is unable to locate the egress interface. If I simulate the traffic with packet-tracer, it
says "no route to host". But the interfaces are directly connected.

I have already tried to grant management access via:

http 192.168.1.5 255.255.255.255 test02


Am I missing something here, or is this not possible?


ASA Version 9.12(4)47

ASDM Version 7.20(1)23


Thanks in advance

Accepted Solution

@jensscheuvens if you are connected behind the test01 interface of the ASA, you can only connect using SSH, HTTP (ASDM) etc. to the closest interface (test01), not a far interface (test02). That's by design. The only exception to that is if management is over a VPN.

FYI, packet-tracer is for traffic "through" the ASA, not "to" the ASA, so it is not representative.


14 Replies

Thanks for your answer. It is the same when trying to access the device via SSH from 192.168.1.5: "failed to locate egress interface".

As @Rob Ingram mentioned, there are two planes in the ASA:
DATA PLANE and MGMT PLANE.

They are separate, so access via test01 to the subnet of test02 does not pass through the DATA PLANE and the access fails.
You need to specify the subnet that is directly connected to the interface used in the command, or use 0.0.0.0 (Cisco does not recommend this; it is risky).

@jensscheuvens but your configuration is incorrect if connecting from 192.168.1.5, the source interface is test01.

http 192.168.1.5 255.255.255.255 test01

...then connect to 192.168.1.254.

As I mentioned you cannot be connected behind test01 interface and connect to test02 interface.

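The rule stated in the two replies above (the http/ssh statement must name the interface the client sits behind, and the client connects to that interface's own IP) is easy to check against a config before the ASDM connection is attempted. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA config fragment that reproduces the interfaces from the question, flags http/ssh/telnet statements whose source network is not behind the named interface (the original test02 statement) or that use the discouraged 0.0.0.0 wildcard, and reports which interface IP a given host must connect to. It models directly connected subnets only; static routes, VPN and the management-access command are outside the check (assumption).

```python
"""Lint ASA management-access statements against interface subnets.

Added example, not code from the thread or from Cisco. Models the
'closest interface' rule: to-the-box management traffic (http/ASDM, ssh)
terminates on the interface it arrives on, so the http/ssh statement must
name that interface and the client connects to that interface's IP.
Only directly connected subnets are modelled (assumption).
"""
import ipaddress
import re

# Constructed sample: the two subinterfaces from the question plus the
# mistaken statement (test02) and the corrected one (test01).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.1
 vlan 22
 nameif test01
 security-level 92
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1.2
 vlan 33
 nameif test02
 security-level 95
 ip address 192.168.2.254 255.255.255.0
!
http server enable
http 192.168.1.5 255.255.255.255 test02
http 192.168.1.5 255.255.255.255 test01
ssh 0.0.0.0 0.0.0.0 test01
"""

# <proto> <source-ip> <source-mask> <nameif>; "http server enable" does not match.
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface block that has an address."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            nameif = None                      # new block; nameif comes later
        elif parts[0] == "nameif" and len(parts) == 2:
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"] and nameif and len(parts) >= 4:
            interfaces[nameif] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def parse_mgmt_statements(config):
    """Return [(proto, IPv4Network, nameif)] for http/ssh/telnet source lines."""
    statements = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            proto, addr, mask, nameif = m.groups()
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            statements.append((proto, net, nameif))
    return statements


def ingress_interface(interfaces, host):
    """Return (nameif, interface_ip) of the connected interface that owns host, or None."""
    addr = ipaddress.IPv4Address(host)
    for nameif, iface in interfaces.items():
        if addr in iface.network:
            return nameif, str(iface.ip)
    return None


def management_target(config, proto, host):
    """IP the host must connect to for `proto`, or None when no statement
    permits the host on the interface it arrives on."""
    interfaces = parse_interfaces(config)
    hit = ingress_interface(interfaces, host)
    if hit is None:
        return None
    nameif, ip = hit
    addr = ipaddress.IPv4Address(host)
    for p, net, n in parse_mgmt_statements(config):
        if p == proto and n == nameif and addr in net:
            return ip
    return None


def lint_management(config):
    """Flag statements that can never match: unknown interface, the discouraged
    any-source wildcard, or a source that sits behind a different interface."""
    interfaces = parse_interfaces(config)
    findings = []
    for proto, net, nameif in parse_mgmt_statements(config):
        if nameif not in interfaces:
            findings.append((proto, str(net), nameif, "unknown interface"))
        elif net.prefixlen == 0:
            findings.append((proto, str(net), nameif, "any-source wildcard (discouraged)"))
        elif not net.subnet_of(interfaces[nameif].network):
            owner = next((n for n, i in interfaces.items() if net.subnet_of(i.network)), None)
            reason = f"source is behind {owner}" if owner else "source on no connected subnet"
            findings.append((proto, str(net), nameif, reason))
    return findings


if __name__ == "__main__":
    for finding in lint_management(SAMPLE_CONFIG):
        print("MISMATCH:", *finding)
    print("192.168.1.5 -> ASDM at", management_target(SAMPLE_CONFIG, "http", "192.168.1.5"))
```

Run against the sample, the `test02` statement is reported as "source is behind test01" and the `ssh 0.0.0.0 0.0.0.0` line as the discouraged wildcard, while `management_target` tells Host A to point ASDM at 192.168.1.254, which is exactly the correction given in the thread.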
 

Hi, 

I  have configured http 192.168.1.5 255.255.255.255 test01. 
It was a mistake that I wrote above test02.

Ok thanks for your explanations and it is now clear to me.

One question that came to mind yesterday:

If performing a NAT like:

SRC INT: test01
SRC: 192.168.1.5

DST INT: test02
SRC: 192.168.2.254

would that work?

192.168.2.254 is the IP address of test02 which is Firewall interface GigabitEthernet0/1.2.

unless you do something like this:

object network Real-IP-test01
 host 192.168.1.5
!
nat (test01,test02) source static Real-IP-test01 interface

or

object network Real-IP2
 host 192.168.2.100
!
nat (test01,test02) source static Real-IP-test01 Real-IP2

please do not forget to rate.

Hi

 Use http 0.0.0.0 0.0.0.0 test01

check comment above

http 192.168.1.5 255.255.255.255 test01 <- if you want access via the test01 subnet

Yes I would like to access from 192.168.1.5 via ASDM to 192.168.2.254.

I tested both, but with the same result.

 

check above 

This is the configuration you need if you access from 192.168.1.5:

asdm image flash:asdm-openjre-7xx-1xx.bin
!
aaa authentication http console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
!
http server enable
http server idle-timeout 60
http 192.168.1.5 255.255.255.255 test01

 

please do not forget to rate.

His interface IP is .254, not .5.
Just wanted to let you know.
Thanks
MHM

jensscheuvens
Level 1

Thank you, everyone. The thread can be closed then.

You are so welcome 
