We have ASAs across our stores that are currently on different subnets. I can access the ASA on ASDM on any of them when I'm on the same subnet. However, I recall there being a way to allow ASDM access from a different subnet. Is there a way to do this on the Management port of the ASA controllers? All are ASA 5510s.
Ideally, you would only allow the NMS subnet to your ASA MGMT interface/ASDM.
Just configure the source IP/subnet that you would allow ASDM from. Make sure routing is correct/reachable.
http 192.168.1.0 255.255.255.0 management
I'm confused a bit. What CLI command would I have to enter or whatnot to tell the ASA that it's ok to allow an ASDM on the main subnet to monitor its traffic? Sorry, I'm very new to working with ASAs.
As Jhon mentioned to you, the CLI command you need to allow that other network using the management interface is the following:
http 192.168.1.0 255.255.255.0 management
http -> is the capability to use the ASDM from the network that follows in the command
192.168.1.0 255.255.255.0 -> is the network and mask address from where you want to use ASDM
management -> this is the name of the management interface
Note: you will need access to the management interface in order to use ASDM.
They seem to be tripping up after setting them like this. I can still see them on the same subnet, but is there a port I need to open up on the outside or inside, or even on the main ASA, in order for this to work? Basically, to broadly sum up our network: we have an ASA for each store for each guest network that's also set up to handle our wifi systems. They're linked to the switches on the management port on port 3 of our gigabit wifi switch at each store. Do I instead need to, say, plug the management port into the backbone switch of each store, or is there another command that I'm missing on either the switches or ASAs?
Well, no, not through the guest network. We'd like it to go through the Management Port. See, the ASAs are connected as such: Ethernet 0 is set as outside and going out to the world through the modem provided. Ethernet 1 is going back to a switch we have configured within that store for just that store's wifi. Since our physical locations are beyond range of the wifi APs, there's no way for us to use them for ASDM. Then the management port is going back into the configured switch for the wifi. Traffic from the store with machines on the wifi goes through a different port on the switch to the rest of the network, which is tunneled through a VPN to the other stores and the office. Guest traffic on the wifi goes through to the wifi switch and is then filtered to a different gig port to the ASA's Ethernet 1 port, and is then sent through Ethernet 0 to the modem of the store. The management port is going through an unconfigured port on the wifi switch, but it has the no shutdown command entered on it.
Honestly, I'm really confused by all this. I think a config example at this point would be the best course.
I think now I have a better picture. So, if you want to access the ASA using ASDM via the management interface, then the port where the management interface is connected to the switch should be configured, for example:
On the ASA side:
The management interface must be configured:
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
For the ASDM on the management port:
ciscoasa(config)# http 192.168.1.0 255.255.255.0 management
ciscoasa(config)# http x.x.x.x y.y.y.y management
Please take into account that you need to replace x.x.x.x and y.y.y.y with the network and mask from where you are trying to access the ASA using its management IP address; in my example it is 192.168.1.1.
I need to know something: how are you trying to access the ASA from outside the store, from a VPN such as a site-to-site VPN, or a remote access VPN? Is the VPN configured in the ASA or the switch?
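A fuller version of the management-port configuration described in the reply above, as an added example that is not from this thread or from Cisco's documentation. It assumes a store management segment of 192.168.1.0/24 with its next hop at 192.168.1.254, and an office NMS/ASDM subnet of 10.10.50.0/24 reached over the MPLS link; the point it adds is that the `http` line must name the remote NMS subnet and that the ASA needs a route back to that subnet out of the management interface.

```cisco
! Constructed example (not from the thread). Assumed addressing:
!   ASA management interface: 192.168.1.1/24 on the store wifi switch
!   Next hop on that segment:  192.168.1.254 (toward the MPLS cloud)
!   NMS/ASDM workstations:     10.10.50.0/24 at the office
!
! 1. Management interface: name it, address it, and keep it out of the
!    data path so only management traffic (ASDM/SSH) terminates here.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
 no shutdown
!
! 2. Turn the ASDM/HTTPS server on; the "http <net> <mask> <ifname>" lines
!    below have no effect until the server itself is enabled.
http server enable
!
! 3. Allow ASDM only from the NMS subnet, and only via the management
!    interface. Avoid "http 0.0.0.0 0.0.0.0 ...": this list is the access
!    control for the ASA's own configuration interface.
http 192.168.1.0 255.255.255.0 management
http 10.10.50.0 255.255.255.0 management
!
! 4. The ASA must be able to send replies back toward the NMS subnet out of
!    the management interface. Without this route the reply tries to leave
!    via the default route on "outside", and the remote ASDM session fails
!    even though same-subnet ASDM works.
route management 10.10.50.0 255.255.255.0 192.168.1.254 1
!
! 5. Require a real login for ASDM instead of the enable password alone.
!    The username is a placeholder; set a strong password here.
username nmsadmin password <set-a-strong-password> privilege 15
aaa authentication http console LOCAL
!
! Verification from the ASA CLI:
!   show run http          -> server enabled, only the intended subnets listed
!   show route management  -> 10.10.50.0/24 via 192.168.1.254
!   show asp table routing -> confirms the management route is installed
```

If the switch port the management interface plugs into is in a different VLAN than the store router's 192.168.1.254 address, the route above will never be reachable, so check the switch-side VLAN assignment first.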
Our setup is actually an MPLS setup. We have the ASA's MAC address for the management port listed on the DHCP server as a reserved IP. See, after entering the commands listed above, the connection is still refused. The ASDM is on the subnet from which I'd like to be able to see the ASAs on the other subnets on the MPLS connection. I went out and tried the public IP address listed by a tracker and still had no luck, and later removed it when it failed.