Access Cisco ASA 5510 from ASDM on a different Subnet

Kelvin C
Level 1

Hello Gurus,

We have ASAs across our stores that are currently on different subnets. I can access the ASA on ASDM on any of them when I'm on the same subnet. However, I recall there being a way to allow ASDM access on a different subnet. Is there a way to do this on the Management port of the ASA controllers? All are ASA 5510s.

8 Replies

johnlloyd_13
Level 9

Hi,

Ideally you would only allow the NMS subnet to your ASA MGMT interface/ASDM.

Just configure the source IP/subnet that you would allow ASDM from. Make sure routing is correct/reachable.

http 192.168.1.0 255.255.255.0 management

I'm a bit confused. What CLI command or whatnot would I have to enter to tell the ASA that it's OK to allow ASDM on the main subnet to monitor its traffic? Sorry, I'm very new to working with ASAs.

Hello Kelvin,

As John mentioned to you, the CLI command you need to allow that other network using the management interface is the following:

http 192.168.1.0 255.255.255.0 management

Where:

http is the capability to use the ASDM within the network that follows the command

192.168.1.0 255.255.255.0 -> is the network and mask address where you want to use ASDM

management -> this is the name of the management interface

Note: you will need access to the management interface in order to use ASDM.

They seem to be tripping up after setting them like this. I can still see them on the same subnet, but is there a port I need to open up on the outside or inside, or even on the main ASA, in order for this to work? Basically, to broadly sum up our network: we have an ASA for each store for each guest network that's also set up to handle our wifi systems. They're linked to the switches on the management port, on port 3 of our gigabit wifi switch at each store. Do I instead need to, say, plug the management port into the backbone switch of each store, or is there another command that I'm missing on either the switches or ASAs?

Hello Kelvin,

I would like to apologize for the delay in the response; I've been a little busy. To answer your question: if you want to access the ASDM using the guest network, and this network can reach the ASA firewall or is a directly connected network, you will need to enable the http command in the ASA for the guest network. Example:

http 192.168.1.0 255.255.255.0 guestnetwork

where 192.168.1.0 is the subnet of the guest network
and guestnetwork is the name of the interface where the guest network can be reached by the ASA

Regards,

Well, no, not through the guest network; we'd like it to go through the Management Port. See, the ASAs are connected as such: Ethernet 0 is set as outside and goes out to the world through the modem provided. Ethernet 1 goes back to a switch we have configured within that store for just that store's wifi. Since our physical locations are beyond range of the wifi APs, there's no way for us to use them for ASDM. Then the management port goes back into the configured switch for the wifi. Traffic from the store with machines on the wifi goes through a different port on the switch to the rest of the network, which is tunneled through a VPN to the other stores and the office. Guest traffic on the wifi goes through to the wifi switch and is then filtered to a different gig port to the ASA's Ethernet 1 port, and is then sent through Ethernet 0 to the modem of the store. The management port goes through an unconfigured port on the wifi switch, but it has the no shutdown command entered on it.

Honestly, I'm really confused by all this. I think a config example at this point would be the best course.

 

Hi Kelvin,

I think now I have a better picture. So if you want to access the ASA using ASDM via the management interface, then the port where the management interface is connected to the switch should be configured, for example:

On the ASA side:

The management interface must be configured:

ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 90
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

For the ASDM on the management port:

ciscoasa(config)# http 192.168.1.0 255.255.255.0 management
ciscoasa(config)# http x.x.x.x y.y.y.y management

Please take into account to replace x.x.x.x and y.y.y.y with the network space and mask from where you are trying to access the ASA using its management IP address; in my example it is 192.168.1.1.

I need to know something: how are you trying to access the ASA outside the store, from a VPN such as a site-to-site VPN, or a remote access VPN? Is the VPN configured in the ASA or the switch?
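As an added illustration (not from the thread, and not Cisco tooling), the script below checks an ASA running-config for the two things the replies keep coming back to: an http entry covering the ASDM client's network on the right interface name, and routing/reachability back to that client through that same interface (directly connected or a static route), plus the http server enable line that ASDM also needs. The config fragment, the 10.50.0.0/24 admin subnet and the route line are constructed assumptions; the routing check is a simplified model of how the ASA picks the return path.

```python
import ipaddress
import re

SAMPLE_CONFIG = """
interface Management0/0
 nameif management
 security-level 90
 ip address 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.50.0.0 255.255.255.0 management
route management 10.50.0.0 255.255.255.0 192.168.1.254 1
"""  # constructed sample running-config, not from the thread's devices

HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")  # http <net> <mask> <nameif>

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(config):
    """Collect interface subnets keyed by nameif, http permits and static routes."""
    ifaces, http, routes, nameif = {}, [], [], None
    for raw in config.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("interface "):
            nameif = None                          # new interface stanza
        elif line.startswith("nameif "):
            nameif = parts[1]
        elif line.startswith("ip address ") and nameif and parts[2][0].isdigit():
            ifaces[nameif] = _net(parts[2], parts[3])
        elif line.startswith("route ") and len(parts) >= 4:
            routes.append((parts[1], _net(parts[2], parts[3])))
        elif (m := HTTP_RE.match(line)) and m.group(1)[0].isdigit():
            http.append((_net(m.group(1), m.group(2)), m.group(3)))  # ACL-style http only
    return ifaces, http, routes

def asdm_reachable(config, client_ip):
    """Return (permitted, return_path_ok): the client must match an http rule AND the
    interface that rule names must be connected to, or hold a route for, the client."""
    ip = ipaddress.ip_address(client_ip)
    ifaces, http, routes = parse_asa(config)
    permitted = {ifn for net, ifn in http if ip in net}
    has_path = {ifn for ifn, net in ifaces.items() if ip in net}
    has_path |= {ifn for ifn, net in routes if ip in net}
    return bool(permitted), bool(permitted & has_path)

def overly_broad_http(config):
    """List http rules that admit any source instead of just the NMS subnet."""
    _, http, _ = parse_asa(config)
    return [f"http {n.network_address} {n.netmask} {ifn}" for n, ifn in http if n.prefixlen == 0]
```

A client on 10.50.0.0/24 is permitted but has no return path once the route line is removed, which is the "connection refused with the http entry in place" symptom described in the thread; the broad-rule check flags any 0.0.0.0 0.0.0.0 entry.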

 

Our setup is actually an MPLS setup. We have the ASA's management port MAC address (listed in the ASA) saved on the DHCP server as a reserved IP. See, after entering the commands listed above, the connection is still refused. The ASDM is on the subnet from which I'd like to be able to see the ASAs on the other subnets over the MPLS connection. I went out and tried the public IP address listed by a tracker and still no luck; I later removed it when it failed.
