Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1736
Views
5
Helpful
3
Replies

Accessing SourceFire Module from ASDM issue

kpasa004
Level 1
Level 1

‎09-11-2020 02:33 PM

Hello,

We have a bit of an odd setup for accessing our ASA from ASDM. I will lay out the process:

 

From our VDI instance, we open putty and ssh into a management server. After we are connected to the server over port 22, we then create a tunnel to one of the firewall interfaces. For brevity we'll say the firewall interface we connect to is 192.168.1.1. The management server is on the same subnet, 192.168.1.3. Our SFR module is on a separate interface of 172.16.10.1 with the IP of 172.16.10.25. I am able to ping the SFR from the server at 192.168.1.3, but not from the firewall interface of 192.168.1.1. 

 

We log into ASDM from "localhost" once the putty tunnel is created over port 443 to 192.168.1.1. While ASDM initiates, I get an error stating the SFR cannot be reached from 192.168.1.1.

 

Once again, I can ping/ssh to the firewall interface 192.168.1.1 from 192.168.1.3. I can also ping/ssh from 192.168.1.3 to 172.16.10.25 but not from the firewall interface of 192.168.1.1. I am completely stumped and cannot figure this one out.

 

The ASA sees the SFR module as up in ASDM and ASA, but cannot connect to it to manage it.

 

Any help is greatly appreciated.

 

-Cuyler

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-13-2020 05:41 AM

It sounds like you're doing port forwarding via your ssh session. I believe that will restrict you to a single destination IP. For ASDM to manage the Firepower service module you would have to connect to both addresses - the ASA and the module.

ASDM sees the module status because it gets that from the ASA itself - effectively parsing the output of "show module sfr detail" to populate the Firepower status tab in ASDM.

kpasa004
Level 1
Level 1
In response to Marvin Rhoads

‎09-13-2020 07:45 AM

Thanks for the follow up! That's kind of what I was thinking, needed a second tunnel but was unsure. Our inside interface is a public IP but the SFR module is a private IP, so I'm not sure that I will be able to do that with two separate ssh tunnels. The only other solution I can think of is to either A) give access to my VDI instance to the internal interface of the ASA or B) make the SFR module a public IP and setup a separate ssh tunnel when connecting. This sound about right?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to kpasa004

‎09-13-2020 07:49 PM

Yes something along those lines would be necessary (as I understand your setup).

Just keep in mind ASDM won't be smart enough to do any translation - it will always try to connect to the sfr address it gets from the ASA via "show module sfr detail".

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card