Beginner

ASA5508 - ASDM User Accounts

New to Firewall Management and need some help. We have a couple User Accounts setup in Cisco ASDM. We thought these users were for the ability to login directly to the Firewall from "outside" our network. Is that what these users are for? Do I login to our WAN IP? How do these users login? Thanks for any advice!

firewall1.png

VIP Advisor

Re: ASA5508 - ASDM User Accounts

Hi,
Yes, these user accounts do have admin rights to login to ASDM. To configure access to login from the outside you would need to ensure you permit access "http 0.0.0.0 0.0.0.0 outside". The users need to open a web browser, enter the outside IP address and then download ASDM.

The user accounts could also be used for remote access (however they do have full admin rights, so they could manage the ASA also).


HTH

Beginner

Re: ASA5508 - ASDM User Accounts

Do I need an IP setup for HTTP? I have 3 in here for SSH.

Also, how do I know which IP address to use when I logon using web browser? Thank you for your help!

firewall2.png

VIP Advisor

Re: ASA5508 - ASDM User Accounts

You would have to permit all IP addresses on the outside interface for ASDM/HTTPS - unless you know the source, in which case define those static IP addresses.

The IP address to connect to when using the web browser is the IP address of your "outside" interface.

HTH

Beginner

Re: ASA5508 - ASDM User Accounts

Here is what I have under Access and NAT Rules.

firewall3.png
firewall4.png

VIP Advisor

Re: ASA5508 - ASDM User Accounts

It's got nothing to do with NAT; you need to connect to the IP address assigned to the outside interface.

Beginner

Re: ASA5508 - ASDM User Accounts

I believe it would be the same as the outside-network in my Network Objects.

firewall5.png

VIP Advisor

Re: ASA5508 - ASDM User Accounts

Well, your outside interface IP address would be part of that object "outside-network". From ASDM go to Configuration > Device Setup > Interfaces. The public IP address named "outside" would be the IP address you need to use.

Beginner

Re: ASA5508 - ASDM User Accounts

Okay, I found that IP address, so now do I need to setup an Access Rule for that IP address? Thank you!!

VIP Advisor

Re: ASA5508 - ASDM User Accounts

You configure management access in ASDM as per the screenshot in your 1st reply or per my first reply, with the command "http 0.0.0.0 0.0.0.0 outside". This would permit access from any IP address on the internet to access your ASA on its outside interface's IP address.
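
The reply above notes that "http 0.0.0.0 0.0.0.0 outside" opens ASDM to any source on the internet, and an earlier reply suggests defining static source addresses instead. The following is an added example, not part of the original thread or Cisco's tooling: a small audit that reads ASA management-access lines and flags entries on an internet-facing interface that allow any source or a large range. The sample config, the `untrusted` interface list and the `max_hosts` threshold are assumptions of this example; only IPv4 entries are handled.

```python
import ipaddress
import re

# ASA management-access entries look like: <http|ssh|telnet> <ip> <mask> <interface>
MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

# Constructed sample config (documentation address ranges), not from the thread.
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
ssh 203.0.113.10 255.255.255.255 outside
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 5
"""

def audit_mgmt_access(config_text, untrusted=("outside",), max_hosts=16):
    """Return (severity, config line, reason) for risky management entries.

    untrusted and max_hosts are assumptions of this example: which interface
    names face the internet, and how large a permitted source range may be.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if not m:
            continue  # e.g. "http server enable" or "ssh timeout 5"
        proto, ip, mask, iface = m.groups()
        if iface not in untrusted:
            continue
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:
            findings.append(("error", line, "unparseable address or mask"))
            continue
        if net.prefixlen == 0:
            findings.append(("high", line, f"{proto} open to any source on {iface}"))
        elif net.num_addresses > max_hosts:
            findings.append(("medium", line, f"{proto} allows {net.num_addresses} sources on {iface}"))
    return findings

if __name__ == "__main__":
    for severity, line, reason in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"[{severity}] {line}  ->  {reason}")
```

Run against the output of "show running-config", a single-host entry such as a /32 source on the outside interface produces no finding, while the any-source entry is reported as high.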

Beginner

Re: ASA5508 - ASDM User Accounts

Does it make a difference if I already have an ASDM/HTTPS setup for Management at 0.0.0.0? Not sure if I can have both. Thanks!

firewall6.png

VIP Advisor

Re: ASA5508 - ASDM User Accounts

You need it enabled on the outside interface if you are connecting from the outside interface, which sounds like what you intend to do.

Beginner

Re: ASA5508 - ASDM User Accounts

I get an error when trying to add 

firewall7.png

VIP Advisor

Re: ASA5508 - ASDM User Accounts

Ok, fine... you already enabled it on the outside and management interfaces in the previous screenshot. You should just apply and save the configuration, then test connection to the outside interface IP address - from an IP address that is on the outside of the ASA (in other words don't connect from your inside network).

Beginner

Re: ASA5508 - ASDM User Accounts

I had not hit apply yet when I took that screenshot. So will it work if I just have the Outside set for ASDM/HTTPS and not Management?