ASA5508 - ASDM User Accounts

wynneitmgr
Level 3

New to Firewall Management and need some help. We have a couple of User Accounts set up in Cisco ASDM. We thought these users were for the ability to log in directly to the Firewall from "outside" our network. Is that what these users are for? Do I log in to our WAN IP? How do these users log in? Thanks for any advice!

firewall1.png


Hi,
Yes, these user accounts do have admin rights to log in to ASDM. To configure access to log in from the outside you would need to ensure you permit access "http 0.0.0.0 0.0.0.0 outside". The users need to open a web browser, enter the outside IP address and then download ASDM.

The user accounts could also be used for remote access (however they do have full admin rights, so they could manage the ASA also).


HTH

Do I need an IP setup for HTTP? I have 3 in here for SSH.

Also, how do I know which IP address to use when I log on using a web browser? Thank you for your help!

firewall2.png

You would have to permit all IP addresses on the outside interface for ASDM/HTTPS - unless you know the source, in which case define those static IP addresses.

The IP address to connect to when using the web browser is the IP address of your "outside" interface.

HTH
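
Added example, not part of the thread: a Python check over saved ASA configuration text that flags `http`/`ssh` management-access entries open to any source or to a very wide range on the outside interface, the case contrasted above with defining known static source addresses. The sample config, the `audit_mgmt_access` name and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress
import re

# ASA management-access lines: "<http|ssh> <ip> <netmask> <interface>" (IPv4 form only).
MGMT_RE = re.compile(
    r"^(http|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

# Constructed sample, not taken from the thread's screenshots.
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
ssh 203.0.113.10 255.255.255.255 outside
ssh 198.51.100.0 255.255.0.0 outside
"""

def audit_mgmt_access(config_text, untrusted=("outside",), max_addresses=256):
    """Flag ASDM/HTTPS and SSH source ranges that are too wide on untrusted interfaces."""
    http_enabled = False
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("http server enable"):
            http_enabled = True  # ASDM is only reachable once the HTTPS server is on
            continue
        match = MGMT_RE.match(line)
        if not match or match.group(4) not in untrusted:
            continue
        service, ip, mask, iface = match.groups()
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:
            continue  # not a valid address/netmask pair; skip it
        if net.prefixlen == 0:
            issue = "any-source"      # e.g. "http 0.0.0.0 0.0.0.0 outside"
        elif net.num_addresses > max_addresses:
            issue = "broad-source"    # wider than the max_addresses threshold
        else:
            continue                  # specific static source(s): nothing to report
        findings.append({"service": service, "interface": iface,
                         "source": str(net), "issue": issue})
    # http entries only take effect when "http server enable" is present
    for f in findings:
        f["active"] = f["service"] != "http" or http_enabled
    return findings

if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(finding)
```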

Here is what I have under Access and NAT Rules.

firewall3.png

firewall4.png

It's got nothing to do with NAT, you need to connect to the IP address assigned to the outside interface.

I believe it would be the same as the outside-network in my Network Objects.

firewall5.png

Well, your outside interface IP address would be part of that object "outside-network". From ASDM go to Configuration > Device Setup > Interfaces. The public IP address named "outside" would be the IP address you need to use.

Okay, I found that IP address, so now do I need to set up an Access Rule for that IP address? Thank you!!

You configure management access in ASDM as per the screenshot in your 1st reply or per my first reply, with the command "http 0.0.0.0 0.0.0.0 outside". This would permit access from any IP address on the internet to access your ASA on its outside interface's IP address.

Does it make a difference if I already have an ASDM/HTTPS setup for Management at 0.0.0.0? Not sure if I can have both. Thanks!

firewall6.png

You need it enabled on the outside interface if you are connecting from the outside interface, which sounds like what you intend to do.

I get an error when trying to add 

firewall7.png

Ok, fine... you already enabled it on the outside and management interfaces in the previous screenshot. You should just apply and save the configuration, then test the connection to the outside interface IP address - from an IP address that is on the outside of the ASA (in other words, don't connect from your inside network).

I had not hit apply yet when I took that screenshot. So will it work if I just have the Outside set for ASDM/HTTPS and not Management?
