03-14-2013 07:00 AM - edited 03-11-2019 06:14 PM
I am trying to get an ASA5510 working in transparent mode, multi-context. I am on revision 8.2.5, so there are no bridge groups (those are enabled in 8.4).
I first set it to transparent mode, then set it to multi-context mode. I am doing trunking through the Ethernet0/0 to Ethernet0/1, and have two vlans on subinterfaces of each interface. These interfaces are in the 2nd and 3rd contexts, and all trunking between vlans is working correctly in transparent mode.
But I can't telnet or ssh to the ASA itself.
I have an IP address on the inside vlan interface in each context, and can ping the IP in context 2 and context 3. There is an IP also in the admin context, but I am unable to ping this. I have tried putting it in the same vlan as the 2nd context, and putting it on the management interface, but since there is a global IP only in transparent mode, I don't think the management interface is used (even though it is in the admin context's included interfaces).
Since I can't connect to the ASA, I can't easily get the running config to post it here, even though that would likely
Can anyone offer me any input to what I'm doing wrong?
To summarize:
- transparent mode
- multi-context
- trunking (dot1q) through Eth0/0 and Eth0/1, so each interface has four sub-interfaces, each in its own vlan
- these VLANs are in each of the contexts except the admin context
- the IP of each context is able to be pinged, but can't telnet or ssh to it
- telnet and ssh are set up for allowing a /16 subnet range access, in each context
- access-list is set up for permit ip any any and permit icmp any any on the inside and outside interface of each context
- all thru-traffic is passing correctly, but can't manage the ASA other than sitting at the console of it
What I'm going to try now is putting the admin context into one of the vlans in the trunk and see if I can use it that way.
03-14-2013 07:24 AM
Update...after putting the admin context also in a vlan and assigning the inside and outside interfaces, I can now ping the management IP.
But still can't telnet or ssh into it to manage it.
Here's attempting to connect from the switch that's trunked to the ASA:
QRM3750A#telnet 172.16.59.200
Trying 172.16.59.200 ...
% Connection timed out; remote host not responding
QRM3750A#ping 172.16.59.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.59.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
QRM3750A#
Access-list is set up to permit it, and ssh and telnet are both enabled for a /16 range that this switch is in.
03-14-2013 04:11 PM
Hello Darren,
Can you check the listening ports:
show asp table socket
Make sure the source IP is allowed for telnet/ssh:
show run telnet
show run ssh
If the client is not in the same network, then make sure you configure the default gateway.
Regards,
Felipe.
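The listener check suggested in the reply above can be scripted against saved `show asp table socket` output. This is an added example, not part of the original thread: the sample text is constructed, its column layout is an assumption that varies by ASA release, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on `show asp table socket` output. It was not
# captured from the poster's ASA; the column order is an assumption.
SAMPLE = """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       0001a2b4  172.16.59.200:23            0.0.0.0:*               LISTEN
"""

# A concrete ip:port token. The foreign address of a listener (0.0.0.0:*)
# does not match because its port is a wildcard.
ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def listening_sockets(output):
    """Return the set of (ip, port) pairs that are in LISTEN state."""
    found = set()
    for line in output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue  # header, blank line, or a non-listening socket
        # Scan tokens instead of fixed columns so either column order parses;
        # the first concrete ip:port token on the row is the local address.
        for tok in fields:
            m = ADDR.match(tok)
            if m:
                found.add((m.group(1), int(m.group(2))))
                break
    return found


def missing_listeners(output, mgmt_ip, expected_ports):
    """Return the expected management ports with no listener on mgmt_ip."""
    listening = listening_sockets(output)
    return sorted(p for p in expected_ports if (mgmt_ip, p) not in listening)


if __name__ == "__main__":
    # Expect SSH (22) and telnet (23) on the context's management IP.
    for port in missing_listeners(SAMPLE, "172.16.59.200", [22, 23]):
        print(f"no listener on 172.16.59.200:{port}")
```

A port reported as missing while `show run ssh` or `show run telnet` shows it configured means the service is configured but has no socket open, which is a different fault from an access-list or source-range problem.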
03-15-2013 04:20 AM
That was exactly it...it was only listening on port 23 for telnet. Odd that this somehow happened, but reloading the ASA fixed the problem.
Thanks.
Also curious...when in transparent mode, how do you configure a default gateway for management? There's no option for it in IP options.
03-15-2013 10:13 AM
I'm glad it is working now.
The route is configured the same way as in routed mode:
route interface_name ip_address netmask gateway_ip
Note: Once the post is solved, mark it as answered so others can learn from this.
Regards,
Felipe.