01-22-2013 10:30 AM - edited 03-11-2019 05:50 PM
I try to SSH and get access denied.
I try to ASDM and get "Unable to launch device manager from 172.16.252.100"
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
login as: test
test@172.16.252.100's password:
Access denied
test@172.16.252.100's password:
*****
username test password 6ZER6pGUgW0KG.mQ encrypted privilege 15
!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
!
interface Ethernet0/0
description Server Outside
nameif outside
bridge-group 1
security-level 0
!
interface Ethernet0/1
description Server Inside
nameif inside
bridge-group 1
security-level 100
!
interface Management0/0
description MGMT Access Only
nameif management
security-level 50
ip address 172.16.252.100 255.255.255.0
management-only
!
http server enable
http 172.16.252.0 255.255.255.0 management
!
ssh 0.0.0.0 0.0.0.0 management
!
asdm image disk0:/asdm-711-52.bin
!
01-22-2013 01:33 PM
Hello Robert,
From which IP address are you trying to connect?
Regards
01-22-2013 02:21 PM
From same subnet as the mgmt interface, 172.16.252.5.
I think if we can get the SSH resolved, it would fix it for ASDM as well.
01-22-2013 02:23 PM
cap test interface management match tcp host 172.16.252.5 host 172.16.252.100 eq 22
cap asp type asp-drop all circular-buffer
Then try to connect once and share the following:
show cap asp | include 172.16.252.5
show cap test
Share the output
01-22-2013 03:03 PM
I am trying on a different machine, 172.16.252.2.
SV-YMCA-Servers# show cap asp | include 172.16.252.2
2: 15:01:00.633756 172.16.252.2.17500 > 255.255.255.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
3: 15:01:00.635556 172.16.252.2.17500 > 255.255.255.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
4: 15:01:00.635800 172.16.252.2.17500 > 172.16.252.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
8: 15:01:30.644940 172.16.252.2.17500 > 255.255.255.255.17500: udp 111
9: 15:01:30.646786 172.16.252.2.17500 > 255.255.255.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
10: 15:01:30.647046 172.16.252.2.17500 > 172.16.252.255.17500: udp 111
14: 15:02:00.643429 172.16.252.2.17500 > 255.255.255.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
15: 15:02:00.645260 172.16.252.2.17500 > 255.255.255.255.17500: udp 111
16: 15:02:00.645550 172.16.252.2.17500 > 172.16.252.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
21: 15:02:30.656536 172.16.252.2.17500 > 255.255.255.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
22: 15:02:30.658245 172.16.252.2.17500 > 255.255.255.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
23: 15:02:30.658504 172.16.252.2.17500 > 172.16.252.255.17500: udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
SV-YMCA-Servers#
SV-YMCA-Servers#
SV-YMCA-Servers# sh cap test
10 packets captured
1: 15:01:07.283280 172.16.252.2.4098 > 172.16.252.100.22: S 873725693:873725693(0) win 64512
2: 15:01:07.283356 172.16.252.100.22 > 172.16.252.2.4098: S 1263330547:1263330547(0) ack 873725694 win 8192
3: 15:01:07.283630 172.16.252.2.4098 > 172.16.252.100.22: . ack 1263330548 win 64512
4: 15:01:07.284348 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
5: 15:01:09.301498 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
6: 15:01:13.327894 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
7: 15:01:21.347119 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
8: 15:01:37.368770 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
9: 15:02:07.279694 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330568:1263330568(0) ack 873725694 win 32768
10: 15:02:09.395304 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330548:1263330568(20) ack 873725694 win 32768
10 packets shown
SV-YMCA-Servers#
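As an added example (not part of the original thread and not Cisco tooling), the Python below parses `show capture` lines in the format shown above and reports data segments that appear more than once with the same sequence range, the gaps between the copies, and whether the peer ever acknowledged them. The capture text is copied from the post; the function names `parse` and `retransmissions` are hypothetical.

```python
import re
from collections import defaultdict

# The ten lines of `show cap test` output from the post above.
CAPTURE = """\
1: 15:01:07.283280 172.16.252.2.4098 > 172.16.252.100.22: S 873725693:873725693(0) win 64512
2: 15:01:07.283356 172.16.252.100.22 > 172.16.252.2.4098: S 1263330547:1263330547(0) ack 873725694 win 8192
3: 15:01:07.283630 172.16.252.2.4098 > 172.16.252.100.22: . ack 1263330548 win 64512
4: 15:01:07.284348 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
5: 15:01:09.301498 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
6: 15:01:13.327894 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
7: 15:01:21.347119 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
8: 15:01:37.368770 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
9: 15:02:07.279694 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330568:1263330568(0) ack 873725694 win 32768
10: 15:02:09.395304 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330548:1263330568(20) ack 873725694 win 32768
"""

LINE = re.compile(r"^\s*\d+: (\d+):(\d+):(\d+\.\d+) (\S+) > (\S+): (\S+)"
                  r"(?: (\d+):(\d+)\((\d+)\))?(?: ack (\d+))?")

def parse(text):
    """Turn each capture line into a dict; non-matching lines are skipped."""
    packets = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        h, mi, s, src, dst, flags, start, end, length, ack = m.groups()
        packets.append({"t": int(h) * 3600 + int(mi) * 60 + float(s),
                        "src": src, "dst": dst, "flags": flags,
                        "seq_end": int(end) if end else None,
                        "range": f"{start}:{end}", "len": int(length or 0),
                        "ack": int(ack) if ack else None})
    return packets

def retransmissions(packets):
    """Report data segments sent more than once with the same sequence range."""
    seen = defaultdict(list)
    for p in packets:
        if p["len"] > 0:
            seen[(p["src"], p["dst"], p["range"], p["seq_end"])].append(p["t"])
    report = []
    for (src, dst, rng, seq_end), times in seen.items():
        if len(times) < 2:
            continue
        # Acked if the peer ever sends an ack number covering the segment end
        # (sequence-number wraparound is ignored here).
        acked = any(p["src"] == dst and p["dst"] == src and p["ack"] is not None
                    and p["ack"] >= seq_end for p in packets)
        report.append({"src": src, "range": rng, "count": len(times), "acked": acked,
                       "gaps_s": [round(b - a) for a, b in zip(times, times[1:])]})
    return report
```

On this capture, `retransmissions(parse(CAPTURE))` reports one 20-byte segment from 172.16.252.100.22 sent six times, with gaps of about 2, 4, 8, 16 and 32 seconds, and no acknowledgement from 172.16.252.2 covering it.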
01-22-2013 03:13 PM
Hello Robert,
What is the MAC address of that PC?
Can you check in the ASA CAM table if that address is in there? That seems to be the problem!!
01-22-2013 06:06 PM
We ran out of time and moved forward with BVI and it worked.
The MGMT IP had to be changed to match that of the network that the ASA is bridging.
Do you have a complete config that is working? We will have to revisit this when we are back onsite. I am either missing something or Management0/0 does not work with this code. OS is 8.4(5) on an ASA5510.
Thank you
01-22-2013 09:41 PM
Hello Robert,
It should be working; the config is good and pretty simple.
Seems like the ASA was complaining about the MAC address not being in the CAM table.
Let's see what happens when you test it, okay?