
ASA5510 - Cannot SSH or ASDM To Management Interface, Transparent Mode

Robert Ho
Level 1

I try to SSH and get access denied.

I try to ASDM and get "Unable to launch device manager from 172.16.252.100"

I think I am missing something. Software is 8.4(5) and running in Transparent Mode.

Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.

login as: test
test@172.16.252.100's password:
Access denied
test@172.16.252.100's password:

*****

username test password 6ZER6pGUgW0KG.mQ encrypted privilege 15
!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
!
interface Ethernet0/0
 description Server Outside
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 description Server Inside
 nameif inside
 bridge-group 1
 security-level 100
!
interface Management0/0
 description MGMT Access Only
 nameif management
 security-level 50
 ip address 172.16.252.100 255.255.255.0
 management-only
!
http server enable
http 172.16.252.0 255.255.255.0 management
!
ssh 0.0.0.0 0.0.0.0 management
!
asdm image disk0:/asdm-711-52.bin
!


Julio Carvajal
VIP Alumni

Hello Robert,

From which IP address are you trying to connect?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

From same subnet as the mgmt interface, 172.16.252.5.

I think if we can get the SSH resolved, it would fix it for ASDM as well.

cap test interface management match tcp host 172.16.252.5 host 172.16.252.100 eq 22

cap asp type asp-drop all circular-buffer

then try to connect once and share the following:

show cap asp | include 172.16.252.5

show cap test

Share the output

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Am trying on a different machine, 172.16.252.2

SV-YMCA-Servers# show cap asp | include 172.16.252.2
   2: 15:01:00.633756 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
   3: 15:01:00.635556 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
   4: 15:01:00.635800 172.16.252.2.17500 > 172.16.252.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
   8: 15:01:30.644940 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111
   9: 15:01:30.646786 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
  10: 15:01:30.647046 172.16.252.2.17500 > 172.16.252.255.17500:  udp 111
  14: 15:02:00.643429 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
  15: 15:02:00.645260 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111
  16: 15:02:00.645550 172.16.252.2.17500 > 172.16.252.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
  21: 15:02:30.656536 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
  22: 15:02:30.658245 172.16.252.2.17500 > 255.255.255.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
  23: 15:02:30.658504 172.16.252.2.17500 > 172.16.252.255.17500:  udp 111 Drop-reason: (dst-l2_lookup-fail) Dst MAC L2 Lookup Failed
SV-YMCA-Servers#
SV-YMCA-Servers#
SV-YMCA-Servers# sh cap test
10 packets captured
   1: 15:01:07.283280 172.16.252.2.4098 > 172.16.252.100.22: S 873725693:873725693(0) win 64512
   2: 15:01:07.283356 172.16.252.100.22 > 172.16.252.2.4098: S 1263330547:1263330547(0) ack 873725694 win 8192
   3: 15:01:07.283630 172.16.252.2.4098 > 172.16.252.100.22: . ack 1263330548 win 64512
   4: 15:01:07.284348 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   5: 15:01:09.301498 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   6: 15:01:13.327894 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   7: 15:01:21.347119 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   8: 15:01:37.368770 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   9: 15:02:07.279694 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330568:1263330568(0) ack 873725694 win 32768
  10: 15:02:09.395304 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330548:1263330568(20) ack 873725694 win 32768
10 packets shown
SV-YMCA-Servers#
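
A way to read the `show cap test` output above programmatically (an added example, not part of the original posts): the script parses the quoted capture lines and reports any data segment sent more than once, plus the time each endpoint was last seen sending. The function names are this example's own.

```python
import re
from collections import Counter

# The ten lines of `show cap test` output quoted in the post above.
CAPTURE = """\
   1: 15:01:07.283280 172.16.252.2.4098 > 172.16.252.100.22: S 873725693:873725693(0) win 64512
   2: 15:01:07.283356 172.16.252.100.22 > 172.16.252.2.4098: S 1263330547:1263330547(0) ack 873725694 win 8192
   3: 15:01:07.283630 172.16.252.2.4098 > 172.16.252.100.22: . ack 1263330548 win 64512
   4: 15:01:07.284348 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   5: 15:01:09.301498 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   6: 15:01:13.327894 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   7: 15:01:21.347119 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   8: 15:01:37.368770 172.16.252.100.22 > 172.16.252.2.4098: P 1263330548:1263330568(20) ack 873725694 win 32768
   9: 15:02:07.279694 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330568:1263330568(0) ack 873725694 win 32768
  10: 15:02:09.395304 172.16.252.100.22 > 172.16.252.2.4098: FP 1263330548:1263330568(20) ack 873725694 win 32768
"""

# One ASA capture line: number, time, src > dst, TCP flags, optional seq range, optional ack.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+):\s+(?P<ts>[\d:.]+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFPR.]+)\s+(?:(?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?win\s+\d+"
)

def parse(text):
    """Return one dict per TCP line; non-matching lines (prompts, counters) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def retransmissions(pkts):
    """Map (src, seq_start, seq_end) -> count for data segments seen more than once."""
    seen = Counter((p["src"], p["start"], p["end"])
                   for p in pkts if p["len"] and int(p["len"]) > 0)
    return {seg: n for seg, n in seen.items() if n > 1}

def last_packet_time(pkts, src):
    """Timestamp of the last packet sent by src, or None if it sent nothing."""
    times = [p["ts"] for p in pkts if p["src"] == src]
    return times[-1] if times else None

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    for (src, start, end), n in retransmissions(pkts).items():
        print(f"{src} sent segment {start}:{end} {n} times")
    print("client last seen at", last_packet_time(pkts, "172.16.252.2.4098"))
```

On this capture it reports the ASA's 20-byte segment sent six times, while the client's last packet is the ACK that completes the handshake.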

Hello Robert,

What is the MAC address of that PC?

Can you check in the ASA CAM table if that address is in there? That seems to be the problem!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

We ran out of time and moved forward with BVI and it worked.

The MGMT IP had to be changed to match that of the network that the ASA is bridging.

Do you have a complete config that is working? We will have to revisit this when we are back onsite. I am either missing something or Management0/0 does not work with this code. OS is 8.4(5) on an ASA5510.

Thank you

Hello Robert,

It should be working; the config is good and pretty simple.

Seems like the ASA was complaining about the MAC address not being in the CAM table.

Let's see what happens when you test it, okay?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC