07-19-2005 08:04 AM - edited 03-10-2019 01:32 AM
Can ASDM manage SSM from remote site? For example,
when I try to access to the SSM with ASDM (Configuration > Features > IPS) through the outside int of ASA, the reply is "IP address of the management port is unreachable".
Management port ip address: 10.1.9.1
SSM ip address: 10.1.9.201/24, gw 10.1.9.1 (default)
[SSM config]
access-list 10.1.9.0/24
service web-server
enable-tls true
exit
Management port is directly connected to SSM, and ping is successful bidirectionally.
If I connect my PC to SSM directly, I can see IPS config with ASDM.
I don't know what's wrong, and please tell me how to use this management port.
Thanks in advance,
07-19-2005 10:00 AM
The best way to try and debug a problem like this is to try and connect to the sensor using IDM from the same box where you are attempting to use ASDM.
Open your web browser and type:
If your web browser can bring up IDM for the SSM, then ASDM running on that machine should also be able to reach SSM for configuration.
If your web browser can not bring up IDM, then ASDM will not work either.
Here are some things to consider:
The SSM external port should be considered to be just like any other machine on your internal network. There is no special communication between the SSM external port and the ASA.
When thinking about remote access to the SSM, it is best to treat the SSM as if it was just any other web server on your internal network. The external box (where you are running ASDM) needs to have a route to it, and be able to web browse to it.
In your example where the ASA management IP is 10.1.9.1, and the SSM IP is 10.1.9.201, then yes the ASA management port can ping the SSM IP, but that is no different than the ASA management port being able to ping any other machine that may be on the 10.1.9.0 network.
The ASA management port by default does Not route traffic in or out of that interface. By default it is configured as a management only port. This allows management of the ASA itself, and sessioning to the SSM, but NOT management of the SSM through the SSM's IP (which is what ASDM has to do).
This means that any box on any other interface of the ASA can Not route through the ASA to talk to a different IP (like the SSM IP) that is on the same network as the ASA management port. A box running ASDM can not route through the ASA through the ASA Management port to connect to the SSM IP.
The SSM IP needs to be on a network that IS routable through the ASA in order for an external box running ASDM to connect to it.
You have 2 choices here:
1) Move the SSM port to a network on one of the Other interfaces of the ASA that is routable. Like maybe into your DMZ.
or
2) Make the ASA management port into a normal port (remove the management-only configuration on the port) so that the management port Can route packets in and out of the 10.1.9.0 network.
Some other things to consider for remote management using ASDM (or IDM) through the ASA to the SSM.
1) The ASA will need to be able to route traffic from the SSM to the other interfaces of the ASA.
2) The ASA will need to have a policy/access-lists that allow the ASDM box to web browse (port 443) to the SSM.
3) If the ASA external interface has an Internet IP Address, then the ASA will need to have a NAT/PAT configuration for the SSM translating the SSM's 10.1.9.201 address to an Internet routable address/port. Just the same as would be needed for external access to a webserver in the DMZ.
NOTE: If NAT/PAT is done for the SSM address then when ASDM is run the user will need to override the default 10.1.9.201 address and 443 port in the connection to the SSM and put in the NAT/PAT address and port for ASDM to connect to the SSM.
(If using IDM you would need to connect with https://nataddress:patport)
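As an added illustration of the second choice above (this is an example configuration, not one posted in the thread), here is what the ASA side looks like in ASA 7.x-style syntax: the management port loses `management-only`, a static PAT exposes the sensor's TLS web server on the outside interface, and an access-list restricts that exposed port to a single administrator host. The outside interface IP 198.51.100.1, the administrator workstation 203.0.113.10 and the external port 8443 are assumed values; the SSM itself stays at 10.1.9.201 behind Management0/0 exactly as in the question.

```cisco
! Added example (not from the thread): ASA 7.x-style configuration for choice 2,
! letting a remote ASDM/IDM host reach the SSM sensor IP through the outside interface.
! Assumed values: outside interface IP 198.51.100.1, admin workstation 203.0.113.10,
! external port 8443 for the PAT. The SSM stays at 10.1.9.201 behind Management0/0.
!
! 1) Turn the management port into a normal routed interface (drops "management-only").
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.9.1 255.255.255.0
 no management-only
!
! 2) Static PAT: outside interface IP, port 8443 -> 10.1.9.201:443 (the sensor's TLS web server).
static (management,outside) tcp interface 8443 10.1.9.201 443 netmask 255.255.255.255
!
! 3) Only the admin workstation may open the translated port from the outside;
!    everything else towards the sensor is dropped by the interface ACL.
access-list outside_in extended permit tcp host 203.0.113.10 host 198.51.100.1 eq 8443
access-group outside_in in interface outside
```

With this in place the ASDM/IDM user connects to 198.51.100.1 port 8443 (the override described in the NOTE above). Only the destination is translated by the `static`, so the sensor sees the connection coming from 203.0.113.10; the sensor's own host access-list (the `access-list 10.1.9.0/24` entry shown in the question) must therefore also permit 203.0.113.10/32, otherwise the sensor itself refuses the session even though the ASA lets it through.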
07-19-2005 10:49 AM
Thanks for your detailed reply. I will try.