02-08-2012 01:32 PM - edited 03-11-2019 03:26 PM
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall (not that I really need to), and devices can ping me back. I can access ASDM through RDP or SSH into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0
asdm location 10.1.55.0 255.255.255.0 untrust
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
http 10.1.55.0 255.255.255.0 untrust
trust is the name of the "inside" interface that has an IP of 192.168.1.1
untrust is the name of the "outside" interface
prod is the name of the production environment interface
and dmz of course is the name of the dmz interface
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
02-09-2012 03:41 PM
Hello Dane,
Can you try the following:
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup
Regards,
Julio
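To make the conditions this thread converges on checkable, here is an added example (not part of the thread, and not Cisco's own tooling) that parses a small slice of ASA configuration and reports what blocks ASDM access to a far-side interface from a subnet arriving over the site-to-site VPN. It encodes the three things the posts above end up requiring: an `http` entry for the source subnet on the interface being managed, `management-access` on that interface, and an identity twice-NAT exemption between that interface and the interface the tunnel terminates on, written explicitly with `route-lookup` (the `(trust,any)` form did not work here; the checker treats the exact pair as required, which is the thread's empirical finding rather than a general ASA rule). The `BEFORE` and `AFTER` configs and the source address 10.1.55.20 are constructed sample input modelled on the thread's posted lines.

```python
import ipaddress
import re

# Constructed sample, modelled on the config as first posted in the thread.
BEFORE = """\
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object network obj-10.1.55.0
 subnet 10.1.55.0 255.255.255.0
management-access trust
http 10.1.55.0 255.255.255.0 untrust
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
"""

# Same config plus the two lines the thread ends up adding.
AFTER = BEFORE + """\
http 10.1.55.0 255.255.255.0 trust
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup
"""

# Twice NAT (ASA 8.3+): nat (real_ifc,mapped_ifc) source static R M destination static R M [options]
NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)(.*)$"
)


def parse_config(text):
    """Pull out network objects, http entries, management-access and twice-NAT rules."""
    cfg = {"objects": {}, "http": [], "mgmt_access": None, "nat": []}
    obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"object network (\S+)$", line)):
            obj = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and obj:
            # ipaddress accepts dotted netmasks, so 10.1.55.0/255.255.255.0 parses directly
            cfg["objects"][obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"http (\S+) (\S+) (\S+)$", line)):
            cfg["http"].append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
        elif (m := re.match(r"management-access (\S+)$", line)):
            cfg["mgmt_access"] = m.group(1)
        elif (m := NAT_RE.match(line)):
            real_ifc, mapped_ifc, s_real, s_mapped, d_real, d_mapped, opts = m.groups()
            cfg["nat"].append({
                "ifcs": (real_ifc, mapped_ifc),
                # identity NAT: real and mapped objects are the same on both sides
                "identity": s_real == s_mapped and d_real == d_mapped,
                "dst": cfg["objects"].get(d_real),
                "route_lookup": "route-lookup" in opts.split(),
            })
    return cfg


def asdm_reachable(cfg, src_ip, target_ifc, ingress_ifc):
    """Return the list of blocking problems; an empty list means ASDM on
    target_ifc should be reachable from src_ip arriving on ingress_ifc."""
    src = ipaddress.ip_address(src_ip)
    problems = []
    # 1. http ACL must name the source on the interface being managed
    if not any(src in net and ifc == target_ifc for net, ifc in cfg["http"]):
        problems.append(f"no http entry for {src_ip} on {target_ifc}")
    if target_ifc != ingress_ifc:
        # 2. managing a non-terminating interface over VPN needs management-access
        if cfg["mgmt_access"] != target_ifc:
            problems.append(f"management-access {target_ifc} not set")
        # 3. identity NAT exemption for exactly (target, ingress) with route-lookup,
        #    as the thread's accepted fix requires (assumption: "any" does not count)
        if not any(
            r["ifcs"] == (target_ifc, ingress_ifc) and r["identity"] and r["route_lookup"]
            and r["dst"] is not None and src in r["dst"]
            for r in cfg["nat"]
        ):
            problems.append(
                f"no identity NAT exemption with route-lookup for ({target_ifc},{ingress_ifc}) covering {src_ip}"
            )
    return problems


if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, asdm_reachable(parse_config(text), "10.1.55.20", "trust", "untrust") or "reachable")
```

Run against the thread's starting config the checker flags the missing `http ... trust` entry and the missing `(trust,untrust)` exemption; against the final config it reports nothing. Accessing ASDM on the `untrust` address itself from the same interface needs only the `http` entry, which is why that check is the only one applied when target and ingress interfaces match.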
02-08-2012 02:06 PM
Hello Dane,
So all you want to do is to be able to access ASDM, to accomplish this you need to be able to access the trust interface on the other side.
For this:
management-access trust
Then give it a try.
Regards,
Julio
Do rate helpful posts!!
02-08-2012 02:11 PM
That is already set. I can access ASDM from the trust side, it's accessing it from the untrust side (where the VPN tunnel comes across) that does not currently work.
Is the problem that since only 1 interface can be specified as having management access, that since the VPN tunnel comes across the untrust interface, that there is no way to give it access?
02-08-2012 02:15 PM
Hello Dane,
That is correct.
Also remember that on an ASA you cannot connect to a distant interface.
So in this case the remote site will connect to the VPN and then they will be part of the inside interface, so they will not be able to access the untrusted interface, just the trusted one.
Regards,
Julio
Do rate all the helpful posts!
02-08-2012 02:20 PM
It is a given though that in order to make the tunnel work, that it goes across the public (untrust) interface, so all my traffic from the 10.1.55.0 side is coming through the untrust interface.
The ASA in this case is the vpn. The problem I have is accessing the trust interface..
There is no way to route the traffic from untrust to trust, in order to give these VPN connections that originate outside of the network and come across the untrust interface, to access ASDM?
I guess that is the impression I'm getting, I just want to confirm.
Edit: It just seems counter intuitive, since I can grant ASDM/HTTP access to a subnet over a non-management interface (outside), but not actually be able to access it except on a single interface that is defined as the management interface?
02-08-2012 02:32 PM
Hello Dane,
I think I am not quite understanding your request in here.
Please correct me if I am wrong:
1inside----ASA-----1Outside2--------ASA-----Inside2
You are on Inside2 and you want to access ASDM from interface Inside1 via the VPN tunnel, right?
02-08-2012 03:38 PM
Yeah, that is right. ASDM's management interface is set to Inside1, and I can access it fine from Inside1, but not Inside2.
02-08-2012 03:42 PM
Hello Dane,
Ok good I understand the scenario.
Now you need this
http 10.1.55.0 255.255.255.0 trust
Set that up and let me know.
Regards,
Julio
02-08-2012 04:06 PM
Done, but still am not able to access it.
I've tried both the Outside1 IP and the Inside1 IP.
02-08-2012 04:17 PM
Hello,
Hmm, that is strange. Can you change this please:
no nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp
Are you able to ping that interface now?
Regards,
02-08-2012 04:27 PM
Done, no change.
02-08-2012 04:42 PM
Are you able to ping that interface now?
02-08-2012 04:45 PM
Can ping the Outside1 interface but not the Inside1 interface.
02-08-2012 04:49 PM
Hello Dane,
Do you have the inspection for the ICMP protocol?
If not, just add: fixup protocol ICMP
On Site A do a capture on the inside interface like this.
access-list capin permit tcp host x.x.x.x (Remote_host_Ip) host y.y.y.y (ASA_inside_interface) eq 443
access-list capin permit tcp host y.y.y.y (ASA_inside_interface) eq 443 host x.x.x.x (Remote_host_Ip)
capture capin access-list capin interface trust
Try to access ASDM again and finally:
Do a: sh cap capin, and provide the output you get!
02-08-2012 04:53 PM
Site A being where Inside1 is?