12-03-2013 06:45 PM - edited 03-11-2019 08:12 PM
Hi Everyone,
We have two different Transparent ASAs in multi-context mode at two different sites.
At one site I can log in via ASDM directly to the context ASA by its name/IP address.
At the other site, to log in via ASDM to, say, the context ASA with hostname asa5520, I have to log in via ASDM to asa15x5520; once I log in there, under context I can
see the context hostname asa5520 and I have to click on connect.
I need to understand why I cannot log in via ASDM to the context ASA with hostname asa5520 directly via its hostname or IP.
Regards
Mahesh
12-03-2013 11:46 PM
Hi,
Can't say I have worked that much with the Transparent ASA firewall. Very very little actually.
But to my understanding you are describing 2 different situations. One where you are logging into the admin context of the ASA and the other one where you are connecting to a user context directly rather than the admin context.
In our Multiple Context mode ASAs I typically only allow management access through the admin context and that is allowed through a closed network that is not accessible from the external network.
If you want to allow management connection directly to the user context then I would suggest going through the configurations of the security context to which you cannot connect directly so that it has the needed configurations for the management connection.
Without knowing the actual environment it's hard to say anything specific. Even more so for me since I don't deal much with Transparent ASAs.
- Jouni
12-04-2013 07:30 AM
Hi Jouni,
I need to access the context ASA with hostname asa5520 via ASDM directly.
From SSH I can access the context ASA asa5520 directly without going to the admin context.
The only issue is with ASDM access.
Any idea what config I should look for in the ASA?
Regards
Mahesh
12-04-2013 07:58 AM
Hi,
For the Management configurations you might want to check
show run http
show run ssh
show run telnet
The above will view what kind of management connections are allowed to the firewall. (inside the context)
You can issue the following command to see what the ASA uses for authentication (local or aaa server)
show run aaa
- Jouni
12-06-2013 12:15 PM
Hi Jouni,
Both firewalls at different sites have the same config in regards to
sh run http
sh run ssh
sh run telnet
sh run aaa
Regards
Mahesh
12-04-2013 12:25 AM
Hi Mahesh,
If I understand it correctly, I would suspect that context 'asa5520' is not configured as the 'admin' context.
You could verify in the CLI using the show context command and look for the * where the admin context is assigned.
12-04-2013 07:20 AM
Hi John,
Hostname asa5520 is not the admin context.
My issue is that I cannot access hostname asa5520 via ASDM directly.
SSH works fine to context name asa5520 directly.
To access this hostname I have to ASDM to hostname asa15x5520, which is admin, then go to context asa5520.
At our other site with the same environment I can access the context ASA directly via ASDM.
Regards
Mahesh
12-07-2013 11:36 AM
Could you please post a full sanitized configuration of the context you are trying to access directly?
--
Please remember to rate and select a correct answer
12-07-2013 04:58 PM
Hi Marius,
Thanks for looking into this.
Here is the config below:
: Saved
:
ASA Version 8.6(1)2
!
firewall transparent
hostname BlueNet
domain-name x.com
names
!
interface BVI3
ip address 172.16.3.15 255.255.254.0
!
interface GigabitEthernet0/2.3
nameif BlueNet
bridge-group 3
security-level 95
!
interface GigabitEthernet0/3.3
nameif BlueNet_en
bridge-group 3
security-level 5
dns server-group DefaultDNS
domain-name x.com
pager lines 24
logging enable
logging timestamp
logging trap informational
logging history informational
logging asdm informational
logging facility 21
logging permit-hostdown
mtu BlueNet 1500
mtu BlueNet_en 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group BlueNet_access_in in interface BlueNet
access-group BlueNet_en_access_in in interface BlueNet_en
route BlueNet 0.0.0.0 0.0.0.0 172.16.3.254 1
timeout xlate 3:00:00
timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server SSCNetwork protocol radius
aaa-server SSCNetwork(BlueNet) host 172.16.10.10
key *****
authentication-port 1812
aaa-server SSCNetwork(BlueNet) host 172.31.10.10
key *****
authentication-port 1812
user-identity default-domain LOCAL
aaa authentication enable console SSCNetwork LOCAL
aaa authentication ssh console SSCNetwork LOCAL
aaa authentication http console SSCNetwork LOCAL
http server enable
http 172.17.99.0 255.255.255.0 BlueNet
http 172.31.23.0 255.255.255.0 BlueNet
http 172.16.10.220 255.255.255.255 BlueNet
telnet timeout 5
ssh 172.17.99.0 255.255.255.0 BlueNet
ssh 172.31.23.0 255.255.255.0 BlueNet
ssh 172.16.3.5 255.255.255.255 BlueNet
ssh 172.16.0.232 255.255.255.255 BlueNet
ssh timeout 10
ssh version 2
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:9d8746dc32cbb7be84504e881f6f3d9c
: end
Best regards
Mahesh
12-09-2013 12:32 AM
Is this a new ASA you are setting up?
Which IP does the PC you are connecting from have?
Are you able to ping 172.16.3.15 from the PC you are connecting from?
Is your PC located off the BlueNet interface or the BlueNet_en interface?
12-09-2013 07:36 AM
Hi Marius,
This is not a new ASA, it's already in production.
I am connecting from IP 172.31.23.107.
Yes, I can ping the IP 172.16.3.15.
My PC is located off the BlueNet interface.
Regards
Mahesh
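As an added illustration (not code from this thread or from Cisco), the following script applies the check Jouni and Marius are walking through: it parses the `http`/`ssh` lines of the posted context config and tests whether a given management host, arriving on a given named interface, is permitted by them. The config excerpt is copied from the post above; the source IP 172.31.23.107 and interface BlueNet are the values Mahesh gave.

```python
import ipaddress
import re

# Management-access lines copied from the context config posted in this thread.
CONTEXT_CONFIG = """\
http server enable
http 172.17.99.0 255.255.255.0 BlueNet
http 172.31.23.0 255.255.255.0 BlueNet
http 172.16.10.220 255.255.255.255 BlueNet
ssh 172.17.99.0 255.255.255.0 BlueNet
ssh 172.31.23.0 255.255.255.0 BlueNet
ssh 172.16.3.5 255.255.255.255 BlueNet
ssh 172.16.0.232 255.255.255.255 BlueNet
"""

# ASA syntax: <service> <network> <netmask> <nameif>
RULE_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_mgmt_rules(config):
    """Return ({service: [(network, nameif), ...]}, http_server_enabled)."""
    rules = {"http": [], "ssh": [], "telnet": []}
    http_enabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            http_enabled = True
            continue
        m = RULE_RE.match(line)
        if m:
            svc, addr, mask, nameif = m.groups()
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules[svc].append((net, nameif))
    return rules, http_enabled


def mgmt_allowed(config, service, src_ip, nameif):
    """True if src_ip on interface nameif matches a rule for the service.

    For http (ASDM) the 'http server enable' line must also be present.
    """
    rules, http_enabled = parse_mgmt_rules(config)
    if service == "http" and not http_enabled:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and nameif == rule_if for net, rule_if in rules[service])


if __name__ == "__main__":
    for svc in ("http", "ssh"):
        print(svc, mgmt_allowed(CONTEXT_CONFIG, svc, "172.31.23.107", "BlueNet"))
```

For the posted config both checks return True, so the http ACL itself is not what blocks the direct ASDM login; the difference between the two sites has to be elsewhere.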