connecting asdm to asa over remote vpn

fercho2203
Level 1

People,

I have two ASA5510 with a peer to peer VPN configuration which is working pretty well.

I'm trying to connect to my remote ASA (ASA2) with ASDM on my PC through the VPN on the local ASA (ASA1)

I already connected the ASDM to ASA1 through the inside interface but I can't connect to the ASA2 the same way (over the VPN).

When I ping the ASA2 inside interface from my computer, I get the following events:

ASA1:

192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built outbound icmp connection

192.168.2.1(ASA2 inside interface)  |   0    |   192.168.1.36  |   512  |  Teardown icmp connection

ASA2

192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built local-host Corporativo(outside):192.168.1.36

192.168.2.1(ASA2 inside interface)  |   0    |   192.168.1.36  |   512  |  Built local-host identity:192.168.2.1

192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Built inbound icmp connection

192.168.1.36(My PC)                     |  512  |   192.168.2.1    |    0    |  Teardown icmp connection

This is my config in ASA2

Please Help!!!!!

Regards,

Fernando.

ASA Version 8.0(5)
!
hostname ciscosnq
domain-name chaco.com.bo
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 SNQ-Server
name 192.168.1.21 Srvplxa
name 10.30.30.30 e-Server
name 192.168.1.0 Experion-network
dns-guard
!
interface Ethernet0/0
nameif Corporativo
security-level 0
ip address 10.64.12.6 255.255.0.0
!
interface Ethernet0/1
nameif ExP_LS
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.2 255.255.255.0
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name chaco.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host e-Server
network-object Experion-network 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host e-Server
network-object Experion-network 255.255.255.0
access-list Corporativo_access_in extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list ExP_LS_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0
access-list ExP_LS_access_in extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list ExP_LS_access_in extended permit ip host SNQ-Server host 192.168.2.1
access-list ExP_LS_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu Corporativo 1500
mtu ExP_LS 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (ExP_LS) 0 access-list ExP_LS_nat0_outbound
access-group Corporativo_access_in in interface Corporativo
access-group ExP_LS_access_in in interface ExP_LS
route Corporativo 0.0.0.0 0.0.0.0 10.64.12.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.1.36 255.255.255.255 ExP_LS
http 192.168.2.0 255.255.255.0 ExP_LS
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ExP_LS_map 1 match address ExP_LS_1_cryptomap
crypto map ExP_LS_map 1 set pfs group1
crypto map ExP_LS_map 1 set peer 10.64.12.5
crypto map ExP_LS_map 1 set transform-set ESP-DES-SHA
crypto map ExP_LS_map interface ExP_LS
crypto isakmp enable Corporativo
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access ExP_LS
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.64.12.5 type ipsec-l2l
tunnel-group 10.64.12.5 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1fb48675183375eaf4b86e0e229fefec
: end

Accepted Solution

Somanna M.P
Cisco Employee

Hi Fernando,

When we try to access the ASDM on the inside interface of the ASA through an IPSEC tunnel (if the tunnel is terminating on any interface other than inside) you need to add the following commands:

ASA(config)# management-access inside

ASA(config)# http server enable

ASA(config)# http <source-subnet> <mask> inside

Since we are trying to access the ASDM through VPN we cannot access it on the outside interface(or where the IPSEC tunnel is terminating).

Do let me know how it goes.

Hope this helps .

Regards,

Som

P.S. Please mark this post as resolved if it has answered your question. Do rate the helpful posts. Cheers.


9 Replies

Som,

That's too bad for me.

The only port I have left is the management port then.

Could you please help me out with the commands to do this?

Thanx,

Fernando.

That's ok Fernando, you just need to enter the following commands:

ASA(config)# management-access management          //management is the name of the interface.

ASA(config)# http 10.10.10.0 255.255.255.0 management

ASA(config)# http server enable

* Assuming that the subnet you want to allow access to the ASDM is 10.10.10.0/24.

Do let me know if you have further queries on this.

Regards,

Som

Som,

I have the management interface on management only

management access management

http 192.168.1.0 255.255.255.0 management (subnet from ASA1)

http server enable

But I don't even get a response when I try to ping.

Fernando.

I can see the ping coming through the VPN because I get the following syslog messages but apparently I don't get a response.

192.168.1.21     512     192.168.3.1     0     Built inbound icmp connection

192.168.1.21     512     192.168.3.1     0     Teardown icmp connection

I am posting for you the latest config, maybe I am missing some NAT or something. I am pretty new at configuring routers.

ASA Version 8.0(5)
!
hostname ciscosnq
domain-name chaco.com.bo
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 SNQ-Server
name 192.168.1.21 Srvplxa
name 10.30.30.30 e-Server
name 192.168.1.0 Experion-network
dns-guard
!
interface Ethernet0/0
nameif Corporativo
security-level 0
ip address 10.64.12.6 255.255.0.0
!
interface Ethernet0/1
nameif ExP_LS
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.3.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone BOT -4
dns server-group DefaultDNS
domain-name chaco.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host e-Server
network-object Experion-network 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host e-Server
network-object Experion-network 255.255.255.0
access-list Corporativo_access_in extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list ExP_LS_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0
access-list ExP_LS_access_in extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list ExP_LS_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm debugging
mtu Corporativo 1500
mtu ExP_LS 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (ExP_LS) 0 access-list ExP_LS_nat0_outbound
access-group Corporativo_access_in in interface Corporativo
access-group ExP_LS_access_in in interface ExP_LS
route Corporativo 0.0.0.0 0.0.0.0 10.64.12.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 management
http Experion-network 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ExP_LS_map 1 match address ExP_LS_1_cryptomap
crypto map ExP_LS_map 1 set pfs group1
crypto map ExP_LS_map 1 set peer 10.64.12.5
crypto map ExP_LS_map 1 set transform-set ESP-DES-SHA
crypto map ExP_LS_map interface ExP_LS
crypto isakmp enable Corporativo
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.64.12.5 type ipsec-l2l
tunnel-group 10.64.12.5 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0120a02eec9f71503a084574da68c037
: end

Fernando,

Do add the command "fixup protocol icmp" which enables ICMP inspection on the ASA, and then try to ping the interface. What exactly happens when you try to access the ASDM on the management interface?

fercho2203
Level 1

If I connect physically with my PC to the management port on ASA2 it opens the ASDM correctly; I even get the ping response.

The problem is when I try to find the management interface through the VPN. I don't get any response.

On both ASAs (ASA1 and ASA2) I get the "ICMP connection" and then the "Teardown ICMP connection".

Even on debugging events I don't see any other message.

It seems like the ping doesn't reach the management interface.

Fernando.

Fernando,

The issue here is that the management interface subnet is not included in the crypto access-list as well as the nat exempt access-list. You need to change the crypto access-list and nat-exempt access-list on both the ASAs. You need to change it like:

access-list ExP_LS_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0

access-list ExP_LS_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 Experion-network 255.255.255.0

and on the NAT exempt access-list:

access-list ExP_LS_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0

access-list ExP_LS_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 Experion-network 255.255.255.0

Please let me know if this helps.

Regards,
Som
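An added check for the two requirements raised in this thread, written for this page rather than taken from it: the accepted answer's management-access plus http rule on the interface being reached, and the crypto map and NAT-exempt access-lists above having to carry the management subnet. The config excerpt is a constructed subset of the posted ASA2 config, and the function names (parse, asdm_over_vpn_gaps) and the plain-ACL-only parsing are my assumptions.

```python
import ipaddress
# Constructed excerpt modelled on the ASA2 config posted in this thread; not the poster's full config.
ASA_CONFIG = """\
name 192.168.1.0 Experion-network
nameif ExP_LS
ip address 192.168.2.1 255.255.255.0
nameif management
ip address 192.168.3.1 255.255.255.0
access-list ExP_LS_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0
access-list ExP_LS_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Experion-network 255.255.255.0
nat (ExP_LS) 0 access-list ExP_LS_nat0_outbound
crypto map ExP_LS_map 1 match address ExP_LS_1_cryptomap
http Experion-network 255.255.255.0 management
management-access management
"""

def _net(addr, mask, names):  # ASA 'addr mask' pair -> network, resolving 'name' aliases
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def parse(cfg):  # gather the config pieces that decide ASDM reachability through the L2L tunnel
    names, ifaces, acls, http, refs, cur = {}, {}, {}, [], {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[cur] = _net(t[2], t[3], names)
        elif t[0] == "access-list" and len(t) == 9 and "host" not in t:  # plain 'permit ip SRC SM DST DM' only
            acls.setdefault(t[1], []).append((_net(t[5], t[6], names), _net(t[7], t[8], names)))
        elif t[0] == "http" and len(t) == 4:
            http.append((_net(t[1], t[2], names), t[3]))
        elif t[0] == "management-access":
            refs["mgmt_access"] = t[1]
        elif (t[:2] == ["crypto", "map"] and "address" in t) or (t[0] == "nat" and t[2] == "0"):
            refs["crypto_acl" if t[0] == "crypto" else "nat0_acl"] = t[-1]  # ACLs referenced by name
    return ifaces, acls, http, refs

def asdm_over_vpn_gaps(cfg, target_if, remote_subnet):
    """List what still blocks a host in remote_subnet from reaching ASDM on target_if ([] means nothing)."""
    remote, (ifaces, acls, http, refs) = ipaddress.ip_network(remote_subnet), parse(cfg)
    local, gaps = ifaces[target_if], []
    if refs.get("mgmt_access") != target_if:
        gaps.append(f"management-access is {refs.get('mgmt_access')}, not {target_if}")
    if not any(i == target_if and remote.subnet_of(n) for n, i in http):
        gaps.append(f"no http rule admits {remote} on {target_if}")
    for key in ("crypto_acl", "nat0_acl"):  # both ACLs must carry the interface subnet <-> remote subnet pair
        if not any(local.subnet_of(s) and remote.subnet_of(d) for s, d in acls.get(refs.get(key), [])):
            gaps.append(f"{refs.get(key)} ({key}) lacks {local} -> {remote}")
    return gaps
```

Run against the excerpt for the management interface and the ASA1 LAN, it reports only the two missing 192.168.3.0/24 entries; append the two access-list lines suggested above and it reports nothing.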

Som,

I got the same result trying to ping the inside interface and now trying to ping the management interface.

Don't get any response from the ASA.

After a lot of checking the configuration, I understand now that the VPN is being created on the outside interface, so I should be able to connect to the inside or management interface.

I get the reply when I ping a computer on 192.168.2.10.

But I don't get any reply when I ping the inside interface 192.168.2.1.

Fernando.
