
Connecting to ASA 5520 using CCP

Islam Nadim
Level 1

Hello All,

I'm using the Cisco ASA 5520 on GNS3 .. Everything is working fine, except for one thing. The CCP .. I tried the CCP with a router and it worked, but it can't see the firewall.

I have already enabled the HTTP server using "http server enable" and created an account using "username admin privilege 15 password admin". I also enabled SSH and Telnet on the ASA:

"ssh 0 0 INSIDE"

"telnet 0 0 INSIDE"

When I use the CMD to telnet to the ASA, it works just fine .. Also, when I connected a router to the ASA I could SSH to it, as well as using PuTTY ...

Is there a way to troubleshoot? Or even a document that illustrates how to configure the ASA for CCP? Better a document for configuring the ASA from scratch

Thanks in Advance.

8 Replies

@Marcin: Thanks for your reply.

I beg to differ .. While I was studying the CCNA Security, the guy from CBT Nuggets used the CCP with the ASA .. Also, in the exam, you use the CCP to configure/retrieve info from ASA

Islam,

I just had a look at the release notes, it could be a documentation bug (obviously). As it stands now in the release notes, it is not supported ;-)

There are three major components to allow administration via HTTP(S)/SSH on ASA:

- ACL

- Enabling service (for HTTP) and/or generating corresponding RSA keys

- AAA statements (as required) and users.

All of those are subject to different debugging methodology.

M.

Thanks for the reply,

- I believe ACL would be required if connection is to pass through the ASA, not to the ASA.

- Enabling service and generating RSA keys, already done.

- AAA Statements and users, well I created a user account in the local database .. This is acceptable for the ASA to work .. I'm able to use the account to connect to the ASA via SSH and Telnet

Correct me if I'm wrong.

HTTP/SSH/Telnet statements are also ACLs :-)

That being said, what's going on at the moment? Are you able to use ASDM to manage the device via HTTP?

Are you able to SSH into the box?

M.

- Can you give example for HTTP/SSH/Telnet ACL?

- When I use CCP, I get 2 different messages, the first is the device is not reachable (that is when I use HTTP) .. The second, the HTTP Service is disabled (that is when I use HTTPS)

- I can SSH normally to the box as I stated earlier .. I enabled SSH and Telnet on the box using INSIDE interface that has security-level 100 .. and tested from a different device .. SSH working fine .. Tried Telnet from Windows CMD, also worked fine ..

I really can't figure out where is the fault!! I also searched for documents for configuring the ASA 5520 but failed to find such documents

This is ACL:

"ssh 0 0 INSIDE"

"telnet 0 0 INSIDE"

You might not see it as such, but if you dig through ASP you will see ;-)

5520 config has nothing specific, any ASA config guide/example will work (at least for this part)

And is the HTTPS service disabled? Are you able to telnet on port 443 to the ASA? Are you able to point your browser to 443? What are the results of both?

Are you able to use ASDM? We want to isolate the problem :-)

You can also turn on "debug http" to see http service debugging.

M.
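
An added example, not part of any post in this thread: a small Python check of the pieces the replies above list for management access (the per-service access statements, the enabled HTTP server, and a local user). The sample config is constructed from the commands the original poster quotes; the `http <network> <mask> <interface>` form it looks for is standard ASA syntax that does not appear on the page, and `audit_mgmt_access` is a hypothetical helper name.

```python
import re

# Constructed sample: only the commands the original poster quotes, not a real device config.
SAMPLE_CONFIG = """\
http server enable
username admin password admin privilege 15
ssh 0 0 INSIDE
telnet 0 0 INSIDE
"""

# "<service> <network> <mask> <interface>"; IPv4 forms only (assumption for this sketch).
ACCESS_RE = re.compile(r"^(http|ssh|telnet)\s+([\d.]+)\s+([\d.]+)\s+(\S+)$")
ANY = {"0", "0.0.0.0"}  # "0 0" is shorthand for 0.0.0.0 0.0.0.0


def audit_mgmt_access(config):
    """Return {service: {"allowed": [(net, mask, ifc)], "findings": [str]}}."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    report = {s: {"allowed": [], "findings": []} for s in ("http", "ssh", "telnet")}
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # e.g. "http server enable", "ssh timeout 5"
        svc, net, mask, ifc = m.groups()
        report[svc]["allowed"].append((net, mask, ifc))
        if net in ANY and mask in ANY:
            report[svc]["findings"].append(f"any source address permitted on {ifc}")
    http_on = any(line.startswith("http server enable") for line in lines)
    if http_on and not report["http"]["allowed"]:
        report["http"]["findings"].append("server enabled but no client network permitted")
    if report["http"]["allowed"] and not http_on:
        report["http"]["findings"].append("client network permitted but server not enabled")
    if report["telnet"]["allowed"]:
        report["telnet"]["findings"].append("cleartext management protocol permitted")
    if not any(line.startswith("username ") for line in lines):
        for svc in report:
            report[svc]["findings"].append("no local username (check AAA)")
    return report


if __name__ == "__main__":
    for svc, result in audit_mgmt_access(SAMPLE_CONFIG).items():
        print(svc, result["allowed"], result["findings"])
```
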

Todd_Adams
Level 1

According to the CCNA Security Cert Guide from Cisco Press (which is open in front of me) the ASA does not support the use of CCP.
