06-11-2009 08:50 AM - edited 03-10-2019 04:39 AM
I have the management address of 192.168.1.1 on my asa5510 and an address of 192.168.1.2 on the ssm-10.
Both the management of the ASA and the SSM-10 are plugged into my switch. I can access the ASDM and manage my ASA but cannot access the SSM-10 from the ASDM. I clicked on configure, then IPS and put in the 192.168.1.2 address for my IPS and a popup box comes up stating an error connecting to the device.
Any help would be greatly appreciated.
06-11-2009 10:48 AM
Is your ASDM on the same 192.168.1.0 network?
If not, then have the routes been properly setup to connect between the ASDM machine and the SSM?
Presumably the ASA will be the SSM's default router, was this configured in the SSM's default router configuration?
By default the management interface of the ASA will Not route packets, so you will need some configuration modifications on the ASA to route through the management interface.
Has the ASA configuration been setup to allow the ASDM connection in through the firewall to the SSM? Access-lists or NAT rules may be needed to allow the connection.
Has the ASDM machine's IP Address been added into the SSM's access-list as an allowed ip address?
You may also want to try an SSH to the SSM's IP, and an HTTPS connection directly to the SSM. If HTTPS works, then ASDM should be able to connect.
You might also try running "show version" on the SSM's CLI and ensure that both mainApp and Analysis Engine are "Running".
06-11-2009 11:25 AM
Not sure how to even respond, I am by no means a firewall guru.
There are no static routes from the management port of the firewall to the SSM. I guess that needs to happen.
Can I connect directly to the ssm-10 via ethernet to the management port and open up the asdm to manage the IPS?
06-11-2009 11:32 AM
1) Connect your PC to the same switch and vlan as the management ports of both the ASA and SSM
2) Give it an IP address in the same subnet as the ASA and SSM
3) From the ASA CLI session to the SSM, and run setup to add your PC's IP address into the SSM's access-list
Then you should be able to run ASDM and connect to the SSM for the IPS screens.
To connect to the SSM from any other network will require proper configuration of routing in the ASA, and possible NAT/PAT and/or access-lists in order to allow through a connection to the SSM.
Similar to allowing through an external HTTPS connection to a web server in your DMZ.
06-11-2009 12:56 PM
Ok,
I connected to the ssm via the CLI and sessioned in using session 1.
I added my address of 192.168.1.4/32 to the access list.
I am now getting the following error:
through the device packet to/from management-only network is denied tcp:src management:192.168.1.4/2453 dst 192.168.1.6/443
I did read something about a Security Plus license as opposed to a base license. The base license will not allow traffic through the management device.
Shouldn't I be able to open the ASDM with the 192.168.1.6 address of the SSM-10?
06-11-2009 01:10 PM
What is the address of your SSM?
Is it 192.168.1.2 as in your original post, or 192.168.1.6?
Is this message coming from the ASA console? Or from something else?
If your ASDM machine is on the same vlan and subnet as the SSM, then the connection to the SSM should not be going to the ASA. The ASDM will connect to the ASA for the firewall configuration and control, but when going to the IPS screens it should be directly connecting to the IPS SSM's external command and control IP and should not be getting to the ASA at all.
Can you try opening a browser on your ASDM machine and connecting to your sensor with https://192.168.1.6 (or .2, whichever is your SSM address), and then click the button to start IDM.
If IDM starts up, then ASDM should work as well. If IDM won't start up, then there may be something wrong in your wiring or configuration.
06-12-2009 05:08 AM
The 192.168.1.2 is the ASA management address, the 192.168.1.6 is the IPS management address. Both management ports and my computer are connected to the same switch.
I sessioned into the IDS from the CLI and added my computer's address of 192.168.1.4 to the access list of the IPS.
I tried to open a web browser and attempted to connect to http://192.168.1.6 and nothing happens.
The message I was referring to was coming from the ASDM when connected to the ASA.
Going to try and restart from scratch to see if I missed anything.
I did run show version and the 2 things you mentioned are showing "running".
V/R
06-12-2009 07:03 AM
Got it!
DOH!
I had a route on my laptop
192.168.1.6 255.255.255.255 192.168.1.1
When attempting to connect, the data would go to the firewall management port and attempt to then connect to the SSM-10 at 192.168.1.6.
I deleted the route and Shazzam, a connection via https.
Thanks for all your help.
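The root cause in this thread is a longest-prefix-match problem: a /32 host route on the laptop beat the connected /24, so traffic for the on-link SSM was handed to the ASA's management-only interface, which dropped it. The following is an added example, not code from the thread or from Cisco: it resolves a destination against a constructed routing table modelled on the poster's laptop (the prefixes, the 192.168.1.1 gateway and the default route are assumed) and flags exactly this "on-link host diverted via a gateway" condition before and after the stray route is removed.

```python
import ipaddress

# Constructed routing table modelled on the laptop in the thread (assumption):
# a connected /24, the stray /32 host route that pushed SSM traffic through
# the ASA management interface, and a default route.  gateway None = on-link.
LAPTOP_ROUTES = [
    ("192.168.1.0/24", None),
    ("192.168.1.6/32", "192.168.1.1"),
    ("0.0.0.0/0", "192.168.1.1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, gateway) chosen for dst."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return (str(best_net), best_gw) if best_net is not None else (None, None)


def diverted_on_link(routes, dst):
    """True when dst sits inside a connected (on-link) network but a more
    specific route sends it through a gateway anyway: the thread's failure mode,
    where a management-only ASA interface then denies the through traffic."""
    _, gw = lookup(routes, dst)
    if gw is None:
        return False  # delivered directly on the LAN, as intended
    dst_ip = ipaddress.ip_address(dst)
    return any(g is None and dst_ip in ipaddress.ip_network(p) for p, g in routes)


def without_route(routes, bad_prefix):
    """Return the table with the offending route removed (what the poster did)."""
    return [(p, g) for p, g in routes if p != bad_prefix]


if __name__ == "__main__":
    for table, label in ((LAPTOP_ROUTES, "before"),
                         (without_route(LAPTOP_ROUTES, "192.168.1.6/32"), "after")):
        prefix, gw = lookup(table, "192.168.1.6")
        print(f"{label}: 192.168.1.6 via {prefix} gw={gw} "
              f"diverted={diverted_on_link(table, '192.168.1.6')}")
```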