I'm thinking you're right but the dns name does resolve properly to the IP. I can SSH to it by context name that I setup a DNS entry for. I'm wondering if either the DNS name that I use has to match the hostname of the context (and if so what is the format i.e. ASANAME/contextname) or does there have to be a PTR record for some security purpose?

See output below.

Thanks,

JouniForss wrote:
Hi,
Well if the DNS resolves to the correct IP address then I would imagine its related to ASDM related settings on the whole ASA or under specific contexts
What do the following command output say
In System Context
show run asdm
no asdm history enable
In Security Context
show run http
http server enable
http server idle-timeout 15
http 10.0.0.0 255.0.0.0 Outside

show run ssh
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1

- Jouni

Hi,

There is one clear problem there.

You have not defined the ASDM image that the ASA would use in the devices System Context space.

So your ASA doesnt know what ASDM image to use.

You need to add

asdm image flash:/.bin

- Jouni

Or actually,

I am not 100% about the default settings. It might be that the ASA could use some ASDM image even without the configuration.

But probably better to define it.

Naturally confirm that you have an ASDM image on the flash

dir flash:

- Jouni

Yes the ASA will use the latest ASDM image in flash by default. To be clear, it works fine when I access each context directly by its IP. However, I would like to define a DNS entry that I could use instead.

TIA

Jason

Nope that doesn't work either. I have an A record and PTR record that both match the ASA hostname exactly. NSLOOKUP from the client that I'm running ASDM resolves it fwd and rev. It has to be an ASA setting.

Hi,

Do you already have the ASDM installed on your computer or are you attempting to connect to the Security Context to install/run it? If you have not yet installed it, are you sure you are using https instead of http?

Since your Security Context accepts SSH from any source address behind "outside" and the ASDM accepts from 10.0.0.0/8, are the connections coming from that network for sure?

The following command might also provide some information

show run all ssl

The following command should tell what ports the ASA is listening on

show asp table socket

- Jouni

I already have ASDM installed on my client and I'm am able to connect to each context on it's outside interface. I have created DNS entries using those outside IPs and it does not work. I would think that ASDM uses the client OS to resolve the name to IP but I guess not.

sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

pri/act/FOSASADC/admin# sh asp t

pri/act/FOSASADC/admin# sh asp table s

pri/act/FOSASADC/admin# sh asp table socket

Protocol  Socket    Local Address               Foreign Address         State

SSL       00c474af  10.128.4.4:443              0.0.0.0:*               LISTEN

TCP       03f5e0af  10.128.4.4:22               0.0.0.0:*               LISTEN

TCP       0555537f  10.128.4.4:23               0.0.0.0:*               LISTEN

TCP       13c52a88  10.128.4.4:22               10.120.64.167:19110     ESTAB

Hi,

Not sure what the problem is.

We have for example 4x ASA5585-X SSP20 units. All running Multiple Context mode. Each units "admin" Security Context has a connection to management network. That management networks interface IP address is defined on our internal DNS server and everything works just fine.

I am not not sure if I have been asking questions that you have already answered. I am a bit tired and reading a networking book for several hours so my brain hurts

Have you tried monitoring the logs through the SSH connection while you have attempted to log through the ASDM connection on the ASA?

Have you tried to use Wireshark on the local machine to determine what is happening ASDM connection to the ASA?

Have you considered running "debug http " on the ASA and see what the output produces while attempting logging in with ASDM?

Also, what exactly happens with the ASDM connection attempt using DNS name? Does it simply timeout or perhaps produce some actual error message?

- Jouni