08-21-2013 06:54 AM - edited 03-11-2019 07:28 PM
I am running an ASA5585 in multi-context mode and want to access each individual context directly with ASDM by a DNS name. I can SSH to the context with this name but not using ASDM.
08-21-2013 07:13 AM
Hi,
Well, if the DNS resolves to the correct IP address then I would imagine it's related to ASDM-related settings on the whole ASA or under specific contexts.
What do the following command outputs say?
In System Context
show run asdm
In Security Context
show run http
show run ssh
- Jouni
08-21-2013 09:46 AM
I'm thinking you're right, but the DNS name does resolve properly to the IP. I can SSH to it by the context name that I set up a DNS entry for. I'm wondering whether the DNS name that I use has to match the hostname of the context (and if so, what the format is, i.e. ASANAME/contextname) or whether there has to be a PTR record for some security purpose?
See output below.
Thanks,
JouniForss wrote:
Hi,
Well, if the DNS resolves to the correct IP address then I would imagine it's related to ASDM-related settings on the whole ASA or under specific contexts.
What do the following command outputs say?
In System Context
show run asdm
no asdm history enable
In Security Context
show run http
http server enable
http server idle-timeout 15
http 10.0.0.0 255.0.0.0 Outside
show run ssh
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
- Jouni
08-21-2013 09:52 AM
Hi,
There is one clear problem there.
You have not defined the ASDM image that the ASA would use in the device's System Context space.
So your ASA doesn't know what ASDM image to use.
You need to add
asdm image flash:/
- Jouni
08-21-2013 09:54 AM
Or actually,
I am not 100% sure about the default settings. It might be that the ASA could use some ASDM image even without the configuration.
But probably better to define it.
Naturally, confirm that you have an ASDM image on the flash:
dir flash:
- Jouni
08-21-2013 10:02 AM
Yes, the ASA will use the latest ASDM image in flash by default. To be clear, it works fine when I access each context directly by its IP. However, I would like to define a DNS entry that I could use instead.
TIA
Jason
08-21-2013 11:58 AM
What are you using for your internal DNS server? Make a PTR there.
Sent from Cisco Technical Support Android App
08-21-2013 12:21 PM
Nope, that doesn't work either. I have an A record and a PTR record that both match the ASA hostname exactly. NSLOOKUP from the client that I'm running ASDM on resolves it forward and reverse. It has to be an ASA setting.
08-21-2013 12:30 PM
Hi,
Do you already have the ASDM installed on your computer or are you attempting to connect to the Security Context to install/run it? If you have not yet installed it, are you sure you are using https instead of http?
Since your Security Context accepts SSH from any source address behind "outside" and the ASDM accepts from 10.0.0.0/8, are the connections coming from that network for sure?
The following command might also provide some information:
show run all ssl
The following command should tell what ports the ASA is listening on:
show asp table socket
- Jouni
08-21-2013 12:48 PM
I already have ASDM installed on my client and I am able to connect to each context on its outside interface. I have created DNS entries using those outside IPs and it does not work. I would think that ASDM uses the client OS to resolve the name to an IP, but I guess not.
sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
pri/act/FOSASADC/admin# sh asp t
pri/act/FOSASADC/admin# sh asp table s
pri/act/FOSASADC/admin# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 00c474af 10.128.4.4:443 0.0.0.0:* LISTEN
TCP 03f5e0af 10.128.4.4:22 0.0.0.0:* LISTEN
TCP 0555537f 10.128.4.4:23 0.0.0.0:* LISTEN
TCP 13c52a88 10.128.4.4:22 10.120.64.167:19110 ESTAB
08-21-2013 12:57 PM
Hi,
Not sure what the problem is.
We have, for example, 4x ASA5585-X SSP20 units, all running Multiple Context mode. Each unit's "admin" Security Context has a connection to the management network. That management network's interface IP address is defined on our internal DNS server and everything works just fine.
I am not sure if I have been asking questions that you have already answered. I am a bit tired and have been reading a networking book for several hours, so my brain hurts.
Have you tried monitoring the logs through the SSH connection while you have attempted to log in through the ASDM connection on the ASA?
Have you tried using Wireshark on the local machine to determine what is happening with the ASDM connection to the ASA?
Have you considered running "debug http
Also, what exactly happens with the ASDM connection attempt using the DNS name? Does it simply time out, or does it perhaps produce some actual error message?
- Jouni
08-21-2013 04:46 PM
I just created an A record for my ASA and could get to it via ASDM-Launcher with the format NAME:PORT
ASDM-Launcher does use whatever DNS source you have set up. Type in google.com and watch it try to contact a device until it times out.
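As an added example (not code from this thread, from Cisco, or from ASDM), the following Python script ties together the checks raised in the discussion: it splits an ASDM-Launcher target of the form NAME or NAME:PORT, resolves the name against a constructed name table standing in for the client's DNS, parses the "show run http" and "show asp table socket" output posted earlier, and reports which condition would stop an ASDM connection from a given client address and interface. The hostname asa-admin.example.net and the name table are assumptions made for the example; the addresses are the ones shown in the thread.

```python
import ipaddress

# Constructed sample outputs; their shape and addresses follow the
# context configuration and socket table posted earlier in this thread.
SHOW_RUN_HTTP = """\
http server enable
http server idle-timeout 15
http 10.0.0.0 255.0.0.0 Outside
"""

SHOW_ASP_TABLE_SOCKET = """\
Protocol Socket Local Address Foreign Address State
SSL 00c474af 10.128.4.4:443 0.0.0.0:* LISTEN
TCP 03f5e0af 10.128.4.4:22 0.0.0.0:* LISTEN
TCP 0555537f 10.128.4.4:23 0.0.0.0:* LISTEN
TCP 13c52a88 10.128.4.4:22 10.120.64.167:19110 ESTAB
"""

# Constructed stand-in for the client's DNS (hostname is an assumption):
# maps the A record created for a context to its outside interface address.
NAME_TABLE = {"asa-admin.example.net": "10.128.4.4"}


def parse_launcher_target(target, default_port=443):
    """Split an ASDM-Launcher target of the form NAME or NAME:PORT."""
    host, sep, port = target.rpartition(":")
    if not sep:
        return target, default_port
    return host, int(port)


def parse_http_acl(text):
    """Return (server_enabled, [(network, interface), ...]) from 'show run http'."""
    enabled = False
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["http", "server", "enable"]:
            enabled = True
        elif len(parts) == 4 and parts[0] == "http" and parts[1] != "server":
            # 'http <addr> <mask> <ifname>'; ipaddress accepts dotted netmasks
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append((net, parts[3]))
    return enabled, rules


def parse_listeners(text):
    """Return {(local_ip, port, protocol)} for LISTEN rows of 'show asp table socket'."""
    listeners = set()
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 5 and parts[4] == "LISTEN":
            ip, port = parts[2].rsplit(":", 1)
            listeners.add((ip, int(port), parts[0]))
    return listeners


def check_asdm_access(target, client_ip, client_interface,
                      http_text=SHOW_RUN_HTTP, socket_text=SHOW_ASP_TABLE_SOCKET,
                      names=NAME_TABLE):
    """List the reasons an ASDM connection to `target` from `client_ip` would fail.

    An empty list means name resolution, the http access line for the
    client's interface and the HTTPS listener in the context all check out.
    """
    findings = []
    host, port = parse_launcher_target(target)
    resolved = names.get(host)
    if resolved is None:
        findings.append(f"{host} does not resolve on the client")
        return findings

    enabled, rules = parse_http_acl(http_text)
    if not enabled:
        findings.append("'http server enable' is missing in this context")
    client = ipaddress.ip_address(client_ip)
    if not any(client in net and iface == client_interface for net, iface in rules):
        findings.append(f"{client_ip} on {client_interface} matches no 'http' line")

    if (resolved, port, "SSL") not in parse_listeners(socket_text):
        findings.append(f"no SSL listener on {resolved}:{port} in this context")
    return findings


if __name__ == "__main__":
    result = check_asdm_access("asa-admin.example.net:443", "10.120.64.167", "Outside")
    for line in result or ["all checks passed"]:
        print(line)
```

Run as-is, the client from the thread's established SSH session (10.120.64.167, via the Outside interface) passes every check against the posted configuration; change the client address to one outside 10.0.0.0/8, or the port to one without an SSL listener, and the script names the specific line or listener that is missing.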