08-08-2012 10:02 AM - edited 03-11-2019 04:39 PM
hi,
cannot access cisco asa5510 asdm nor ssh through anyconnect vpn, attached is the current configuration. user authenticates aaa locally and has admin service-type. When vpn session is established, it lets me go through the certificate warning and when trying to install the asdm launcher it's failing. ssh access is enabled but not working. i can access both asdm and ssh from the inside network, and from a pc on that network. thanks,
08-08-2012 10:09 AM
Doesn't seem like the configuration got attached. Can you try to attach the config again, please?
08-08-2012 10:31 AM
ASA Version 8.2(5)
!
interface Ethernet0/0
description CONNECTION TO THE OUTSIDE INTERNET
speed 100
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside1
security-level 50
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/2
description CONNECTION TO DMZ
nameif DMZ
security-level 50
ip address 10.10.10.3 255.255.255.0
!
!
interface Management0/0
nameif management
security-level 50
ip address 192.168.3.3 255.255.255.0
management-only
!
no ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list INSIDE1_IN extended permit ip any any log debugging
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 10.10.10.0 255.255.255.0
access-list splittunnel standard permit 192.168.3.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-list MANAGEMENT_IN extended permit ip any any log debugging
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list no_nat extended permit ip 10.10.10.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list no_nat extended permit ip 192.168.3.0 255.255.255.0 192.168.25.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside1 1500
mtu DMZ 1500
mtu management 1500
mtu inside3 1500
ip local pool SSLClientPool 192.168.25.10-192.168.25.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 192.168.25.0 255.255.255.0
nat (inside1) 0 access-list no_nat
nat (inside1) 1 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list no_nat
nat (DMZ) 1 10.10.10.0 255.255.255.0
nat (management) 0 access-list no_nat
nat (management) 1 192.168.3.0 255.255.255.0
static (DMZ,outside) 68.106.158.119 10.10.10.5 netmask 255.255.255.255
static (DMZ,outside) 68.106.158.120 10.10.10.6 netmask 255.255.255.255
static (DMZ,outside) 68.106.158.121 10.10.10.21 netmask 255.255.255.255
static (inside1,outside) 68.106.158.122 192.168.1.21 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group INSIDE1_IN in interface inside1
access-group DMZ_IN in interface DMZ
access-group MANAGEMENT_IN in interface management
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable 444
http 192.168.3.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside1
snmp-server host DMZ 10.10.10.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside1
ssh 10.10.10.0 255.255.255.0 DMZ
ssh 192.168.3.0 255.255.255.0 management
ssh timeout 30
console timeout 0
management-access inside1
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value xxx.xxx.xxx.xxx
vpn-tunnel-protocol svc
default-domain value tsweb.local
address-pools value SSLClientPool
webvpn
svc ask none default svc
username admin password aTRwBojHrKxlOY88 encrypted privilege 15
username vpnadmin password 6DoIRMQXxz2uubL0 encrypted
username vpnadmin attributes
service-type admin
username vpn password T5s4rdsVFz46lQ5L encrypted
username vpn attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool SSLClientPool
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection-default
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
08-08-2012 10:36 AM
You would need to add the following:
ssh 192.168.25.0 255.255.255.0 inside1
http 192.168.25.0 255.255.255.0 inside1
Then you should be able to ssh and asdm to 192.168.1.3 from AnyConnect.
08-08-2012 10:51 AM
I could download the ASDM and install it from 192.168.1.3 but still cannot launch it with 192.168.1.3 (neither ip) and cannot ssh into the unit :-(
08-08-2012 10:59 AM
Does it fail authentication, or you can't even establish connection to it?
Can you telnet on port 22 or 444 using command prompt to the inside interface ip from AnyConnect?
If you use the username: admin to connect, does it work?
08-08-2012 11:21 AM
yes, i can telnet to port 444, not 22, from the inside1. On the ASDM launcher: 'unable to launch device manager from 192.168.1.3', tried both admin and vpnadmin users.
08-08-2012 12:14 PM
i am browsing the cisco documentation and found this document: http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_management.pdf
From the Configuration > Device Management > Management Access > Management Interface pane,
choose the interface with the highest security (the inside interface) from the Management Access Interface
drop-down list. I changed the security level on the management interface to higher and management-access to management. Now I am able to log in with ssh. My inside interfaces were set with the same priority; maybe that could've caused an exception?
ASDM was still failing until I looked at Wireshark: I am sending requests to the management interface through port 443. I changed the http server on the asa from 444 to 443. Now that is working. Phew....
thank you for your support.
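As an added check, not part of this thread or of any Cisco tooling: a Python script that reads the management-plane statements out of an ASA 8.2 running-config dump (a constructed excerpt of the one posted above) and reports the two gaps this thread hit, the AnyConnect pool missing from the `ssh`/`http` statements on the `management-access` interface, and the HTTP server listening on a port other than the 443 the ASDM launcher was observed using. The regexes and the audit rules are my own assumptions based on the 8.2 syntax shown on the page; this is not a general ASA config parser.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 configuration posted above, trimmed to the
# statements this check reads.
SAMPLE_CONFIG = """\
ip local pool SSLClientPool 192.168.25.10-192.168.25.50 mask 255.255.255.0
http server enable 444
http 192.168.3.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside1
ssh 192.168.1.0 255.255.255.0 inside1
ssh 10.10.10.0 255.255.255.0 DMZ
ssh 192.168.3.0 255.255.255.0 management
ssh timeout 30
management-access inside1
"""

# The same excerpt with the fixes from the thread applied: permit the VPN pool on
# the management-access interface and move the HTTP server back to 443.
FIXED_CONFIG = SAMPLE_CONFIG.replace("http server enable 444", "http server enable 443") + (
    "ssh 192.168.25.0 255.255.255.0 inside1\n"
    "http 192.168.25.0 255.255.255.0 inside1\n"
)

# Assumed patterns for the 8.2-era statements seen on the page.
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")
HTTP_SERVER_RE = re.compile(r"http server enable(?: (\d+))?$")
ACCESS_RE = re.compile(r"(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
MGMT_RE = re.compile(r"management-access (\S+)$")


def parse_config(text):
    """Pull the management-plane statements out of a running-config dump."""
    cfg = {"pools": [], "ssh": [], "http": [], "http_port": 443, "management_access": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            cfg["pools"].append(
                (m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            )
        elif m := HTTP_SERVER_RE.match(line):
            cfg["http_port"] = int(m.group(1) or 443)  # ASA default port is 443
        elif m := ACCESS_RE.match(line):
            # "ssh <net> <mask> <ifname>" / "http <net> <mask> <ifname>"
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cfg[m.group(1)].append((net, m.group(4)))
        elif m := MGMT_RE.match(line):
            cfg["management_access"] = m.group(1)
    return cfg


def pool_permitted(first, last, entries, ifname):
    """True if every address in first..last is covered by an entry bound to ifname."""
    nets = [net for net, i in entries if i == ifname]
    return all(
        any(ipaddress.ip_address(n) in net for net in nets)
        for n in range(int(first), int(last) + 1)
    )


def audit(text):
    """Return the findings that explain why VPN clients cannot manage the box."""
    cfg = parse_config(text)
    findings = []
    iface = cfg["management_access"]
    if iface is None:
        findings.append("no management-access interface configured")
        return findings
    for name, first, last in cfg["pools"]:
        for proto in ("ssh", "http"):
            if not pool_permitted(first, last, cfg[proto], iface):
                findings.append(f"{proto}: pool {name} ({first}-{last}) not permitted on {iface}")
    if cfg["http_port"] != 443:
        findings.append(f"http server listens on {cfg['http_port']}; the ASDM launcher connected on 443")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_CONFIG), ("after fixes", FIXED_CONFIG)):
        print(f"{label}: {audit(text) or ['no findings']}")
```

Run it against the posted excerpt and it lists the missing `ssh` and `http` permits for 192.168.25.0/24 on inside1 plus the non-default HTTP port; against the fixed excerpt it reports nothing. The range walk in `pool_permitted` is deliberate: a pool can be covered by several smaller statements, so checking only the first and last address would miss a hole in the middle.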
08-09-2012 05:43 AM
Ahhh, that's why I asked you to test telnet to port 444, because it is configured to accept connections on port 444.
Glad to hear all is working fine now.
08-09-2012 09:09 AM
thanks again...