ASDM for Remote ASA

Mady
Level 4

Hi Team,

Greetings!

We have our head office and branch connected via site-to-site VPN. We don't have a network admin on the branch office, so we need to manage the ASA from our head office. For now we can access the branch ASA by its outside IP, but if we use the inside IP of the ASA we cannot access it via ASDM. Is there any command we need to add for us to access the ASA? Thank you very much.

Network Admin PC---HO ----VPN site to site---outside(ASA) inside

Thanks in advance!

Regards,

Mady

7 Replies

Dina Odeh
Level 1

Hi Mady, 

Yes, you need to enable the "management-access <interface_name>" command on the branch office.

Check also the NAT and crypto ACL for that. I mean the ASA inside IP should be added in the crypto ACL; if there is a NAT, then the NATted IP should be added there.

Hi Dina,

Thanks for your reply. The "management-access <interface_name>" command was already configured on the branch, and the IP of the network admin was already included in the network that is allowed to flow on the site-to-site. Regarding adding the ASA inside IP, do we need to add the specific IP of the inside interface even though it is included in the allowed network?

Thanks in advance for your help. :)

Regards,

Mady

Yes, you need to add the inside IP address of the branch ASA.

If you have a NAT for the ASA inside IP subnet, then you need to put the NATted IP.

Check also the HTTP allowed subnet configuration :)

The only NAT we have is the "no nat" for the interesting network. So we just need to add the specific IP of the branch ASA inside interface to the crypto ACL. Can you elaborate more on the "HTTP allowed subnet configuration"?

Thanks!:)

Yes, you need to put the ASA inside IP in the crypto ACL.

"sh run http" will show you what I mean :) 

I really appreciate your quick response. :)

Is this correct? :) Will I add this on both HO and branch office? Do I need to include this also in nonat?

(172.18.124.102/24)Network Admin----HO-ASA---Site to site VPN----Branch-ASA(Inside:192.168.10.1/24)

access-list outside_cryptomap extended permit ip host 192.168.10.1 172.18.124.0 255.255.255.0

Our sh run is just:

http server enable
http 0.0.0.0 0.0.0.0 inside

And do I also need to have an ACL for the network admin?

Hi Mady,

On the branch ASA, you need to have the following:

1- Permit ip from 192.168.10.1 to 172.18.124.102 in the crypto map ACL.

2- Add the same traffic to the NAT exempt.

On the HQ ASA, you need:

1- Permit ip from 172.18.124.102 to 192.168.10.1 in the crypto map ACL.

2- Add the same traffic to the NAT exempt.
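Putting the checklist from this thread together, here is an added example (not posted by anyone in the thread) of the relevant lines on both ASAs, using the addresses from the diagram above; the object names, the ACL name on the HQ side, and the 8.3+ twice-NAT syntax for the exemption are assumptions, so adapt them to your own config (pre-8.3 boxes use the "nat (inside) 0 access-list" form instead).

```cisco
! ===== Branch ASA (inside 192.168.10.1/24) =====
! Let traffic arriving through the VPN reach the inside interface IP
management-access inside
! Restrict ASDM/HTTPS to the admin host only (0.0.0.0 0.0.0.0 allows any inside source)
http server enable
http 172.18.124.102 255.255.255.255 inside
! Interesting traffic: ASA inside IP <-> admin host (keep the existing LAN-to-LAN line too)
access-list outside_cryptomap extended permit ip host 192.168.10.1 host 172.18.124.102
! NAT exemption for the same pair (object names are assumed, not from the thread)
object network BRANCH-ASA-INSIDE
 host 192.168.10.1
object network HQ-ADMIN
 host 172.18.124.102
nat (inside,outside) source static BRANCH-ASA-INSIDE BRANCH-ASA-INSIDE destination static HQ-ADMIN HQ-ADMIN no-proxy-arp route-lookup

! ===== HQ ASA (admin host 172.18.124.102/24 behind inside) =====
! Mirror entry: admin host <-> branch ASA inside IP (ACL name assumed)
access-list outside_cryptomap extended permit ip host 172.18.124.102 host 192.168.10.1
object network HQ-ADMIN
 host 172.18.124.102
object network BRANCH-ASA-INSIDE
 host 192.168.10.1
nat (inside,outside) source static HQ-ADMIN HQ-ADMIN destination static BRANCH-ASA-INSIDE BRANCH-ASA-INSIDE no-proxy-arp route-lookup
```

After applying, "show run http" and "show run management-access" on the branch confirm the two lines Dina referred to, and "show crypto ipsec sa" should show a new SA for the host pair once ASDM is opened against 192.168.10.1.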