Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

remote access for a ASA 5510???

Status
Not open for further replies.
eiregobragh

eiregobragh

Technical User
Joined
Oct 15, 2008
Messages
75
Location
IE
Guys,
on site at the moment and trying to set up remote access for my newly installed 5510 ASA. Problem is I can't ping my outside public IP address from the internet eventhough I've allowed ICMP.

My goal is to have remote access to the ASA via the internet so I don't have to come back to the data centre.

Any tips? Am I missing something basic?

Thanks a MILLION

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Sort by date Sort by votes
can you post your current config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Here you go:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ASA001
domain-name celerity.com
enable password V0RU7zDAC6ofTFw3 encrypted
passwd V0RU7zDAC6ofTFw3 encrypted
names
!
interface Ethernet0/0
nameif failover
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.200 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 84.51.225.9 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec Celerity Cisco ASA 5510
banner login Celerity Cisco ASA 5510
banner motd Celerity Cisco ASA 5510
banner asdm Celerity Cisco ASA 5510
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name celerity.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu failover 1500
mtu outside 1500
no failover
failover lan unit primary
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
!
router rip
passive-interface inside
passive-interface outside
passive-interface management
version 2
!
route outside 0.0.0.0 0.0.0.0 84.51.225.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 management
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.3-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username paulkil password bltvC6XEsTM4t.Hn encrypted privilege 15
username tommonks password 4jeyc0Y7wDv6nia2 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a7d87492994abf1b8ebfdbd6e6263541
: end

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Upvote 0 Downvote
what kind of remote access are you looking for; ipsec, ssl, or simply passthrough of RDP/VNC to a host on the inside??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
I just want to be able to telnet, ssh, https to the Device so I can configure it remotely.

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Upvote 0 Downvote
just so you know, this is a security risk

add the following:
Code: 
ASA(config)# ssh <management_ip> 255.255.255.255 outside
ASA(config)# http <management_ip> 255.255.255.255 outside
i would disable any and all telnet access to the device

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thanks so much.

Just to be clear;

ssh <management_ip> 255.255.255.255 outside

where <management_ip> is the IP address of the management interface???

I'm off site now so I'll try again tomorrow.

Thanks again :-)

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Upvote 0 Downvote
sorry, I meant to include more direction. the IP(s) that you allow to connect for SSH/HTTPS should be defined here. lock this down as much as possible.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Hi,
for some reason it started working via HTTPS and ASDM without me changing anything. Weird!!!

Thanks for your help though :-)



Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Upvote 0 Downvote
yep, the http 0.0.0.0 0.0.0.0 outside line enables anyone to access your device from the outside...HUGE security risk, HUGE

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thanks for the heads up, I'll take that out ASAP.

is "https 0.0.0.0 0.0.0.0 outside" better?

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Upvote 0 Downvote
actually, http is https in this sense (kinda confusing). if you know the source ip's that you will be remotely accessing the device from, i would put those in. for example, if i know i will be managing this device from home and my ip is 12.12.12.1 i would put http 12.12.12.1 255.255.255.255 outside. obviously remove the http 0.0.0.0 0.0.0.0 outside statement. this will make it more secure.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
OK thanks very much. Unfortunately my ISP assigns IP addresses via DHCP so it changes every so often. Though what you say makes total sense.

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Miluis
  • Locked
  • Question Question
How necessary is an antivirus?
Replies
3
Views
637
Rick998
Rick998
intel233
  • Locked
  • Question Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
1K
Johnkite
Johnkite
phjames
  • Locked
  • Question Question
Replacement for ASA-5510
Replies
1
Views
391
ADB100
ADB100

Part and Inventory Search

Sponsor

Back
Top