Can the FirePOWER management interface and the ASA inside interface be on separate subnets?

Hi,

Need a few more details, please.

I have a requirement to put the FirePOWER management interface and the ASA inside interface on different subnets. Is this supported?

From what I've read so far, most of the documentation suggests putting the two interfaces on the same subnet. Is there a reason to do so?

I may be wrong, but I think FirePOWER uses the management interface to communicate with FireSIGHT for command and control traffic, while the real data plane traffic always flows from ASA outside to inside and vice versa. As long as there is IP connectivity between FireSIGHT and FirePOWER it should be OK, right? Or am I totally wrong and they must be on the same subnet?

ASA5515-X with FirePOWER 5.3.1

Thanks in advance for your help.

Separate subnets are fine.

As you have correctly seen, the FirePOWER module needs to be able to contact the FireSIGHT Management Center (IP-wise).

This path is completely independent of the data plane path through the ASA. The ASA redirects traffic to the FirePOWER module via the service policy, entirely internally to the unit.

Tags: Cisco Security

Similar Questions

  • Cannot manage the ASA inside interface over a site-to-site VPN

    Hi all

    I was deploying a new site-to-site VPN between an ASA 8.0 (HQ) and an ASA 8.4 (branch). Everything works fine, but I have a problem reaching the remote ASA: I can't manage the branch ASA using its inside interface IP address.

    My setup on remote ASA

    management-access inside

    icmp permit any inside

    ssh 0.0.0.0 0.0.0.0 inside

    snmp-server host inside 10.0.1.101 community test-snmp version 2c

    My Test

    - ping from the AC to the inside interface of the remote ASA

    • Client times out on the request
    • With debug icmp on the remote ASA, the ASA shows only the ICMP request to HQ; no response comes back from the remote ASA

    I'm not sure whether it's a bug on ASA 8.4 or not, because I can manage another remote ASA running version 8.0 software from HQ.

    Thanks in advance

    Don't know which 8.4 version you use, but it is broken in 8.4(2); I stumbled upon the same problem after upgrading. SSH and ASDM will not connect to the inside interface through an L2L VPN. This worked well in 8.4(1).

    CSCtr16184

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184


  • I can't ping or telnet to the ASA inside interface when connected over AnyConnect VPN

    Hey Cisco net pro guys,

    When I connect via AnyConnect VPN to an ASA running 9.x OS, I cannot ping or telnet to the ASA inside interface, but I can ping the router interface address, which is on the same subnet as the ASA.

    telnet 0.0.0.0 0.0.0.0 inside

    icmp permit any inside

    Hi Ibrahim.

    Try 'management-access inside' and let us know how it goes.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • ASA - after upgrade to 8.4, unable to ping inside interface via IPsec VPN

    We have a 5-site, site-to-site VPN scenario. Last week we upgraded 2 ASA 5505 devices to 8.4.2. Before the upgrade, our monitoring software would ping the inside interface from remote devices to confirm VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA. While we were on 8.2, remote equipment successfully pinged the inside interface. After we went to 8.4.2, we can no longer ping this interface. We looked at the logs and we see the ICMP traffic listed in the log, but the remote equipment does not receive ICMP traffic back. We can successfully ping the inside interface from local hardware, and the outside interface of the remote devices. In addition, we can ping hardware behind both devices in both directions.

    We are unable to remotely manage the device through the VPN tunnel

    Net is:

    ASA #1 inside 10.168.107.1 (running ASA 8.2)

    ASA #2 inside 10.168.101.1 (running ASA 8.4)

    Server 1 (behind the ASA #1) 10.168.107.34

    Server 2 (behind the ASA #2) 10.168.101.14

    Can ping server 1 to server 2

    Can ping server 1 to ASA 1

    Can ping server 2 to ASA 2

    Can ping server 2 to server 1

    Can ping server 2 to ASA 1

    Can ping ASA 2 to ASA 1

    Cannot ping ASA 1 to ASA 2

    Cannot ping server 1 to ASA 2

    Cannot access ASA 2 via HTTPS for management, nor via the ASDM software

    Here is the config on ASA 2 (attached).

    Any thoughts would be appreciated.

    Hey Joseph,

    Most likely, you hit this bug:

    CSCtr16184            Bug Details
    To-the-box traffic to VPN hosts fails after upgrade to 8.4.2.
    Symptom:
    After upgrading the ASA to 8.4.2, all to-the-box management traffic (including
    ICMP/telnet/ssh/ASDM) from hosts via VPN (L2L or remote access VPN) to the
    management-access interface IP address can fail.
    Conditions:
    1. The problem occurs if the ASA is on 8.4.2. Not seen on 8.4.1.
    2. Users directly connected on the inside interfaces have no problem with
    ICMP/telnet/ssh/ASDM to their respective interfaces.
    Workaround:
    The problem traces back to a manual NAT statement that straddles the
    management-access interface IP address. The NAT must have both the
    source and destination sections. Adding the keyword "route-lookup" at the end of
    the NAT statement solves the problem. Ex:
    The ASA management-access interface IP address is 192.168.1.1.
    ! Overlapping NAT statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
    ! New statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

    HTH,

    Raga
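The workaround quoted above is easy to miss in a long NAT table, so here is an added example (not from the thread and not Cisco code) that audits an ASA 8.4+ running-config for manual NAT rules whose real source network covers the management-access interface address and that lack the route-lookup keyword. The config excerpt embedded in the script is constructed for the example; interface, object and nat syntax follow ASA conventions, and only network objects defined with subnet or host are resolved.

```python
# Added example: find manual NAT rules that straddle the management-access interface
# IP without 'route-lookup' (the CSCtr16184 workaround). SAMPLE_CONFIG is constructed.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-vpn
 subnet 10.10.10.0 255.255.255.0
management-access inside
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
nat (inside,outside) source dynamic any interface
"""

# Manual NAT with both a source and a destination section (the shape the bug needs).
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+) destination static "
    r"(?P<dst_real>\S+) (?P<dst_mapped>\S+)(?P<opts>.*)$"
)


def parse_config(text):
    """Collect nameif -> IP, network object -> subnet, and the management-access interface."""
    interfaces, objects, mgmt_if = {}, {}, None
    ctx = None  # ("if", {...}) inside an interface block, ("obj", name) inside an object
    for raw in text.splitlines():
        s = raw.strip()
        if raw.startswith("interface "):
            ctx = ("if", {})
        elif raw.startswith("object network "):
            ctx = ("obj", s.split()[2])
        elif raw.startswith("management-access "):
            mgmt_if, ctx = s.split()[1], None
        elif not raw.startswith(" "):
            ctx = None  # any other top-level line (including '!') closes the block
        elif ctx and ctx[0] == "if":
            if s.startswith("nameif "):
                ctx[1]["nameif"] = s.split()[1]
            elif s.startswith("ip address "):
                ctx[1]["ip"] = ipaddress.IPv4Address(s.split()[2])
            if "nameif" in ctx[1] and "ip" in ctx[1]:
                interfaces[ctx[1]["nameif"]] = ctx[1]["ip"]
        elif ctx and ctx[0] == "obj":
            parts = s.split()
            if parts[0] == "subnet":
                objects[ctx[1]] = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
            elif parts[0] == "host":
                objects[ctx[1]] = ipaddress.IPv4Network(f"{parts[1]}/32")
    return interfaces, objects, mgmt_if


def check_management_nat(text):
    """Return findings for manual NAT rules on the management-access interface whose
    real source network contains that interface's IP and that lack 'route-lookup'."""
    interfaces, objects, mgmt_if = parse_config(text)
    findings = []
    if mgmt_if is None or mgmt_if not in interfaces:
        return findings  # no management-access interface: nothing to check
    mgmt_ip = interfaces[mgmt_if]
    for raw in text.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m or m.group("real_if") != mgmt_if:
            continue
        real_net = objects.get(m.group("src_real"))
        if real_net is None or mgmt_ip not in real_net:
            continue
        if "route-lookup" in m.group("opts").split():
            continue  # rule already carries the workaround
        findings.append({
            "rule": raw.strip(),
            "reason": f"real source {real_net} contains {mgmt_if} address {mgmt_ip} "
                      f"and the rule has no route-lookup",
            "suggested": raw.strip() + " route-lookup",
        })
    return findings


if __name__ == "__main__":
    for f in check_management_nat(SAMPLE_CONFIG):
        print("FLAGGED :", f["rule"])
        print("  reason:", f["reason"])
        print("  fix   :", f["suggested"])
```

Run it against a saved `show running-config` instead of the embedded sample to get the list of rules to amend; the dynamic PAT line is ignored because it has no destination section, which matches the bug's stated condition.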

  • Cannot ping ASA inside interface via VPN

    Hello

    I have a scenario with a VPN tunnel between a router and an ASA. I can ping the subnet behind the ASA from the subnet behind the router (and vice versa), but I cannot ping the ASA inside interface over the VPN tunnel. I need ASDM access to the remote location. How can it be done?

    Thanks for your suggestions.

    Remi

    Hello

    You must have the 'management-access inside' command configured on the ASA.

    If you run 8.3 software or newer on the ASA, you should also look at the 'nat' configuration if the above command alone does not solve your problem.

    -Jouni

  • ASA 5540 - cannot ping inside interface

    Hi all. We have recently upgraded from a PIX to an ASA5540 and we saw a strange thing going on. In a word, we can ping the inside interface of the ASA from any range on our 6500 network (which is connected directly behind the ASA on the inside) except the one where our monitoring tools are placed. On the inside there is an ACL that allows all of our core networks, but that doesn't help; the interface behaves really strangely.

    In the ASDM, I see messages like this:

    ICMP echo request from x.x.x.x to y.y.y.y ID=2004 on the inside interface. I don't think that's the problem, but I could be wrong.

    Here is also the configuration of the VLAN interface from which we cannot ping the inside interface. We can ping to and from this VLAN and its machines without problem; the only problem is pinging the inside interface of the ASA.

    interface Vlanx

    ip address x.x.x.x 255.255.255.0

    ip directed-broadcast 199

    ip accounting output-packets

    ip pim sparse-dense-mode

    ip route-cache flow

    load-interval 30

    Has anyone experienced a problem like this before? Thanks in advance for any help.

    Can you post the output of the following on the ASA:

    show route

    And the output of the following on your core layer switch:

    show ip route

    HTH

  • Tunnel up but no ping to the ASA inside interface

    Dear all,

    I am establishing a VPN tunnel between a Cisco ASA 5510 and a Cisco router. The tunnel is up, and I can ping both crypto interfaces. Also, from the ASA console I can ping the router LAN interface, but from the router I cannot ping the ASA LAN interface; this message appears in the log:

    %ASA-3-713042: IKE Initiator unable to find policy: Intf liaison_BLR, Src: 128.223.125.232, Dst: 129.223.123.234

    Here is the config of the equipment.

    I was able to successfully establish an IPsec tunnel with another 1841 router. I have 1 hub site and 3 remote sites, with the ASA as the hub.

    Help, please.

    Your crypto ACLs are not matching. They must be exact mirrors of each other.

    In addition, you could consider setting the security levels on the interfaces. They are all at 0. Give the internal/private ones a higher value.

    Let me know how it goes.

    PS. If you find this post useful, please rate it.
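The "exact mirror" requirement in the reply above is mechanical enough to check by script. The following is an added example, not from the thread and not Cisco code: it parses the ASA crypto ACL (subnet masks) and the peer IOS router's crypto ACL (wildcard masks) into (source, destination) network pairs and reports which mirrored entries the router is missing and which router entries have no ASA counterpart. The ACL lines, the ACL name BLR-crypto and the addresses are constructed samples.

```python
# Added example: verify that the ASA and IOS crypto ACLs are exact mirrors.
# ASA entries use subnet masks, IOS entries use wildcard masks. Samples are constructed.
import ipaddress

ASA_ACL = [
    "access-list BLR-crypto extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
    "access-list BLR-crypto extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0",
]
ROUTER_ACL = [
    "permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
    "permit ip 10.2.0.0 0.0.255.255 host 10.1.0.5",  # extra entry with no ASA counterpart
]


def _take_net(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) and return an IPv4Network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    if wildcard:  # IOS wildcard -> subnet mask by inverting each octet
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.IPv4Network(f"{t}/{mask}")


def parse_entries(lines, wildcard=False):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' ACL entries."""
    entries = set()
    for line in lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue
        tokens = tokens[tokens.index("permit") + 1:]
        if tokens.pop(0) != "ip":
            continue  # the example handles plain 'permit ip' entries only
        src = _take_net(tokens, wildcard)
        dst = _take_net(tokens, wildcard)
        entries.add((src, dst))
    return entries


def mirror_mismatches(asa_entries, router_entries):
    """Return (missing_on_router, extra_on_router): the router ACL should equal the
    ASA ACL with source and destination swapped on every entry."""
    expected = {(dst, src) for src, dst in asa_entries}
    missing = sorted(expected - router_entries, key=str)
    extra = sorted(router_entries - expected, key=str)
    return missing, extra


if __name__ == "__main__":
    missing, extra = mirror_mismatches(parse_entries(ASA_ACL),
                                       parse_entries(ROUTER_ACL, wildcard=True))
    for src, dst in missing:
        print(f"router is missing: permit ip {src} -> {dst}")
    for src, dst in extra:
        print(f"router has extra : permit ip {src} -> {dst}")
```

Any entry in either list means the proxy identities will not agree during IKE negotiation for that traffic; fix the ACLs until both lists come back empty.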

  • Configure the ASA FirePOWER module IP address

    Hello,

    Today I tried to configure the IP address of the ASA FirePOWER module, but unfortunately I failed. The firewall does the routing, and there is no router on the LAN. So I set up the management interface and configured the FirePOWER IP on the server management network. But unfortunately I cannot ping the gateway IP address, which is actually one of the firewall's interfaces. It is a 5525-X series firewall, so there isn't any dedicated FirePOWER management interface. It would be nice to know where I made the mistake. I reloaded and recovered the module, and the state always shows as Recover. So my question is whether there is a problem with the module itself?

    Module status

    sh module

    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
       0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC
     ips Unknown                                      N/A                N/A
    cxsc Unknown                                      N/A                N/A
     sfr Unknown                                      N/A                N/A

    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
       0                                   1.0          2.1(9)8      9.2(3)
     ips                                                N/A          N/A
    cxsc                                                N/A          N/A
     sfr                                                N/A          N/A

    Mod  SSM Application Name           Status           SSM Application Version
    ---- ------------------------------ ---------------- --------------------------
     ips Unknown                        No Image Present Not Applicable
    cxsc Unknown                        No Image Present Not Applicable

    Mod  Status             Data Plane Status     Compatibility
    ---- ------------------ --------------------- -------------
       0 Up Sys             Not Applicable
     ips Unresponsive       Not Applicable
    cxsc Unresponsive       Not Applicable
     sfr Recover            Not Applicable

    Firewall interface config

    #show interface ip brief
    Interface                  IP-Address      OK? Method Status Protocol
    GigabitEthernet0/0         10.101.106.115  YES CONFIG up     up
    GigabitEthernet0/1         10.106.106.115  YES CONFIG up     up
    GigabitEthernet0/2         10.103.254.254  YES CONFIG up     up
    GigabitEthernet0/3         10.0.210.254    YES CONFIG up     up
    GigabitEthernet0/4         10.100.254.254  YES CONFIG up     up
    GigabitEthernet0/5         10.107.253.115  YES CONFIG up     up

    #interface GigabitEthernet0/1
     speed 1000
     duplex full
     nameif Server
     security-level 70
     ip address 10.106.106.115 255.255.0.0

    FirePOWER management configuration

    Hostname: sfr1
    Management interface configuration

    IPv4 configuration: static
    IP address: 10.106.251.253
    Netmask: 255.255.0.0
    Gateway: 10.106.106.115

    IPv6 configuration: Stateless autoconfiguration

    DNS configuration:
    Domain: XXX.local
    Search:
    XXX.local
    DNS servers:
    10.101.251.2
    10.201.251.2

    Any help will be greatly appreciated.

    Thank you

    Sari

    Sari,

    Even though there is no physical FirePOWER services module management port, the unit uses the Management0/0 port to connect to the SFR module. If you want it on the same VLAN as your Server VLAN on the ASA, plug the Management0/0 port into a switch port that is in the Server VLAN and give the SFR module an IP address on the same subnet.

    Make sure that you remove the nameif statement under interface Management0/0. Here is an example:

    interface Management0/0
     management-only
     no nameif
     security-level 100
     no ip address
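Both the question at the top of the page (whether the module's management subnet must match the ASA inside subnet) and this thread (a gateway that is an ASA data interface, reachable only if Management0/0 is cabled into that VLAN) come down to a few checks on the module's management settings against the ASA interface table. The script below is an added example, not from either thread and not Cisco code: the management values and the interface list are constructed from the output quoted above, the nameif "inside" is assumed, and Management0/0 is listed without address or nameif as the reply recommends.

```python
# Added example: sanity-check SFR module management settings against ASA interfaces.
# SFR_MGMT and ASA_INTERFACES are constructed samples modelled on the thread above.
import ipaddress

SFR_MGMT = {"ip": "10.106.251.253", "mask": "255.255.0.0", "gateway": "10.106.106.115"}

# (nameif, ip, mask); Management0/0 carries no nameif and no address.
ASA_INTERFACES = [
    ("Server", "10.106.106.115", "255.255.0.0"),
    ("inside", "10.103.254.254", "255.255.255.0"),
    ("Management0/0", None, None),
]


def _iface(ip, mask):
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def check_sfr_management(mgmt, asa_ifaces, inside_nameif="inside"):
    """Return {'errors': [...], 'notes': [...]} for the module's management settings."""
    errors, notes = [], []
    mgmt_itf = _iface(mgmt["ip"], mgmt["mask"])
    gw = ipaddress.IPv4Address(mgmt["gateway"])
    # The gateway must be on the module's own subnet or it is never ARP-reachable.
    if gw not in mgmt_itf.network:
        errors.append(f"gateway {gw} is not in management subnet {mgmt_itf.network}")
    if gw == mgmt_itf.ip:
        errors.append("gateway equals the module's own address")
    named = {n: _iface(ip, m) for n, ip, m in asa_ifaces if ip}
    for name, itf in named.items():
        if itf.ip == mgmt_itf.ip:
            errors.append(f"management IP {itf.ip} collides with ASA interface '{name}'")
    # If the gateway is an ASA data interface, Management0/0 has to sit in that VLAN:
    # the ASA does not forward module management traffic over its backplane.
    gw_owner = next((n for n, itf in named.items() if itf.ip == gw), None)
    if gw_owner:
        notes.append(f"gateway is ASA interface '{gw_owner}': Management0/0 must be cabled "
                     f"into that interface's VLAN; the ASA does not forward module "
                     f"management traffic internally")
    else:
        notes.append("gateway is an external router on the management subnet")
    # A management subnet that differs from the inside subnet is allowed: the FMC
    # path is independent of the data path through the ASA.
    inside = named.get(inside_nameif)
    if inside and inside.network != mgmt_itf.network:
        notes.append(f"management subnet {mgmt_itf.network} differs from {inside_nameif} "
                     f"subnet {inside.network}: allowed, the FMC path is independent "
                     f"of the data path")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    for level, msgs in check_sfr_management(SFR_MGMT, ASA_INTERFACES).items():
        for msg in msgs:
            print(f"{level.upper():6} {msg}")
```

With the values from this thread the script reports no errors and points out that the gateway is the ASA's Server interface, which is exactly the cabling condition the reply describes; change the mask to 255.255.255.0 and it flags the gateway as off-subnet.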

  • Not able to ping inside interface from outside

    Hello,

    I'm trying to simulate a new network like the topology diagram below:

    Topology

    However, I have a problem:

    From the ASA:

    I can ping:

    192.168.200.1 (Site_RTR IP, int fa0/1)

    192.168.200.2 (ASA VLAN interface IP, outside interface)

    10.133.95.12 (DC_RTR, int fa0/1)

    10.133.200.1 (ASA VLAN interface IP, inside interface)

    10.133.200.23 (machine)

    From the site RTR, I can ping:

    10.133.95.12

    192.168.200.1

    192.168.200.2

    10.133.200.23 (machine)

    but not

    10.133.200.1 (ASA VLAN interface IP, inside interface)

    Question 1:

    Is it possible to access / ping this inside interface IP address from outside?

    Question 2:

    All 10.0.0.0/8 subnets will go through the outside interface; however, internet traffic goes out through the outside2 interface.

    I haven't set up any NAT; is it correct to NAT everything out for outside2?

    nat (inside,outside2) source dynamic any interface

    Configuration

    Thanks for the help.

    JJ

    Hi JJ,

    If you are planning to ping the inside interface IP address while the traffic is coming in on any interface other than inside, you won't be able to ping the inside interface IP address.

    This is by design, and you cannot change it by any ACL or other settings.

    Thank you
    Ishan
    Please do not forget to select a correct answer and rate useful posts

  • Allow specific access through the ASA 5510 interfaces

    Hi all,

    In my quest to learn Cisco IOS and devices, I need help with shaping traffic, or access lists, specifically allowing traffic between internal interfaces on the ASA.

    I have an ASA 5510:

    WAN/LAN/DMZ ports labeled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

    Connected to the port E0/0 is a 2811 router

    Connected to the port E0/1 is the (external) Internet

    Connected to the port E0/2 is a 2821

    (I'll add a 3745 for VoIP on port E0/3, but that has not yet happened.)

    I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

    I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANs, but I'm not restricting access between them, at least I don't think I am. But as it is, devices behind the 2821 cannot access the DNS / domain server located behind the 2811. Right now I have the routers doing DHCP, which works. Currently devices behind the 2821 router / 3560 switch cannot access the domain server, the primary DNS server.

    How can I set up the ASA to allow traffic to flow between the two routers and their VLANs?

    Here are the configs of each device; I have also included my switch configs, in case something should be set on them. I only removed the passwords and parts of the external IP address. I appreciate help on which statements to create and on which devices.

    I think it is best that I put the links to the text files here.

    Thank you!

    You must remove the following statements on the two routers:
    - # ip nat inside source ... overload
    - each # ip nat inside/outside on the interfaces, if configured.

    Remove the RIP advertisements of the networks that are not directly connected:
    - 2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
    - 2811: 199.195.xxx.0
    - ASA: 128.0.0.0

    No static routes should be added on the routers, since the default route already points to the ASA.

    Check the routing tables on the routers and the ASA.

    On the ASA:

    - Remove:
    object-group network PAT-SOURCE
    nat (inside,outside) after-auto source dynamic PAT-SOURCE interface

    - Create network objects for the networks behind the LAN router and enable dynamic NAT:
    object network <name>
     subnet <network> <mask>
     nat (inside,outside) dynamic interface

    - Review the remaining NAT rules.

    - Set/adjust the inbound access lists on the interfaces. Don't forget to allow RIP on the LAN and DMZ interfaces.

    - Disable RIP on the outside interface.

  • ASA 5510 configuration: how to set up 2 outside interfaces

    Hello,

    I have a Cisco ASA 5510, and from a workstation I want to create a new route to another (external) router to my ISP.

    From the workstation I can ping the ASA E0/2 interface, but I cannot ping the ISP B router's inside and outside interfaces.

    I based my setup on the existing configuration, which so far is working:

    interface Ethernet0/0
     description Outside interface
     nameif outside
     security-level 0
     ip address 122.55.71.138 255.255.255.248
    !
    interface Ethernet0/1
     description Inside interface
     nameif inside
     security-level 100
     ip address 10.34.63.252 255.255.240.0
    !
    interface Ethernet0/2
     description Outside interface
     nameif outside
     security-level 0
     ip address 121.97.64.178 255.255.255.240
    !

    global (outside) 1 interface

    global (outside) 2 interface (I created this for E0/2)
    nat (inside) 0 access-list sheep

    nat (inside) 1 10.34.48.11 255.255.255.255 (works: ISP router inside and outside interface via E0/0)

    nat (inside) 2 10.34.48.32 255.255.255.255 (works for the E0/2 ISP router inside interface only, but can't ping the outside)

    route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (works)

    route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (the new test route)

    ISP router, which works: the workstation can ping it and I can access the internet

    interface FastEthernet0/0
     description Connection to ASA5510
     ip address 122.55.71.139 255.255.255.248
     no ip redirects
     no ip proxy-arp
     ip nat inside
     duplex auto
     speed auto
    !
    interface Serial0/0
     ip address 111.54.29.122 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip nat outside
    !
    ip nat inside source static 122.55.71.139 111.54.29.122
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0

    ISP 2

    interface FastEthernet0/0 (ASA can ping this interface)
     description Connection to ASA5510
     ip address 121.97.64.179 255.255.255.248
     no ip redirects
     no ip proxy-arp
     ip nat inside
     duplex auto
     speed auto
    !
    interface E0/0 (ASA cannot ping this interface)
     ip address 121.97.69.122 255.255.255.252
     no ip redirects
     no ip proxy-arp
     ip nat outside
    !
    ip nat inside source static 121.97.64.179 121.97.69.122
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 E0/0

    CABLES

    ASA to ISP B router (straight cable)

    ISP router to the UDI (straight cable)

    Hope you could give some advice and a solution for this kind of problem, please.

    Hello

    Are you able to ping the router interface IP from the ASA? If so, try a packet-tracer on the ASA for traffic to the router's IP address.

    Thank you and best regards,

    Maryse Amrodia

  • FirePOWER services configuration on Cisco ASA 5506 with ASDM

    I have a few 5506 firewalls, and they are fully licensed with FirePOWER services: Control, Protection, URL filtering, Malware. I intend to run and configure all of this on the 5506 via ASDM. I was wondering if there are guides available for a basic configuration and policy implementation. Something that shows a basic configuration which would technically begin inspecting traffic and work. Then I can edit and make changes to my taste.

    Thank you

    My recommendation to clients is to look at the Cisco Live BRKSEC-2018 presentation. Please refer to slide 56 onward for a good overview of how policies are set up in a FirePOWER module.

    There are also a number of other detailed guides available on the FireSIGHT Management Center product support page, should you care to learn more about customization and operations. You may also find the ASA FirePOWER on-demand video series at Labminutes.com useful to guide you through the operation of your system.

  • AIP-SSM connected to an unused ASA interface

    Hi people,

    Perhaps someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The AIP-SSM sensor is physically connected to this interface with the following IP settings:

    Sensor (192.168.2.2/30, gateway 192.168.2.1) --- ASA interface (192.168.2.1/30)

    It's basically point-to-point connectivity, and I can reach the ASA from the sensor and the other way around.

    This design is dictated by the lack of a free port on the switch.

    Technically it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor, and the switch has the corresponding static route added. I can reach the sensor from the switch.

    Is there a hidden security feature I don't know about that prevents communication with the sensor?

    And the sensor ACL allows traffic from all networks (0.0.0.0/0).

    With the sensor ACL set to 0.0.0.0/0, the sensor must be allowing connectivity.

    You can use the 'packet display' command on the sensor to look at packets on the command and control interface, to see if the packets are making it to the sensor.

    You say that you have a static route on your switch for the switch to reach your sensor. Do you know if your PC is configured to use the switch as its default router? If the PC is using a different default router, then that other router should also have the static route.

    The other possibility is that the ASA itself may be denying the traffic.

    Since this is an ASA interface connected to the SSM, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can prevent traffic, and an ACL may be necessary in order to allow traffic from your PC to be routed to the SSM.

    NOTE: If you don't want to have to worry about routes, the other alternative is to make the network between the ASA and the SSM an isolated network that only those 2 machines know about.

    You can then use static PAT to map a port on the ASA inside interface address to the SSM address's https port 443, and map a second port on the ASA inside interface address to the SSM address's SSH port.

    Your home PC would then simply connect to the ASA IP using those specific ports, and the ASA would do the port translation and forward to the SSM.

    The SSM address could also be dynamically PATed to the ASA inside address, so the SSM could initiate connections to other machines on the inside network.

    Another alternative, if you have IP addresses available on your inside network, is to use static NAT instead of PAT: just have the ASA statically map an IP on the inside network to the SSM's IP on the network that only the ASA and the SSM know about.

    In both cases the network between the ASA and the SSM would not be routable at all, and you wouldn't have to worry about replicating static routes anywhere.

    SIDE NOTE: With a separate network for the SSM, you will also need to NAT or PAT the SSM's address on the ASA outside interface. That way the SSM will be able to connect to the Internet to download auto-updates from cisco.com and/or pull global correlation information from Cisco servers. It's probably the same configuration you would already have for other internal addresses, but just to be sure, make sure you cover the SSM since it is on a separate subnet.

  • Multiple outside networks on an ASA - 1 outside interface

    Example scenario:

    Site A 20.0.0.0 (primary)

    Site B 30.0.0.0 (primary)

    Greetings,

    I don't see a problem from a routing point of view with 2 routers at each site and advertisements via BGP. We will announce both networks at each site. However, mainly site A will get 20.0.0.0 traffic and site B will get 30.0.0.0 traffic. No problem with NAT and so on.

    What I don't know how to deal with right now is if site B fails and site A begins to receive the 30.0.0.0 traffic. There is just a single link between the site A router and firewall, with the 20.x.x.x network. Any recommendations on how site A can receive 30.0.0.0 transparently if site B goes down? (from an ASA/NAT point of view)

    Thank you

    Chris

    Is it reasonable to assume that your ASA has a route to the 30.0.0.0 network via its inside interface?

    If so:

    static (inside,outside) 30.0.0.0 30.0.0.0 netmask 255.0.0.0

    As long as the traffic to 30.0.0.0 is forwarded to the outside interface of the site A firewall, it can then accept this traffic and forward it on internally.

    Let me know if I have understood you correctly.

    Jon

  • Allow access to a single host on a separate interface from the inside interface

    I use a Cisco PIX 515E running ASA 8.0(3) - two separate networks, one on each interface...

    I have a separate network interface 'wireless' intentionally, because I share wireless with my neighbor and don't want it on my 'inside' LAN. I sometimes want to use the wireless myself, but only need to access my printer at 192.168.21.6.

    How can I access 192.168.21.6 from the wireless interface (just TCP/UDP port 9100, I think)? I've experimented with static commands, but could not get it to work. Do I need to create a separate IP such as 192.168.22.6 and map that to 192.168.21.6 on the inside interface to be able to print?

    static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255

    The ACL already allows ALL IP traffic between the zones (except the RISKY PORTS), so no need to change that to make this work.

    You can also do a static identity NAT so that wireless users can access the printer using its original address. But this will create problems with the neighbor :).

    Please rate if useful.

    Regards

    Farrukh
