HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Anav

Re: [Info] Virgin ASA 5505 Admin and VPN on Top

One other thing, and to satisfy my curiosity, can you get into the CLI and issue a "show version,"
or check in ASDM what licence level the ASA has? It should say something to the effect of
"Licensed Features" and "This device has a [x] Licence."

Regards

HELLFIRE
Premium
join:2009-11-25
kudos:18

1 edit
reply to Anav
Okay, so this was bugging me, so I couldn't sleep...

http server enable 3334
http server session-timeout 60
http 192.168.1.0 255.255.255.0 backup-admin
http 192.168.24.0 255.255.255.0 Main-Lan
http kk.kkk.kk.kkk 255.255.255.255 outside
 

Looks like the above config is valid... Like I said, from a security perspective, I trust
http/s management sessions as far as I can kick them, but if you're insistent to use them
Anav...

The only other thing I can suggest is to lock down the LAN IPs that can access ASDM rather than
opening it up to the entire subnet, just as good security practice.

The last thing you should need to get ASDM access working is the following lines:

aaa authentication http console local
!
username [user1] password [password1] encrypted
username [user2] password [password2] encrypted
...
 

According to Cisco's notes, no further firewall rules should be needed at this point.
Easiest test would be to try from both the LAN interfaces and from the outside as follows
from a web browser and log in with the user/passwords above.

https://[your ip address]:3334/admin
 

Regards
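
As an added example (mine, not from HELLFIRE's post or from Cisco's documentation): the same ASDM access configuration with the per-host lockdown suggested above, using the thread's interface names and port. The host addresses, the username and the 8.x/9.x command syntax are assumptions.

```cisco
! Added example: ASDM/HTTPS management restricted to named hosts.
! Interface names (Main-Lan, backup-admin, outside) and port 3334 come from the thread;
! the host addresses and the username are assumed placeholders.
http server enable 3334
http server session-timeout 60
http server idle-timeout 10
!
! One line per management workstation instead of the whole /24.
! Each entry is tied to an interface, so a LAN host cannot use the outside entry.
http 192.168.24.10 255.255.255.255 Main-Lan
http 192.168.24.11 255.255.255.255 Main-Lan
http 192.168.1.10 255.255.255.255 backup-admin
! Outside access only from one fixed admin address (replace kk.kkk.kk.kkk with it);
! remove this line once management runs inside the VPN tunnel.
http kk.kkk.kk.kkk 255.255.255.255 outside
!
! Authenticate ASDM logins against the local user database.
aaa authentication http console LOCAL
username asdmadmin password ChangeMe-ToAStrongPassphrase privilege 15
!
! Checks after applying:
!   show run http                    -> allowed hosts, interfaces and port
!   show asdm sessions               -> who is connected right now
!   show logging | include 605005    -> ASA-6-605005 "Login permitted" for management sessions
! From a LAN host that is not listed, https://<asa-ip>:3334/admin should time out
! rather than present a login page; that is the quickest check that the lockdown holds.
```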


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

2 edits
reply to Anav
Hi guys,

Yes, my intent was to initially access the ASDM/router via HTTPS using port 3334 or whatever it ends up being. Then, once I get VPN working, I intend to do HTTPS inside the VPN tunnel for best security. But at this point that seems a distant router config issue. In the meantime, by all means, how do I use SSHv2 instead for router admin purposes? I don't have access to certificates (can I use what I assume is a built-in router one)?

The actual access to the LAN PCs is limited to two computers and two or three people, so I'm not worried about the subnet per se.

The license is the Basic license only, NOT the Plus license, so I can only have two SSL VPNs and 3 interfaces: one being the DMZ (VLAN 1, admin-backup, which can only have internet access, which is fine and is what we are using as the admin LAN), VLAN 12 (the main LAN), and of course the outside interface.

I will look at the ACL rules again, but what is posted is what is put out by ASDM. Not sure how I can change it.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Anav
Base SSH config via CLI is as follows :

config t
crypto key zeroize rsa default -- nukes any existing keys on the ASA
domain-name [domain name]
crypto key generate rsa general-keys modulus [512, 768, 1024, 2048] -- obviously the longer the modulus the better the security (512 and 768 are too short for current SSH clients)
write memory -- saves the new key pair along with the config
ssh version 2
ssh [host or network ip] [subnet mask] [inside | outside] -- who may connect, and on which interface
ssh timeout [minutes]
 

Start looking for a 9-pin to USB adapter so you can use the ASA CLI. I will admit, coming from a
GUI background, CLI operation can be a little daunting config- and operation-wise, but there
is nearly nothing the CLI can't do compared to the GUI.

said by Anav:

The license is the basic license only NOT the plus license, so I can only ...

So long as you're aware of the limitations of the Base Licence, which says 3 VLANs, no 802.1q
trunking, and IIRC, inside->outside, DMZ->outside, but not DMZ->inside functionality.

Let us know how it goes.

Regards
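
As an added example (mine, not HELLFIRE's snippet or Cisco documentation): the SSH setup above filled in with the pieces that usually trip people up on a first ASA, again with the thread's interface names. The hostname, domain name, host addresses and the local username are assumed placeholders.

```cisco
! Added example: SSHv2 management access on the ASA 5505, locked to named hosts.
! Interface names come from the thread; hostname, domain, addresses and username are assumptions.
configure terminal
hostname asa5505
domain-name example.internal
!
! The default key pair is named from hostname.domain-name, so set both before generating it.
! 2048 bits: modern SSH clients refuse 512/768-bit host keys.
crypto key zeroize rsa default noconfirm
crypto key generate rsa general-keys modulus 2048
!
ssh version 2
ssh timeout 10
! Who may open an SSH session, and on which interface (one host each, not the whole /24).
ssh 192.168.24.10 255.255.255.255 Main-Lan
ssh 192.168.1.10 255.255.255.255 backup-admin
!
! Without this line the ASA ignores the local users for SSH and expects the
! built-in username "pix" with the login (passwd) password.
aaa authentication ssh console LOCAL
username sshadmin password ChangeMe-ToAStrongPassphrase privilege 15
!
write memory
!
! Checks:
!   show crypto key mypubkey rsa   -> the key pair exists and is 2048 bits
!   show ssh                       -> allowed hosts, timeout and version
!   show ssh sessions              -> live sessions
! From an allowed host:  ssh sshadmin@192.168.24.1   (assumed inside address of the ASA)
! From any other host the ASA should not even offer a password prompt.
```

No certificate is involved in any of this: the RSA key pair generated above is the SSH host key, which is why the ASA never asks for one.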


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Yup, aware of license limitations; they won't impede the install or use behind the router. Have my serial ready. Will look at SSH...
Am I doing SSH over the serial cable or over Ethernet from the laptop??

I have used console and CLI and telnet on ZyWALL and USG routers but never as a main programming tool.

HELLFIRE
Premium
join:2009-11-25
kudos:18

1 edit
reply to Anav
said by Anav:

I am doing ssh over serial cable or over ethernet from laptop??

I died a little inside over that comment Anav [/facepalm]

...but SSH / IP connectivity is NOT involved in console connections.
Seeya here Monday, okay?

Regards

edit: FYI, the question above is the Cisco equivalent of asking "where's the ANY key?"


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

4 edits
Well I'm losing track of which connection I am using for which interface LOL. Yes, the serial cable is for the console connection only, ya funny man. And SSH using an ASA local certificate is a pain; it says I don't have a valid directory to store the certificate.

Here is the snippet from my rules for NAT, which have been re-inserted LOL

arp timeout 14400
nat (Main-Lan,outside) source dynamic any interface
nat (backup-admin,outside) source dynamic any interface
nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service OpM2 OpM2
nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service OpM1 OpM1
nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service OpM3 OpM3
nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service inputhttp OpM1
nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service TFS TFS
nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service RDP RDP
route Main-Lan 0.0.0.0 255.255.255.255 ab.abc.def.225 1
timeout xlate 3:00:00

I did get a warning during the ASDM apply, which correctly pointed out that there is a bit of an overlap in that I have port 5080 (OpM1) being forwarded to the TFS server. I also have a port translation rule that ingests port 80 (inputhttp) and translates it to 5080 (OpM1).
This is not an issue on any other router I have used.

Have entered via console and had a look at the show commands etc. Still wondering how to set up SSH into the router instead of HTTPS.

At work, NO INTERNET. Lan works fine. :-(((((((
changed static route to
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1

--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Anav
BINGO, adding the static route outbound did the trick after configuring it properly. All traffic on the outbound interface should be pointed to the next hop. Funny that has to be added.

Now do I need something for all incoming traffic??
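
As an added example (mine, not from the thread or from ASDM's output): on 8.3 and later software the twice-NAT lines posted above only translate; an access rule applied inbound on outside is still needed before any outside host can reach the server. The object names are taken from the posted NAT rules, with OpM1 = tcp/5080 as stated in the post; the trusted admin source address and the assumption that the other service objects (OpM2, OpM3, TFS, RDP) are already defined are mine.

```cisco
! Added example: inbound access rule to go with the posted NAT rules.
! Object names (tfs-server, OpM1, OpM2, OpM3, TFS, RDP) come from the thread; OpM1 is tcp/5080
! per the post. 203.0.113.25 is an assumed placeholder for a trusted admin address.
object service OpM1
 service tcp destination eq 5080
!
! Since 8.3, access rules match the REAL (inside) address and the REAL port, i.e. after un-NAT.
! The port-80 -> 5080 translation (inputhttp -> OpM1) therefore needs a rule for 5080, not 80,
! and the same rule also covers connections that arrive on 5080 directly.
access-list OUTSIDE_IN extended permit object OpM1 any object tfs-server
access-list OUTSIDE_IN extended permit object OpM2 any object tfs-server
access-list OUTSIDE_IN extended permit object OpM3 any object tfs-server
access-list OUTSIDE_IN extended permit object TFS any object tfs-server
! RDP open to the whole Internet is a common break-in path; limit it to a known address.
access-list OUTSIDE_IN extended permit object RDP host 203.0.113.25 object tfs-server
! Everything else inbound stays blocked by the implicit deny at the end of the list.
access-group OUTSIDE_IN in interface outside
!
! Checks:
!   show access-list OUTSIDE_IN   -> hit counts climb as outside traffic arrives
!   packet-tracer input outside tcp 198.51.100.7 40000 <mapped address> 80
!       -> the NAT phase should show tfs-server:5080 and the ACCESS-LIST phase ALLOW
```

Only one access-group can be applied inbound per interface, so if ASDM has already created an outside_access_in list, add the lines to that list instead of creating a second one.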

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Anav
Question Anav, have you given the CLI a shot yet? I'm still trying to figure out where the ASA
is asking for a certificate for SSH config...

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit
No I haven't, I need to get this up pronto, i.e. working, and then will have the luxury of learning the CLI. (Memorizing some of the major commands, being able to use others from a list, and then putting them in the proper syntax is not exactly sexy.)
Maybe I will see what I can read up on today.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Anav
Been ANOTHER crazy week at work... otherwise I'd fire up my own ASA and ASDM to see what I can do to help.

Earliest MAY be the weekend, unfortunately. Hope upper management isn't breathing down your neck and
you're not disheartened by the experience Anav.

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
I started a new thread which I think narrows down the issues.
Will test my hypothesis today.