Re: ASA OOB Management

From: karim jamali <karim.jamali_at_gmail.com>
Date: Mon, 7 Jun 2010 00:10:44 +0300

Hello Adam,

Thanks for clearing this up.

Put any ip address of your choice on the management interface and designate
it preferably as a management-only interface.
Enable the HTTP server and allow HTTP connections to the management
interface from a limited set of users (http subnet subnet-mask interface).
Also enable SSL to the management interface to open HTTPS sessions.

Create a username & password on the ASA and also use the local database to
authenticate the http/SSH sessions.

Test it out and let me know if it works for you:

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside (This command specifies who is allowed to access
the inside interface via http)
Create a username of your preference

Make sure the ASDM file is available.

For instance, asdm-625-53.bin matches asa822-k8.bin.

Then try https://(ip address of ASA) from an allowed IP address!

Best Regards,

On Sun, Jun 6, 2010 at 10:17 PM, adam gibs <adamgibs7_at_gmail.com> wrote:

> Hello Karim,
>
> Please see below the factory configs:
>
> hostname ciscoasa
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> names
> !
> interface GigabitEthernet0/0
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface GigabitEthernet0/1
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface GigabitEthernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface GigabitEthernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> ftp mode passive
> pager lines 24
> logging asdm informational
> mtu management 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
>
> http 192.168.1.0 255.255.255.0 management
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> dhcpd address 192.168.1.2-192.168.1.254 management
> dhcpd enable management
> !
> threat-detection basic-threat
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> prompt hostname context
>
> What you have suggested is correct for my scenario, but I want to clear things
> up more. Can you suggest now by looking at the default configs from the factory?
>
> Thanks
>
> On Sun, Jun 6, 2010 at 11:01 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
>> Hi Adam,
>>
>> Note that, as far as I know, the management interface doesn't come with a default
>> IP address assigned.
>>
>> aaa authentication http console LOCAL
>> aaa authentication ssh console LOCAL
>> http server enable
>> http 0.0.0.0 0.0.0.0 inside (This command specifies who is allowed to
>> access the inside interface via http)
>> Create a username of your preference
>>
>> Make sure the ASDM file is available.
>> For instance, asdm-625-53.bin matches asa822-k8.bin.
>>
>> Then try https://(ip address of ASA) from an allowed IP address
>> in the list.
>>
>> Best Regards,
>>
>> On Sun, Jun 6, 2010 at 9:53 PM, adam gibs <adamgibs7_at_gmail.com> wrote:
>>
>>> Hello Friends,
>>>
>>> When I change the management interface default IP (192.168.1.1) to any
>>> other IP and then try to access it, it is not accessible by HTTPS, but
>>> when I change it back to the default it is accessible. I have also tried
>>> to access it through the inside IP, though it is not accessible. I think
>>> I have to change the command in the factory default configs,
>>>
>>> i.e. http 192.168.1.0 255.255.255.0 management
>>>
>>> When I change the above command from the default to the INSIDE IP ADDRESS
>>> SUBNET, it should be accessible? Am I right?
>>>
>>> Thanks
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> KJ
>>
>
>

-- 
KJ
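The thread turns on one mechanism: the ASA only answers ASDM/HTTPS requests from a source address that matches an `http <subnet> <mask> <interface>` line for the interface the request arrives on, and the factory line only covers 192.168.1.0/24 on the management interface. The script below is an added illustration, not part of the thread or of any Cisco tool: it parses the relevant lines of an ASA configuration, reports whether a given client would be admitted, and runs a small defender-side audit of the settings discussed (HTTP server state, `aaa authentication http console`, and any-source `http 0.0.0.0 0.0.0.0` rules). The sample configuration is constructed from the factory-default lines quoted in the thread; the inside interface addressing (10.0.0.1/24) and the re-addressed management subnet (10.10.10.0/24) are assumed values for the demonstration.

```python
import ipaddress
import re

# Constructed sample: the management-access lines of the factory-default
# config quoted in the thread, plus an assumed inside interface so the
# "http 0.0.0.0 0.0.0.0 inside" suggestion can be evaluated as well.
FACTORY_DEFAULT = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 management
"""


def parse_http_rules(config):
    """Return (server_enabled, rules); rules is a list of (network, interface)
    tuples taken from 'http A.B.C.D MASK IFACE' lines."""
    server_enabled = False
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            server_enabled = True
            continue
        m = re.match(r"^http (\S+) (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return server_enabled, rules


def https_allowed(config, src_ip, arriving_interface):
    """True if a client at src_ip, arriving on the named interface, matches an
    http rule for that interface and the HTTP server is enabled."""
    enabled, rules = parse_http_rules(config)
    if not enabled:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and iface == arriving_interface for net, iface in rules)


def change_management_ip(config, new_ip, new_mask):
    """Re-address Management0/0 the way the original poster did, leaving the
    http rule untouched; this is exactly what locks ASDM out."""
    return re.sub(r"ip address 192\.168\.1\.1 255\.255\.255\.0",
                  f"ip address {new_ip} {new_mask}", config)


def audit(config):
    """Defender-side review of the management-access settings in the thread."""
    findings = []
    enabled, rules = parse_http_rules(config)
    if not enabled:
        findings.append("http server is not enabled")
    if not re.search(r"^aaa authentication http console", config, re.M):
        findings.append("no 'aaa authentication http console' line: ASDM logins "
                        "use a blank username and the enable password")
    for net, iface in rules:
        if net.prefixlen == 0:
            findings.append(f"http rule on '{iface}' admits any source "
                            f"(0.0.0.0 0.0.0.0); narrow it to the admin subnet")
    return findings


if __name__ == "__main__":
    # Adam's symptom: re-address the management interface, keep the old rule.
    moved = change_management_ip(FACTORY_DEFAULT, "10.10.10.1", "255.255.255.0")
    print("after re-addressing, 10.10.10.5 allowed:",
          https_allowed(moved, "10.10.10.5", "management"))   # False
    # The fix is an http line for the new subnet, not a different interface.
    fixed = moved + "http 10.10.10.0 255.255.255.0 management\n"
    print("with matching http line:",
          https_allowed(fixed, "10.10.10.5", "management"))   # True
    # Karim's suggestion as written: works, but the audit flags its breadth.
    karim = FACTORY_DEFAULT + "http 0.0.0.0 0.0.0.0 inside\naaa authentication http console LOCAL\n"
    for finding in audit(karim):
        print("finding:", finding)
```

Running it shows the lockout reproduced by the re-addressing alone, the access restored by adding an `http` line for the new management subnet, and the audit flagging the any-source rule so it can be tightened to the administrators' subnet before it goes live.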
Received on Mon Jun 07 2010 - 00:10:44 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART