There are two ways to manage the ASA. One uses the mgmt interface, M0/0, and is normally considered out-of-band management. The other is in-band management, where we connect to the ASA over one of the other interfaces. Either way is acceptable, but there may be occasions where a large upload to or from the ASA needs to use the mgmt interface.
Out of band Access:
interface Management0/0
nameif mgmt
security-level 0
ip address 10.255.1.155 255.255.255.0
!
http server enable
!
http 10.255.10.0 255.255.255.0 mgmt
!
route mgmt 10.255.10.0 255.255.255.0 10.255.1.1 1
!
username admin password cisco123 privilege 15
!
aaa authentication http console LOCAL
This method allows us to connect to the ASA via the ASDM, or Adaptive Security Device Manager. It's a Java-based mgmt tool that provides a GUI for interacting with the ASA.
The HTTP server on the ASA needs to be turned on so that a webpage can be presented to a user attempting to use the ASDM. If the user is not on the same subnet, which is common in networks today, you'll need a route out the mgmt interface to reach the user. A username/password combination is needed, and the user's network needs to be granted access to the HTTP server.
Open a web browser and enter the IP address of the mgmt interface.
The HTTP server uses a self-signed certificate. In Firefox, which is used here, click Advanced and accept the risk.
Click on "Install ASDM Launcher", which will download a .msi installer to install the ASDM. Remember to download and install Adobe Flash Player or the ASDM won't work.
Enter the IP address of the mgmt interface, the username and the password, and click OK.
Because a self-signed certificate is used, you'll need to accept it. Click Continue.
You are now connected to the ASDM!
The other method is to connect to the ASA via SSH. You can enable SSH access the same way you did HTTP access for out-of-band management. We're going to allow IOS3 to SSH into the ASA over the inside interface.
ssh 10.1.0.0 255.255.255.0 inside
!
aaa authentication ssh console LOCAL
IOS3#ssh -l admin 10.1.0.1
Password:
User admin logged in to ASA
Logins over the last 1 days: 2. Last login: 17:56:51 UTC Nov 24 2020 from 10.255.10.40
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ASA> en
Password:
ASA#
ASA# show ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
0 10.1.0.3 1.99 IN aes128-ctr sha1 SessionStarted admin
OUT aes128-ctr sha1 SessionStarted admin
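The http and ssh lines above decide which source networks can reach the ASA's management services, and the aaa lines decide how those logins are authenticated. As an added example (not part of the original post), this Python script audits a saved configuration for those lines; the sample text is constructed from the commands shown on this page, and the function name and the 256-address threshold are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines from the configuration above.
SAMPLE_CONFIG = """\
http server enable
http 10.255.10.0 255.255.255.0 mgmt
route mgmt 10.255.10.0 255.255.255.0 10.255.1.1 1
aaa authentication http console LOCAL
ssh 10.1.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
"""

ALLOW_RE = re.compile(r"^(http|ssh) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (http|ssh) console (\S+)$")


def audit_mgmt_access(config, max_addresses=256):
    """Return (rules, findings) for the ASDM/HTTP and SSH access lines."""
    rules, aaa, http_enabled = [], {}, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("http server enable"):
            http_enabled = True
        elif m := ALLOW_RE.match(line):
            # "<service> <network> <mask> <nameif>" permits a source network.
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            rules.append((m[1], net, m[4]))
        elif m := AAA_RE.match(line):
            aaa[m[1]] = m[2]

    findings = []
    for service, net, nameif in rules:
        if net.num_addresses > max_addresses:
            findings.append(f"{service}: {net} on {nameif} is wider than "
                            f"{max_addresses} addresses")
    services = {service for service, _, _ in rules}
    if http_enabled and "http" not in services:
        findings.append("http: server enabled but no source network permitted")
    if "http" in services and not http_enabled:
        findings.append("http: source network permitted but server not enabled")
    for service in sorted(services):
        if service not in aaa:
            findings.append(f"{service}: no 'aaa authentication {service} console' line")
    return rules, findings


if __name__ == "__main__":
    rules, findings = audit_mgmt_access(SAMPLE_CONFIG)
    for service, net, nameif in rules:
        print(f"{service:5} from {net} via {nameif}")
    print("\n".join(findings) or "no findings")
```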