  • Access 5510 via ASDM Launcher

    Hello everyone,

    I have a 5510 and it was recently upgraded to ASA 7.2(4). Somehow, I lost the ability to connect to the device via ASDM or https and I cannot get it to work. I only have access via telnet.

    I would appreciate if somebody could take a look at my configuration and help me get access via ASDM back.

    Thanks a million!


    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name mydomain.com
    enable password ******* encrypted
    passwd ******** encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 172.16.1.253 255.255.255.0
    !
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address public_ip 255.255.255.248
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 192.168.200.253 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name mydomain.com
    object-group service SMTP tcp
    port-object eq smtp
    access-list IPS extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
    access-list outside_access_in extended permit tcp any host public_ip eq ftp
    access-list outside_access_in extended permit tcp any host public_ip eq 222
    access-list outside_access_in remark SMTP Rule to accept email and redirect it to exchangeserver
    access-list outside_access_in extended permit tcp any object-group SMTP host 192.168.1.5 object-group SMTP
    access-list inside_access_out extended permit tcp host 172.16.1.249 any
    access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
    access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
    access-list inside_access_out extended permit tcp any any eq ftp
    access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
    access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
    access-list inside_access_out remark Allow Internal TCP to VPN Clients
    access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_out remark Allow Internal UDP to VPN clients
    access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_out remark Allow Internal ICMP to VPN Clients
    access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_out remark Allow SSH from Oscar's to Any
    access-list inside_access_out extended permit tcp host 192.168.1.61 any eq ssh
    access-list inside_access_out remark Allow SSH from Tony's to Any
    access-list inside_access_out extended permit tcp host 192.168.1.58 any eq ssh
    access-list inside_access_out remark FTP traffic for TESTFTP system
    access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
    access-list inside_access_out remark Access to speakeasy.net (?)
    access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 host public_ip eq www
    access-list inside_access_out remark Access to speakeasy.net (?)
    access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 host public_ip eq https
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm512-k8.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 172.16.0.0 255.255.0.0
    static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
    access-group inside_access_out in interface inside
    access-group outside_access_in in interface outside
    route inside 192.168.1.0 255.255.255.0 172.16.1.254 1
    route inside 172.16.0.0 255.255.0.0 172.16.1.254 1
    route outside 0.0.0.0 0.0.0.0 20.7.97.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.61 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    group-delimiter @
    telnet 172.16.0.0 255.255.255.0 inside
    telnet 172.16.1.200 255.255.255.255 inside
    telnet 192.168.1.61 255.255.255.255 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.16.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 172.16.0.0 255.255.0.0 inside
    ssh 172.16.1.200 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    ntp server public_ip source outside
    ntp server 74.53.198.146 source outside
    ntp server 66.79.149.35 source outside
    ntp server 128.10.252.6 source outside
    ntp server 64.202.112.75 source outside
    webvpn
    enable outside
    customization DfltCustomization
    logo file disk0:/focus_cisco.gif
    customization customization1
    title text Focus 360 WebVPN Service
    login-title text Focus 360 WebVPN Login
    logo file disk0:/focus_cisco.gif
    port-forward rdp_list 3390 172.16.1.58 3389
    group-policy testgroup internal
    group-policy testgroup attributes
    wins-server value 192.168.1.1 192.168.1.6
    dns-server value 192.168.1.1 192.168.1.6
    default-domain value mydomain.com
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    group-policy webvpn_policy internal
    group-policy webvpn_policy attributes
    dns-server value 192.168.1.1
    vpn-filter none
    vpn-tunnel-protocol webvpn
    webvpn
    functions none
    customization value customization1
    port-forward value rdp_list
    group-policy bdm internal
    group-policy bdm attributes
    wins-server value 192.168.1.1 192.168.1.6
    dns-server value 192.168.1.1 192.168.1.6
    default-domain value mydomain.com
    !
    class-map my-ips-class
    match access-list IPS
    class-map class_ftp
    match port tcp range 1024 65535
    class-map class_ftp1
    match port tcp range 1 1023
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    policy-map my-ips-policy
    class my-ips-class
    ips promiscuous fail-open
    csc fail-open
    class class_ftp
    inspect ftp
    class class_ftp1
    inspect ftp
    !
    service-policy my-ips-policy interface inside
    prompt hostname context
    Cryptochecksum:0f90ce22ad570e5eb33006a1c2e6f592
    : end
    ciscoasa#

  • #2
    Re: Access 5510 via ASDM Launcher

    You have these commands, where are you trying to access from?

    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.61 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.1.0 255.255.255.0 inside


    http://ciscogeek.org/activate-asdm-a...apix-firewall/

    Did you upgrade the asdm software as well as the asa software?
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: Access 5510 via ASDM Launcher

      Hello Andy,

      I am using my workstation with IP 192.168.1.61 to connect. I have another subnet running which explains the 172. entries.

      I followed the commands from the link you included in your reply with no success. I do get the security warning, then get prompted for credentials and once credentials are provided, I get a 404 - "The page cannot be found".

      For the ASA upgrade, I used asa724-k8.bin and for the ASDM I used asdm-524.bin. My ASDM Launcher is v1.5(30).

      Thank you for your help.

      Oscar



      • #4
        Re: Access 5510 via ASDM Launcher

        Looks like you are still referencing the previous version of ASDM.

        Code:
        asdm image disk0:/asdm512-k8.bin
        Based on your last post, I would think the above config line should be changed to:

        Code:
        asdm image disk0:/asdm524-k8.bin

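The thread turns on three prerequisites for ASDM/HTTPS access: the `asdm image` line must name a file that is actually in flash after the upgrade, `http server enable` must be present, and an `http <addr> <mask> <interface>` line must cover the workstation. The checker below is an added example, not code from the thread; SAMPLE_CONFIG and SAMPLE_FLASH are constructed from the posted config lines and the file names mentioned in #3, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted config (only the lines that matter here).
SAMPLE_CONFIG = """\
asdm image disk0:/asdm512-k8.bin
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.61 255.255.255.255 inside
http 172.16.1.0 255.255.255.0 inside
"""

# Constructed 'dir disk0:' listing after the upgrade: the old 5.1(2) image is gone
# and the new file was uploaded under the name given in post #3.
SAMPLE_FLASH = ["asa724-k8.bin", "asdm-524.bin"]


def parse_http_acl(config):
    """Return (network, interface) pairs from 'http <addr> <mask> <ifname>' lines.
    'http server enable' has only two tokens after 'http', so it never matches."""
    entries = []
    for m in re.finditer(r"^\s*http (\S+) (\S+) (\S+)\s*$", config, re.M):
        addr, mask, ifname = m.groups()
        entries.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), ifname))
    return entries


def asdm_image(config):
    """Return the path from the 'asdm image' line, or None if absent."""
    m = re.search(r"^\s*asdm image (\S+)", config, re.M)
    return m.group(1) if m else None


def check_asdm_access(config, flash_files, client_ip):
    """Report the three prerequisites for the given client address."""
    image = asdm_image(config)
    image_name = image.split(":/")[-1] if image else None  # strip 'disk0:/'
    client = ipaddress.ip_address(client_ip)
    allowed = sorted({ifn for net, ifn in parse_http_acl(config) if client in net})
    return {
        "asdm_image": image,
        "image_in_flash": image_name in flash_files,
        "http_server_enabled": bool(re.search(r"^\s*http server enable\s*$", config, re.M)),
        "client_allowed_on": allowed,
    }


if __name__ == "__main__":
    print(check_asdm_access(SAMPLE_CONFIG, SAMPLE_FLASH, "192.168.1.61"))
```

With the posted config the report shows `image_in_flash` False, which matches the 404 after authentication; pointing `asdm image` at the file name that is really on disk0: clears it.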


        • #5
          Re: Access 5510 via ASDM Launcher

          Hello there,

          With a few name changes to match the name I had given to the .bin file, it worked!!

          Thank you for all your help!

          Oscar



          • #6
            Re: Access 5510 via ASDM Launcher

            Hello there,

            Accessing the ASDM via the GUI does work fine now. However, I just realized that I cannot connect to the CSC portion. I click on the Content Security tab, the "Connecting to CSC..." window shows up. The radio button is at the correct IP address (172.16.1.252 - If I ping it, it does respond); click Continue, enter the correct password and a message comes up ...

            [Attached image: Error.jpg (the CSC error dialog; not reproduced here)]

            Any help will be very appreciated!

            Oscar
