01-01-2008 02:16 PM - edited 03-12-2019 05:56 PM
Hello,
I just upgraded my Cisco PIX 515E-R-DMZ with PIX software 8.0(3): as recommended on http://www.cisco.com/en/US/customer/docs/security/pix/pix80/release/notes/prn803.html I first loaded the PIX 8.0(3) image, then restarted the device to complete with the ASDM upgrade. Since the PIX restarted, every time I try to connect to it, I get a connection reset message:
- Using ASDM Launcher, it says "Unable to launch ASDM from xx.xx.xx.xx. Connection reset"
- Using HTTPS, by typing https://xx.xx.xx.xx I get a "The connection was reset" message.
It means I cannot access my PIX anymore at this time. Any suggestion?
Thanks.
01-01-2008 04:12 PM
Hi Frederic, this is what I think is happening: you should have TFTP'd both the 8.0(3) image and the corresponding ASDM version for 8.0 into the PIX, then rebooted, but because you upgraded the code and not ASDM, the previous ASDM version is having issues loading with the new PIX code. If in fact ASDM was also upgraded in this process, then I would suggest TFTPing the ASDM image into the PIX again. Let us know if you need further assistance.
Rgds
Jorge
01-01-2008 08:31 PM
Hi Frederic
First, uninstall any previous version of ASDM from your PC.
Then in the CLI, type dir and check the ASDM image name. Then issue the following command:
asdm image flash:/xxx.bin
Also make sure the http server enable and http server x.x.x.x inside commands are issued.
Regards
01-02-2008 03:21 AM
Ok, I could connect using SSH, and copied the correct ASDM bin (6.0.3). The problem still persists, even with that ASDM version. I still get the same messages.
The "show version" command displays:
Cisco PIX Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
Compiled on Tue 06-Nov-07 19:50 by builders
System image file is "flash:/pix.bin"
Config file at boot was "startup-config"
01-02-2008 06:57 AM
Frederic,
Could your HTTP server possibly have been disabled or enabled on a different port? Maybe the PC that you are trying to access from is not in the http server's ACL?
"show run http" will reveal any problems there.
Thanks,
-=Blayne
01-02-2008 08:54 AM
Ok, I think I'm finding some clues, thanks everyone for the replies.
Before upgrading, I was always accessing the PIX ASDM through a VPN connection, with the inside interface IP. It seems that 8.0(3) has screwed something up in the config, and that those packets are now dropped.
I added "http 0.0.0.0 0.0.0.0 outside" (just as a temporary fix to check), and now I can access the ASDM from outside with no problem, even when I'm not connected to the VPN (by using the outside interface IP).
I would like to access the ASDM using my inside IP (192.168.X.1), once connected to the VPN that has a pool like 192.168.Y.0/24. I've got a rule that says "access-list outside_access_in extended permit ip 192.168.Y.0 255.255.255.0 any". Right now in the ASDM list I've got:
http 0.0.0.0 0.0.0.0 outside
http 192.168.X.0 255.255.255.0 inside
http 192.168.Y.0 255.255.255.0 outside
I'm not sure of the last one: is that correct?
01-02-2008 09:07 AM
The last one makes perfect sense as long as you are coming from the 192.168.Y.0 network,
but it should be http 192.168.Y.0 255.255.255.0 inside.
I understand you issued http 0.0.0.0 0.0.0.0 outside, but it is best not to use this statement if your outside faces the public Internet; instead you can use ssh 0.0.0.0 0.0.0.0 outside if you ever want to connect to the PIX from the outside interface.
Rgds
Jorge
01-02-2008 09:12 AM
I noticed some changes in the config since the upgrade.
Before - PIX 7.0(2)
group-policy AdminAccess attributes
[...]
nac disable
Now - PIX 8.0(3)
nac-policy AdminAccess-nac-framework-create nac-framework
reval-period 36000
sq-period 300
group-policy AdminAccess attributes
[...]
AdminAccess-nac-framework-create
Could the behavior change with my VPN connection be related to those new lines?
I also noticed that since the upgrade there is another new line: "dynamic-access-policy-record DfltAccessPolicy"
01-02-2008 09:24 AM
Thanks Jorge. I changed it to "http 192.168.Y.0 255.255.255.0 inside", but I still get the "The connection was reset" message when trying to connect to https://192.168.X.1 or accessing with the ASDM launcher (once connected to the VPN).
The "http 0.0.0.0 0.0.0.0 outside" statement is just a temporary fix, as I'm not really comfortable with the CLI (and Cisco products in general). I'll remove it immediately after fixing this :-)
01-02-2008 09:54 AM
Ok, it seems that the problem can be fixed by adding the command "management-access inside". That command was not in the previous config, and it was working perfectly without it. Are there any problems / considerations with adding that command?
Other question: can I safely put "nac-settings none" instead of "nac-settings value AdminAccess-nac-framework-create", considering the way the NAC policy is defined right now:
nac-policy AdminAccess-nac-framework-create nac-framework
reval-period 36000
sq-period 300
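As an added example that is not part of the original thread, this is how the remote-management section of the PIX 8.0(3) configuration would look once the pieces discussed above are put together: the temporary wide-open http rule removed, the VPN pool scoped to the inside interface as Jorge suggested, and management-access inside added. Interface names, the 192.168.X.0/24 LAN, the 192.168.Y.0/24 VPN pool and the ASDM filename asdm-603.bin are placeholders or assumptions taken from the posts, not a verified copy of Frederic's config.

```cisco
! Added example, not from the thread. PIX 8.0(3) management access after the fix.
! 192.168.X.0/24 = inside LAN, 192.168.Y.0/24 = VPN client pool (placeholders).
!
! --- Weak setting from the thread: exposes HTTPS/ASDM to the entire Internet
! --- on the outside interface. Remove it as soon as access via the VPN works.
no http 0.0.0.0 0.0.0.0 outside
!
! --- ASDM image served to the launcher; confirm the filename with "dir flash:".
! --- (asdm-603.bin is an assumed name for ASDM 6.0(3).)
asdm image flash:/asdm-603.bin
!
! --- HTTPS/ASDM server and the only sources allowed to reach it.
! --- VPN clients manage the box on its inside address (192.168.X.1), so the
! --- pool entry is scoped to "inside", not "outside".
http server enable
http 192.168.X.0 255.255.255.0 inside
http 192.168.Y.0 255.255.255.0 inside
!
! --- Same scoping for SSH, instead of ssh 0.0.0.0 0.0.0.0 outside.
ssh 192.168.X.0 255.255.255.0 inside
ssh 192.168.Y.0 255.255.255.0 inside
!
! --- Lets VPN users terminating on the outside interface manage the PIX
! --- through the inside interface address, which is what the thread found
! --- missing after the upgrade.
management-access inside
```

After applying it, "show run http", "show run ssh" and "show run management-access" show exactly these lines; the thread's tests were run while the outside 0.0.0.0 rule was still present, so re-test ASDM over the VPN after removing it, and re-add a narrower outside entry only if the VPN path turns out to need one.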
01-02-2008 12:48 PM
Frederic, glad you got it resolved with management-access inside; how could I have missed that! This will allow PIX management through the VPN tunnel. This is a good one to remember; I use a VPN concentrator instead of the ASA, and a VPN ip-pool using an external Windows DHCP server.
Personally I have not played with NAC on the ASA; someone else may provide you with the right answer.
Rgds
Jorge
07-22-2008 07:41 PM
Dear Jorge,
I have the same problem: I am not able to access the PIX through ASDM or SSH. From the inside network we are trying to access the inside IP address of the PIX firewall. One more thing: it was working till yesterday.
I am getting "Unable to launch ASDM from 1.x.x.x. Connection reset", but I can take control of the secondary standby PIX firewall.
It is a PIX 515E with IOS 7.0.1.
Can you please help with this?
07-23-2008 09:18 AM
Vrushali, I will reply through your other thread.