07-04-2008 09:52 AM - edited 02-21-2020 03:48 PM
I've set up my ASA 5510 FW so that after I VPN in, I can access the ASA by ASDMing into the inside interface (172.17.193.1).
For some reason this is what happens:
1. I open up my VPN client on my workstation and connect to the outside interface of the ASA.
2. After connecting, for ping-testing purposes, I open up a command prompt and do a "ping 172.17.193.1 -t", which is the inside interface of the ASA.
3. I launch ASDM client.
4. ASDM loads up until it hits 17%, at which point I get an Error window "ASDM is temporarily unable to contact the firewall". At this point, my ping test is now giving me Request Time Out. I click OK on the Error window.
5. The ping test changes from RTO back to successful ping. ASDM continues loading up until the device dashboard tab with the asdm syslog messages show up.
6. ASDM then hangs, and the ping test goes to RTO again.
7. ASDM hangs (can't click on it, can't close it down, etc) for about 2 min before it comes back alive. The ping test goes back to ping successful.
Anyone have an idea why it does that?
If I load up SSH to 172.17.193.1 by itself, it's fine.
If ASDM is hanging and I load up SSH, SSH obviously cannot connect.
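The ping-while-ASDM-loads check in steps 2 to 7, as an added example that is not part of the original post: instead of ICMP it probes the two management ports the poster is actually using (443 for ASDM over HTTPS, 22 for SSH) with TCP connects, records each sample against a timestamp, and collapses the samples into outage windows so the roughly two-minute hang can be measured rather than eyeballed. The inside address 172.17.193.1 comes from the post; the ports, the one-second interval and the three-minute run length are this example's assumptions.

```python
"""Timestamped reachability monitor for an ASA management interface.

Added example for this thread, not the poster's code.  It replaces the
manual 'ping -t' with TCP connects to the ports ASDM (443) and SSH (22)
use, and turns the samples into outage windows.
"""
import socket
import time

ASA_INSIDE = "172.17.193.1"        # inside interface named in the post
PORTS = {"asdm": 443, "ssh": 22}   # assumed: ASDM over HTTPS, SSH on its default port


def probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def runs(samples):
    """Collapse (seconds, up) samples into (first, last, up) runs of equal state."""
    out = []
    for t, up in samples:
        if out and out[-1][2] == up:
            out[-1] = (out[-1][0], t, up)
        else:
            out.append((t, t, up))
    return out


def outage_windows(samples):
    """(first failed probe, last failed probe, seconds between them) per down run.

    The span is between the first and last failed sample, so it understates
    the true outage by up to one probe interval on each side."""
    return [(s, e, e - s) for s, e, up in runs(samples) if not up]


def monitor(host=ASA_INSIDE, ports=PORTS, interval=1.0, duration=180.0):
    """Probe every port once per interval for duration seconds.

    Returns {port name: [(seconds since start, up), ...]}.  Run it in one
    window, then launch ASDM in another, as in the post."""
    samples = {name: [] for name in ports}
    t0 = time.monotonic()
    while time.monotonic() - t0 < duration:
        now = time.monotonic() - t0
        for name, port in ports.items():
            samples[name].append((now, probe(host, port)))
        time.sleep(interval)
    return samples


if __name__ == "__main__":
    for name, data in monitor().items():
        for start, end, secs in outage_windows(data):
            print(f"{name}: down from +{start:.0f}s to +{end:.0f}s ({secs:.0f}s)")
```

If ASDM and SSH drop together, the device itself (or the tunnel) is unavailable; if only 443 drops while 22 keeps answering, the problem is specific to the HTTP server on the ASA.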
07-04-2008 09:56 AM
ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address outside_ip 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.193.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list admin_access_thru_vpn extended permit ip 192.168.10.0 255.255.255.0 host 172.17.193.1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.10.101-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
access-group admin_access_thru_vpn in interface outside
route outside 0.0.0.0 0.0.0.0 gw_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 172.17.193.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh 172.17.193.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
07-04-2008 09:56 AM
dhcpd address 172.x.x.101-172.17.193.254 inside
dhcpd dns dns1_ip dns2_ip interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 67.x.x.78 source outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value vpnuserspool
username admin password xxxx encrypted privilege 15
username admin attributes
vpn-group-policy vpnuserspolicy
username vpnuser1 password xxx encrypted
username vpnuser1 attributes
vpn-group-policy vpnuserspolicy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#
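A lint pass over the posted configuration, as an added example (not the poster's or Cisco's code): it reads a constructed excerpt of the config above (redacted values left out), reports the transform sets a crypto map actually offers that use DES, 3DES or MD5, ISAKMP policies that negotiate DES/3DES, MD5 or a DH group of 1024 bits or less, the disabled NAT-T, and checks whether the VPN pool is permitted by the http and ssh lines on the management-access interface. For this config the last check passes, which is consistent with SSH working over the tunnel; the rule names and thresholds are this example's own.

```python
"""Lint an ASA 8.0 running-config for weak IKE/IPsec settings and check
that the VPN pool can reach management on the management-access interface.
Added example for this thread, not the poster's or Cisco's code."""
import ipaddress
import re

# Constructed excerpt of the config posted above; redacted values are left out.
SAMPLE_CONFIG = """\
ip local pool vpnuserspool 192.168.10.101-192.168.10.254 mask 255.255.255.0
http 192.168.10.0 255.255.255.0 inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
ssh 192.168.10.0 255.255.255.0 inside
management-access inside
"""

WEAK_ESP_ENC = {"esp-des", "esp-3des"}
WEAK_ESP_HASH = {"esp-md5-hmac"}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
IKE_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_transform_sets(config):
    """transform-set name -> (esp cipher, esp integrity)."""
    return {n: (e, h) for n, e, h in re.findall(
        r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$", config, re.M)}


def offered_transform_sets(config):
    """Names listed on any crypto-map or dynamic-map 'set transform-set' line."""
    return {n for line in re.findall(r"set transform-set (.+)$", config, re.M)
            for n in line.split()}


def parse_isakmp_policies(config):
    """policy number -> {attribute: value}; works with or without indentation."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.split(" ", 1)[0] in IKE_ATTRS:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
        else:
            current = None          # any other line ends the policy block
    return policies


def pool_reaches_management(config):
    """For http and ssh: does a line on the management-access interface cover the whole pool?"""
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask \S+", config, re.M)
    mgmt = re.search(r"^management-access (\S+)", config, re.M)
    if not pool or not mgmt:
        return {"http": False, "ssh": False}
    lo, hi = (ipaddress.ip_address(a) for a in pool.groups())
    result = {}
    for proto in ("http", "ssh"):
        nets = [ipaddress.ip_network(f"{n}/{m}", strict=False)
                for n, m, iface in re.findall(rf"^{proto} (\S+) (\S+) (\S+)$", config, re.M)
                if iface == mgmt.group(1)]
        result[proto] = any(lo in n and hi in n for n in nets)
    return result


def lint(config):
    """Return human-readable findings for the config text."""
    findings = []
    offered = offered_transform_sets(config)
    for name, (enc, integ) in sorted(parse_transform_sets(config).items()):
        if name in offered and (enc in WEAK_ESP_ENC or integ in WEAK_ESP_HASH):
            findings.append(f"transform-set {name} offered with {enc}/{integ}")
    for num, attrs in sorted(parse_isakmp_policies(config).items()):
        weak = [f"{k} {v}" for k, v in attrs.items() if v in WEAK_IKE.get(k, ())]
        if weak:
            findings.append(f"isakmp policy {num} uses {', '.join(weak)}")
    if re.search(r"^no crypto isakmp nat-traversal$", config, re.M):
        findings.append("NAT-T disabled: IPsec clients behind NAT cannot complete IKE")
    for proto, ok in pool_reaches_management(config).items():
        if not ok:
            findings.append(f"{proto}: VPN pool not permitted on the management-access interface")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Transform sets that are defined but never referenced by a map (ESP-DES-MD5 in the excerpt) are deliberately not reported, since the peer can never negotiate them; the ones the dynamic map lists are what a client can actually select.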