11-11-2008 06:30 AM - edited 03-06-2019 02:24 AM
I have attached my new ASA 5505 to my computer with the network cable as described in section 5. I have verified that Firefox 3 has both Java and Javascript enabled. When I enter https://192.168.1.1 it times out with no connection.
I have attempted to access it by connecting it to our LAN, then browsing it from various computers, both Linux and Windows. It always times out.
I have pressed and held the Reset button and tried again. No change.
The front and rear lights appear to indicate a proper connection, complete with activity.
Can you give me a hint as to what I have done wrong or should do differently or in addition?
11-11-2008 09:48 AM
I'm glad to help! Congratulations! :-)
Thanks!
John
11-11-2008 07:39 AM
I'm not sure what the default address is, but your ASA should have come with a rollover cable. (It's a light blue, flat cable with an RJ45 connection on one end and a serial (DB9) connection on the other.)
I would connect this directly to the ASA on the console port. Open hyperterminal up on your PC, and select the appropriate com port.
The settings for Hyperterminal connection should be:
Baud Rate: 9600
Data Bits: 8
Stop Bits: 1
Parity: None
Flow Control: I leave default.
After you click connect, you can hit enter a few times to get data on the screen. Once in, check your ip addresses in there by doing a:
show ip address inside
Once you have your IP address, you should be able to get into it. Also, make sure that your LAN is addressed on the same subnet as the ASA or you'll have to put a workstation in the 192.168.1.0/24 subnet.
--John
11-11-2008 07:53 AM
Thank you. I'll do that now.
I suspect you provided some part of the answer, because my lan is not on the 1 subnet. That should not have stopped the direct connection, but it should stop the LAN attempt. Maybe with the rollover cable and hyperterminal I can change my Cisco subnet to match the LAN.
11-11-2008 08:14 AM
At CISCOASA> I entered "show ip address inside"
I got CISCOASA> ERROR: % Invalid input detected at "^" marker.
The marker points to the p in ip.
?
11-11-2008 08:17 AM
Type:
Ciscoasa> en
Hit enter...it may ask you for a password, if so, try Cisco and hit enter.
If that gets you in, type:
CISCOASA# sh ip address inside
11-11-2008 08:20 AM
Thank you for the fast response.
It did ask for a password. It rejected Cisco.
Any idea what else it could be? I'll check through my booklet.
11-11-2008 08:21 AM
cisco would be the only other one, or just try to hit enter.
11-11-2008 08:32 AM
Thank you. It was
I tried case variations and got locked out after 3 tries. My book says only to see my command line interface guide, and I can't find one in the box.
It showed me the ip, and it is indeed 192.168.1.1. How can I change that?
11-11-2008 08:37 AM
To do that, enter the following:
ASA# sh ip address inside
Find the Interface that the 192.168.1.1 address is assigned to. I think it'll be VLAN2, but I'm not sure.
After you find that out, type:
ASA# conf t
ASA(config)# int vlan2 (or whatever interface it's on)
ASA(config-if)# ip address
So it would be like:
ip address 5.5.5.5 255.255.255.0
Don't use the above address, it's only for an example.
ASA(config-if)# exit
ASA(config)# exit
ASA# wr
Please rate if helpful. :-)
--John
11-11-2008 08:58 AM
I do want to thank you for being so patient and thorough, complete with examples.
I was sure it was Vlan1, and it kept saying it conflicted with Vlan2. So I changed it to Vlan2 and it took it. I made it 192.168.10.11 to put it on our subnet, and to avoid conflict with our yet to be removed Checkpoint firewall ending in 1.
Next I tried accessing 192.168.10.11. It timed out.
I can hit any other ip on this subnet, but not this new Cisco firewall. Do you think it has to end in a 1?
11-11-2008 09:06 AM
OK, here's what the book says.
Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The ASA 5505 comes preconfigured with
* Two Vlans: VLAN1 and VLAN2
* VLAN 1 has the following properties:
- Named "inside"
- Allocated switch ports Ethernet 0/1 through Ethernet 0/7
- Security level 100
- IP address of 192.168.1.1 255.255.255.0
* VLAN2 has the following properties:
- Named "outside"
- Allocated switch port Ethernet 0/0
- Security level of 0
- Configured to obtain its IP address using DHCP
This is why I thought it would be VLan1. Also, with Vlan2 getting its ip from dhcp, it might get it from the Checkpoint firewall.
Also, with it connected to our subnet, it might start supplying IPs with its own dhcp server :O
What do you think?
11-11-2008 09:09 AM
You're right in the fact that the private address is on VLAN1.
Oh, did you type http://192.168.1.1 or https://192.168.1.1?
Try with https. You won't be able to ping the interface unless you issue the command management-access inside.
--John
11-11-2008 09:07 AM
Hmm, no it doesn't need to. Can you post your config here? To do that, you need to record the sh run to a text file in hyperterminal.
You'll go to Transfer/Capture Text, give it a name, and it will start to record.
Then at the ASA# prompt type show run and hit spacebar all the way until you get back to the ASA# again. Then you click Transfer/Capture Text/Stop
From the sound of it, it doesn't sound like the ASA is configured for any public access yet, so you should just be able to post the config here without modifying it. Just double check there are no public addresses in the config for your security.
--John
11-11-2008 09:19 AM
Here's the link copied from my browser:
And here is the run shown:
show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tft
11-11-2008 09:24 AM
Well, a couple of things:
Is your workstation that you're trying to connect to the ASA with on the 192.168.1.0 network, or is it on the 192.168.10.0 network? If it's on the latter, you should connect your workstation to the back of the ASA and put your workstation statically on the 192.168.1.0 network. This will get you into it.
If you are trying to connect to it from the 192.168.10.0 network, you'll have to issue:
ASA# config t
ASA(config)# http 192.168.10.0 255.255.255.0 outside
See if that works. You won't be able to ping 192.168.1.1 from the 192.168.10.0 side. ASA doesn't support pinging the opposite side of the device (from outside interface to inside). You can either ping the outside or inside, or through the device to another host on the inside from the outside.
John
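Added example, not part of any post in this thread: a small Python check that reads the `nameif`, `security-level`, `ip address`, `http server enable` and `http <network> <mask> <interface>` lines of a running-config like the one posted above and reports whether a client address is permitted to open ASDM/HTTPS, and which permitted management networks sit on a security-level 0 interface. The function names are hypothetical, the sample config is constructed from the posted one, and routing is not modelled.

```python
import ipaddress
import re

# Constructed sample: the management-relevant lines of the config posted above.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.11 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

def parse_asa(config):
    """Return (http_enabled, {nameif: (network, level)}, [(network, nameif)])."""
    ifaces, rules, enabled = {}, [], False
    name = level = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = level = None          # new interface block starts
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"security-level (\d+)", line):
            level = int(m.group(1))
        elif (m := re.fullmatch(r"ip address (\d\S*) (\d\S*)", line)) and name:
            ifaces[name] = (ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), level)
        elif line == "http server enable":
            enabled = True
        elif m := re.fullmatch(r"http (\d\S*) (\d\S*) (\S+)", line):
            rules.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
    return enabled, ifaces, rules

def asdm_reachable(config, client_ip):
    """Name of the interface on which client_ip may open ASDM/HTTPS, else None."""
    enabled, ifaces, rules = parse_asa(config)
    ip = ipaddress.ip_address(client_ip)
    if not enabled:
        return None
    return next((i for net, i in rules if ip in net and i in ifaces), None)

def exposed_rules(config):
    """Permitted management networks bound to a security-level 0 interface."""
    _, ifaces, rules = parse_asa(config)
    return [(str(n), i) for n, i in rules if ifaces.get(i, (None, None))[1] == 0]
```

Running it over the posted config shows why a workstation on 192.168.10.0 timed out, and that adding the `http ... outside` line makes the management interface reachable from the security-level 0 side, which is worth narrowing or removing once the ASA faces a public network.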