Can only access ASDM when on VPN

Dec 15th, 2008

Here is the config that I believe allows ASDM access


http server enable

http 172.30.0.0 255.255.0.0 inside

http 172.20.0.0 255.255.0.0 inside

http 192.168.1.0 255.255.255.0 management



Our VPN DHCP pool is 172.30.0.x


Our internal network is 192.168.133.x


So I added the following command


http 192.168.133.0 255.255.255.0 inside


Is this the correct command to allow access?


I still can't seem to connect to the firewall via ASDM.


The only way I can telnet to that fw is when I telnet to our core switch and to the fw too

JORGE RODRIGUEZ Mon, 12/15/2008 - 08:21

http 192.168.133.0 255.255.255.0 inside


is this the correct command to allow access??


Yes, it is for allowing that network mgmt access to the fw. What seems strange to me is that you have to connect to a core switch to then telnet to the firewall. What device is routing the 192.168.133.0/24 network? Can you, from the firewall, ping any host on this net?
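
An added example, not posted by anyone in this thread: a small Python check of which interfaces the `http` statements quoted above would accept a given client address on. The function names are hypothetical and the config text is a constructed sample built from the lines in the question; a match only means the management ACL permits the source, not that the client has a working path to that interface.

```python
import ipaddress

# Constructed sample: the http lines quoted in the question, plus the added one.
SAMPLE_CONFIG = """\
http server enable
http 172.30.0.0 255.255.0.0 inside
http 172.20.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.133.0 255.255.255.0 inside
"""


def parse_http_rules(config):
    """Return (server_enabled, [(network, interface), ...]) from config text."""
    enabled = False
    rules = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] != "http":
            continue
        if parts[1:3] == ["server", "enable"]:
            enabled = True
            continue
        if len(parts) != 4:
            continue  # some other http sub-command, not "http <net> <mask> <if>"
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # first two fields are not an address and mask
        rules.append((net, parts[3]))
    return enabled, rules


def permitted_interfaces(config, client_ip):
    """Interfaces on which client_ip matches an http statement (sorted)."""
    enabled, rules = parse_http_rules(config)
    if not enabled:
        return []  # without "http server enable" nothing is served at all
    addr = ipaddress.ip_address(client_ip)
    return sorted({iface for net, iface in rules if addr in net})


if __name__ == "__main__":
    # Constructed client addresses, one per subnet mentioned in the thread.
    for ip in ("192.168.133.25", "172.30.0.10", "192.168.1.5", "10.1.1.1"):
        print(ip, "->", permitted_interfaces(SAMPLE_CONFIG, ip) or "not permitted")
```

If the client address is permitted here and the browser still times out, the `http` statements are not the cause and the path between the client and that interface is the next thing to check.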

JORGE RODRIGUEZ Mon, 12/15/2008 - 08:50

Also, what error message are you getting? Are you using https as opposed to http://fw_ip?


Can any other subnet access ASDM?


Can you also post the output of show version?


nygenxny123 Mon, 12/15/2008 - 11:17

I get the following message in my browser


Using https://


The connection has timed out

The server at 172.20.1.1 is taking too long to respond.


* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.


I can't ping the inside interface from my network.


Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)


Compiled on Wed 31-May-06 14:45 by root

System image file is "disk0:/asa721-k8.bin"

Config file at boot was "startup-config"


PHR-InternetFW up 2 years 38 days

failover cluster up 2 years 38 days


Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB


Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04






JORGE RODRIGUEZ Mon, 12/15/2008 - 13:06

Can you post a sanitized config? Omit public IP info.


Also, if you are accessing from the 192.168.133.0 or 172.30.0.0 or 172.20.0.0 networks, from that source host try a telnet test to either the IP address of the inside interface of the firewall or the management0/0 interface.


i.e.


c:\telnet 443


or


c:\telnet 443


If you get a black screen on each of the tests, we know connectivity is there to the firewall on secure port 443.



Regards






nygenxny123 Mon, 12/15/2008 - 13:43

Management IP is left at default 192.168.1.1

so that won't work


and a telnet


C:>telnet 172.20.1.1

Connecting To 172.20.1.1...Could not open connection to the host, on port 23: Connect failed


C:\>telnet 172.20.1.1 443

Connecting To 172.20.1.1...Could not open connection to the host, on port 443: Connect failed

JORGE RODRIGUEZ Mon, 12/15/2008 - 13:58

PHR-InternetFW up 2 years 38 days


Question: when was the last time you had accessed ASDM on this firewall, during the uptime of 2 years, from those source subnets?

