Can only access ASDM when on VPN

Dec 15th, 2008

Here is the config that I believe allows ASDM access

http server enable

http 172.30.0.0 255.255.0.0 inside

http 172.20.0.0 255.255.0.0 inside

http 192.168.1.0 255.255.255.0 management

Our vpn dhcp pool is 172.30.0.x

Our internal network is 192.168.133.x

So I added the following command:

http 192.168.133.0 255.255.255.0 inside

Is this the correct command to allow access?

I still can't seem to connect to the firewall via ASDM.

The only way I can telnet to that fw is when I telnet to our core switch and to the fw too.

JORGE RODRIGUEZ Mon, 12/15/2008 - 08:21

http 192.168.133.0 255.255.255.0 inside

is this the correct command to allow access??

Yes, it is, for allowing that network mgmt access to the fw. What seems strange to me is that you have to connect to a core switch to then telnet to the firewall. What device is routing the 192.168.133.0/24 network? Can you ping any host on this net from the firewall?

JORGE RODRIGUEZ Mon, 12/15/2008 - 08:50

Also, what error message are you getting? Are you using https as opposed to http://fw_ip?

Can any other subnet access ASDM?

Can you also post the output of show version?

nygenxny123 Mon, 12/15/2008 - 11:17

I get the following message in my browser

Using https://

The connection has timed out

The server at 172.20.1.1 is taking too long to respond.

* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

I can't ping the inside interface from my network.

Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root

System image file is "disk0:/asa721-k8.bin"

Config file at boot was "startup-config"

PHR-InternetFW up 2 years 38 days

failover cluster up 2 years 38 days

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

JORGE RODRIGUEZ Mon, 12/15/2008 - 13:06

Can you post a sanitized config? Omit public IP info.

Also, if you are accessing from the 192.168.133.0 or 172.30.0.0 or 172.20.0.0 networks, from that source host try a telnet test to either the IP address of the inside interface of the firewall or the management0/0 interface.

i.e.

c:\telnet 443

or

c:\telnet 443

If you get a black screen on each of the tests, we know connectivity is there to the firewall on secure port 443.

Regards

nygenxny123 Mon, 12/15/2008 - 13:43

Management IP is left at default 192.168.1.1

so that won't work

and a telnet

C:>telnet 172.20.1.1

Connecting To 172.20.1.1...Could not open connection to the host, on port 23: Connect failed

C:\>telnet 172.20.1.1 443

Connecting To 172.20.1.1...Could not open connection to the host, on port 443: Connect failed

JORGE RODRIGUEZ Mon, 12/15/2008 - 13:58

PHR-InternetFW up 2 years 38 days

Question: when was the last time you had access to ASDM on this firewall, in the uptime of 2 years, from those source subnets?
