ASA ASDM Access on the Outside Interface

Answered Question
Aug 1st, 2010

We have three ASA5510s, each configured for ssh and http access on the outside interface(s).  One of them has aaa with users/passwords set for both ssh and http.  I can access the ASA configured for aaa from the designated host allowed into the outside interface normally using aaa credentials.  When I try to access either of the other two, they will not accept the enable login password.  The aaa configured ASA is version 8.2, with ASDM 6.21.  The other two are both ASA version 7.0 with ASDM 5.07.  Does the ASA require aaa to be configured for https access?  How can I make these other two accept login for ASDM access?  Thank you!

Overall Rating: 5 (1 ratings)
Correct Answer
Panos Kampanakis Mon, 08/02/2010 - 10:39

If you don't have aaa configured then for ASDM you should use empty username and the enable password.


Also you can use the "aaa authentication http console LOCAL" and use a username/pwd of a priv 15 user to log in to ASDM.


To troubleshoot what is failing you can enable "debug http" and "debug aaa" on the ASA to see why the user is rejected.


I hope it helps.


PK
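
One way to check a saved running-config for the two cases this answer describes, as an added example that is not part of the original thread: the Python function below reports `http`/`ssh` management access permitted on an interface with no matching `aaa authentication ... console` line, and LOCAL authentication with no privilege 15 user defined. The sample configs, addresses, username and the function name `audit_mgmt_auth` are constructed for illustration.

```python
import re

# Constructed sample configs; hashes, addresses and usernames are placeholders.
CONFIG_NO_AAA = """\
enable password CONSTRUCTED-HASH encrypted
http server enable
http 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
"""

CONFIG_LOCAL_AAA = """\
username asdmadmin password CONSTRUCTED-HASH encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.10 255.255.255.255 outside
"""

IP = r"\d+(?:\.\d+){3}"
ACCESS_RE = re.compile(rf"^(http|ssh) ({IP}) ({IP}) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (http|ssh) console (\S+)")
USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)\b")


def audit_mgmt_auth(config, interface="outside"):
    """Return findings for http/ssh management access allowed on `interface`."""
    exposed, aaa, priv15 = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            if m.group(4) == interface:
                exposed.setdefault(m.group(1), []).append(f"{m.group(2)}/{m.group(3)}")
        elif m := AAA_RE.match(line):
            aaa[m.group(1)] = m.group(2)
        elif (m := USER_RE.match(line)) and m.group(2) == "15":
            priv15.append(m.group(1))
    findings = []
    for svc, sources in sorted(exposed.items()):
        where = f"{svc} on {interface} from {', '.join(sources)}"
        if svc not in aaa:
            findings.append(f"{where}: no 'aaa authentication {svc} console' line")
        elif aaa[svc] == "LOCAL" and not priv15:
            findings.append(f"{where}: LOCAL auth but no privilege 15 user")
    return findings
```

An empty list means every management service allowed on the interface has a console authentication line; `audit_mgmt_auth(CONFIG_NO_AAA)` returns one finding each for `http` and `ssh`.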

pootboy69 Thu, 08/19/2010 - 06:01

I'd like to thank everyone for their support!  It turns out that there was never anything wrong with the configurations on either ASA.  Yesterday, I upgraded the ASA firmware to v8.2(2) and the ASDM to v 6.6(3).  Once I did that, I could access the inside address of the remote ASA with either the ASDM or through ssh.  I don't understand why this would have made such a difference, but perhaps some Cisco genius could explain it.  In any case, I am going to upgrade our fourth remote ASA to the same revision levels, so I can have direct access to them.  Thanks again, everyone!


Regards,


Wolf
