Web access to ASA 5505

Unanswered Question
Sep 6th, 2010

I am configuring a Cisco ASA 5505. I still have access to the firewall through my pre-installed ASDM, but if I try to web browse I get "page cannot be displayed" and the following entry in my firewall log:

Severity | Date        | Time     | Source IP | Source Port | Destination IP | Destination Port | Description
6        | Sep 06 2010 | 13:57:52 | 10.0.1.77 | 53048       | 10.0.1.90      | 443              | Teardown TCP connection 498 for outsideDynamic:10.0.1.77/53048 to identity:10.0.1.90/443 duration 0:00:00 bytes 7 TCP Reset-I

I have configured the firewall to allow management from this IP address.

HELP PLEASE

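The teardown entry above is a %ASA-6-302014 message. As an added example (not part of the original thread), the script below parses such teardown lines and picks out connections to the ASA itself (destination interface `identity`) on a management port that ended in a TCP reset almost immediately, which is the pattern of a refused ASDM/HTTPS session. The log lines are constructed in the syslog form of 302014; the first one mirrors the poster's entry, the others (the inside address 192.168.3.129 and the 203.0.113.10 transit destination) are assumptions for illustration.

```python
"""Spot management (identity-interface) TCP connections the ASA reset at once.

Added example; not from the thread. The log lines below are constructed in the
%ASA-6-302014 teardown format; the first one mirrors the entry the poster saw,
the rest are assumed for illustration.
"""
import re
from collections import Counter

# Constructed sample log: one refused ASDM session from the thread, one normal
# ASDM session, one transit HTTPS flow through the box, one more refusal.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 498 for outsideDynamic:10.0.1.77/53048 to identity:10.0.1.90/443 duration 0:00:00 bytes 7 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 512 for inside:192.168.3.10/50122 to identity:192.168.3.129/443 duration 0:12:31 bytes 48211 TCP FINs
%ASA-6-302014: Teardown TCP connection 520 for inside:192.168.3.10/50130 to outside:203.0.113.10/443 duration 0:00:05 bytes 6102 TCP FINs
%ASA-6-302014: Teardown TCP connection 530 for outsideDynamic:10.0.1.77/53049 to identity:10.0.1.90/443 duration 0:00:00 bytes 7 TCP Reset-I
"""

# Fields of a 302014 teardown: conn id, src iface:ip/port, dst iface:ip/port,
# duration hh:mm:ss, byte count, optional teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*))?$"
)


def parse_teardowns(lines):
    """Parse 302014 lines into dicts; other syslog messages are skipped."""
    recs = []
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("conn", "src_port", "dst_port", "bytes"):
            d[k] = int(d[k])
        d["reason"] = d["reason"] or ""
        recs.append(d)
    return recs


def duration_seconds(hms):
    """Convert the 'h:mm:ss' duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def failed_mgmt_connections(lines, mgmt_ports=(443, 22), max_seconds=1):
    """Teardowns to the ASA itself ('identity' interface) on a management port
    that ended in a TCP reset within max_seconds of being built."""
    hits = []
    for rec in parse_teardowns(lines):
        if rec["dst_if"] != "identity" or rec["dst_port"] not in mgmt_ports:
            continue
        if (rec["reason"].startswith("TCP Reset")
                and duration_seconds(rec["duration"]) <= max_seconds):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count refused sessions per (source interface, source IP, port, reason)."""
    return Counter((h["src_if"], h["src_ip"], h["dst_port"], h["reason"])
                   for h in hits)


if __name__ == "__main__":
    hits = failed_mgmt_connections(SAMPLE_LOG.splitlines())
    for key, n in summarize(hits).items():
        print(n, *key)
```

Run against the sample it reports two refused HTTPS sessions from 10.0.1.77 on outsideDynamic and ignores both the completed ASDM session and the transit flow; pointing it at a real syslog export shows at a glance which source/interface pairs are being reset and which are working.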
Jennifer Halim Mon, 09/06/2010 - 06:12

Is 10.0.1.77 the host where you are trying to connect from, and 10.0.1.90 the ASA interface?

Can you share the following configuration:

sh run interface

sh run http

martinbuffleo Mon, 09/06/2010 - 06:54

Outside dynamic is the interface that I am trying to connect through.

sh run int

!
interface Vlan1
nameif outside
security-level 0
ip address 172.16.61.230 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
ospf authentication null
!
interface Vlan2
description Inside currently configured for 192.168.3.129  was 129
nameif inside
security-level 100
ip address xxx.xx.xx.xx 255.255.255.0
!
interface Vlan3
description Interface for dynamic connections
no forward interface Vlan1
nameif outsideDynamic
security-level 0
dhcp client route distance 2
ip address dhcp setroute
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
shutdown
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
shutdown
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2

sh run http

http server enable
http 10.0.1.80 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 outsideDynamic
http 0.0.0.0 0.0.0.0 outsideDynamic
http 172.16.30.0 255.255.255.0 outside
http SH_Data 255.255.255.0 inside
http 62.xxx.222.0 255.255.255.240 outsideDynamic
http 172.16.30.0 255.255.255.0 outsideDynamic
http SH_Svr_RODC 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside

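The `http` lines above decide which sources may reach ASDM/HTTPS on each interface, and two of them (`http 0.0.0.0 0.0.0.0 outsideDynamic` and `http 0.0.0.0 0.0.0.0 inside`) permit any source. As an added example, not code from the thread, the script below reads the `nameif`/`security-level` pairs from the interface blocks and the `http` rules, and flags any-source rules (HIGH on a security-level 0 interface, MEDIUM elsewhere) plus wide source ranges on security-level 0 interfaces. The sample config is a trimmed, constructed copy of the poster's `sh run interface` / `sh run http` output; the severity thresholds and the `/24` cut-off are my assumptions.

```python
"""Lint the ASDM/HTTPS management sources ('http' lines) in an ASA config.

Added example; not from the forum thread. The sample config below is
constructed from the 'sh run interface' / 'sh run http' output in the thread,
trimmed to the lines this check needs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network

# Constructed sample (assumption: the three VLAN interfaces and a subset of the
# http rules the poster shared; addresses and object names as in the thread).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif outside
 security-level 0
!
interface Vlan2
 nameif inside
 security-level 100
!
interface Vlan3
 nameif outsideDynamic
 security-level 0
!
http server enable
http 10.0.1.80 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 outsideDynamic
http 0.0.0.0 0.0.0.0 outsideDynamic
http 172.16.30.0 255.255.255.0 outside
http SH_Data 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
"""


@dataclass
class HttpRule:
    source: str   # host/network address or an object name
    mask: str
    ifname: str   # nameif the rule is bound to
    line: str     # original config line, for reporting


def parse_interfaces(cfg: str) -> dict:
    """Map each nameif to its security-level from the 'interface' blocks."""
    levels = {}
    name = level = None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = level = None      # new block: reset per-interface state
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level "):
            level = int(s.split()[1])
        if name is not None and level is not None:
            levels[name] = level
    return levels


def parse_http_rules(cfg: str) -> list:
    """Collect 'http <source> <mask> <nameif>' lines (skips 'http server enable')."""
    rules = []
    for raw in cfg.splitlines():
        parts = raw.split()
        if len(parts) == 4 and parts[0] == "http":
            rules.append(HttpRule(parts[1], parts[2], parts[3], raw.strip()))
    return rules


def prefix_len(source: str, mask: str):
    """Prefix length of source/mask, or None when source is an object name."""
    try:
        return IPv4Network(f"{source}/{mask}", strict=False).prefixlen
    except ValueError:
        return None


def lint_http_access(cfg: str, min_untrusted_prefix: int = 24) -> list:
    """Return (severity, config line, reason) for risky management sources.

    HIGH:   any-source (0.0.0.0/0) rule on a security-level 0 interface
    MEDIUM: any-source rule on a higher-security interface, or a source range
            wider than /min_untrusted_prefix on a security-level 0 interface
    WARN:   rule bound to an interface that has no nameif in the config
    """
    levels = parse_interfaces(cfg)
    findings = []
    for r in parse_http_rules(cfg):
        level = levels.get(r.ifname)
        plen = prefix_len(r.source, r.mask)
        if level is None:
            findings.append(("WARN", r.line, f"no interface named {r.ifname}"))
        elif plen == 0:
            sev = "HIGH" if level == 0 else "MEDIUM"
            findings.append((sev, r.line,
                             f"any source may reach ASDM/HTTPS on {r.ifname} "
                             f"(security-level {level})"))
        elif plen is not None and level == 0 and plen < min_untrusted_prefix:
            findings.append(("MEDIUM", r.line,
                             f"/{plen} source range on security-level 0 "
                             f"interface {r.ifname}"))
    return findings


if __name__ == "__main__":
    for sev, line, why in lint_http_access(SAMPLE_CONFIG):
        print(f"{sev:6} {line:45} {why}")
```

On the sample it reports the `0.0.0.0 0.0.0.0 outsideDynamic` rule as HIGH and the `0.0.0.0 0.0.0.0 inside` rule as MEDIUM; the host and /24 entries pass, and the `SH_Data` object-name rule is skipped because its range cannot be computed from the `http` line alone. Tightening management sources to the specific admin hosts is independent of the reset problem discussed in the thread, but the any-source entries are what a reviewer would want removed first.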
Nagaraja Thanthry Mon, 09/06/2010 - 07:02

Hello,

Can you please post the output of following command:

packet-tracer input outsideDynamic tcp 10.0.1.77 1024 10.0.1.90 443 detailed

Make sure that 10.0.1.90 is the IP assigned to the interface.

Regards,

NT

martinbuffleo Mon, 09/06/2010 - 07:07

packet-tracer input outsideDynamic tcp 10.0.1.77 1024 10.0.1.90 443$

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7e38290, priority=12, domain=punt, deny=false
        hits=16648, user_data=0xd86906f0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd820e518, priority=1, domain=permit, deny=false
        hits=33255, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.1.90       255.255.255.255 identity

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd81dfa18, priority=121, domain=permit, deny=false
        hits=990, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.0.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 6
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8210750, priority=0, domain=mgmt-tcp-intercept, deny=false
        hits=1355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8210d28, priority=0, domain=permit-ip-option, deny=true
        hits=735, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.77 using egress ifc outsideDynamic
adjacency Active
next-hop mac address 0021.70a9.3b22 hits 0

Result:
input-interface: outsideDynamic
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

Nagaraja Thanthry Mon, 09/06/2010 - 07:11

Hello,

It seems like the firewall is allowing port 443 traffic. Have you configured anything else on that interface (like WebVPN)? How are you trying to access ASDM? Through the ASDM application or through IE/Firefox?

Regards,

NT

martinbuffleo Mon, 09/06/2010 - 07:27

I can even https and ASDM across my site-to-site VPN to the "inside" interface.

Nagaraja Thanthry Mon, 09/06/2010 - 07:30

Hello,

So, if I understand you correctly, you are able to access ASDM through the 10.0.1.77 workstation. But you are not able to access https://10.0.1.90 via the same device. Are you running ASDM on a different port (other than 443)?

Also, what browser are you using?

Regards,

NT

martinbuffleo Mon, 09/06/2010 - 07:58

You are correct

IE 8

And it did work until I loaded my config onto it.

Not moved the port number that I am aware of.

Nagaraja Thanthry Mon, 09/06/2010 - 08:17

Hello,

Can you please post your entire running configuration here? I suspect that when you loaded your entire configuration, you might have accidentally included all traffic from that interface to be encrypted.

Regards,

NT
