Unable to access ASDM: TCP access denied by ACL

Unanswered Question
Sep 6th, 2010

I am trying to access ASDM for the first time and when I type in the address, 192.168.1.1/admin, the ASA reads back:

%ASA-3-710003: TCP access denied by ACL from 192.168.1.3/54975 to inside 192.168.1.1/80.

Any idea on how to solve this?  Thanks.

Federico Coto F... Mon, 09/06/2010 - 15:25

Hi,

If you're trying to access ASDM from the inside network, then you must have an ACL applied to the inside interface denying this traffic, can you check the following:

sh run access-group

Federico.

woodjl1650 Mon, 09/06/2010 - 15:28

Sorry, new to this, how do I do that? What is the command line code?

Also, if you could help me out on this too... just reloaded the ASA and now it comes up with a user name and password. I don't recall setting any of this up... can we reset this?

thanks again.

woodjl1650 Mon, 09/06/2010 - 15:38

Console, if I hit enter, I just get asked again three times and then access denied.

Kureli Sankar Mon, 09/06/2010 - 16:22

When you load https://192.168.1.1  (it looks like you did not type the "s" after "http")

ACL applied on the interface is only used for "THROUGH" the box traffic and not "TO" the box traffic. ASDM is "TO" the box traffic.

Do not use any ID, leave it empty and only put the password in. If you don't remember configuring a password, leave it empty as well or use "cisco" for the password.

-KS

Federico Coto F... Mon, 09/06/2010 - 17:40

Yes, you're right, I know the ACL is only for through-traffic (not to-the-box), but I thought there could be a 'control-plane' filtering access to the box.

Federico.

woodjl1650 Thu, 09/09/2010 - 12:20

Still no luck with accessing the ASDM via the https://192.168.1.1/admin

here is my current config - please help - - ***Note: I am new to this, so please give CLI commands if needed***

thanks,

ASA Version 8.2(3)
!
hostname ciscoasa
domain-name 68.87.68.166
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asdm-633.bin
boot system disk0:/asa832-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
domain-name 68.87.68.166
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit tcp any any eq www
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.68.166 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns prsent_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:313795c28f0cd795aeaf7074f68525d6
: end

mirober2 Thu, 09/09/2010 - 12:32

Hi Jonathan,

Is the problem still that you can't login? If so, try these commands:

username jonathan password jonathan priv 15

aaa authentication http console LOCAL

Once that's done, login again and specify a username of jonathan and a password of jonathan

Hope that helps.

-Mike

woodjl1650 Thu, 09/09/2010 - 12:35

No, I can't get anything to pull up when I type in the address.... Internet Explorer and Firefox.

mirober2 Thu, 09/09/2010 - 12:38

What does the output of this command give?:

packet-tracer in inside tcp 192.168.1.3 12345 192.168.1.1 443

Also, does SSH access work?

-Mike

Kureli Sankar Thu, 09/09/2010 - 12:43

Jonathan,

pls. remove this line

conf t

no http 192.168.1.0 255.255.255.0 outside

Now, from a computer with an ip address 192.168.1.x pls. copy and paste this link below:

https://192.168.1.1

Use your id and password configured on the firewall.

Let us know if this works.

-KS

woodjl1650 Thu, 09/09/2010 - 12:45

Is this what you are looking for?

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.1     255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.3 using egress ifc inside
adjacency Active
next-hop mac address 0013.2089.f5f1 hits 0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# show ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 outside

Kureli Sankar Thu, 09/09/2010 - 14:44

could you pls. post the output of "sh asp table socket"

if you do not see 192.168.1.1 listening on 443, pls. do the following.

conf t

no http server en

http server en

-KS

woodjl1650 Thu, 09/09/2010 - 18:10

Protocol  Socket    Local Address               Foreign Address         State
SSL       00029c5f  192.168.1.1:443             0.0.0.0:*               LISTEN
TCP       0007c40f  192.168.1.1:22              0.0.0.0:*               LISTEN
SSL       0008693f  174.56.139.62:443           0.0.0.0:*               LISTEN
DTLS      000aeb3f  174.56.139.62:443           0.0.0.0:*               LISTEN
TCP       000cb8af  174.56.139.62:22            0.0.0.0:*               LISTEN

woodjl1650 Thu, 09/09/2010 - 18:41

Also I noticed this while booting:

WARNING: BOOT variable added, but not a valid image disk0:/asdm-633.bin
*** Output from config line 39, "boot system disk0:/asdm-..."
WARNING: BOOT variable added, but unable to find disk0:/asa832-k8.bin
*** Output from config line 40, "boot system disk0:/asa83..."
.WARNING: This command will not take effect until interface '

Kureli Sankar Thu, 09/09/2010 - 19:53

That is the problem. You don't seem to have a valid asdm image in the flash.

dir flash:

make sure the file is in the flash and then remove the line you have and add the correct file name.

conf t

no asdm image disk0:/asdm-633.bin

asdm image flash:/

Once done issue a "sh ver" and make sure the asdm image version shows up and then try to access asdm https://192.168.1.1

If you do not have asdm image in the flash then, you have to tftp it to the firewall. The command is "copy tftp flash:"

ASDM image can be downloaded here: http://tools.cisco.com/squish/a5338C

You can download asdm-625-53.bin, which will match the ASA code 8.2.3 that you are running on this ASA.

You can remove both these lines from the config:

conf t

no boot system disk0:/asdm-633.bin
no boot system disk0:/asa832-k8.bin

-KS

woodjl1650 Fri, 09/10/2010 - 00:34

Still have this warning coming up:

.WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 83, "ssh 0.0.0.0 0.0.0.0 outs...

Updated the asdm image, but still no luck with being able to load it via the web browser.

Current config is as follows:

ASA Version 8.2(3)
!
hostname ciscoasa
domain-name 68.87.68.166
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa823-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
domain-name 68.87.68.166
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit tcp any any eq www
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.68.166 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns prsent_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7429abb7acb541d726574752e84f753d
: end

Kureli Sankar Fri, 09/10/2010 - 04:47

That warning is ok. It is because you do not have an IP address assigned to the outside interface.

Remove this line pls.

conf t

boot config disk0:/asa823.bin

Also, I still do not see a "asdm image" line in the config.

Does "sh ver" show asdm loaded at all?

Is there a valid asdm file in the flash for the 8.2.3 code you are running?

Did you download asdm from the link that I mentioned?

Once you are done with everything that I mentioned, post the output of the following:

sh run boot

sh run asdm

sh ver

sh run http

sh asp table socket

sh ip

sh nameif

Let me know.

-KS

woodjl1650 Fri, 09/10/2010 - 05:30

What is the correct way to load the ASDM?

I believe I used:

asdm image disk0:/asdm-625.bin

Kureli Sankar Fri, 09/10/2010 - 05:42

That syntax is correct provided when you do a "dir flash:" you do really see that file asdm-625.bin in flash.

-KS

sachinga.hcl Fri, 09/10/2010 - 05:46

Hi Jonathan,

Please check the documentation in this regard:

http://www.cisco.com/en/US/products/ps6121/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/start.html

Reading it would help you a lot, and further you can also discuss any issues you are facing in this regard.

I am worried about your ASDM not working after a lot of effort, but I believe it will definitely be a good experience for you if this is your first time with ASA/ASDM.

Keep up your hard work and you will be very good in all this soon.

Also get in touch with us.

HTH

Sachin Garg


abinjola Fri, 09/10/2010 - 06:30

Jonathan, to help my investigation please test the following and let me know

a) Remove the command "http server enable" and then retype it. Do you get the error message "Could not start Admin error"?

b) If you configure "http server enable port 8080", are you able to access ASDM on 8080 like https://x.x.x.x:8080?

Send me the above results and I may be able to help

--regards

woodjl1650 Fri, 09/10/2010 - 12:28

Stupid question, how do I do this?

Remove this line pls.

conf t

boot config disk0:/asa823.bin

dir flash gives me = Error opening disk0:/flash (No such file or directory)

sh run boot
boot system disk0:/asa823-k8.bin
boot config disk0:/asa823.bin

ciscoasa(config)# sh run asdm
asdm image disk0:/asdm-625.bin
no asdm history enable

ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.2(5)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "disk0:/asa823.bin"

ciscoasa up 11 hours 54 mins

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Int: Internal-Data0/0    : address is 0023.5ec2.63a8, irq 11
1: Ext: Ethernet0/0         : address is 0023.5ec2.63a0, irq 255
2: Ext: Ethernet0/1         : address is 0023.5ec2.63a1, irq 255
3: Ext: Ethernet0/2         : address is 0023.5ec2.63a2, irq 255
4: Ext: Ethernet0/3         : address is 0023.5ec2.63a3, irq 255
5: Ext: Ethernet0/4         : address is 0023.5ec2.63a4, irq 255
6: Ext: Ethernet0/5         : address is 0023.5ec2.63a5, irq 255
7: Ext: Ethernet0/6         : address is 0023.5ec2.63a6, irq 255
8: Ext: Ethernet0/7         : address is 0023.5ec2.63a7, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1248Z1DW
Running Activation Key: 0xc701ee79 0x64f122fd 0x54a0f944 0xa900cca0 0x840e1d80
Configuration register is 0x1
Configuration last modified by enable_15 at 17:53:57.929 UTC Sun Jan 6 2008

ciscoasa(config)# sh asp table socket


Protocol  Socket    Local Address               Foreign Address         State
TCP       00078f6f  192.168.1.1:22              0.0.0.0:*               LISTEN
SSL       0009411f  174.56.139.62:443           0.0.0.0:*               LISTEN
DTLS      000b159f  174.56.139.62:443           0.0.0.0:*               LISTEN
TCP       000c038f  174.56.139.62:22            0.0.0.0:*               LISTEN
SSL       041b995f  192.168.1.1:443             0.0.0.0:*               LISTEN

ciscoasa(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                174.56.139.62   255.255.248.0   DHCP
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                174.56.139.62   255.255.248.0   DHCP

ciscoasa(config)# show nameif
Interface                Name                     Security
Vlan1                    inside                   100
Vlan2                    outside                    0

Kureli Sankar Fri, 09/10/2010 - 19:05

Everything looks good.

Sorry I missed a "no" in front of the line.

conf t

no boot config disk0:/asa823.bin

This should work without any problem. Have them try another computer/laptop and/or another browser.

Watch the logs again. You can also collect captures.

cap capin int inside match tcp any ho 192.168.1.1 eq 443

Try to access asdm and issue "sh cap capin" and post the output.

Tell us exactly what happens when you issue https://192.168.1.1 on the browser.

-KS
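Two of the problems worked through in this thread, a "boot system" line pointing at an ASDM file (which produced the "not a valid image" boot warning) and management access opened on the outside interface to any source, are the kind of thing a quick config audit catches before the box goes into service. The script below is an added example, not Cisco's code or anything posted in the thread; the sample config is a constructed excerpt of the first posted running-config, and treating "outside" as the only untrusted interface is an assumption.

```python
import re
from typing import List, Sequence

# Constructed sample: only the boot, asdm and management-access lines
# from the thread's first posted config (not the full running-config).
SAMPLE_CONFIG = """\
boot system disk0:/asdm-633.bin
boot system disk0:/asa832-k8.bin
boot config disk0:/asa823.bin
asdm image disk0:/asdm-633.bin
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

ASDM_IMAGE = re.compile(r"^asdm image (\S+)$")
BOOT_SYSTEM = re.compile(r"^boot system (\S+)$")
# http/ssh/telnet <source> <mask> <interface>: who may reach the box itself
# (to-the-box traffic, which interface ACLs do not filter).
MGMT_ACCESS = re.compile(r"^(http|ssh|telnet) (\S+) (\S+) (\S+)$")


def audit_config(config: str, untrusted: Sequence[str] = ("outside",)) -> List[str]:
    """Return human-readable findings for one ASA running-config text."""
    findings: List[str] = []
    asdm_image = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ASDM_IMAGE.match(line):
            asdm_image = m.group(1)
        elif m := BOOT_SYSTEM.match(line):
            # An ASDM file is not a bootable system image; the ASA reports
            # "BOOT variable added, but not a valid image" for such a line.
            if "asdm" in m.group(1).lower():
                findings.append(f"boot system points at an ASDM file: {m.group(1)}")
        elif m := MGMT_ACCESS.match(line):
            proto, src, mask, ifc = m.groups()
            if ifc in untrusted:
                findings.append(f"{proto} management access allowed on untrusted interface {ifc}")
            if src == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto} on {ifc} accepts any source address")
    if asdm_image is None:
        findings.append("no 'asdm image' line: ASDM cannot be served")
    return findings


def count_findings(config: str) -> int:
    return len(audit_config(config))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```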
