15029 Views, 0 Helpful, 25 Replies

Unable to access ASDM: TCP access denied by ACL

woodjl1650
Level 1

I am trying to access ASDM for the first time and when I type in the address, 192.168.1.1/admin, the ASA reads back:

%ASA-3-710003: TCP access denied by ACL from 192.168.1.3/54975 to inside 192.168.1.1/80.

Any idea on how to solve this?  Thanks.
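An added example, not part of the original thread or of Cisco's tooling: a small parser for the %ASA-3-710003 message quoted above. The message is logged for traffic addressed to the ASA itself, so the relevant permit is the management command (http, ssh, telnet) for that port, not an interface ACL. The first sample line mirrors the one in the question; the others are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines.  The first mirrors the message quoted in the
# question; the remaining ones are made up to exercise the parser.
SAMPLE_LOGS = [
    "%ASA-3-710003: TCP access denied by ACL from 192.168.1.3/54975 to inside 192.168.1.1/80.",
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.7/40211 to outside:198.51.100.2/443",
    "%ASA-3-710003: UDP access denied by ACL from 192.168.1.9/5000 to inside:192.168.1.1/161",
    "%ASA-6-302013: Built inbound TCP connection 12 for inside:192.168.1.3/50000 "
    "(192.168.1.3/50000) to outside:198.51.100.9/443 (198.51.100.9/443)",
]

# %ASA-3-710003 fires when a packet addressed *to* the ASA is dropped because
# no management statement (http/ssh/telnet ...) permits the source.  The
# documented form is "to <ifc>:<ip>/<port>"; the thread shows a space instead
# of the colon, so both separators are accepted.
DENY_RE = re.compile(
    r"%ASA-(?P<sev>\d)-710003: (?P<proto>TCP|UDP) access denied by ACL "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"to (?P<ifc>[^\s:]+)[: ](?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)\.?$"
)

# Management command whose permit statements govern each to-the-box port.
# (Assumed mapping for the common ports; extend as needed.)
PORT_TO_COMMAND = {22: "ssh", 23: "telnet", 80: "http", 443: "http"}


@dataclass
class ToTheBoxDeny:
    severity: int
    proto: str
    src_ip: str
    src_port: int
    interface: str
    dst_ip: str
    dst_port: int

    @property
    def governing_command(self) -> Optional[str]:
        """ASA command whose permit lines would have to cover src_ip, if known."""
        return PORT_TO_COMMAND.get(self.dst_port)


def parse_710003(line: str) -> Optional[ToTheBoxDeny]:
    """Return the parsed deny, or None for any other syslog message."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return ToTheBoxDeny(
        int(m["sev"]), m["proto"], m["src"], int(m["sport"]),
        m["ifc"], m["dst"], int(m["dport"]),
    )


def summarize(lines: List[str]) -> Dict[Tuple[str, int, str], int]:
    """Count to-the-box denies by (interface, dst_port, source).

    Repeated denies from one inside host on 80/443 usually mean a missing
    'http <net> <mask> <ifc>' statement; the same pattern on the outside
    interface is something to monitor, not something to permit.
    """
    counts: Dict[Tuple[str, int, str], int] = {}
    for line in lines:
        d = parse_710003(line)
        if d is None:
            continue
        key = (d.interface, d.dst_port, d.src_ip)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (ifc, port, src), n in summarize(SAMPLE_LOGS).items():
        cmd = PORT_TO_COMMAND.get(port, "unknown")
        print(f"{n} deny(s) on {ifc} port {port} from {src}: check '{cmd}' statements")
```

Running it prints one line per (interface, port, source) triple with the ASA command to inspect; for the poster's line that is the `http` statements on the inside interface.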

25 Replies

Hi,

If you're trying to access ASDM from the inside network, then you must have an ACL applied to the inside interface denying this traffic. Can you check the following:

sh run access-group

Federico.

Sorry, I'm new to this. How do I do that? What is the command-line code?

Also, if you could help me out on this too: I just reloaded the ASA and now it comes up with a username and password prompt. I don't recall setting any of this up. Can we reset this?

thanks again.

What if you just hit enter?

Do you have access to the CLI via telnet/SSH or console?

Federico.

Console. If I hit enter, I just get asked again three times and then access denied.

When you load https://192.168.1.1 (it looks like you did not type the "s" after "http")

An ACL applied on the interface is only used for "THROUGH" the box traffic and not "TO" the box traffic. ASDM is "TO" the box traffic.

Do not use any ID; leave it empty and only put the password in. If you don't remember configuring a password, leave it empty as well or use "cisco" for the password.

-KS

Yes, you're right. I know the ACL is only for through-traffic (not to-the-box), but I thought there could be a 'control-plane' filtering access to the box.

Federico.

Still no luck accessing ASDM via https://192.168.1.1/admin.

Here is my current config. Please help. ***Note: I am new to this, so please give CLI commands if needed***

thanks,

ASA Version 8.2(3)
!
hostname ciscoasa
domain-name 68.87.68.166
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asdm-633.bin
boot system disk0:/asa832-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name 68.87.68.166
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit tcp any any eq www
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.68.166 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns prsent_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:313795c28f0cd795aeaf7074f68525d6
: end
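
An added example, not part of the thread and not Cisco's code: a small audit of the management-plane statements in a running config like the one posted above. It answers two questions a defender asks when ASDM is unreachable: is the client covered by an `http` statement on the interface it connects from, and which management permits expose the box on a security-level 0 interface or to any source. The embedded config is an excerpt modelled on the posted one, trimmed to the lines the audit reads; the interface-level and prefix-length checks are my own heuristics.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Excerpt modelled on the running config posted in the thread, trimmed to the
# lines this audit cares about (constructed for the example).
CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# "<service> <network> <mask> <nameif>" permits to-the-box management access.
MGMT_RE = re.compile(r"^(http|ssh|telnet) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")

Rule = Tuple[str, ipaddress.IPv4Network, str, str]  # service, net, nameif, raw line


def parse_interfaces(cfg: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking the interface blocks."""
    levels: Dict[str, int] = {}
    current = None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = {"nameif": None, "level": None}
        elif current is not None and s.startswith("nameif "):
            current["nameif"] = s.split()[1]
        elif current is not None and s.startswith("security-level "):
            current["level"] = int(s.split()[1])
        if current and current["nameif"] and current["level"] is not None:
            levels[current["nameif"]] = current["level"]
    return levels


def parse_mgmt_rules(cfg: str) -> List[Rule]:
    """Collect http/ssh/telnet permit statements as network objects."""
    rules: List[Rule] = []
    for line in cfg.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            svc, net, mask, ifc = m.groups()
            rules.append((svc, ipaddress.ip_network(f"{net}/{mask}"), ifc, line.strip()))
    return rules


def http_server_enabled(cfg: str) -> bool:
    return any(l.strip() == "http server enable" for l in cfg.splitlines())


def client_allowed(cfg: str, service: str, client_ip: str, ifc: str) -> bool:
    """Would a client at client_ip, arriving on ifc, be permitted for service?"""
    ip = ipaddress.ip_address(client_ip)
    return any(svc == service and r_ifc == ifc and ip in net
               for svc, net, r_ifc, _ in parse_mgmt_rules(cfg))


def audit(cfg: str) -> List[str]:
    """Findings about management exposure; an empty list means nothing flagged."""
    findings: List[str] = []
    levels = parse_interfaces(cfg)
    if not http_server_enabled(cfg):
        findings.append("http server is disabled: ASDM is unreachable on every interface")
    for svc, net, ifc, _ in parse_mgmt_rules(cfg):
        if levels.get(ifc) == 0:
            findings.append(f"{svc} management permitted on {ifc} (security-level 0) from {net}")
        if net.prefixlen == 0:
            findings.append(f"{svc} on {ifc} permits any source (0.0.0.0 0.0.0.0)")
    return findings


def remediation(cfg: str) -> List[str]:
    """'no ...' lines removing management permits on security-level 0 interfaces."""
    levels = parse_interfaces(cfg)
    return [f"no {raw}" for _, _, ifc, raw in parse_mgmt_rules(cfg) if levels.get(ifc) == 0]


if __name__ == "__main__":
    print("192.168.1.3 allowed http on inside:", client_allowed(CONFIG, "http", "192.168.1.3", "inside"))
    for f in audit(CONFIG):
        print("FINDING:", f)
    for line in remediation(CONFIG):
        print("SUGGEST:", line)
```

On the excerpt, the client at 192.168.1.3 is already covered by the `http` statement on inside, which is consistent with the packet-tracer result later in the thread; the audit instead flags the `http` and `ssh` permits on the outside interface and the any-source `ssh` statements, and the suggested removals match the `no http 192.168.1.0 255.255.255.0 outside` advice given below.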

Hi Jonathan,

Is the problem still that you can't login? If so, try these commands:

username jonathan password jonathan priv 15

aaa authentication http console LOCAL

Once that's done, log in again and specify a username of jonathan and a password of jonathan.

Hope that helps.

-Mike

No, I can't get anything to pull up when I type in the address in Internet Explorer and Firefox.

What does the output of this command give?

packet-tracer in inside tcp 192.168.1.3 12345 192.168.1.1 443

Also, does SSH access work?

-Mike

Johnathan,

pls. remove this line

conf t

no http 192.168.1.0 255.255.255.0 outside

Now, from a computer with an ip address 192.168.1.x pls. copy and paste this link below:

https://192.168.1.1

Use your id and password configured on the firewall.

Let us know if this works.

-KS

Is this what you are looking for?

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.1     255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.3 using egress ifc inside
adjacency Active
next-hop mac address 0013.2089.f5f1 hits 0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# show ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 outside

In Firefox I get:

The connection was reset.

Could you pls. post the output of "sh asp table socket"?

If you do not see 192.168.1.1 listening on 443, pls. do the following.

conf t

no http server en

http server en

-KS
