09-06-2010 03:19 PM - edited 03-11-2019 11:35 AM
I am trying to access ASDM for the first time and when I type in the address, 192.168.1.1/admin, the ASA reads back:
%ASA-3-710003: TCP access denied by ACL from 192.168.1.3/54975 to inside 192.168.1.1/80.
Any idea on how to solve this? Thanks.
09-06-2010 03:25 PM
Hi,
If you're trying to access ASDM from the inside network, then you must have an ACL applied to the inside interface denying this traffic. Can you check the following:
sh run access-group
Federico.
09-06-2010 03:28 PM
Sorry, new to this, how do I do that? What is the command-line code?
Also, if you could help me out on this too... I just reloaded the ASA and now it comes up with a user name and password. I don't recall setting any of this up... can we reset this?
Thanks again.
09-06-2010 03:33 PM
What if you just hit enter?
Do you have access to the CLI via telnet/SSH or console?
Federico.
09-06-2010 03:38 PM
Console. If I hit enter, I just get asked again three times and then access denied.
09-06-2010 04:22 PM
When you load https://192.168.1.1 (it looks like you did not type the "s" after "http").
An ACL applied on the interface is only used for "THROUGH" the box traffic and not "TO" the box traffic. ASDM is "TO" the box traffic.
Do not use any ID; leave it empty and only put the password in. If you don't remember configuring a password, leave it empty as well or use "cisco" for the password.
-KS
09-06-2010 05:40 PM
Yes, you're right. I know the ACL is only for through-traffic (not to-the-box), but I thought there could be a 'control-plane' filtering access to the box.
Federico.
09-09-2010 12:20 PM
Still no luck with accessing the ASDM via https://192.168.1.1/admin.
Here is my current config. Please help. ***Note: I am new to this, so please give CLI commands if needed***
Thanks,
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name 68.87.68.166
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asdm-633.bin
boot system disk0:/asa832-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
domain-name 68.87.68.166
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit tcp any any eq www
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.68.166 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns prsent_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:313795c28f0cd795aeaf7074f68525d6
: end
09-09-2010 12:32 PM
Hi Jonathan,
Is the problem still that you can't login? If so, try these commands:
username jonathan password jonathan priv 15
aaa authentication http console LOCAL
Once that's done, login again and specify a username of jonathan and a password of jonathan
Hope that helps.
-Mike
09-09-2010 12:35 PM
No, I can't get anything to pull up when I type in the address... Internet Explorer and Firefox.
09-09-2010 12:38 PM
What does the output of this command give?:
packet-tracer in inside tcp 192.168.1.3 12345 192.168.1.1 443
Also, does SSH access work?
-Mike
09-09-2010 12:43 PM
Jonathan,
pls. remove this line
conf t
no http 192.168.1.0 255.255.255.0 outside
Now, from a computer with an ip address 192.168.1.x pls. copy and paste this link below:
Use your id and password configured on the firewall.
Let us know if this works.
-KS
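To see why the %ASA-3-710003 message fired for port 80 and why the outside "http" line above is worth removing, here is an added Python example (not from the thread or from Cisco) that parses the http/ssh/telnet management-access lines out of the posted config, checks whether a to-the-box TCP connection would be accepted, and flags management access exposed on the outside interface or open to any source. It assumes the default listener ports (443 for the ASDM/HTTPS server, 22 for SSH, 23 for Telnet) and that only the interface named "outside" is untrusted.

```python
import ipaddress
import re

# Constructed excerpt: the management-access lines copied from the posted config.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet timeout 5
"""

# Assumed default to-the-box listener port per service (no custom port configured).
SERVICE_PORTS = {"http": 443, "ssh": 22, "telnet": 23}

# Matches "<service> <network> <mask> <interface>" access lines only.
RULE_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_mgmt_rules(config):
    """Return a list of (service, permitted network, interface) tuples."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            service, addr, mask, ifc = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((service, net, ifc))
    return rules


def is_permitted(rules, src_ip, ifc, dst_port):
    """Would a to-the-box TCP connection to dst_port arriving on ifc be accepted?"""
    src = ipaddress.ip_address(src_ip)
    for service, net, rule_ifc in rules:
        if SERVICE_PORTS[service] == dst_port and rule_ifc == ifc and src in net:
            return True
    return False  # nothing listens/permits: the ASA logs 710003 "TCP access denied"


def audit(rules, untrusted_ifcs=("outside",)):
    """Flag management rules on untrusted interfaces or open to any source."""
    findings = []
    for service, net, ifc in rules:
        if ifc in untrusted_ifcs:
            findings.append(f"{service} exposed on untrusted interface {ifc} ({net})")
        elif net.prefixlen == 0:
            findings.append(f"{service} on {ifc} allows any source ({net})")
    return findings
```

Running audit() on the posted config reports the outside http line plus both any-source ssh lines, and is_permitted() shows 192.168.1.3 is accepted on 443 but not on 80, which matches the logged denial.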
09-09-2010 12:45 PM
Is this what you are looking for?
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.3 using egress ifc inside
adjacency Active
next-hop mac address 0013.2089.f5f1 hits 0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)# show ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 outside
09-09-2010 12:47 PM
In Firefox I get:
The connection was reset.
09-09-2010 02:44 PM
Could you pls. post the output of "sh asp table socket"?
If you do not see 192.168.1.1 listening on 443, pls. do the following.
conf t
no http server en
http server en
-KS