Unable to access Pix 515 via ASDM

Sep 1st, 2011

I am new to this company and the employees that set up this equipment are gone. The history about this box is that they had access through the ASDM until they changed the management interfaces to Vlan 50.


The pix firewall is 192.168.50.10 and my interface to my PC is on Vlan 10 which is 192.168.10.115. I can ping 192.168.50.10 but I am unable to access this through ASDM. I believe the pix is denying me.


When I look in the config I see the ASDM image and I see that they have http server enabled.


I see my network 192.168.10.0 as inside but I don't see 192.168.50.0.


I could have just tried this but I wanted to ask someone before I did this as it's in production and I don't know too many people.


Regards


Ralph

Anu M Chacko Sat, 09/03/2011 - 10:38
User Badges:
  • Cisco Employee,

Hi Ralph,


Please check if you have allowed your network to access ASDM on the interface that you're connected to. If you're trying to access the PIX on an interface (say, it is named "inside") from 192.168.10.115, you need to have:


http 192.168.10.115 255.255.255.255 inside


The "inside" interface will be in the 192.168.10.x subnet. Let me know if you have more queries.


Hope this helps!


Regards,

Anu

ralphstaiano Tue, 09/06/2011 - 11:45

Hi Anu


Thank you for responding to my question. It didn't work but what you said is exactly what I thought. Thanks.

Next silly question. If I telnet into the PIX by entering the password, is that the same username and password that I would enter if I were logging into the ASDM?


Ralph

ralphstaiano Wed, 09/07/2011 - 08:11

I decided to access ASDM and console in at the same time. My tool is logging errors.


I believe it's a denial from my firewall as no rule is set on this new interface, so it's an implicit denial.


The log is showing this error when I try to log into the ASDM:


TCP access denied by ACL from 192.168.40.197/7897 to intf4:192.168.40.2/443


I added this statement in


access-list intf4 extended permit tcp 192.168.40.0 255.255.255.0 interface intf4 eq https


I am getting the same error.

Anu M Chacko Wed, 09/07/2011 - 08:15
User Badges:
  • Cisco Employee,

Hi Ralph,


Please post the output of "sh run" here.


Regards,

Anu

ralphstaiano Wed, 09/07/2011 - 08:42


Hi Anu


I am unable to do that for security reasons.


Hi Mario

Give me a few mins and I will find out.

Mario Mastromattei Wed, 09/07/2011 - 08:33
User Badges:
  • Cisco Employee,

ASDM supports Cisco PIX Security Appliance Software Version 7.0+, is this what you have?

ralphstaiano Wed, 09/07/2011 - 09:03

What I can give is this


interface Ethernet4
 Vlan 40
 nameif intf4
 security-level 8
 ip address 192.168.40.2 255.255.255.0
 ospf cost 10

access-list intf4 extended permit tcp 192.168.40.0 255.255.255.0 interface intf4 eq https

http server enable
http 192.168.40.0 255.255.255.0 inside


The error

TCP access denied by ACL from 192.168.40.197/7897 to intf4:192.168.40.2/443


192.168.40.197 is the PC that I am trying to connect to using the ASDM.  The intf4 is the 4th interface on the pix that is also setup on Vlan 40. I am looking at the rule that I set and I don't see what I did wrong.
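
Added example (not part of the original thread and not Cisco code): a small Python check of the rule given in Anu's first reply, that the `http` allow statement must name the interface the client arrives on, run against the config lines and log message quoted in this thread. The function names and the diagnosis strings are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the config lines and log message quoted in the thread.
CONFIG = """\
interface Ethernet4
 nameif intf4
 ip address 192.168.40.2 255.255.255.0
access-list intf4 extended permit tcp 192.168.40.0 255.255.255.0 interface intf4 eq https
http server enable
http 192.168.40.0 255.255.255.0 inside
"""
DENY = "TCP access denied by ACL from 192.168.40.197/7897 to intf4:192.168.40.2/443"

HTTP_RE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$", re.M)
DENY_RE = re.compile(r"access denied by ACL from ([\d.]+)/\d+ to (\S+?):[\d.]+/\d+")

def prefix_len(mask):
    """Prefix length of a netmask, or None for an inverse/non-contiguous mask."""
    inv = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return None if inv & (inv + 1) else 32 - inv.bit_length()

def http_rules(config):
    """Return (network, nameif) for each usable 'http <net> <mask> <nameif>' line."""
    rules = []
    for net, mask, nameif in HTTP_RE.findall(config):
        plen = prefix_len(mask)
        if plen is not None:  # skip wildcard-style masks such as 0.0.0.255
            rules.append((ipaddress.ip_network(f"{net}/{plen}", strict=False), nameif))
    return rules

def diagnose(config, deny_line):
    """Compare the source and ingress interface of a deny message with the http rules."""
    m = DENY_RE.search(deny_line)
    if not m:
        return "unparsed"
    src, ingress = ipaddress.ip_address(m.group(1)), m.group(2)
    if not re.search(r"^http server enable\b", config, re.M):
        return "http server disabled"
    covering = [nameif for net, nameif in http_rules(config) if src in net]
    if ingress in covering:
        return "allowed"
    if covering:
        return f"source allowed on {', '.join(covering)} but arrived on {ingress}"
    return f"no http rule covers {src}"

if __name__ == "__main__":
    print(diagnose(CONFIG, DENY))
```
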

ralphstaiano Wed, 09/07/2011 - 09:09

I am wondering if it's the netmask. Could it be an inverse mask? Should I try 0.0.0.255?

ralphstaiano Wed, 09/07/2011 - 10:18

I tried


https://192.168.40.2:444 and I get "Internet Explorer can't display the page". But I do not get a denial of service from the pix. No errors.


https://192.168.40.2:443 I get a denial of service and can not display the page.


When I use the ASDM software I just get a denial of service with no connection.

Anu M Chacko Thu, 09/08/2011 - 08:21
User Badges:
  • Cisco Employee,

Hey Ralph,


Sorry for getting back to you late. Can you try upgrading the ASDM version to 6.1.5? Here is the link from where you can download the ASDM image:


http://www.cisco.com/cisco/software/release.html?mdfid=279513399&flowid=4462&softwareid=280775064&release=6.1.5&rellifecycle=&relind=AVAILABLE&reltype=latest


Here is the procedure to upgrade:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask2


Hope this helps!


Regards,

Anu

Anu M Chacko Wed, 09/07/2011 - 09:22
User Badges:
  • Cisco Employee,

Hi Ralph,


So, the ASDM version is 6.1. What about the PIX version? The inverse mask cannot be used on the PIX. What error message do you see when you try to access the ASDM? Are you trying to access using the browser or the launcher? Are you using webvpn? If yes, try changing the port to another one, like 444 (http server enable 444), and then type https://192.168.40.2:444. This should take you to the ASDM page.


Also, verify the Java version that you're running on your PC.


Let me know.


Regards,

Anu

ralphstaiano Wed, 09/07/2011 - 10:08

Mario, Anu


Made a mistake on the versions.


I made a mistake in my notes.


Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
