Change remote management port Cisco ASA5510

Nov 15th, 2013

Hello!


I previously had some assistance configuring a router for inbound HTTPS traffic in this thread: https://supportforums.cisco.com/message/4026878#4026878. It has been working great.


I got a call from the customer that the web access no longer works for this product. I believe it is because the web interface for remote management is now using port 443. I can confirm this by going here: https://75.150.96.33//webviewlink/wvconnect.aspx. That should take me to a page that says the test is successful, but I get to the login page for remote management of the Cisco appliance.


How do I change the port for remote management, or better yet, disable that service?


-Mike

Jouni Forss Fri, 11/15/2013 - 10:15

Hi,


So just to make it clear, are we talking about a situation where you have a site with an ASA firewall which has only one public IP address available that is naturally used in its external interface and originally you had forwarded port TCP/443 to an internal host/server to access a web portal and the ASA has now been enabled for ASDM access (using TCP/443) that is causing connectivity problems to the actual internal server?


If the above is the situation, then if you have CLI access to the ASA you would have to check at least these settings


show run http


This should list the networks and interfaces from which the ASDM is reachable. It should also tell if the ASDM is enabled with the default port or if it's running on a nondefault port.


You should see something like


http server enable

http outside


This would mean that the ASA is configured for ASDM access


You could also use the following command to view on what ports the ASA is listening on


show asp table socket


You should probably see the TCP/443 port being listened on.


Naturally, if my presumptions above are correct, then someone at some point enabled the ASDM access, since it shouldn't start causing problems suddenly.


You can either use the CLI connection to disable the ASDM access by clearing the "http" related configurations.


You could also change the port used with the command


http server enable <port>


Hope this helps


- Jouni

Jouni Forss Fri, 11/15/2013 - 10:17

Ah,


Must be too tired. You clearly answered some of my doubts and stated the needed information in the original post, doh. Must have not registered with my brain for some reason.


Though still the above "show" commands and configuration commands should help you with this situation I imagine.


- Jouni

MJones5150 Fri, 11/15/2013 - 10:24

Here are some results of the commands....


Result of the command: "show run http"

http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
http 192.168.175.0 255.255.255.248 inside


Result of the command: "show asp table socket"

Proto  Socket    Local Address               Foreign Address         State
TCP    00013f0c  192.168.2.1:23              0.0.0.0:*               LISTEN
TCP    0001c104  192.168.100.1:23            0.0.0.0:*               LISTEN
SSL    00026de4  192.168.2.1:443             0.0.0.0:*               LISTEN
SSL    000282fc  192.168.100.1:443           0.0.0.0:*               LISTEN
SSL    0003147c  RDP-Outside:443             0.0.0.0:*               LISTEN
DTLS   0003c1b4  RDP-Outside:443             0.0.0.0:*               LISTEN
SSL    0ca72f5c  192.168.2.1:443             WebViewServer:58524     ESTAB
SSL    0ca81eb4  192.168.2.1:443             WebViewServer:58526     ESTAB
SSL    0cf24a64  192.168.2.1:443             WebViewServer:58740     ESTAB


RDP-Outside is configured as 75.150.96.33

WebViewServer is configured as 192.168.2.220


Does that help? I seem to remember it being a fairly simple process from the ASDM to change the port number it listens on, I just can't remember now what it was. I had to do it before.


-Mike
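
Reading the two outputs above together, as an added example that is not part of the original thread: `http <network> <mask> <interface>` lines name the interfaces on which ASDM is permitted, so a listener on the public address whose interface has no such line belongs to some other service (later in this thread it turns out to be the SSL VPN). The function names are hypothetical, and "outside" as the name of the public interface is an assumption.

```python
# Constructed input: the outputs quoted in the post above, trimmed to the relevant rows.
SHOW_RUN_HTTP = """\
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
http 192.168.175.0 255.255.255.248 inside
"""
SHOW_ASP_TABLE_SOCKET = """\
Proto  Socket    Local Address               Foreign Address         State
TCP    00013f0c  192.168.2.1:23              0.0.0.0:*               LISTEN
SSL    00026de4  192.168.2.1:443             0.0.0.0:*               LISTEN
SSL    000282fc  192.168.100.1:443           0.0.0.0:*               LISTEN
SSL    0003147c  RDP-Outside:443             0.0.0.0:*               LISTEN
DTLS   0003c1b4  RDP-Outside:443             0.0.0.0:*               LISTEN
SSL    0ca72f5c  192.168.2.1:443             WebViewServer:58524     ESTAB
"""

def http_server(config):
    """Return (enabled, port, interfaces) for the ASDM/HTTPS server."""
    enabled, port, ifaces = False, 443, set()
    for words in (line.split() for line in config.splitlines()):
        if words[:3] == ["http", "server", "enable"]:
            enabled = True
            if len(words) == 4 and words[3].isdigit():
                port = int(words[3])          # "http server enable 444"
        elif len(words) == 4 and words[0] == "http":
            ifaces.add(words[3])              # "http <net> <mask> <interface>"
    return enabled, port, ifaces

def listeners(table, port):
    """Map local address -> protocols in LISTEN state on the given port."""
    found = {}
    for cols in (line.split() for line in table.splitlines()):
        if len(cols) == 5 and cols[4] == "LISTEN":   # skips header and ESTAB rows
            addr, _, p = cols[2].rpartition(":")
            if p == str(port):
                found.setdefault(addr, set()).add(cols[0])
    return found

def diagnose(config, table, public_addr, public_if, port=443):
    """Say what, if anything, on the ASA itself owns `port` on the public address."""
    protos = listeners(table, port).get(public_addr, set())
    enabled, asdm_port, ifaces = http_server(config)
    if not protos:
        return "free"            # nothing local answers; a port forward can use it
    if enabled and asdm_port == port and public_if in ifaces:
        return "asdm"            # the management server is reachable here
    return "other-service"       # some other listener; ASDM is not permitted here
# "outside" is an assumed interface name for the address the post calls RDP-Outside.
print(diagnose(SHOW_RUN_HTTP, SHOW_ASP_TABLE_SOCKET, "RDP-Outside", "outside"))
```

For this sample the result is `other-service`: moving the ASDM port alone would not free TCP/443 on the public address.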

Jouni Forss Fri, 11/15/2013 - 10:30

Hi,


In the CLI format the command is for example


http server enable 444


I am not sure if changing the port while connected with ASDM cuts the current connection off or will it only affect the following connections.


On the ASDM you can go to


Configuration (Top Menu Bar) -> Device Management (Bottom Left) -> Management Access (Drop Down Menu) -> ASDM/HTTPS/Telnet/SSH (Drop Down Menu) -> Port Number (On the actual page)


Hope this helps


- Jouni

MJones5150 Fri, 11/15/2013 - 10:52

I changed it to port 444 through ASDM. I can log in and access the Cisco appliance on the internal server successfully now, but now I get a new message when I go to: https://75.150.96.33//webviewlink/wvconnect.aspx, it is for the SSL VPN service.


I found my way to a config screen for SSL VPN, tried to edit the port number for that, but it told me no changes can be made on an active interface. Do I need to shut down the entire appliance to make this change? Am I trying to make the change in the wrong spot?



-Mike

Jouni Forss Fri, 11/15/2013 - 10:55

Hi,


Try to uncheck the interface specific settings you see above and then change the port for the service.


- Jouni

Jouni Forss Fri, 11/15/2013 - 11:22

Hi,


I guess you could check the current configurations with the "packet-tracer" command


packet-tracer input outside tcp 1.1.1.1 12345 <public IP address of the ASA> 443


Insert the public IP address of the ASA and replace the IP address 1.1.1.1 with something else if it's not allowed according to your ACLs.


- Jouni

MJones5150 Fri, 11/15/2013 - 13:06

Something else happened along the way, and I had to re-create the ACL and routing rule. Once I entered those two commands, web access to the server was restored. Thank you for helping me edit the port number for remote management and the SSL VPN.


-Mike
