cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
641
Views
0
Helpful
3
Replies

Help with http management access on ASA5525

mdarcilla
Level 1
Level 1

Hello. Hoping someone could help with this issue. 

It's been a while since I've had to access the firewall (probably the last time was when we had it installed and our vendor helped us with configuration) but for some reason I can't get to it anymore by IP address in the browser.

For Chrome, it's firing back that the connection was interrupted, while IE is complaining about turning on TLS (even though it's checked). Firefox says the connection has been reset.

We haven't updated or done anything to this guy in a while, so I'm not sure what may have happened in between then and now. I can access it just fine from telnet, just not via browser (so I could get ASDM installed). Pings to the IP address come back okay.

I'll paste in the particulars that I think are relevant and I'll try not to include unnecessary stuff. (if you're curious about the presence or lack of certain entries, just lmk and I'll check for them)

 

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(1)

...

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.254.1 255.255.255.0
!

asdm image disk0:/asdm-721.bin

...

user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL

http server enable
http 10.0.0.0 255.0.0.0 inside

....

 

on show ssl:

Accept connections using SSLv2 or greater and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or greater
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

The usernames we use are defined and passworded with privilege 15

 

I noticed some other people have the http line marked as 'management' instead of 'inside'. is that just an older version or something?

Is there something I should look for in particular to address this?

Any help is appreciated. Thanks in advance!

1 Accepted Solution

Accepted Solutions

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

Are you trying to access the "inside" interface on the CSM server itself ?

Rest of the configuration looks good.

Note:- Make sure you have the client connected behind the Inside interface for this to work.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

3 Replies 3

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

Are you trying to access the "inside" interface on the CSM server itself ?

Rest of the configuration looks good.

Note:- Make sure you have the client connected behind the Inside interface for this to work.

Thanks and Regards,

Vibhor Amrodia

Yes, I'm trying to get to it from my system which is on a 10.x.x.x address, navigating to the inside address (10.100.254.1), but it doesn't resolve to the usual page that prompts to download the ADSM installer. As I mentioned, I can telnet to that address just fine, so not sure where the disconnect is.

Interestingly, SSH access doesn't seem to work either. I see entries there that should cover it though:

Here's some other tidbits in reference to my observations above.

telnet 10.0.0.0 255.0.0.0 inside
telnet 172.16.0.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh <omitted> 255.255.254.0 outside
ssh <omitted> 255.255.255.192 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

...

(or are those entries for keys affecting the ssh side?) 

here's show run http's output

http server enable
http 10.0.0.0 255.0.0.0 inside
http <omitted> 255.255.255.192 outside
http <omitted> 255.255.254.0 outside
http <omitted> 255.255.255.255 outside
http 172.16.0.0 255.255.255.0 inside

In any case, what I'm trying to figure out is the http side of the problem, so not sure where else to look for that.

 

This was resolved. Looks like our web filtering was the culprit as we noticed we had access when we sent a reboot to the appliance. Fixed the IP range on that and now we're fine.

Since I couldn't mark my own post as an answer, I marked yours just to clear it.

 

Thanks for the replies.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: