Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 5510 with 2811 & 2821

Hello Everyone,

Can anyone help me figure out what I changed that will no longer allow me to run the ASDM from my remote location? It was working fine yesterday. I created a DMZ interface and was working on getting that up and running, but I didn't change anything relating to the HTTP SERVER commands, I did change the IP ADDRESS I had used for the DMZ, but i don't see how that would impact the ASDM connection.

The error I am getting when I run my ASDM-IDM launcher that installed fine when it was working is Unable to launch device manager from (My Static IP)

Here is my config on the ASA:

ASA5510# sh run

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

domain-name domain.int

enable password liChAnGedfzvir2g encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd liqhNWChAngEd2g encrypted

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.xxx.xxx 255.255.255.240

!

interface Ethernet0/2

description DMZ

nameif DMZ

security-level 100

ip address 10.10.0.1 255.255.255.252

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.xxx.xxx

name-server 205.171.2.65

name-server 205.171.3.65

domain-name domain.int

object network ROUTER-2811

host 10.10.1.2

object network ROUTER-2821

host 10.10.0.2

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 10.10.0.0 255.255.255.252

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.xxx.xxx

object-group network Outside_access_in

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

!

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

!

router rip

network 10.0.0.0

network 128.0.0.0

network 199.195.168.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.xxx.xxx 255.255.255.255 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.xxx.xxx 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username redacted password vj4ChaNgeDB.Ksz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:adafb271d4754ff427469de77be7fbe5

: end

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA 5510 with 2811 & 2821

Please add

aaa authentication http console LOCAL and test (if it does not make a difference which I do not think it will do).

Downgrade to Java 6. and give it a try.

Here is the link for the compatability stuff

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/release/notes/asdmrn64.html#wp261095

Table 1     Operating System and Browser Requirements

Operating System

Browser

Sun Java SE Plug-in1

Internet Explorer

Firefox2

Safari

Microsoft Windows (English and Japanese):

7

Vista

2008 Server

XP

6.0 or later2

1.5 or later

No support

6.0

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
12 REPLIES
New Member

ASA 5510 with 2811 & 2821

Hi,

From behind which interface are you trying to launch ASDM and what is you source ip?

- Prateek Verma

New Member

ASA 5510 with 2811 & 2821

I am trying to launch it from the Outside interface (Ethernet 0/1) and my source ip is 98.22.xxx.xxx.

So my current IP is 98.22.xxx.xxx:

I am trying to come in on:

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.xxx.xxx 255.255.255.240

I have X'd out a few numbers, but they are consistent in the config (there are no typo's).

I am able to ssh to the ASA and login to the CLI. I am also able to SSH into the CLI for both routers on the respective nat'd ports of 222 and 2222.

New Member

ASA 5510 with 2811 & 2821

Hi,

Just make sure you must have java version 7 installed on your desktop and is you run the command "show run all ssl", the ssl encryption should be 3des if it is not 3des , then remove that ssl encryption and enable ssl encryption 3des.

- Prateek Verma

New Member

Re: ASA 5510 with 2811 & 2821

I have Java on my system:

Verified Java Version

You have the recommended Java installed (Version 7 Update 51).

On the ssl, I didn't change any of that (that I can recall):

ASA5510# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

ssl certificate-authentication fca-timeout 2

New Member

ASA 5510 with 2811 & 2821

That doesn't seem to have an impact. I am still getting the error when I try and launch the ASDM:

Unable to launch device manager from (199.195.xxx.xxx)

I am trying to launch it from work 98.22.xxx.xxx. It worked yesterday, but I m ust of done something that imapcted it, a access-list of object when I created the DMZ, but I just can't tell what.

Re: ASA 5510 with 2811 & 2821

Please add

aaa authentication http console LOCAL and test (if it does not make a difference which I do not think it will do).

Downgrade to Java 6. and give it a try.

Here is the link for the compatability stuff

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/release/notes/asdmrn64.html#wp261095

Table 1     Operating System and Browser Requirements

Operating System

Browser

Sun Java SE Plug-in1

Internet Explorer

Firefox2

Safari

Microsoft Windows (English and Japanese):

7

Vista

2008 Server

XP

6.0 or later2

1.5 or later

No support

6.0

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA 5510 with 2811 & 2821

It still works at home from my internal network, with the current Java version and the fact that it worked yesterday I am leaning more towards something I changed by mistake.

I will try the aaa setting tomorrow from work to see if it makes a difference.

Re: ASA 5510 with 2811 & 2821

Hello,

Remember that when running things that are not "supported or recommended" weird things can happen

things to check

show run asdm

show flash

show run ssl

show run webvpn

sh run http

show run aaa

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA 5510 with 2811 & 2821

Yup.

ASA5510# sh run asdm

asdm image disk0:/asdm-715.bin

no asdm history enable

ASA5510# sh flash:

--#--  --length--  -----date/time------  path

  112  6283        Aug 26 2013 17:21:00  backup-config

  113  27076608    Dec 27 2013 22:06:36  asa914-k8.bin

  114  2272        Dec 27 2013 22:36:40  7_0_8_0_startup_cfg.sav

  115  22834188    Dec 27 2013 22:25:38  asdm-715.bin

  122  5364        Jan 16 2014 10:37:28  startup-config

255426560 bytes total (160120832 bytes free)

ASA5510# sh run ssl

ASA5510# sh run webvpn

ASA5510# sh run http

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.xxx.xxx 255.255.255.255 Outside

ASA5510# sh run aaa

aaa authentication ssh console LOCAL

Re: ASA 5510 with 2811 & 2821

Hello Mitchell,

The command was show run all ssl and it's properly configured.

With that in mind everything looks good so time to use a different PC and check. (Downgrade java and let us know how it goes)

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA 5510 with 2811 & 2821

Ah ok, here is that command.

ASA5510# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

ssl certificate-authentication fca-timeout 2

I did notice that when I tried the packet tracer here at home, and I plugged in my work Ip and the outside interface and did http I got a deny. When I did https I got an allow.

So I am going to try it tomorrow again and see if anything changed. I added a rule to allow https from my work IP, maybe it will help?

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

Re: ASA 5510 with 2811 & 2821

Hello,

It should not be needed

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
487
Views
0
Helpful
12
Replies
CreatePlease to create content