07-26-2013 04:34 PM - edited 03-11-2019 07:17 PM
Hi Wonderful People of This Community
Yet another ASDM issue. We can't seem to figure it out. Please help! We can't access the https webpage nor via ASDM (obviously).
ASA 5505
: Saved
:
ASA Version 8.4(6)
!
hostname mtcdcasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set myset esp-des esp-md5-hmac
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username asiuser password xxxxxxxxxxxxxxxxx encrypted privilege 15
username ciscoadmin password xxxxxxxxxxxxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6caeb80eb470224a319763d1ecee9377
: end
mtcdcasa#
Solved! Go to Solution.
07-26-2013 04:44 PM
Hello Milkboy,
This is the issue:
VPN-3DES-AES : Disabled perpetual
U need to enable that license: Get it free here:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-26-2013 04:37 PM
Hello,
What´s the ASA model you have
can you share show ssl
and show version
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-26-2013 04:40 PM
SHOW SSL
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
SHOW VERSION
Cisco Adaptive Security Appliance Software Version 8.4(6)
Device Manager Version 7.0(2)
Compiled on Fri 26-Apr-13 09:00 by builders
System image file is "disk0:/asa846-k8.bin"
Config file at boot was "startup-config"
mtcdcasa up 14 mins 18 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 1cdf.0f5c.ec3f, irq 11
1: Ext: Ethernet0/0 : address is 1cdf.0f5c.ec37, irq 255
2: Ext: Ethernet0/1 : address is 1cdf.0f5c.ec38, irq 255
3: Ext: Ethernet0/2 : address is 1cdf.0f5c.ec39, irq 255
4: Ext: Ethernet0/3 : address is 1cdf.0f5c.ec3a, irq 255
5: Ext: Ethernet0/4 : address is 1cdf.0f5c.ec3b, irq 255
6: Ext: Ethernet0/5 : address is 1cdf.0f5c.ec3c, irq 255
7: Ext: Ethernet0/6 : address is 1cdf.0f5c.ec3d, irq 255
8: Ext: Ethernet0/7 : address is 1cdf.0f5c.ec3e, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX144541LQ
Running Permanent Activation Key: 0xa01b547d 0xd4e262dd 0xdc031d40 0xb00010ec 0x48291eba
Configuration register is 0x1
Configuration has not been modified since last system restart.
07-26-2013 04:44 PM
Hello Milkboy,
This is the issue:
VPN-3DES-AES : Disabled perpetual
U need to enable that license: Get it free here:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-26-2013 04:56 PM
ANSWER
Ah yes that was it. Thanks. This was a really old RMA firewall. After activating the new key we also had to issue this command:
ssl encryption 3des-sha1 aes128-sha1 rc4-md5 rc4-sha1
Thanks again.
07-26-2013 05:23 PM
Exactly,
You got it,
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: