Cisco Support Community

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Hi,


I've been struggling to get ASDM (PDM) installed and running on my PIX 515e.

The PIX IOS version is 7.2.4(30)

The ASDM version I've copied to flash is 524.


I've followed the Cisco documentation verbatim, however I still cannot connect via the Java ASDM client or via http.

When I try to connect via http, my PIX shows the following error:

"tcp access denied by acl from..."

I do not think this is a security (ACL) issue, as I've tested after opening everything up and still no luck.


Please let me know if you can help me figure this one out.

Here's my running config (w/ the relevant statements prepended with ">>>"):

----------------------------------------------

show run
: Saved
:
PIX Version 7.2(4)30
hostname ########
domain-name ########
enable password ######## ########
passwd ######## ########
names
dns-guard
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ###.###.###.### 255.255.255.248
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.16.1.250 255.255.255.0
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name ########
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended deny ip host ###.###.###.### any
access-list acl_in extended permit tcp any host ###.###.###.### eq ####
...
access-list acl_in extended permit tcp any host ###.###.###.### range #### ####
access-list acl_in extended permit tcp any host ###.###.###.### eq #### log
access-list acl_out extended permit ip any any
access-list acl_out extended permit tcp host 10.16.1.125 any eq ####
access-list acl_out extended deny tcp any any eq smtp
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq #### log
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq #### log
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq #### log
access-list acl_pri_in extended permit ip any any
pager lines 24
logging enable
logging standby
logging console warnings
logging monitor errors
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 10.16.1.13
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
>>> asdm image flash:/asdm-524.bin
>>> asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.16.0.0 255.255.0.0
nat (inside) 1 10.160.0.0 255.255.0.0
static (inside,outside) tcp ###.###.###.### ftp 10.16.1.105 ftp netmask 255.255.255.255
...
static (inside,outside) tcp ###.###.###.### #### 10.16.1.52 #### netmask 255.255.255.255
static (inside,outside) ###.###.###.### 10.16.1.125 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group acl_in in interface outside
access-group acl_pri_in in interface inside
access-group acl_pri_in out interface inside
route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1
route inside 10.1.0.0 255.255.0.0 10.16.1.254 1
route inside 10.3.0.0 255.255.0.0 10.16.1.254 1
route inside 10.16.0.0 255.255.0.0 10.16.1.254 1
route inside 10.18.0.0 255.255.0.0 10.16.1.254 1
route inside 10.19.0.0 255.255.0.0 10.16.1.254 1
route inside 10.100.0.0 255.255.0.0 10.16.1.254 1
route inside 10.160.0.0 255.255.0.0 10.16.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication telnet console LOCAL
>>> http server enable
>>> http 10.16.1.0 255.255.255.0 inside
snmp-server host inside 10.16.4.155 community public
snmp-server location ########
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.16.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 5
dhcpd auto_config outside
priority-queue outside
tftp-server outside 199.120.223.1 /pix.cfg
username superroot password oazMD.5jOUdNYLKe encrypted privilege 15
class-map CM_pdgs
 match access-list ACL_pdgs
class-map inspection_default
 match default-inspection-traffic
policy-map PM_pdgs
 class CM_pdgs
  priority
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
service-policy PM_pdgs interface outside
prompt hostname context
Cryptochecksum:89cbb84d365653943ab73a186b130019
: end

----------------------------------------------

1 ACCEPTED SOLUTION

14 REPLIES
Red

ASDM 524 not working on PIX 515e 7.2.4(30)

Can you please share the complete log that you are getting?

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Hi Varun,

Sure, np. Here are the console messages after I attempt a connection in Chrome (http://10.16.1.250) from a machine directly connected to the inside interface w/ a static IP of 10.16.1.155:

%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56111 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56112 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56113 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56111 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56112 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56113 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56112 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56111 to inside:10.16.1.250/80
%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56113 to inside:10.16.1.250/80

Red

ASDM 524 not working on PIX 515e 7.2.4(30)

Please do:

https://10.16.1.250

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Yup already tried that to no avail.

(FYI, I get no console messages via https, only via http.)

SSL configuration issue maybe?

Thanks!

Red

ASDM 524 not working on PIX 515e 7.2.4(30)

The configuration part is fine. Can you paste the output of:

show run all ssl

Try any other browser as well.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Hi Varun,

I tried IE via http and https...nothing.

Here's the output for ya...thanks!

PD-PIX00# show run all ssl
ssl server-version any
ssl client-version any
ssl encryption des-sha1

Red

Re: ASDM 524 not working on PIX 515e 7.2.4(30)

Do this:

no ssl encryption des-sha1

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

The browser might be rejecting with that cipher.

Waiting for your response.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Ok thanks.

Tried this and got the output below.

Do I really need SSL to run ASDM internally?

PD-PIX00(config)#
PD-PIX00(config)#
PD-PIX00(config)# no ssl encryption des-sha1
PD-PIX00(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
                                     ^
ERROR: % Invalid input detected at '^' marker.
PD-PIX00(config)# ssl enc ?

configure mode commands/options:
  3des-sha1    Indicate use of 3des-sha1 for ssl encryption
  aes128-sha1  Indicate use of aes128-sha1 for ssl encryption
  aes256-sha1  Indicate use of aes256-sha1 for ssl encryption
  des-sha1     Indicate use of des-sha1 for ssl encryption
  rc4-md5      Indicate use of rc4-md5 for ssl encryption
PD-PIX00(config)#
PD-PIX00(config)# ssl encryption rc4-md5 aes128-sha1 aes256-sha1 3des-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key.

Red

ASDM 524 not working on PIX 515e 7.2.4(30)

Your device doesn't seem to have the 3DES license. The browser communicates with the ASA using any one of these cipher codes; we included everything, since we do not know what cipher code would be used by your browser. Try just removing the 3des-sha1 from the encryption and access the ASDM. If it still doesn't work, then download the 3DES license from here; it's free of cost:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=119

That should resolve your issue.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Red

ASDM 524 not working on PIX 515e 7.2.4(30)

Keep this handy as well:

https://supportforums.cisco.com/docs/DOC-15016#comment-7361

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Hey thanks Varun, I'll give it a try and will let you know if it works.

FYI to viewers of this post, paste the link above w/o the "https://" for it to work.

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

Hi Varun,

Perfect, thanks! It now works fine on my backup PIX; however, it now doesn't work on my main PIX?!?!?

Below (at the bottom) is my running config on my main PIX. Any idea why it doesn't work on this one?

There is a warning about not having 128 MB of memory which shows up on BOTH PIX when issuing a "show ver". It's curious that ASDM works on the backup PIX, however, but not on the main PIX. Either way, I've just ordered 128 MB of memory for both PIX, as they need this amount w/ f/w version 7.x. The error message is included below.

In the meantime, for the post, here are the steps I used to get ASDM to work on my backup PIX (variables listed between <>):

Pix 7.2(4).30 using PDM version 5.24 (via file "asdm-524.bin")

1. Install/use Firefox (latest version ok) - may also work w/ IE or Chrome.

2. Install Java runtime 1.6, 32-bit (jre-6u12-windows-i586-p-s.exe) - the latest Oracle Java, 32-bit or 64-bit, does not seem to work in Windows 7 64-bit.

3. >copy tftp:///asdm-524.bin flash:asdm-524.bin

4. >config t
#asdm image flash:/asdm-524.bin
#http server enable
#http 255.255.255.255 inside
#activation-key
#show run all ssl
#no ssl encryption
#ssl encryption rc4-md5 aes128-sha1 aes256-sha1 3des-sha1
#write mem
#reload

-----------------------

  *************************************************************************
  **                                                                     **
  **  **** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ****  **
  **                                                                     **
  **  !!!  ---> Insufficient Memory for UR/FO/FO-AA License(s) <--- !!!  **
  **                                                                     **
  **  Minimum 128 Mb needed for UR/FO/FO-AA License(s) on this platform! **
  **                                                                     **
  *************************************************************************

-----------------------

Running config for main PIX where ASDM does not work:

show run
: Saved
:
PIX Version 7.2(4)30
!
terminal width 511
hostname ######
domain-name ######
enable password ###### ######
passwd ###### ######
names
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ###.###.###.### ###.###.###.###
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.16.1.250 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif intf2
 security-level 4
 no ip address
!
interface Ethernet3
 shutdown
 nameif intf3
 security-level 6
 no ip address
!
interface Ethernet4
 shutdown
 nameif intf4
 security-level 8
 no ip address
!
interface Ethernet5
 shutdown
 nameif intf5
 security-level 10
 no ip address
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name ######
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended deny ip host ###.###.###.### any
access-list acl_in extended permit tcp any host ###.###.###.### eq ###
...
access-list acl_in extended permit tcp any host ###.###.###.### eq ### log
access-list acl_out extended permit ip any any
access-list acl_out extended permit tcp host 10.16.1.125 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq ### log
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq ### log
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq ### log
pager lines 24
logging enable
logging standby
logging console debugging
logging monitor emergencies
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 10.16.1.13
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.16.0.0 255.255.0.0
nat (inside) 1 10.160.0.0 255.255.0.0
static (inside,outside) tcp ###.###.###.### ### ###.###.###.### ### netmask 255.255.255.255
...
static (inside,outside) ###.###.###.### ### ###.###.###.### ### netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 ###.###.###.## 1
route inside 10.1.0.0 255.255.0.0 10.16.1.254 1
route inside 10.3.0.0 255.255.0.0 10.16.1.254 1
route inside 10.16.0.0 255.255.0.0 10.16.1.254 1
route inside 10.18.0.0 255.255.0.0 10.16.1.254 1
route inside 10.19.0.0 255.255.0.0 10.16.1.254 1
route inside 10.100.0.0 255.255.0.0 10.16.1.254 1
route inside 10.160.0.0 255.255.0.0 10.16.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication telnet console LOCAL
http server enable
http 10.16.1.0 255.255.255.0 inside
snmp-server host inside 10.16.4.155 community public
snmp-server location ######
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.16.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 5
dhcpd auto_config outside
!
priority-queue outside
tftp-server outside 199.120.223.1 /pix.cfg
ssl encryption rc4-md5 aes128-sha1 aes256-sha1 3des-sha1
username superroot password oazMD.5jOUdNYLKe encrypted privilege 15
!
class-map CM_pdgs
 match access-list ACL_pdgs
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map PM_pdgs
 class CM_pdgs
  priority
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
service-policy PM_pdgs interface outside
prompt hostname context
Cryptochecksum:e9df393ff6470a8e1bd9f24828a335c5
: end

New Member

ASDM 524 not working on PIX 515e 7.2.4(30)

OK SOLVED...

I couldn't connect to the main PIX as I was coming from a different subnet. So I made the change (below) and voilà! It works now:

# no http 10.16.1.0 255.255.255.0 inside

# http 10.16.0.0 255.255.0.0 inside

Thanks for all your help!

Simon
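The root cause Simon found on the main PIX (the client sat outside the network permitted by the `http` command) can be checked mechanically against the `%PIX-3-710003` lines he pasted earlier. The script below is an added example, not code from this thread or from Cisco: it parses `http <addr> <mask> <iface>` lines and `%PIX-3-710003: TCP access denied by ACL ...` syslog lines in the format shown above, and reports for each denial whether the source falls inside a permitted management network, before and after the /24-to-/16 change. The 10.16.4.20 client, the log lines and the unrelated `%PIX-6-302013` line are constructed sample input. It assumes the HTTPS management port is 443 (the `http server enable` default) and labels denials to any other port separately rather than blaming the `http` list, since the thread's port-80 denials came from 10.16.1.155, a host already inside the permitted /24.

```python
import ipaddress
import re

# Constructed sample input: the `http` lines from the thread, before and after the fix.
# "http server enable" is deliberately included to show it is skipped by the parser.
HTTP_BEFORE = ["http server enable", "http 10.16.1.0 255.255.255.0 inside"]
HTTP_AFTER = ["http server enable", "http 10.16.0.0 255.255.0.0 inside"]

# Constructed sample syslog lines in the %PIX-3-710003 format quoted in the thread.
# 10.16.4.20 is a hypothetical client on a different internal subnet.
SAMPLE_LOGS = [
    "%PIX-3-710003: TCP access denied by ACL from 10.16.1.155/56111 to inside:10.16.1.250/80",
    "%PIX-3-710003: TCP access denied by ACL from 10.16.4.20/41000 to inside:10.16.1.250/443",
    "%PIX-6-302013: Built inbound TCP connection (unrelated line, ignored)",
]

# `http <addr> <mask> <iface>`; lines such as "http server enable" do not match.
HTTP_RE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
DENY_RE = re.compile(
    r"%PIX-3-710003: TCP access denied by ACL from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<iface>\w+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)


def parse_http_lines(config_lines):
    """Return [(network, interface)] for every `http <addr> <mask> <iface>` line."""
    allowed = []
    for raw in config_lines:
        m = HTTP_RE.match(raw.strip())
        if m:
            addr, mask, iface = m.groups()
            # strict=False tolerates host bits set in the address field.
            allowed.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
    return allowed


def parse_denial(line):
    """Extract source, interface, destination and port from a 710003 line, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "iface": m["iface"],
            "dst": m["dst"], "dport": int(m["dport"])}


def source_permitted(src, iface, allowed):
    """True if src is inside a permitted network bound to the same interface."""
    return any(src in net and iface == net_iface for net, net_iface in allowed)


def triage(log_lines, config_lines, mgmt_port=443):
    """Classify each denial: wrong-port, permitted, or source-not-in-http-acl."""
    allowed = parse_http_lines(config_lines)
    findings = []
    for line in log_lines:
        ev = parse_denial(line)
        if ev is None:
            continue
        if ev["dport"] != mgmt_port:
            # Assumed: ASDM/HTTPS listens on mgmt_port (443 by default), so a
            # denial to another port is not explained by the `http` command.
            verdict = "wrong-port"
        elif source_permitted(ev["src"], ev["iface"], allowed):
            verdict = "permitted"
        else:
            verdict = "source-not-in-http-acl"
        findings.append((str(ev["src"]), ev["dport"], verdict))
    return findings


def narrowest_http_line(src, iface):
    """Host-specific `http` entry (the form used in step 4 of the backup-PIX procedure)."""
    return f"http {src} 255.255.255.255 {iface}"


if __name__ == "__main__":
    for label, cfg in (("before", HTTP_BEFORE), ("after", HTTP_AFTER)):
        print(label, triage(SAMPLE_LOGS, cfg))
    print(narrowest_http_line("10.16.4.20", "inside"))
```

Widening the entry to 10.16.0.0/16, as in the fix above, opens the management plane to every host in that /16; `narrowest_http_line` emits the host-specific `255.255.255.255` form from step 4 of the backup-PIX procedure, which admits only the administrator's workstation and is the form a practitioner would normally prefer.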

Red

ASDM 524 not working on PIX 515e 7.2.4(30)

Hey, that's awesome! I'm glad it's solved.

You can mark the thread as resolved now.

Thanks,
Varun Rao
Security Team,
Cisco TAC

1958 Views, 0 Helpful, 14 Replies