12-13-2013 03:28 PM - edited 03-11-2019 08:17 PM
Hi Everyone,
I am setting up a new ASA for testing purposes.
So far it has a single active interface, which is management.
I can SSH to the ASA fine but ASDM is not working.
sh run http shows
sh run http
http server enable
http 172.31.20.0 255.255.255.0 management
sh run ssh
ssh 172.31.20.0 255.255.255.0 management.
Regards
MAhesh
12-13-2013 09:38 PM
Hi,
Did you upload ASDM image to the flash and configure it with:
asdm image flash:/-----
Please check the flash with "dir" to check if there is any existing ASDM image on the disk.
Thanks.
12-14-2013 08:32 AM
Hi Murad,
I checked dir; it shows flash is there.
Regards
mahesh
12-14-2013 04:15 AM
Hello share the following
show run asdm
show flash | include asdm
show run ssl
sh version
Regards
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-14-2013 08:37 AM
Hi Julio,
sh run ssl does not show any output
show flash | include asdm
111 16280544 Jun 29 2011 12:10:58 asdm-645.bin
sh run asdm
no asdm history enable
sh ver shows
up 2 days 2 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is e8b7.483d.0d68, irq 9
1: Ext: GigabitEthernet0/1 : address is e8b7.483d.0d69, irq 9
2: Ext: GigabitEthernet0/2 : address is e8b7.483d.0d6a, irq 9
3: Ext: GigabitEthernet0/3 : address is e8b7.483d.0d6b, irq 9
4: Ext: Management0/0 : address is e8b7.483d.0d6c, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Regards
MAhesh
12-14-2013 04:55 AM
Hi Mahesh
If the ASA you are trying to reach with ASDM is X generation, the problem is caused by the command 'ssl encryption des-sha1'; all browsers will reject the SSL connection with that choice. To resolve this you have to create another cipher for SSL. The following will help you:
'no ssl encryption des-sha1'
'ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1'
Best Regards,
12-14-2013 08:43 AM
Hi Luis,
I tried above command still same thing.
Best regards
MAhesh
12-14-2013 09:04 AM
Hi Mahesh, sorry, but did you select the ASDM image as source?
asdm image disk0:/asdm-645.bin
Is the ASDM appropriate for your IOS?
asdm6.4 -> ASA8.4 or above = works
asdm6.4 -> ASA9.1 = doesn't work
Best Regards,
12-14-2013 09:22 AM
Hi Luis,
I added the command asdm image disk0:/asdm-645.bin as it was not in config.
Still same thing.
Current ios is
Version 8.4(2)
Seems IOS is compatible with ASA.
Regards
MAhesh
12-14-2013 09:13 PM
Hello,
Share the output of the following commands after the change
show run asdm
show flash | include asdm
show run ssl
What is the IP address you are using to connect?
cap capin interface management match tcp host x.x.x.x (source host) y.y.y.y (management IP address) eq 443
Then connect once and share
show cap capin
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-15-2013 01:31 PM
Hi Julio,
Here is the output of
sh cap capin
3 packets captured
1: 13:23:18.895095 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
2: 13:23:21.901167 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
3: 13:23:27.896712 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
3 packets shown
I have no clue what this output means.
Regards
MAhesh
12-15-2013 01:59 PM
Please provide the rest of the outputs
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-15-2013 02:47 PM
Mahesh
I would think that the output from these 2 commands would be especially helpful
show run asdm
show flash | include asdm
HTH
Rick
12-15-2013 09:02 PM
Hi Everyone,
Seems it is my bad.
SSH only works from our unix jump box.
When I try SSH from my PC 172.31.23 it did not work even though the ASA has been configured for that.
Seems it's a routing issue with the new ASA.
Will check the routing issue within our network and will update you.
Thanks everyone for their help & time.
Best regards
MAhesh
12-15-2013 09:01 PM
According to the captures, I see that the source IP is different from the one configured on the ASA to accept an HTTP request.
1: 13:23:18.895095 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
You mentioned in the configuration that you add this line:
http 172.31.20.0 255.255.255.0 management
In order to check this, please add:
http 0 0 management, and check if you can access it or not.
Thanks.
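The comparison made by eye in the reply above, as an added example that is not part of the original thread: it parses the `http`/`ssh` management statements and the `show cap capin` lines quoted in the thread (embedded below as constructed sample input) and reports, per SYN source, whether it is permitted and whether anything came back. The function names and the assumption that a reply line carries ` ack ` are choices of this example.

```python
import ipaddress
import re

# Constructed sample input: the config and capture lines quoted in the thread.
ASA_CONFIG = """http server enable
http 172.31.20.0 255.255.255.0 management
ssh 172.31.20.0 255.255.255.0 management"""
CAPTURE = """1: 13:23:18.895095 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
2: 13:23:21.901167 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
3: 13:23:27.896712 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192"""

ACL_RE = re.compile(r"^(http|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+([\d.]+)\.\d+\s+>\s+([\d.]+)\.\d+:\s+(\S+)\s+(\d+):")

def allowed_networks(config, service, interface):
    """Return the networks a service (http or ssh) accepts on an interface."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or (m.group(1), m.group(4)) != (service, interface):
            continue
        # "http 0 0 <if>" is shorthand for 0.0.0.0 0.0.0.0 (any source).
        addr, mask = ("0.0.0.0" if v == "0" else v for v in m.group(2, 3))
        try:
            nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
        except ValueError:
            pass  # three-token line that is not an address/mask statement
    return nets

def diagnose(config, capture, service="http", interface="management"):
    """Per SYN source: is it permitted, how many SYNs, did anything come back?"""
    nets = allowed_networks(config, service, interface)
    syns, replied = {}, set()
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.group(1, 2, 3)
        if flags == "S" and " ack " not in line:  # bare SYN from a client
            syns[src] = syns.get(src, 0) + 1
        else:
            replied.add(dst)  # any non-SYN packet counts as traffic toward dst
    return [{"src": s, "syns": n, "answered": s in replied,
             "permitted": any(ipaddress.ip_address(s) in net for net in nets)}
            for s, n in syns.items()]

if __name__ == "__main__":
    for row in diagnose(ASA_CONFIG, CAPTURE):
        print(row)
```

Once the real source network is known, permitting that network keeps the management listener narrower than `http 0 0 management`, which admits any source that can reach the interface.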