Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cannot Access ASDM Website

Hi,

I've received two Cisco ASA 5505 and am unable to connect to the ASDM website on either. Ive done all the basics and but something is clearly wrong somewhere considering its happening on both.

With the default settings on the ASA I am able to ping the ASA from the laptop and vice verse however when trying to browse to https://192.168.1.1 nothing happens at all, no errors etc. IE just shows that the page cannot be displayed, have even tried chrome. Java is installed.

See running-config below:

ASA Version 8.4(5)
!
hostname ciscoasa


names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

As you can see the http server is enabled. Something really odd or stupid is going on, any suggestions would be much appreciated.

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions

Cannot Access ASDM Website

Is this present in the config?: ssl encryption 3des-sha1 aes128-sha1

18 REPLIES
Bronze

Re: Cannot Access ASDM Website

'no webvpn' and try again?

Sent from Cisco Technical Support iPhone App

New Member

Cannot Access ASDM Website

I tried "no webvpn" command and then write mem. Still no luck browsing to the ASDM.

The ASA came with an ASDM image onit obviously and i have also tried downgrading the ASDM and ASA's to a much older version, still not luck.

I even loaded an ASA & ASDM image onto the ASA device and loaded a config from a live ASA we have here onto this but still no luck.

Bronze

Re: Cannot Access ASDM Website

Did you upload an ASDM image to the ASA and configure it "asdm image flash:/ ..."  ?

Regards,
Mashal Alshboul

------------------ Mashal Shboul
New Member

Cannot Access ASDM Website

Hi Jason,

You need to define path of ASDM where it is located in flash?

Regards

Mahesh

New Member

Cannot Access ASDM Website

This has been done also:

asdm image disk0:/asdm-711-52.bin

New Member

Cannot Access ASDM Website

Hi jason,

Please follow below link.

http://www.cisco.com/en/US/products/ps6121/products_tech_note09186a0080aaeff5.shtml

Remember to rate all of the helpful posts.

Regards

Pankaj

New Member

Cannot Access ASDM Website

Hi,


Thanks for this link but none of the issues in there are the issue im having.

Thank you all for your help so far, no luck yet though....

Cannot Access ASDM Website

hi jason,

try using ASDM 7.1(3) instead.

see compatibility matrix below:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

New Member

Re: Cannot Access ASDM Website

Thanks John, il give this a go also

Cannot Access ASDM Website

Is this present in the config?: ssl encryption 3des-sha1 aes128-sha1

New Member

Re: Cannot Access ASDM Website

Not as far as i can see......

Is this something that should be there?

Thanks

Re: Cannot Access ASDM Website

It is.

New Member

Cannot Access ASDM Website

Thanks Andrew, through your hint ive finally got it working after quite a few days.

Upon entering "ssl encryption 3des-sha1 aes128-sha1"

i was getting the following error: "The 3DES/AES algorithms require a VPN-3DES-AES activation key."

I googled this error and came across the following article http://www.booches.nl/2010/12/cisco-asa-web-interface-not-working/

which mentioned about installing this VPN-3DES-AES activation key. I went onto this Cisco site and requested this activation key and after installing the key that was sent to me and then re running the ssl encryption key i can finally get onto the ASDM.

I dont fully understand why this was needed and havent had to do this before in my limited experience with ASA's could some perhaps break this down for me and give me a little explanation. Would be much appreciated.

New Member

Cannot Access ASDM Website

Looks like you didnt go though the document which i gave you earlier ..

same was there too.

Regards

Pankaj

Cannot Access ASDM Website

I'll give you some points, cause i noticed that this info was in the doc you've provided

Cannot Access ASDM Website

Explanation is simple. All the modern browsers and java engines do not support legacy encryptions for ssl (you can thing of DES as legacy one). And unless you have strong encryption (3DES/AES) enabled on your ASA and ssl-encryption command entered, connection can't be established, cause in that case ASA only works with DES for encryption, while java and any todays browser requires 3DES as a minimum.

Hope that helps.

New Member

Cannot Access ASDM Website

Thanks for the explanation, that makes sense. Find it a bit strange how these new ASA's didnt come with the key already installed though.

Re: Cannot Access ASDM Website

It's simple again. Here in Russia, for example, use of devices with strong-encryption is heavily monitored and controlled by some regulatory bodies. So you can't just simply buy something, like ASA with strong encryption enabled. It just won't pass the toll (If u don't have special permission, of course). So it all comes from regulatory requirements in different countries. It makes possible for Cisco to sell things in those kind of countries, making the choise of enabling features to be of those, who buy.

736
Views
4
Helpful
18
Replies
CreatePlease login to create content