I've received two Cisco ASA 5505s and am unable to connect to the ASDM website on either. I've done all the basics, but something is clearly wrong somewhere considering it's happening on both.
With the default settings on the ASA I am able to ping the ASA from the laptop and vice versa; however, when trying to browse to https://192.168.1.1 nothing happens at all, no errors etc. IE just shows that the page cannot be displayed; I have even tried Chrome. Java is installed.
See running-config below:
ASA Version 8.4(5)
switchport access vlan 2
ip address 192.168.1.1 255.255.255.0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
As you can see the http server is enabled. Something really odd or stupid is going on, any suggestions would be much appreciated.
Thanks in advance.
I tried "no webvpn" command and then write mem. Still no luck browsing to the ASDM.
The ASA came with an ASDM image on it obviously and I have also tried downgrading the ASDM and ASAs to a much older version, still no luck.
I even loaded an ASA & ASDM image onto the ASA device and loaded a config from a live ASA we have here onto this but still no luck.
Did you upload an ASDM image to the ASA and configure it "asdm image flash:/ ..." ?
Please follow below link.
Remember to rate all of the helpful posts.
Thanks for this link but none of the issues in there are the issue I'm having.
Thank you all for your help so far, no luck yet though....
Try using ASDM 7.1(3) instead.
See compatibility matrix below:
Thanks Andrew, through your hint I've finally got it working after quite a few days.
Upon entering "ssl encryption 3des-sha1 aes128-sha1"
I was getting the following error: "The 3DES/AES algorithms require a VPN-3DES-AES activation key."
I googled this error and came across the following article http://www.booches.nl/2010/12/cisco-asa-web-interface-not-working/
which mentioned installing this VPN-3DES-AES activation key. I went onto this Cisco site and requested this activation key, and after installing the key that was sent to me and then re-running the ssl encryption command I can finally get onto the ASDM.
I don't fully understand why this was needed and haven't had to do this before in my limited experience with ASAs. Could someone perhaps break this down for me and give me a little explanation? Would be much appreciated.
Explanation is simple. All the modern browsers and Java engines do not support legacy encryption for SSL (you can think of DES as a legacy one). And unless you have strong encryption (3DES/AES) enabled on your ASA and the ssl encryption command entered, the connection can't be established, because in that case the ASA only works with DES for encryption, while Java and any of today's browsers require 3DES as a minimum.
Hope that helps.
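The checks this thread worked through (HTTP server enabled, management client inside an allowed `http` network, strong-crypto license, `ssl encryption` ciphers) can be run offline against saved `show running-config` and `show version` text. The following is an added example, not part of the original thread or Cisco tooling; the function name and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the HTTP-related lines from the running-config
# posted above, and license lines in the form `show version` prints them.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
"""
SAMPLE_VERSION = """\
VPN-DES                           : Enabled
VPN-3DES-AES                      : Disabled
"""

STRONG_PREFIXES = ("3des", "aes")  # cipher keywords that need the VPN-3DES-AES key


def asdm_findings(config, show_version, client_ip):
    """Return reasons why HTTPS/ASDM access from client_ip is likely to fail."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    if "http server enable" not in lines:
        findings.append("http server is not enabled")

    # `http <network> <mask> <interface>` lines define who may reach ASDM.
    client = ipaddress.ip_address(client_ip)
    allowed = False
    for line in lines:
        m = re.fullmatch(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", line)
        if m and client in ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False):
            allowed = True
    if not allowed:
        findings.append(f"{client_ip} is not inside any allowed http network")

    # Without the strong-crypto license the ASA can only negotiate DES.
    lic = re.search(r"VPN-3DES-AES\s*:\s*(\w+)", show_version)
    if not (lic and lic[1].lower() == "enabled"):
        findings.append("VPN-3DES-AES license not enabled: only DES is available")

    # An explicit `ssl encryption` line must list at least one 3DES/AES cipher.
    ssl_line = next((l for l in lines if l.startswith("ssl encryption ")), None)
    if ssl_line and not any(c.startswith(STRONG_PREFIXES) for c in ssl_line.split()[2:]):
        findings.append("ssl encryption lists no 3DES/AES cipher")
    return findings


if __name__ == "__main__":
    for finding in asdm_findings(SAMPLE_CONFIG, SAMPLE_VERSION, "192.168.1.5"):
        print("FINDING:", finding)
```

Run against the constructed sample, it reports only the missing license, which matches what the original poster eventually found.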
Thanks for the explanation, that makes sense. I find it a bit strange how these new ASAs didn't come with the key already installed though.
It's simple again. Here in Russia, for example, use of devices with strong encryption is heavily monitored and controlled by some regulatory bodies. So you can't just simply buy something like an ASA with strong encryption enabled. It just won't pass the toll (if you don't have special permission, of course). So it all comes from regulatory requirements in different countries. It makes it possible for Cisco to sell things in those kinds of countries, leaving the choice of enabling features to those who buy.