Problem: Cannot connect to ASDM on ASA 5505 when vlan1 network is changed from the factory default.
Hi all. I am just getting started on a new ASA 5505, working it in a test lab environment. I ran thru the initial setup wizard. During that time I specified a name for Vlan1 (changed from 'inside' to 'INTR-NET'), modified the Vlan1 IP address to use DHCP, and then populated the Device Config Access table with entries corresponding to the entire Class B network here on the local intranet. I don't recall if the factory-default network was already populated, but if it wasn't I added it as 192.168.1.0/255.255.255.0
I then saved the config, and verified that the ASA got a DHCP address using the RS-232 console. I then reconfigured the laptop I have plugged into port 0/1 with its normal address on the intranet and discovered that I couldn't reconnect to ASDM. The ASDM client times out, and a web browser opened to https://(ASA5505's dhcp addr) fails as well.
I then used the console to add another http IP address matching the specific IP address (xxx.240.113.129/255.255.255.255) which the laptop is set for, to the list of permissible admin connections, but saw no difference.
This issue is much the same as was reported in this prior forum posting:
EXCEPT that I was already aware the admin IP address(es) needed to be registered to enable access via SSH/Telnet/HTTPS.
And, I did that step, but it is not working. I have tried adding various combinations of network ranges in the device config access list, including the specific subnet that the lab's dhcp server assigned to the ASA 5505 (xxx.240.112.0/255.255.254.0), but there is no difference. I can traceroute to the laptop and ping the Vlan1 interface from the laptop, but the https ASDM (and ssh connections too) are not successful. This is very frustrating.
The device is brand new. I see that upon boot it loads asa724-k8.bin, and the software banner says Cisco Adaptive Security Appliance Software Version 7.2(4).
Note also that, from the RS-232 console, if I reset the IP address to the static, factory default (192.168.1.1) and manually config my laptop on the same subnet, then ASDM makes the connection. Just like out of the box. But when I put it back onto our intranet and verify the DHCP lease, then ASDM is a no go.
Decided to test overriding security. I added the following:
http 0.0.0.0 0.0.0.0 INTR-NET
updated configuration then reads:
ASA5505A(config)# show running-config http
http server enable
http 0.0.0.0 0.0.0.0 INTR-NET
http xxx.240.0.0 255.255.0.0 INTR-NET
http 192.168.1.0 255.255.255.0 INTR-NET
I tested using IE. I was surprised to see that this worked. The ASA generated a new self-signed certificate with CN=(the new address).
Thinking that this may have cured the issue I restored config to the prior setting (removing 0.0.0.0) and then it was broken again.
So for now I have this override enabled, but obviously it is not acceptable, were this not in a test lab.
One final note: I took a second brand-new unit out and used the command console to assign the Vlan1 interface a static address on the INTR-NET, after removing the default dhcp-pool. I added an http entry for the INTR-NET's class B network. I also had to add a static route for Vlan1 to reach the subnet my laptop was on, but that was it. So essentially, this was a very clean repeat of the test as I did not modify anything else at all and never went into ASDM to run the setup wizard.
With just those changes the same behavior was seen. Can't make a connection to ASDM. What is with this software? Did they never test it?
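An added example, not part of the original post: a small Python audit of `show running-config http` output that lists which entries admit a given management client on an interface and flags any-source entries such as the `0.0.0.0 0.0.0.0` override. The sample addresses substitute 10 for the redacted first octet, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the output quoted in the post; the redacted
# first octet ("xxx") is replaced by 10 purely for illustration.
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 INTR-NET
http 10.240.0.0 255.255.0.0 INTR-NET
http 192.168.1.0 255.255.255.0 INTR-NET
"""


def parse_http_entries(config_text):
    """Return (server_enabled, [(network, interface), ...])."""
    enabled, entries = False, []
    for line in config_text.splitlines():
        fields = line.split()
        if fields == ["http", "server", "enable"]:
            enabled = True
        elif len(fields) == 4 and fields[0] == "http":
            # ASA "http" entries take a subnet mask, not a wildcard mask.
            net = ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=False)
            entries.append((net, fields[3]))
    return enabled, entries


def matching_entries(entries, client_ip, interface):
    """Entries on `interface` whose network contains `client_ip`."""
    addr = ipaddress.ip_address(client_ip)
    return [net for net, ifname in entries
            if ifname == interface and addr in net]


def any_source_entries(entries):
    """Entries that admit every source address (prefix length 0)."""
    return [(net, ifname) for net, ifname in entries if net.prefixlen == 0]


if __name__ == "__main__":
    enabled, entries = parse_http_entries(SAMPLE_CONFIG)
    print("http server enabled:", enabled)
    # Constructed client address standing in for the laptop in the post.
    for net in matching_entries(entries, "10.240.113.129", "INTR-NET"):
        print("client admitted by:", net)
    for net, ifname in any_source_entries(entries):
        print(f"WARNING: any-source management access on {ifname}: {net}")
```
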