11-05-2013 01:05 PM
Hello all,
I'm completely new to Cisco networking and VPNs; I'm working on an ASA 5510 running 8.2(5)46. Right now the unit is set up very minimally. Management access is accessible from my inside network at 192.168.2.1. I'm trying to allow remote management access by VPN. I created a clientless SSL VPN, which, during the wizard process, indicated that management access was by adding /admin to the VPN's https URL. Adding /admin to the VPN's URL does not get me to the VPN login, and using the /admin URL from the portal returns an "Unavailable" message. Also, from the portal I can't access the ASDM using the inside network management IP; it also returns the message "Unavailable". Again, I'm new at this; any help would be greatly appreciated. Here's my config, and thanks!
: Saved
:
ASA Version 8.2(5)46
!
hostname ALP5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 99.66.203.148 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn 192.168.2.10
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.203.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 20
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.3-192.168.2.10 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.3-192.168.1.10 management
dhcpd dns 68.94.156.1 68.94.157.1 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy eng internal
group-policy eng attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value EngineerBookmarks
username user1 password mbO2jYs13AXlIAGa encrypted privilege 15
username user1 attributes
 vpn-group-policy eng
 webvpn
  url-list value EngineerBookmarks
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool vpn
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy eng
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f3afe3383542c8f62b1873421a7484
: end
asdm image disk0:/asdm-714.bin
asdm location 99.66.203.150 255.255.255.255 inside
no asdm history enable
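A note on the configuration above, with an added example that is not from the thread or from Cisco. The poster's later diagnosis is a missing VPN IP pool; the posted config does define one, `ip local pool vpn 192.168.2.10`, but it holds a single address, and that address also sits inside the `dhcpd address 192.168.2.3-192.168.2.10 inside` range the ASA leases to LAN hosts. The Python script below parses the relevant lines of an ASA 8.2-style running config (a constructed excerpt of the posted config, plus a corrected variant) and flags single-address pools, pool/DHCP overlap, and pool addresses not permitted by any `http` statement on the `management-access` interface. That last check is what full-tunnel (IPsec/AnyConnect) clients need to reach ASDM over the tunnel; it is included as an assumption of general practice and does not by itself explain the clientless `/admin` behaviour the thread is about.

```python
"""Sanity checks for ASA remote-access management over VPN.

Added example (not code from the forum thread or from Cisco). It parses
the relevant lines of an ASA 8.2-style running config and reports:
  * VPN address pools that overlap a DHCP range the ASA itself leases,
  * pools that hold only one address,
  * pool addresses not covered by any `http` statement on the interface
    named in `management-access` (assumption: needed for ASDM access by
    full-tunnel VPN clients).
"""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread above.
SAMPLE_CONFIG = """
interface Ethernet0/3
 nameif inside
 ip address 192.168.2.1 255.255.255.0
ip local pool vpn 192.168.2.10
http server enable
http server session-timeout 20
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
management-access inside
dhcpd address 192.168.2.3-192.168.2.10 inside
dhcpd address 192.168.1.3-192.168.1.10 management
"""

# Constructed corrected variant: a real pool range outside the DHCP scope.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ip local pool vpn 192.168.2.10",
    "ip local pool vpn 192.168.2.100-192.168.2.110 mask 255.255.255.0",
)

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+?)(?:-(\S+))?(?: mask \S+)?$")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")
MGMT_RE = re.compile(r"^management-access (\S+)$")


def addr_range(first, last):
    """Expand an inclusive 'first-last' IPv4 range into address objects."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def parse_config(text):
    """Collect pools, DHCP scopes, http permits and the management-access interface."""
    cfg = {"pools": {}, "dhcp": {}, "http": [], "mgmt_if": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("http server"):   # 'http server enable' etc. are not permits
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            cfg["pools"][name] = addr_range(first, last or first)
            continue
        m = DHCP_RE.match(line)
        if m:
            first, last, iface = m.groups()
            cfg["dhcp"].setdefault(iface, []).extend(addr_range(first, last))
            continue
        m = HTTP_RE.match(line)
        if m:
            net, mask, iface = m.groups()
            cfg["http"].append((ipaddress.IPv4Network(f"{net}/{mask}"), iface))
            continue
        m = MGMT_RE.match(line)
        if m:
            cfg["mgmt_if"] = m.group(1)
    return cfg


def check(cfg):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    for name, addrs in cfg["pools"].items():
        if len(addrs) == 1:
            findings.append(("warn", f"pool {name} holds a single address {addrs[0]}; "
                                     "only one client can be assigned at a time"))
        for iface, leased in cfg["dhcp"].items():
            clash = sorted(set(addrs) & set(leased))
            if clash:
                findings.append(("error", f"pool {name} overlaps dhcpd range on {iface}: "
                                          + ", ".join(map(str, clash))))
        mgmt = cfg["mgmt_if"]
        if mgmt:
            uncovered = [a for a in addrs
                         if not any(a in net and iface == mgmt for net, iface in cfg["http"])]
            if uncovered:
                findings.append(("error", f"pool {name}: {len(uncovered)} address(es) not "
                                          f"permitted by any 'http ... {mgmt}' statement"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} config ==")
        for severity, msg in check(parse_config(text)) or [("ok", "no findings")]:
            print(f"[{severity}] {msg}")
```

Run against the posted excerpt it reports the single-address pool and the overlap on 192.168.2.10; against the corrected variant, where the pool is moved to 192.168.2.100-110 (still covered by `http 192.168.2.0 255.255.255.0 inside`), it reports nothing.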
11-06-2013 10:36 AM
Try to disable webvpn completely; if you are then able to connect, upgrade. Also please add the following:
asdm image disk0:/asdm-645.bin
FYI: I still believe it's a bug. By the way, upgrade to the asa825 interim release; don't go any further, because the NAT concept has a configuration change that takes time to understand.
asa825-46-k8.bin
asdm-714.bin
http://software.cisco.com/download/type.html?mdfid=279916854&flowid=4373
11-06-2013 10:51 AM
Call 800 553 2447 and explain your situation, give them the bug ID that I have posted, and have them check the serial number for warranty as well.
11-06-2013 11:33 AM
I upgraded the ASA to 8.2(5)46 and ASDM to 7.1(4) and there was no change. The workaround says to disable webvpn, so I entered the command no webvpn, but afterwards I can no longer access the VPN. How do I re-enable the web VPN?
11-06-2013 11:37 AM
Did you change the asdm image of the unit? Just reloading the unit will restore the configuration, but you can also run copy startup-config running-config.
11-06-2013 11:38 AM
If you decide to reload, make sure you don't save the configuration.
11-06-2013 11:39 AM
I am from TAC; if you give me a number I can help you out. I think we are just going to drag this out if we continue over the support forum.
11-06-2013 11:54 AM
Thanks, I found the command to enable webvpn, so the VPN is accessible again, but I'm back to where I was. The VPN wizard indicated that adding /admin to the https VPN URL would allow access to ASDM. Using /admin, I can get to the certificate warning, but after that the page cannot be found. I'm not able to get to this step:
On trying to launch ASDM, the following error message is seen,
"unable to launch device manager from x.x.x.x"
VPN management access is new to me. Can you tell me what I'm supposed to be seeing? Is it the same ASDM launcher that I use when accessing the ASA from a browser on the inside network?
11-06-2013 12:03 PM
The appliance will request an IP (in your case, put the inside one), just like web access, and it should not have a problem. But as I said, it seems that we are getting nowhere with the support forum; we need a WebEx to do a little more troubleshooting that we can't do over the forum.
11-06-2013 12:16 PM
Please post a show tech with the current configuration settings.
11-06-2013 12:34 PM
I think the issue might be that I did not add a VPN IP pool. I will make those changes and see if it works.
11-06-2013 02:38 PM
After helping with the VPN setup, we need an answer here!!!
11-06-2013 02:50 PM
Got help from jumora by WebEx and got it working; jumora was extremely helpful. Thanks!