ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Hello all,

I'm completely new to Cisco networking and VPNs. I'm working on an ASA 5510, version 8.2(5)46. Right now the unit is set up very minimally. Management access is accessible from my inside network at 192.168.2.1. I'm trying to allow remote management access by VPN. I created a clientless SSL VPN, which, during the wizard process, indicated that management access was by adding /admin to the VPN's https URL. Adding /admin to the VPN's URL does not get me to the VPN login, and using the /admin URL from the portal returns an "Unavailable" message. Also, from the portal I can't access the ASDM using the inside network management IP; it also returns the message "Unavailable". Again, I'm new at this; any help would be greatly appreciated. Here's my config, and thanks!

: Saved
:
ASA Version 8.2(5)46 
!
hostname ALP5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 99.66.203.148 255.255.255.248 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn 192.168.2.10
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.203.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 20
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.3-192.168.2.10 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.3-192.168.1.10 management
dhcpd dns 68.94.156.1 68.94.157.1 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy eng internal
group-policy eng attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value EngineerBookmarks
username user1 password mbO2jYs13AXlIAGa encrypted privilege 15
username user1 attributes
 vpn-group-policy eng
 webvpn
  url-list value EngineerBookmarks
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool vpn
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy eng
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:05f3afe3383542c8f62b1873421a7484
: end
asdm image disk0:/asdm-714.bin
asdm location 99.66.203.150 255.255.255.255 inside
no asdm history enable

26 REPLIES
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

With help from jumora I have internet access working on the inside interface, still working on the vpn issue though...

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

enable

config t

webvpn
no enable inside

Try to access the ASDM

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

I've edited my original post and added the updated config. I'll give it a try...

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

But I think the issue is that you don't have the ASDM image; if not, this could be related to:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtu02353

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Can you get me a show version and show disk0?

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ALP5510 up 20 days 7 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: Ethernet0/0         : address is 4403.a707.25f6, irq 9
 1: Ext: Ethernet0/1         : address is 4403.a707.25f7, irq 9
 2: Ext: Ethernet0/2         : address is 4403.a707.25f8, irq 9
 3: Ext: Ethernet0/3         : address is 4403.a707.25f9, irq 9
 4: Ext: Management0/0       : address is 4403.a707.25fa, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 100
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX17128011
Running Activation Key: 0x7719dc5d 0xf82807f8 0x2ce1ed7c 0xa9184c0c 0x881c27bf
Configuration register is 0x1
Configuration last modified by enable_15 at 18:56:25.810 UTC Tue Nov 5 2013

New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Result of the command: "show disk0"

--#--  --length--  -----date/time------  path
  106  15390720    Mar 19 2013 08:00:42  asa825-k8.bin
  107  16280544    Mar 19 2013 09:58:06  asdm-645.bin
  108  28672       Jan 01 1980 00:00:00  FSCK0000.REC
    3  4096        Jan 01 2003 00:02:44  log
   10  4096        Jan 01 2003 00:02:58  crypto_archive
   11  4096        Jan 01 2003 00:03:02  coredumpinfo
   12  43          Jan 01 2003 00:03:02  coredumpinfo/coredump.cfg
  110  4096        Jan 01 1980 00:00:00  FSCK0001.REC
  111  12998641    Mar 19 2013 09:55:16  csd_3.5.2008-k9.pkg
  112  4096        Mar 19 2013 09:55:20  sdesktop
  145  1462        Mar 19 2013 09:55:20  sdesktop/data.xml
  113  6487517     Mar 19 2013 09:55:24  anyconnect-macosx-i386-2.5.2014-k9.pkg
  114  6689498     Mar 19 2013 09:55:28  anyconnect-linux-2.5.2014-k9.pkg
  115  4678691     Mar 19 2013 09:55:30  anyconnect-win-2.5.2014-k9.pkg
  116  28672       Jan 01 1980 00:00:00  FSCK0002.REC
  117  4096        Jan 01 1980 00:00:00  FSCK0003.REC

255320064 bytes total (192106496 bytes free)

New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Thanks but still no access

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Yeah, it's the bug that I mentioned:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtu02353

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Symptom:

Unable to launch ASDM when webvpn is enabled on ASA.

Conditions:

ASA running version 8.2.5 and ASDM 6.4.5/6.3.4

Webvpn enabled on ASA.

On trying to launch ASDM, the following error message is seen,

"unable to launch device manager from x.x.x.x"

Configuring http server on a different port (4443, 8888, etc.) does not help.

Workaround:

Webvpn needs to be disabled completely from ASA with the command "no webvpn". Disabling it from the interface is not sufficient.

Value our effort and rate the assistance!
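The two checks that come up in this thread, whether the configured asdm image actually exists on disk0 and whether webvpn is enabled on an interface that is also used for http (ASDM) access, are easy to get wrong by eye in a long running-config. The script below is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the posted config and the earlier "show disk0" listing (both constructed here from the thread, so the boot-image mismatch reflects the config having been edited after the listing was taken) and reports the findings a reviewer would raise, including the CSCtu02353 condition described above (ASA 8.2(5) with webvpn configured). The finding codes are my own naming.

```python
"""Audit an ASA running-config plus a 'show disk0' listing for the issues
discussed in the thread: image files referenced by 'boot system' / 'asdm image'
that are not on flash, webvpn and http (ASDM) access sharing an interface, and
the CSCtu02353 condition (ASA 8.2(5) with webvpn configured)."""
import re
from os.path import basename

# Constructed sample, trimmed from the config posted in the thread.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)46
boot system disk0:/asa825-46-k8.bin
asdm image disk0:/asdm-714.bin
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
management-access inside
webvpn
 enable outside
 enable inside
group-policy eng attributes
 vpn-tunnel-protocol webvpn
"""

# Constructed sample, trimmed from the 'show disk0' output posted in the thread.
SAMPLE_DISK0 = """\
--#--  --length--  -----date/time------  path
  106  15390720    Mar 19 2013 08:00:42  asa825-k8.bin
  107  16280544    Mar 19 2013 09:58:06  asdm-645.bin
   10  4096        Jan 01 2003 00:02:58  crypto_archive
255320064 bytes total (192106496 bytes free)
"""


def parse_config(text):
    """Extract the handful of settings the audit needs from a running-config."""
    cfg = {"version": None, "boot_image": None, "asdm_image": None,
           "http_server": False, "http_interfaces": set(),
           "webvpn_interfaces": set(), "webvpn_configured": False}
    in_webvpn = False  # True while inside the top-level 'webvpn' block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Only the column-0 'webvpn' block counts; the indented 'webvpn'
            # under a group-policy is a different thing.
            in_webvpn = line == "webvpn"
            if in_webvpn:
                cfg["webvpn_configured"] = True
        elif in_webvpn:
            m = re.match(r"\s+enable\s+(\S+)$", line)
            if m:
                cfg["webvpn_interfaces"].add(m.group(1))
            continue
        s = line.strip()
        if s.startswith("ASA Version "):
            cfg["version"] = s.split()[2]
        elif s.startswith("boot system "):
            cfg["boot_image"] = basename(s.split()[2])  # 'disk0:/x.bin' -> 'x.bin'
        elif s.startswith("asdm image "):
            cfg["asdm_image"] = basename(s.split()[2])
        elif s == "http server enable":
            cfg["http_server"] = True
        else:
            m = re.match(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", s)
            if m:
                cfg["http_interfaces"].add(m.group(3))
    return cfg


def parse_disk0(text):
    """Return the set of paths listed by 'show disk0' (header/total lines skipped)."""
    files = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+\d+\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)", line)
        if m:
            files.add(m.group(1))
    return files


def audit(cfg, files):
    """Return a list of (code, detail) findings; codes are this example's own naming."""
    findings = []
    present = ", ".join(sorted(f for f in files if f.endswith(".bin")))
    for key in ("boot_image", "asdm_image"):
        name = cfg[key]
        if name and name not in files:
            findings.append(("MISSING_FILE",
                             f"{key.replace('_', ' ')} {name} is not on disk0 (present: {present})"))
    overlap = cfg["webvpn_interfaces"] & cfg["http_interfaces"]
    if cfg["http_server"] and overlap:
        findings.append(("WEBVPN_HTTP_OVERLAP",
                         "webvpn and http (ASDM) access share interface(s): " + ", ".join(sorted(overlap))))
    if cfg["webvpn_configured"] and cfg["version"] and cfg["version"].startswith("8.2(5)"):
        findings.append(("CSCtu02353",
                         "ASA 8.2(5) with webvpn configured matches the bug conditions; "
                         "the posted workaround is 'no webvpn' (disabling per interface is not enough)"))
    return findings


def run_sample():
    return audit(parse_config(SAMPLE_CONFIG), parse_disk0(SAMPLE_DISK0))


if __name__ == "__main__":
    for code, detail in run_sample():
        print(f"{code}: {detail}")
```

Feed it the full running-config and a real "show disk0" listing and it reports the same things the replies above asked for by hand; with the top-level webvpn block removed (the "no webvpn" workaround) the overlap and bug findings disappear and only the missing-file findings remain.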
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

1st Found-in: 8.2(5)

Fixed-in:
8.4(3.10)
8.4(4)
9.0(1)
9.1(1)
9.0(0.99)
100.7(18.13)M
100.8(0.82)M
100.8(24.40)M
100.8(27.1)M
100.7(6.66)M
100.7(13.61)M
100.8(32.7)M
100.8(11.13)M
8.7(0.1)
8.2(5.27)
100.7(20.4)M
8.4(3.99)
100.9(2.1)M
100.9(0.1)M

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Let me add some detail to my "no access" answer. Before I entered the commands, adding /admin to the https VPN URL would result in "Page not found". After I made the change I can get to the certificate warning, but when I try to continue to the page I get "Page not found".

Sounds like I need to update version?

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Yes, just update, and let me know if you need assistance. I can help; just tell me where to reach you.

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Try to disable webvpn completely; if you are able to connect, then upgrade. Also please add the next:

asdm image disk0:/asdm-645.bin

FYI: I still believe it's a bug. By the way, upgrade to the asa825 interim release; don't go any further, because the NAT concept has a configuration change that takes time to understand.

asa825-46-k8.bin

asdm-714.bin

http://software.cisco.com/download/type.html?mdfid=279916854&flowid=4373

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Call 800 553 2447 and explain your situation; give them the bug ID that I have posted, and have them check the serial number for warranty also.

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

I upgraded the ASA to 8.2(5)46 and ASDM to 7.1(4) and there was no change. The workaround says to disable webvpn, so I entered the command no webvpn, but afterwards I can no longer access the VPN. How do I re-enable the web VPN?

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Did you change the asdm image of the unit? Just reloading the unit will restore the configuration, but you can also run copy startup-config running-config

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

If you decide to reload make sure you don't save the configuration.

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

I am from TAC if you give me a number I can help you out, I think we are just going to extend this if we continue over support forum

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Thanks, I found the command to enable webvpn, so the VPN is accessible again, but I'm back to where I was. The VPN wizard indicated that adding /admin to the https VPN URL would allow access to ASDM. Using /admin, I can get to the certificate warning, but after that the page cannot be found. I'm not able to get to this step:

On trying to launch ASDM, the following error message is seen,

"unable to launch device manager from x.x.x.x"

VPN management access is new to me; can you tell me what I'm supposed to be seeing? Is it the same ASDM launcher that I use when accessing the ASA using a browser on the inside network?

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

The appliance will request an IP (in your case, put the inside one), just like web access, and it should not have a problem. But as I said, it seems that we are getting nowhere with the support forum; we need a WebEx and a little more troubleshooting that we can't do over the forum.

Value our effort and rate the assistance!
Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Please post show tech with current configuration settings.

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

I think the issue might be because I did not add a VPN IP pool. I will make those changes and see if it works.

Silver

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

After helping with the VPN setup we need an answer here!!!

Value our effort and rate the assistance!
New Member

ASA 5510 ver. 8.2(5) Management access through clientless VPN?

Got help from jumora by WebEx and got it working; was extremely helpful. Thanks!
