
ASDM is not working in outside interface

praveenku
Level 1

Hi,

I am new to ASA. I have got an ASA 5510 and was trying to enable ASDM access through the outside interface, but it's not working for me. I have configured a public IP on the outside interface and enabled SSH and ASDM. SSH is working but ASDM is not working. It is a test environment so I haven't configured any ACL yet.

VPN-TEST# show version

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders

System image file is "disk0:/asa821-k8.bin"

Config file at boot was "startup-config"

VPN-TEST up 4 hours 33 mins

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0         : address is d0d0.fd1d.8758, irq 9

1: Ext: Ethernet0/1         : address is d0d0.fd1d.8759, irq 9

2: Ext: Ethernet0/2         : address is d0d0.fd1d.875a, irq 9

3: Ext: Ethernet0/3         : address is d0d0.fd1d.875b, irq 9

4: Ext: Management0/0       : address is d0d0.fd1d.8757, irq 11

5: Int: Not used            : irq 11

6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces  : Unlimited

Maximum VLANs                : 50       

Inside Hosts                 : Unlimited

Failover                     : Disabled

VPN-DES                      : Enabled  

VPN-3DES-AES                 : Enabled  

Security Contexts            : 0        

GTP/GPRS                     : Disabled 

SSL VPN Peers                : 2        

Total VPN Peers              : 250      

Shared License               : Disabled

AnyConnect for Mobile        : Disabled 

AnyConnect for Linksys phone : Disabled 

AnyConnect Essentials        : Disabled 

Advanced Endpoint Assessment : Disabled 

UC Phone Proxy Sessions      : 2        

Total UC Proxy Sessions      : 2        

Botnet Traffic Filter        : Disabled 

This platform has a Base license.

VPN-TEST# show run http

http server enable

http 0.0.0.0 0.0.0.0 outside

VPN-TEST# show run asdm

asdm image disk0:/asdm-621.bin

asdm history enable

Could anyone please help me to find out what I am missing?

Kind Regards,

Praveen


Marvin Rhoads
Hall of Fame

Several things I would ask:

Is asdm-621.bin present on disk0?

Can you reach your test workstation from the outside interface? Is that where you successfully ssh from?

Is there any firewall or router ACL in the path between your workstation and the ASA?

Does the ASA log show anything when you try without success to launch ASDM?

What error specifically do you see?

Hi Marvin,

Thanks for your reply.

**Is asdm-621.bin present on disk0?**


VPN-TEST# show flash:

--#--  --length--  -----date/time------  path

   92  16275456    Apr 25 2010 02:44:00  asa821-k8.bin

   93  11348300    Apr 25 2010 04:56:04  asdm-621.bin

**Can you reach your test workstation from the outside interface? Is that where you successfully ssh from?**

I was trying to reach it from my home and I can ping my home station from the outside interface.

**Is there any firewall or router ACL in the path between your workstation and the ASA?**

There is no firewall configured.

**Does the ASA log show anything when you try without success to launch ASDM?**

I can't see any logs... Is there any special command to enable login?

**What error specifically do you see?**

It shows the webpage is not available.



Hi Marvin,

I was trying to get ASDM through my outside interface ip like https://outside_interface_ip

Hi,

There is no ACL configured in my ASA and whenever I try to access the ASDM from any IP outside it shows the following error:

%ASA-3-710003: TCP access denied by ACL from 86.28.147.194/50378 to outside:5.250.178.42/80

%ASA-3-710003: TCP access denied by ACL from 86.28.147.194/50377 to outside:5.250.178.42/80

%ASA-3-710003: TCP access denied by ACL from 86.28.147.194/50376 to outside:5.250.178.42/80

%ASA-3-710003: TCP access denied by ACL from 86.28.147.194/50378 to outside:5.250.178.42/80

but I don't understand where this ACL came from.

Hi

Please share the below:

show run ssl

show asp table socket

And try to access it with https, not http, as the logs seen above showed that the connection blocked was on port 80.

Also, can you ping the outside interface from the machine you are trying ASDM access from (ping or ssh)?

Regards,

Mohammad Abu Arja

Hi Mohammad,

Thanks for your reply. Below is the requested output.

VPN-TEST# show run ssl

ssl encryption des-sha1

VPN-TEST# show asp table socket

Protocol  Socket    Local Address               Foreign Address         State

SSL       0000821f  5.250.178.42:443            0.0.0.0:*               LISTEN

TCP       0001360f  5.250.178.42:22             0.0.0.0:*               LISTEN

TCP       00233d68  5.250.178.42:22             5.250.176.254:43716     ESTAB

VPN-TEST#

Yes, I can ping and ssh to the box from the machine from which I am trying to access ASDM.

Kind Regards,

Praveen

That's it. Please add all cipher combinations using the command "ssl encryption". Please add them in one line beside each other, and you can use "?" to check the available combinations.

Regards,

Mohammad

Hi Mohammad,

Excellent!!... that worked... Thank you very much for your help.

Kind Regards,

Praveen
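
An added example, not part of the thread and not Cisco tooling: a Python check that reads the three outputs posted above (`show run ssl`, `show asp table socket` and the 710003 syslog lines) and reports the two problems the replies identified, plus any legacy ciphers left enabled after the fix. The grouping of `ssl encryption` keywords into `LEGACY` and `STRONGER` is this example's assumption.

```python
import re

# "ssl encryption" keywords on ASA 8.x, grouped for this example (assumption):
# LEGACY = single DES, RC4 or no encryption; STRONGER = the remaining options.
LEGACY = {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}
STRONGER = {"3des-sha1", "aes128-sha1", "aes256-sha1"}

SYSLOG_710003 = re.compile(
    r"%ASA-3-710003: TCP access denied by ACL from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")
ASP_LISTEN = re.compile(r"^(SSL|TCP)\s+\S+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def configured_ciphers(show_run_ssl):
    """Return the cipher keywords from 'ssl encryption ...' in config order."""
    m = re.search(r"^ssl encryption (.+)$", show_run_ssl, re.M)
    return m.group(1).split() if m else []


def diagnose(show_run_ssl, asp_table, syslog):
    """Return findings that explain why HTTPS management access fails."""
    findings = []
    listening = {int(port) for _, _, port in ASP_LISTEN.findall(asp_table)}
    denied = {int(m.group(5)) for m in SYSLOG_710003.finditer(syslog)}
    for port in sorted(denied - listening):
        findings.append(f"port {port} denied: nothing listens there, "
                        f"listeners are {sorted(listening)}")
    ciphers = configured_ciphers(show_run_ssl)
    if ciphers and not STRONGER.intersection(ciphers):
        findings.append("only legacy ciphers configured: " + " ".join(ciphers))
    weak = [c for c in ciphers if c in LEGACY]
    if weak and STRONGER.intersection(ciphers):
        findings.append("legacy ciphers still enabled: " + " ".join(weak))
    return findings


# Inputs copied from the outputs posted in this thread.
SHOW_RUN_SSL = "ssl encryption des-sha1\n"
ASP_TABLE = """\
SSL       0000821f  5.250.178.42:443            0.0.0.0:*               LISTEN
TCP       0001360f  5.250.178.42:22             0.0.0.0:*               LISTEN
TCP       00233d68  5.250.178.42:22             5.250.176.254:43716     ESTAB
"""
SYSLOG = "%ASA-3-710003: TCP access denied by ACL from 86.28.147.194/50378 to outside:5.250.178.42/80\n"

if __name__ == "__main__":
    for line in diagnose(SHOW_RUN_SSL, ASP_TABLE, SYSLOG):
        print(line)
```

With the thread's own outputs it reports the port 80 denial and the DES-only cipher list. Run against a cipher line that also lists AES or 3DES, it reports only the legacy entries that remain enabled.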
