CISCO ASA 5505 - Cannot Access ASDM

Discussion in 'Network Security' started by jvanassen, Jul 2, 2013.

  1. jvanassen

    Hi,

    I've received two Cisco ASA 5505 and am unable to connect to the ASDM on either. I've done all the basics but something is clearly wrong somewhere considering it's happening on both.

    With the default settings on the ASA I am able to ping the ASA from the laptop and vice versa; however, when trying to browse to https://192.168.1.1 nothing happens at all, no errors etc. IE just shows that the page cannot be displayed; I have even tried Chrome.

    See running-config below:

    ASA Version 8.4(5)
    !
    hostname ciscoasa


    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options

    As you can see, the http server is enabled. Something really odd or stupid is going on; any suggestions would be much appreciated.

    Thanks in advance.
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  2. Cunningfox

    Do a show flash and see if the asdm files exist.
     
    Certifications: CCNP, CCNA, MCP
    WIP: ??
  3. jvanassen

    It definitely exists, and on one of them I've even tried downgrading the ASA and asdm versions... still no luck.
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  4. Cunningfox

    Ok, the client you are trying from is in the 192.168.1.0/24 subnet right?

    If you've tried downgrading, have you tried a factory reset - configure factory (iirc) - not a lot of config to put back.

    Also check that the asdm version is compatible with the IOS version; it's not mix and match.
     
    Certifications: CCNP, CCNA, MCP
    WIP: ??
  5. jvanassen

    Correct, and they can ping each other.

    I've tried a factory reset a couple of times after trying different things.

    One would guess that the asdm and ASA version they shipped it with are compatible, but I also downgraded to a version of ASA and asdm that must be around two years old and also tried loading a config from an ASA that we have in use. None of this has worked.

    Very frustrating; I have looked at countless articles over the last two days and it doesn't seem like I'm missing anything. Currently waiting for a PO to be signed to get some smartnet support.
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  6. Cunningfox

    Last edited: Jul 2, 2013
    Certifications: CCNP, CCNA, MCP
    WIP: ??
  7. danielno8

    Have you generated the rsa key?

    crypto key generate rsa modulus
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. jvanassen

    Yeah, I am able to SSH to the device and I have also generated the key.

    Thanks for your suggestions so far.
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  9. danielno8

    Run Wireshark on your laptop while trying to connect and see what you see happening on the wire...
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  10. jvanassen

    After many days of googling and posting on the Cisco community site I finally have this resolved.

    I was asked if there was an ssl encryption line in the running-config.

    Upon entering "ssl encryption 3des-sha1 aes128-sha1"

    I was getting the following error: "The 3DES/AES algorithms require a VPN-3DES-AES activation key."

    I googled this error and came across the following article: http://www.booches.nl/2010/12/cisco-asa-web-interface-not-working/

    which mentioned installing this VPN-3DES-AES activation key. I went onto this Cisco site and requested this activation key, which was sent to me, and then after re-running the ssl encryption key I can finally get onto the ASDM.

    I don't fully understand why this was needed and haven't had to do this before in my limited experience with ASAs. If anyone has any idea or could break this down for me it would be appreciated. I obviously understand that it was missing a license key, but what exactly for etc?
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
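
Added example (not part of the thread and not Cisco code): a small Python check over saved CLI output for the condition resolved above, where the HTTP server is enabled and ping works but there is no VPN-3DES-AES license and no 3DES/AES `ssl encryption` line. The sample text is constructed, and the license-line layout is an assumption modelled on `show version` output.

```python
import re

# Cipher names from the command quoted in the thread; per the error message
# there, the 3DES/AES algorithms need the VPN-3DES-AES activation key.
LICENSED_CIPHERS = {"3des-sha1", "aes128-sha1"}
LICENSE_RE = re.compile(r"^(VPN-[A-Z0-9-]+)\s*:\s*(Enabled|Disabled)\b")

# Constructed samples: license lines laid out like `show version` output
# (layout is an assumption) followed by the relevant running-config lines.
BEFORE = """\
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
http server enable
"""
AFTER = """\
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
ssl encryption 3des-sha1 aes128-sha1
http server enable
"""

def parse(text):
    """Return (license map, ssl cipher list, http-server flag)."""
    licenses, ciphers, http_on = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = LICENSE_RE.match(line)
        if m:
            licenses[m.group(1)] = m.group(2) == "Enabled"
        elif line.startswith("ssl encryption "):
            ciphers = line.split()[2:]
        elif line == "http server enable":
            http_on = True
    return licenses, ciphers, http_on

def diagnose(text):
    """List reasons ASDM over HTTPS may fail even though ping works."""
    licenses, ciphers, http_on = parse(text)
    findings = []
    if not http_on:
        findings.append("http-server-disabled")
    if not licenses.get("VPN-3DES-AES", False):
        findings.append("3des-aes-license-missing")
    if not LICENSED_CIPHERS & set(ciphers):
        findings.append("no-3des-aes-cipher-configured")
    return findings

if __name__ == "__main__":
    print("before:", diagnose(BEFORE), "after:", diagnose(AFTER))
```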
