Unable to use ASDM with Cisco ASA 5510

By ckdunn
I am not a Cisco tech, but am now responsible for an ASA 5510. The former admin was adding an access rule when he was kicked out of the ASDM interface. Since then I am not able to use the ASDM except on the Management interface (previously I could access it on the "inside" interface from my laptop). If I were to post my config here, could someone take a look and point me in the right direction to possibly fix this?

: Saved
: Written by admin at 17:23:36.592 MST Wed Jan 28 2009
!
ASA Version 7.2(2)
!
hostname scsasa
domain-name xxxxxxxxxxxxx.com
enable password encrypted
names
name 10.1.2.2 scswhq
name 10.2.2.2 scswww
name 10.1.0.0 insidelan
name 10.2.2.0 dmzlan
name 10.128.1.2 scsguestwap
name 10.1.7.0 VPNaddresses
name 10.2.2.30 external2
name 10.2.2.3 edgesrv1-ext
name 10.2.2.151 edgesrv1-int
name 10.2.2.20 TrainSrv
name 10.2.2.12 paris description Harris DLS
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.192.0
!
interface Ethernet0/2
nameif ServerDMZ
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
nameif PublicAccess
security-level 20
ip address 10.128.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/v722/asa722-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name silvercreeksystems.com
object-group service scswhq tcp
description Global services provided by scswhq: http, https, smtp
port-object eq www
port-object eq https
port-object eq smtp
object-group service ftp tcp
port-object eq ftp-data
port-object eq ftp
object-group service scswhq-internal tcp
description Internal services for DMZ: cifs, dns, http, https, ldap, netbios-ssn, rtvscan, smtp
port-object eq www
port-object eq domain
port-object eq netbios-ssn
port-object eq https
port-object eq smtp
port-object eq cifs
port-object eq ldap
port-object eq 2967
object-group service scswhq-udp udp
port-object eq netbios-ns
port-object eq netbios-dgm
port-object eq kerberos
port-object eq domain
port-object eq ntp
port-object eq 389
port-object eq 88
object-group service scswww tcp
group-object ftp
port-object eq www
port-object eq ssh
port-object eq https
port-object eq smtp
port-object eq 88
port-object eq ldap
port-object eq 8530
object-group service dlo tcp
port-object eq www
port-object eq 2229
object-group service nfs tcp
description Ports needed for nfs export
port-object eq 2049
port-object eq sunrpc
port-object eq 626
port-object eq 923
object-group service dloadmin tcp
port-object eq netbios-ssn
port-object eq 2229
port-object eq 3306
port-object eq 445
group-object nfs
object-group service test tcp
port-object range sip 5064
port-object eq www
port-object eq https
object-group service scswww-external tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service MSEdge tcp-udp
description Microsoft Edge Server Ports
port-object eq 443
port-object eq www
port-object eq sip
port-object range 5061 5062
port-object eq 1443
object-group service scswhq-dmz tcp
description From DMZ to scswhq
port-object eq 123
port-object eq 8530
port-object eq www
port-object eq https
port-object eq kerberos
port-object eq ldap
port-object eq smtp
port-object eq 88
object-group service winlogin tcp
port-object eq 445
port-object eq ldap
port-object eq ldaps
port-object eq netbios-ssn
object-group service HPQueue tcp
port-object eq 9001
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group scswhq
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group dlo
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group scswww-external
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group dlo
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group dlo
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group MSEdge
access-list outside_access_in extended permit tcp any host 216.8xxx.xxx.xxx object-group scswhq
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx object-group dlo
access-list inside_nat0_outbound extended permit ip insidelan 255.255.0.0 dmzlan 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPNaddresses 255.255.255.0
access-list ServerDMZ_nat0_outbound extended permit ip dmzlan 255.255.255.0 VPNaddresses 255.255.255.0
access-list ServerDMZ_access_in extended permit tcp host scswww host scswhq
access-list ServerDMZ_access_in extended permit tcp dmzlan 255.255.255.0 host scswhq object-group scswhq-dmz
access-list ServerDMZ_access_in extended permit udp dmzlan 255.255.255.0 host scswhq object-group scswhq-udp
access-list ServerDMZ_access_in extended permit tcp host scswww insidelan 255.255.0.0 gt 1023
access-list ServerDMZ_access_in extended permit tcp host scswww object-group ftp any
access-list ServerDMZ_access_in extended permit tcp host scswww host scsguestwap gt 1023
access-list ServerDMZ_access_in extended permit tcp host scswww VPNaddresses 255.255.255.0 gt 1023
access-list ServerDMZ_access_in remark external2 to ext2admin
access-list ServerDMZ_access_in extended permit tcp host external2 host 10.1.2.101 object-group dloadmin
access-list ServerDMZ_access_in remark edgesrv1-int to commsrv1
access-list ServerDMZ_access_in extended permit ip host edgesrv1-int host 10.1.2.14
access-list ServerDMZ_access_in extended permit tcp host edgesrv1-ext any eq 5061
access-list ServerDMZ_access_in extended permit tcp host TrainSrv host scswhq object-group winlogin
access-list ServerDMZ_access_in extended permit tcp host paris host 10.1.2.57 eq sqlnet
access-list ServerDMZ_access_in extended permit tcp host paris host 10.1.2.16 object-group dloadmin
access-list ServerDMZ_access_in extended permit tcp dmzlan 255.255.255.0 any eq www inactive
access-list ServerDMZ_access_in extended permit tcp dmzlan 255.255.255.0 any eq https inactive
access-list ServerDMZ_access_in extended permit tcp host 10.2.2.25 host scswhq object-group winlogin inactive
access-list ServerDMZ_access_in extended permit ip host 10.2.2.25 host 10.1.2.7 inactive
access-list ServerDMZ_access_in extended permit tcp host TrainSrv host 10.1.2.7 eq 1433
access-list ServerDMZ_nat0_inbound extended permit ip dmzlan 255.255.255.0 insidelan 255.255.0.0
access-list PublicAccess_access_in extended permit ip host scsguestwap any
access-list CiscoVPN_splitTunnelAcl standard permit insidelan 255.255.0.0
access-list CiscoVPN_splitTunnelAcl standard permit dmzlan 255.255.255.0
pager lines 24
logging enable
logging buffer-size 65536
logging trap warnings
logging asdm warnings
logging from-address cicsoasa@silvercreeksystems.com
logging recipient-address lbernstone@silvercreeksystems.com level errors
logging facility 23
logging host inside 10.1.2.5
logging ftp-server scswww / ciscoasa S8V3eTt3
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu ServerDMZ 1500
mtu PublicAccess 1500
mtu management 1500
ip local pool VPNpoolNEW VPNaddresses-10.1.7.99 mask 255.255.192.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ServerDMZ
asdm image disk0:/v722/asdm-522.bin
asdm location scswhq 255.255.255.255 inside
asdm location 10.1.2.5 255.255.255.255 inside
asdm location scswww 255.255.255.255 ServerDMZ
asdm location dmzlan 255.255.255.0 ServerDMZ
asdm location 10.2.2.7 255.255.255.255 ServerDMZ
asdm location scsguestwap 255.255.255.255 PublicAccess
asdm history enable
arp timeout 14400
global (outside) 1 216.xxx.xxx.xxx-216.xxx.xxx.xxx netmask 255.255.255.0
global (outside) 10 interface
global (inside) 1 10.1.6.141 netmask 255.255.192.0
global (ServerDMZ) 192 interface
global (PublicAccess) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (ServerDMZ) 0 access-list ServerDMZ_nat0_outbound
nat (ServerDMZ) 0 access-list ServerDMZ_nat0_inbound outside
nat (PublicAccess) 10 0.0.0.0 0.0.0.0
nat (PublicAccess) 192 0.0.0.0 0.0.0.0 outside
static (ServerDMZ,outside) 216.xxx.xxx.xxx scswww netmask 255.255.255.255
static (inside,outside) 216.xxx.xxx.xxx scswhq netmask 255.255.255.255
static (ServerDMZ,outside) 216.xxx.xxx.xxx TrainSrv netmask 255.255.255.255
static (ServerDMZ,outside) 216.xxx.xxx.xxx external2 netmask 255.255.255.255
static (ServerDMZ,outside) 216.xxx.xxx.xxx edgesrv1-ext netmask 255.255.255.255
static (ServerDMZ,outside) 216.xxx.xxx.xxx 10.2.2.67 netmask 255.255.255.255
static (inside,outside) 216.xxx.xxx.xxx 10.1.2.16 netmask 255.255.255.255
static (PublicAccess,inside) interface scsguestwap netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ServerDMZ_access_in in interface ServerDMZ
access-group PublicAccess_access_in in interface PublicAccess
route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.xxx 1
route inside 10.1.64.0 255.255.252.0 10.1.6.100 1
route inside 10.1.252.0 255.255.254.0 10.1.6.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SCS protocol kerberos
aaa-server SCS host scswhq
kerberos-realm HEADQUARTERS.SILVERCREEKSYSTEMS.COM
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
intercept-dhcp 255.255.0.0 enable
group-policy DfltGrpPolicy attributes
banner none
wins-server value 10.1.2.2
dns-server value 10.1.2.2
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value HEADQUARTERS
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value VPNpoolNEW
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
wins-server value 10.1.2.2
dns-server value 10.1.2.2
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp enable
group-lock value CiscoVPN
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoVPN_splitTunnelAcl
default-domain value HEADQUARTERS
username admin password .Gl7xFj7Ubu8igbf encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 10.1.6.115 255.255.255.255 inside
http 10.1.6.1** 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 management
http scswhq 255.255.255.255 inside
http 10.1.6.192 255.255.255.255 inside
http 10.1.64.32 255.255.255.255 inside
snmp-server host inside 10.1.2.5 poll community scsread version 2c
snmp-server location SCSASA
snmp-server contact Silver Creek
snmp-server community scsread
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-128-MD5 ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint TP_scsasa
enrollment self
fqdn scsasa.silvercreeksystems.com
crl configure
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
address-pool VPNpoolNEW
authentication-server-group SCS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key d4t4l3nsVPN
isakmp keepalive threshold infinite
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group CiscoVPN type ipsec-ra
tunnel-group CiscoVPN general-attributes
address-pool VPNpoolNEW
authentication-server-group SCS
default-group-policy CiscoVPN
tunnel-group CiscoVPN ipsec-attributes
pre-shared-key d4t4l3nsVPN
tunnel-group CiscoVPN ppp-attributes
no authentication chap
authentication ms-chap-v2
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.6.1** 255.255.255.255 inside
ssh scswhq 255.255.255.255 inside
ssh 10.1.6.115 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns 4.2.2.2 4.2.2.3
!
dhcpd address 192.168.10.5-192.168.10.10 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect icmp
inspect pptp
!
service-policy global_policy global
ntp server scswhq source inside prefer
ntp server 216.27.160.99 source outside
ntp server 209.223.236.234 source outside
ntp server 67.19.103.173 source outside
ntp server 66.109.132.242 source outside
ntp server 64.242.84.204 source outside
ntp server 216.52.237.151 source outside
smtp-server 10.1.2.2
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:eb7cd17f671a38e4063f231365a54f7a
: end


All Answers


asdm access

by jdyess In reply to Unable to use ASDM with C ...

Check the lines in your config below:
http 10.1.6.115 255.255.255.255 inside
http 10.1.6.1** 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 management
http scswhq 255.255.255.255 inside
http 10.1.6.192 255.255.255.255 inside
http 10.1.64.32 255.255.255.255 inside

They allow access to the ASDM tool. Make sure your IP address is listed and specify inside as the interface to allow you access on.
You can specify an entire network if needed, but it is best to specify single IP addresses.


re: asdm access

by ckdunn In reply to asdm access

My IP address is listed:

http 10.1.6.115 255.255.255.255 inside

When I attempt to open the ASDM, it immediately errors telling me the connection timed out. I am also unable to browse to the website that allows a user to download the ASDM tool from the ASA (10.1.2.1).


Two Things

by career In reply to re: asdm access

Add these two lines to the config and you should be golden:

# management-access inside

# http 0.0.0.0 0.0.0.0 inside
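Both points raised in the answers above can be checked offline before anything is typed into the box: whether a given client address is covered by an `http` (ASDM) or `ssh` entry for the interface it actually arrives on, and how wide each entry is once a `0.0.0.0 0.0.0.0` line is added. The Python script below is an added example written for this page, not code from the thread, from Cisco or from any ASDM tooling. It parses the pre-8.3 style `name`, `interface`/`nameif`/`ip address`, `route`, `http` and `ssh` lines of a running-config, works out the ingress interface for a client by longest-prefix match over connected subnets and static routes (an entry for `inside` does nothing for a client that reaches the firewall through the DMZ or the outside), answers whether that client is permitted, and lists entries that admit more than a /24 on any interface that is not `management-only`. The embedded config is a constructed excerpt modelled on the one in the question: the outside address is a documentation-range placeholder for the redacted one, the `10.1.6.1**` line is omitted because it cannot be parsed, and all function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's config, not a copy of it: the
# outside address is a documentation-range placeholder for the redacted one,
# and "http 0.0.0.0 0.0.0.0 inside" is the wide-open entry proposed in the
# thread, included so the breadth check has something to flag.
SAMPLE_CONFIG = """\
name 10.1.2.2 scswhq
interface Ethernet0/0
nameif outside
ip address 203.0.113.10 255.255.255.224
interface Ethernet0/1
nameif inside
ip address 10.1.2.1 255.255.192.0
interface Ethernet0/2
nameif ServerDMZ
ip address 10.2.2.1 255.255.255.0
interface Management0/0
nameif management
ip address 192.168.10.1 255.255.255.0
management-only
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.64.0 255.255.252.0 10.1.6.100 1
http 10.1.6.115 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 management
http scswhq 255.255.255.255 inside
http 10.1.64.32 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
ssh 10.1.6.115 255.255.255.255 inside
ssh timeout 5
"""

_D = r"(\d{1,3}(?:\.\d{1,3}){3})"  # one dotted-quad capture group
_NAME_RE = re.compile(rf"^name\s+{_D}\s+(\S+)")
_IPADDR_RE = re.compile(rf"^ip address\s+{_D}\s+{_D}")
_ROUTE_RE = re.compile(rf"^route\s+(\S+)\s+{_D}\s+{_D}\s+")
_MGMT_RE = re.compile(rf"^(http|ssh)\s+(\S+)\s+{_D}\s+(\S+)$")


def parse_asa_config(text):
    """Names, interfaces, static routes and http/ssh entries from a pre-8.3 ASA config."""
    cfg = {"names": {}, "interfaces": {}, "routes": [], "entries": []}
    current = None  # interface block being read; every other line is ignored
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"network": None, "management_only": False}
        elif current is not None and line.startswith("nameif "):
            cfg["interfaces"][line.split()[1]] = current  # nameif is case-sensitive
        elif current is not None and line == "management-only":
            current["management_only"] = True
        elif current is not None and (m := _IPADDR_RE.match(line)):
            current["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := _NAME_RE.match(line):
            cfg["names"][m[2]] = m[1]
        elif m := _ROUTE_RE.match(line):
            cfg["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := _MGMT_RE.match(line):
            cfg["entries"].append((m[1], m[2], m[3], m[4]))  # proto, src, mask, nameif
    # Connected subnets join the static routes so the ingress lookup sees both.
    for nameif, data in cfg["interfaces"].items():
        if data["network"] is not None:
            cfg["routes"].append((nameif, data["network"]))
    return cfg


def _source_network(entry, cfg):
    addr = cfg["names"].get(entry[1], entry[1])  # 'name' objects stand in for addresses
    return ipaddress.ip_network(f"{addr}/{entry[2]}", strict=False)


def ingress_interface(client_ip, cfg):
    """Longest-prefix match: the interface on which client_ip reaches the firewall."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for nameif, net in cfg["routes"]:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nameif, net)
    return best[0] if best else None


def is_permitted(client_ip, proto, cfg):
    """Can client_ip reach proto ('http' is ASDM, or 'ssh') on its ingress interface?"""
    ip = ipaddress.ip_address(client_ip)
    ingress = ingress_interface(client_ip, cfg)
    return ingress is not None and any(
        e[0] == proto and e[3] == ingress and ip in _source_network(e, cfg)
        for e in cfg["entries"]
    )


def broad_entries(cfg, min_prefixlen=24):
    """Entries wider than /min_prefixlen on interfaces that are not management-only."""
    return [
        (e[0], e[3], _source_network(e, cfg).prefixlen)
        for e in cfg["entries"]
        if _source_network(e, cfg).prefixlen < min_prefixlen
        and not cfg["interfaces"].get(e[3], {}).get("management_only")
    ]


if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    print(is_permitted("10.1.6.115", "http", cfg), broad_entries(cfg))
```

To run it against the real device, paste the `show running-config` output into `SAMPLE_CONFIG` or read it from a file; only the line types named above are consulted, so access-lists, NAT and VPN sections pass through untouched. The script reasons about the permit lists only: a client that it reports as permitted can still time out if `http server enable` or the `asdm image` line is missing, so those are worth confirming separately.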


I'll be honest... if you're not a Cisco tech, then you probably

by CG IT In reply to Unable to use ASDM with C ...

shouldn't be trying to configure it. Hire a consultant or better yet, just ask Cisco. They have their own forums and help.
