topic Re: Can not access my ASA 5505 through http, nor ASDM, but I can through Putty in Network Security

Can not access my ASA 5505 through http, nor ASDM, but I can through Putty

Kondilasm — Tue, 05 May 2020 15:47:00 GMT

Hi Everyone,

I've been going through all the topics on this issue and have not been able to find a single answer that works for me. The firewall was factory reset, and maintained part of it's settings. I made sure it has the IP of 192.168.1.1 for VLAN 1 and enabled http(http server enable), set the IP range for HTTP to 192.168.1.0/24 and verified that the encryption types(3DES, SHA1) are enabled. I have set the connected PC to DHCP and verified it has a IP in the appropriate range(192.168.1.5/24 from the ASA). I also tried different ports(0/0, 0/1, and 0/2), just in case there was something quirky going on.

The ASA did work previously and was part of a working configuration, but needs to be reloaded with a backup configuration now, after some changes were made that did not work. If anyone has any suggestions, I'd greatly appreciate it! Thank you for taking the time to read!

Re: Can not access my ASA 5505 through http, nor ASDM, but I can through Putty

balaji.bandi — Tue, 05 May 2020 16:56:06 GMT

here is the document for reference :

https://community.cisco.com/t5/security-documents/how-to-access-the-cisco-asa-using-asdm/ta-p/3122862

I know you have mentioned factory reset and configured http, can you please post the configuration to have look and confirm what is wrong.

Re: Can not access my ASA 5505 through http, nor ASDM, but I can through Putty

Kondilasm — Tue, 05 May 2020 17:55:13 GMT

Thank you for taking a look. I have included the current configuration below:

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password lMvbRrIz1vOHae1y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asa2backup
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http server idle-timeout 3
http server session-timeout 5
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password OQpzJKHiUrJEe5iY encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f0c3cada444fa8481f4a23d93149d909
: end

Re: Can not access my ASA 5505 through http, nor ASDM, but I can through Putty

balaji.bandi — Tue, 05 May 2020 18:59:03 GMT

Not sure you have ASDM Image here - asdm image disk0:/asa2backup (this should be .bin point to flash file)

you can check with dir or show flash command.

here cisco document :

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/116403-configure-asdm-00.html

here is good complete video for reference :

https://www.youtube.com/watch?v=CRzVkzIR8oQ

Re: Can not access my ASA 5505 through http, nor ASDM, but I can through Putty

Kondilasm — Wed, 06 May 2020 11:08:24 GMT

Thank you! I checked it again and had to add a port to the end of the http address, which then let me access the ASDM.

Re: Can not access my ASA 5505 through http, nor ASDM, but I can through Putty

brianjoekelley — Sat, 27 Jun 2020 20:46:37 GMT

Hi,

Great that you got it figured out.

I happen to be reading threads here and see what issues arise.

For others that experience "lockout" of ADSM gui but have terminal access via putty or some other emulator, and if this solution didn't work for you, you may also think about checking the asa's certificates, certificate authority config, and trustpoints. I had a certificate being maintained by ca godaddy (ripoff enterprise) expire on me and I no longer could run the gui. The communication exchanges certificates over ssl, and when something is not valid it breaks.

I had to dig in and learn about recreating certificates, trustpoints and my own local certificate authority on the asa (since I was getting reamed and defrauded by godaddy and decided to ditch them).

There is an ASA administration and configuration manual with extensive chapters on certificate management.

-Brian