topic http 0.0.0.0 0.0.0.0 outside in Network Security

Open Port for ASDM access via internet

Ben McGuire — Tue, 12 Mar 2019 06:40:44 GMT

HI there,

We have a ASA 5505 firewall installed and is connected to our ESXi server. The people who set it up only gave access via our server.

What we want is to be able to access the ASDM via the internet so we can configure our firewall as we do not know cisco commands for opening ports. We have tried but cannot get access.

Can someone please provide the commands as we just want access via any IP over the internet temporary till we can configure it via the GUI.

ciscoasa(config)# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8asdasdasdencrypted
passwdasdasdasd encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 216.245.198.78 255.255.255.248
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit udp any any eq 443
access-list inside_access_out extended permit tcp any any eq https
pager lines 24
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 216.245.198.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 74.63.208.0 255.255.255.0 outside
http 74.63.205.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 74.63.208.0 255.255.255.0 outside
ssh 74.63.205.0 255.255.255.0 outside
ssh 216.245.198.72 255.255.255.248 outside
ssh timeout 5
console timeout 0

Thanks

hi,you may want to edit/scrub

johnlloyd_13 — Thu, 01 Oct 2015 13:14:19 GMT

hi,

you may want to edit/scrub any public IP for security reasons.

you're missing some few lines. add below and try again:

access-group outside_access_in in

username <USER> password <PW> privilege 15

aaa authentication http console LOCAL

You don't enable ASDM access

Marvin Rhoads — Thu, 01 Oct 2015 14:44:14 GMT

You don't enable ASDM access using an access-list.

You enable it for the outside interface using the "http <source address> <source netmask> outside" command. You have a couple of subnets already in there.

You also need to specify the ASDM image: "asdm image disk0:/asdm-751.bin" (or whatever version number you have already on disk0).

Thank you for the response

Ben McGuire — Fri, 02 Oct 2015 03:26:36 GMT

Thank you for the response Marvin.

So I just type your command http <source address> <source netmask> outside

and that is all i need to access from any ip over the internet?

Also how would I specify the asdm image?

The command in quotes in my

Marvin Rhoads — Fri, 02 Oct 2015 03:37:53 GMT

The command in quotes in my last paragraph earlier is the command to specify the asdm image.

I used the latest version as an example. If you type 'dir' on the command line you can see what asdm<Version number>.bin file you have available.

So if i wanted to access the

Ben McGuire — Fri, 02 Oct 2015 03:42:44 GMT

So if i wanted to access the ASDM interface over the internet from any addresss to port 443 I would enter

http any any outside as I need to open port 443 to access the ASDM?

can i just add your lines to

Ben McGuire — Fri, 02 Oct 2015 03:57:41 GMT

can i just add your lines to the bottom of the config?

i remember i used to just copy and paste complete configs to the command line.

As i asked Marvin, what is the complete command to open port for ASDM access via the internet and the image file he is talking about?

http 0.0.0.0 0.0.0.0 outside

Marvin Rhoads — Fri, 02 Oct 2015 04:30:56 GMT

http 0.0.0.0 0.0.0.0 outside

That is the command to allow ASDM access from any outside address. Enter it from configuration mode and save afterwards. The ASA configuration parser will take care of putting it in the right place in the running and startup configuration files.

The command says "http" even though the transport is really https. There is no need for any port specification, access-list entry, etc.

And the ADSM image?

Ben McGuire — Fri, 02 Oct 2015 04:34:14 GMT

And the ADSM image?

http 0.0.0.0 0.0.0.0 outside

That is the entry for opening the firewall but how about specifying the ADSM image?

As I mentioned earlier and

Marvin Rhoads — Fri, 02 Oct 2015 04:45:27 GMT

As I mentioned earlier and reiterated earlier, the command is:

asdm image disk0:/asdm-751.bin

(or whatever version number you have already on disk0).

The filename is the ASDM bin file that is on your ASA's internal compact flash card (= disk0).

It will vary from ASA to ASA depending on what ASDM version is installed. So without seeing your ASA's disk0 directory, I can only tell you so much.

Thank you Marvin. I will give

Ben McGuire — Fri, 02 Oct 2015 04:51:37 GMT

Thank you Marvin. I will give it a go now to see if it works. Ill let you know.

Marvin you a a legend!! I ran

Ben McGuire — Fri, 02 Oct 2015 04:59:43 GMT

Marvin you a a legend!!

I ran the command that you specified then ran the adsm command. My version was 524.

Thanks so much for your assistance!!