topic What is wrong with this config that would prevent a http connection in Network Security

What is wrong with this config that would prevent a http connection

gilchichester — Tue, 12 Mar 2019 04:24:53 GMT

For some reason that I can't see, I'm unable to connect to my ASA5505 using https://192.168.0.1

What am I missing?

Thanks in advance for any and all suggestions

ASA Version 8.2(1)
!
hostname asa
domain-name pinecastle
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.191.22.234 255.255.255.248
!
interface Ethernet0/0
description "Outside"
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name pinecastle
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.
255.255.0
access-list outside_in extended permit tcp any host 207.191.22.236 eq smtp
access-list outside_in extended permit tcp any host 207.191.22.236 eq www
access-list outside_in extended permit tcp any host 207.191.22.236 eq pop3
access-list outside_in extended permit icmp any host 207.191.22.236 echo-reply
access-list outside_in extended permit icmp any host 207.191.22.236 echo
access-list outside_in extended permit icmp any host 207.191.22.236 time-exceeded
access-list outside_in extended permit tcp any host 207.191.22.236 eq https
access-list inside_access_in remark ActiveSync Inside
access-list inside_access_in extended permit tcp host 192.168.0.92 host 207.191.
22.236 eq https inactive
access-list inside_access_in remark ActiveSync Inside
access-list inside_access_in extended permit tcp host 192.168.0.92 host 207.191.
22.234 eq https inactive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 207.191.22.236 192.168.0.92 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.191.22.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint help
crl configure
crypto ca trustpoint autosync
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint activesync
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASAActiveSync
enrollment terminal
crl configure
crypto ca trustpoint ActiveSyncASA
keypair Activesync
no client-types
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASAActiveSync
certificate ca 069e1db77fcf1dfba97af5e5c9a24037
Edited for size
quit
crypto ca certificate chain ActiveSyncASA
certificate 047b4b72820c42684686ff6438d03870
Edited for size
quit
certificate ca 069e1db77fcf1dfba97af5e5c9a24037
3082048f 30820377 a0030201 02021006 9e1db77f cf1dfba9 7af5e5c9 a2403730
Edited for size
quit
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ActiveSyncASA
ssl trust-point ActiveSyncASA inside
webvpn
username admin password VMclem/9gNRcFZK8 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dd648a34e2eb6e32e64998819060e23d

Are you receiving an error

Marius Gunnerud — Wed, 02 Jul 2014 10:28:12 GMT

Are you receiving an error message?

when you log into the ASA via CLI what do you see in the logs when you try to access HTTPS?

issue the command debug http from the CLI and then try to connect. What do you see in the debug?

issue the show version command and verify you have the 3DES/AES license installed. If you do not have it installed it is a free download from Cisco.

You are also missing the command aaa authentication http console LOCAL

Have a look at this article which has some good troubleshooting steps

https://supportforums.cisco.com/document/57701/asdm-access-troubleshooting

Please remember to select a correct answer and rate helpful posts

We have run through the

gilchichester — Wed, 02 Jul 2014 19:15:32 GMT

We have run through all the troubleshooting commands and didn't have any issues.

Still need some guidance on running the debug commands. we ran the following commands;

Logging on

Logging Buffered

debug http

attempted to connect to https://192.168.0.1 - browser doesn't return any specific error message

show logging

But the log doesn't show any HTTP messages

Please tell me what I'm doing wrong!

Thanks for your help.

The ASA uses HTTPS and from

Marius Gunnerud — Wed, 02 Jul 2014 19:15:33 GMT

The ASA uses HTTPS and from the output it is listening on the interface

SSL 0003785f 192.168.0.1:443 0.0.0.0:* LISTEN

notice the port 443 after the IP.

I am assuming that the ASDM image is present in flash?

could you issue the show version command and post it here?

issue the command show run all ssl and post the output here. If the following line of code is missing from the output please add it to the ASA:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

You might also need to regenerate the crypto key. Issue the following command to do so.

crypto key rsa generate modulus 1024

Please remember to select a correct answer and rate helpful posts

Sorry I was updating my last

gilchichester — Wed, 02 Jul 2014 19:45:06 GMT

Sorry I was updating my last post, before I saw this.

Yes we verified the ASDM image is in the flash

I will capture and post your requests first thing in the morning

Thanks again for your help

Marius,I'm able to run ASDM

gilchichester — Thu, 03 Jul 2014 10:12:34 GMT

Marius,

I'm able to run ASDM Launcher after adding the

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

to my configuration.

Thank you for all your insights

Gil

Glad I could help and thank

Marius Gunnerud — Thu, 03 Jul 2014 10:21:02 GMT

Glad I could help and thank you for the rating