topic Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses in Network Security

Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t — Fri, 21 Feb 2020 16:22:20 GMT

Hi All

I'm new to the ASA5506 and am setting one up as a firewall for our office. I originally set it up via ASDM and one of the things I did was to change the LAN IP addresses, since then I cannot access the firewall at http://'new address'/admin or https://'new address'/admin or via ASDM from the laptop I originally used with ASDM at the original address. However, if I use a different PC on the same LAN, I can get to https://'new address'/admin and via ASDM.

I've been setting up the rest of the firewall config via the console port and everything else seems to be working fine.

I've read another discussion and perhaps this may be a certificate problem, but if so I don't know how to fix it. Does anyone know if that might be the problem or could it be something else?

Thanks in advance

Mike

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

Alex Pfeil — Wed, 17 Oct 2018 23:00:46 GMT

Show run | i http
You usually have commands:
Http inside x.x.x.x subnetMask
Or
Http management

It can also be SSL issue.

Please mark helpful posts.

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

johnd2310 — Wed, 17 Oct 2018 23:02:05 GMT

Hi,

Are the 2 PCs on the same network i.e. same ip address range? Can you ping the "new ip address" from the PC that is not working? What ip addresses are configured to access the firewall e.g. http x.x.x.x x.x.x.x inside?

thanks

John

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

Alex Pfeil — Wed, 17 Oct 2018 23:02:55 GMT

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/116403-configure-asdm-00.html#anc9

Look at the SSL portion of this document.

Please mark helpful posts.

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t — Thu, 18 Oct 2018 00:37:30 GMT

sho run | i http gives

http server enable
http 192.168.0.0 255.255.0.0 inside_1
http 192.168.0.0 255.255.0.0 inside_2
http 192.168.0.0 255.255.0.0 inside_3
http 192.168.0.0 255.255.0.0 inside_4
http 192.168.0.0 255.255.0.0 inside_5
http 192.168.0.0 255.255.0.0 inside_6
http 192.168.0.0 255.255.0.0 inside_7

the original laptop is at 192.168.2.64, the new one is 192.168.2.69, both can ping the ASA at 192.168.2.1

Mike

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t — Thu, 18 Oct 2018 00:40:44 GMT

yes, both PCs are in the same address range and can ping all hosts that are on that network including the ASA

Result of sho run http is

http server enable
http 192.168.0.0 255.255.0.0 inside_1
http 192.168.0.0 255.255.0.0 inside_2
http 192.168.0.0 255.255.0.0 inside_3
http 192.168.0.0 255.255.0.0 inside_4
http 192.168.0.0 255.255.0.0 inside_5
http 192.168.0.0 255.255.0.0 inside_6
http 192.168.0.0 255.255.0.0 inside_7

MIke

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t — Thu, 18 Oct 2018 01:35:19 GMT

Thanks for that link, but I've not found anything there that helps. It says "open the ASDM from another machine. If you succeed, the issue is is probably at the application level". But then I'm not sure where to go. There is an 'Application Software' section in that document, and one of the steps is "Open the ASDM launch page from another machine. If it launches, it means that the issue is with the client machine in question". So (as suspected) there is an issue on the original client machine, but I can't work out what and how to fix it

Mike

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

Alex Pfeil — Thu, 18 Oct 2018 10:36:31 GMT

1. Make sure you are allowing your computer IP address to the correct interface with the http command on the asa.

2. Make sure you have the SSL command on the asa.

Here is an example:

ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2
no ssl-server-check

3. Make sure you have the asdm image command.

Here is an example:

asdm image disk0:/asdm.bin

4. Check the version of the asa you are running.

5. Check the version of the asdm you are running.

6. Check the version of java that you are running.

Here is an example:

If you are running the latest version of asa and asdm code, you should have the latest java installed.

7. You can also go into the advanced options in internet explorer, scroll down near the bottom and verify what your SSL/TLS values are set to.

Please mark helpful posts.

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t — Thu, 18 Oct 2018 21:22:56 GMT

Thanks Alex

Just for further info - I tried SSH via PuTTY and had the same result (connection refused on the original laptop, and no problem on the new PCs), so it doesn't look like an ASDM / Java issue. But just to confirm, here are the responses to your points

@Alex Pfeil wrote:

1. Make sure you are allowing your computer IP address to the correct interface with the http command on the asa.

Yes - reported in previous posts

2. Make sure you have the SSL command on the asa.

Here is the result of sho run all ssl

ssl server-version tlsv1

ssl client-version tlsv1

ssl cipher default medium

ssl cipher tlsv1 medium

ssl cipher tlsv1.1 medium

ssl cipher tlsv1.2 medium

ssl cipher dtlsv1 medium

ssl dh-group group2

ssl ecdh-group group19

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip

ssl certificate-authentication fca-timeout 2

3. Make sure you have the asdm image command.

I have asdm image disk0:/asdm-782.bin

4. Check the version of the asa you are running.

9.8(2)

5. Check the version of the asdm you are running.

7.8(2)

6. Check the version of java that you are running.

Version 8 Update 181 (build 1.9.0_181-b13)

7. You can also go into the advanced options in internet explorer, scroll down near the bottom and verify what your SSL/TLS values are set to.

I tend to use Chrome rather than IE, but IE has "Use TLS 1.0", "Use TLS 1.1" and "Use TLS 1.2" checked

Thanks for you help

Mike

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

Alex Pfeil — Fri, 19 Oct 2018 12:11:37 GMT

Show run | include http

show run | include ssh

Re: Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t — Sun, 21 Oct 2018 20:24:38 GMT

sho run | i http

http server enable
http 192.168.0.0 255.255.0.0 inside_1
http 192.168.0.0 255.255.0.0 inside_2
http 192.168.0.0 255.255.0.0 inside_3
http 192.168.0.0 255.255.0.0 inside_4
http 192.168.0.0 255.255.0.0 inside_5
http 192.168.0.0 255.255.0.0 inside_6
http 192.168.0.0 255.255.0.0 inside_7
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http

sho run | i ssh

aaa authentication ssh console LOCAL
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside_1
ssh 192.168.0.0 255.255.0.0 inside_2
ssh 192.168.0.0 255.255.0.0 inside_3
ssh 192.168.0.0 255.255.0.0 inside_4
ssh 192.168.0.0 255.255.0.0 inside_5
ssh 192.168.0.0 255.255.0.0 inside_6
ssh 192.168.0.0 255.255.0.0 inside_7
ssh timeout 5
ssh key-exchange group dh-group1-sha1

Thanks

Mike