ASA 5515 cannot open http to ASDM from inside due to ACL

Charlie Nguyen
Level 1

Hi All,

I have a problem accessing ASDM via HTTP from inside due to an ACL. Please help me check what I am missing here. Below is the debug:

%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.1.68/49284 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-7-609001: Built local-host inside:10.10.1.68
%ASA-6-302013: Built inbound TCP connection 37 for inside:10.10.11.68/49287 (10.10.11.68/49287) to identity:10.10.11.1/22 (10.10.11.1/22)
%ASA-6-315011: SSH session from 10.10.1.68 on interface inside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
%ASA-6-302014: Teardown TCP connection 37 for inside:10.10.11.68/49287 to identity:10.10.11.1/22 duration 0:00:00 bytes 0 TCP FINs
%ASA-7-609002: Teardown local-host inside:10.10.11.68 duration 0:00:00

packet-tracer in inside tcp 10.10.11.68 12345 10.10.11.1 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.11.1     255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I also have a problem with SSH from inside, as you can see above: "disconnected by SSH server, reason: "Internal error" (0x00)". What would that be?

Below are our settings

ASA01# sh ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled

ASA01# sh run ssl

ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

ASA01#

ASA01# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

ASA01# sh run access-list

ASA01# sh run http

http server enable

http server session-timeout 30

http 10.10.11.0 255.255.255.0 INDT-inside

ASA01# sh run ssh

ssh 10.10.11.0 255.255.255.0 INDT-inside

ssh timeout 30

ssh version 2

ASA01# sh int gi0/0.11

Interface GigabitEthernet0/0.11 "inside", is up, line protocol is up

  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec

        VLAN identifier 111

        Description: Management

        MAC address 6c41.6aa1.1ee9, MTU 1500

        IP address 10.10.11.1, subnet mask 255.255.255.0

  Traffic Statistics for "INDT-inside":

        9752 packets input, 1056046 bytes

        9616 packets output, 1036144 bytes

        145 packets dropped

ASA01# sh run int gi0/0.11

!

interface GigabitEthernet0/0.11

description INDTmanagement

vlan 11

nameif inside

security-level 100

ip address 10.10.11.1 255.255.255.0 standby 10.10.11.2

ASA01# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(1)

Device Manager Version 6.6(1)

Compiled on Wed 28-Nov-12 11:15 PST by builders

System image file is "disk0:/asa911-smp-k8.bin"

Config file at boot was "startup-config"

ASA01 up 13 hours 19 mins

failover cluster up 3 days 13 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)

            ASA: 4096 MB RAM, 1 CPU (1 core)

Internal ATA Compact Flash, 8192MB

BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)

                             Boot microcode        : CNPx-MC-BOOT-2.00

                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020

                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0022

                             Number of accelerators: 1

Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

0: Int: Internal-Data0/0    : address is 6c41.6aa1.1ee5, irq 11

1: Ext: GigabitEthernet0/0  : address is 6c41.6aa1.1ee9, irq 10

2: Ext: GigabitEthernet0/1  : address is 6c41.6aa1.1ee6, irq 10

3: Ext: GigabitEthernet0/2  : address is 6c41.6aa1.1eea, irq 5

4: Ext: GigabitEthernet0/3  : address is 6c41.6aa1.1ee7, irq 5

5: Ext: GigabitEthernet0/4  : address is 6c41.6aa1.1eeb, irq 10

6: Ext: GigabitEthernet0/5  : address is 6c41.6aa1.1ee8, irq 10

7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0

8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0

9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0

10: Ext: Management0/0       : address is 6c41.6aa1.1ee5, irq 0

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

IPS Module                        : Disabled       perpetual

Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Failover cluster licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 4              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 4              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 4              perpetual

Total UC Proxy Sessions           : 4              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

IPS Module                        : Disabled       perpetual

Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number:

Running Permanent Activation Key:

Configuration register is 0x1

Configuration last modified by enable_15 at 19:35:02.589 UTC Wed Jul 31 2013

Your help is greatly appreciated.

Charlie

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Have you connected with HTTPS not HTTP?

With regards to the SSH, have you generated the keys?

crypto key generate rsa modulus 2048

You can check the ports on which the ASA is listening with the following command

show asp table socket

- Jouni
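As an added triage example (not code from the thread or from Cisco), a Python script that parses syslog lines in the format the question shows and flags the two symptoms diagnosed here: 710003 denies to port 80 on the ASA's own address (ASDM is served only over HTTPS on 443) and 315011 SSH sessions for user "" closed with "Internal error" (no RSA host key yet). The sample lines are constructed after the post's log; the finding labels are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's debug output (not the full original log).
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-6-302013: Built inbound TCP connection 37 for inside:10.10.11.68/49287 (10.10.11.68/49287) to identity:10.10.11.1/22 (10.10.11.1/22)
%ASA-6-315011: SSH session from 10.10.11.68 on interface inside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
%ASA-6-302014: Teardown TCP connection 37 for inside:10.10.11.68/49287 to identity:10.10.11.1/22 duration 0:00:00 bytes 0 TCP FINs
"""

# %ASA-3-710003: to-the-box connection denied (no http/ssh/telnet statement matched it).
DENY_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# %ASA-6-315011: SSH session closed by the ASA itself, with the reason string.
SSH_ERR_RE = re.compile(
    r'%ASA-\d-315011: SSH session from (?P<src>[\d.]+) on interface (?P<ifc>\S+) '
    r'for user "(?P<user>[^"]*)" disconnected by SSH server, reason: "(?P<reason>[^"]*)"'
)
# Services the ASA terminates itself; 80 is absent on purpose: 'http server enable'
# only serves ASDM over HTTPS, so port-80 attempts hit the implicit deny.
MGMT_PORTS = {"443": "https/asdm", "22": "ssh"}


def triage(log_text):
    """Return (label, address, port/interface, advice) findings for management-plane issues."""
    findings = []
    denies = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies[(m["dst"], m["dport"])] += 1
            continue
        m = SSH_ERR_RE.search(line)
        # Session built, then torn down before any user name: symptom of a missing RSA key.
        if m and m["reason"] == "Internal error" and m["user"] == "":
            findings.append(("ssh-internal-error", m["src"], m["ifc"],
                             "SSH dropped before auth; check 'show crypto key mypubkey rsa'"))
    for (dst, dport), n in denies.items():
        if dport == "80":
            findings.append(("http-instead-of-https", dst, dport,
                             f"{n} 710003 denies to {dst}:80; ASDM listens on 443, use https://{dst}"))
        elif dport not in MGMT_PORTS:
            findings.append(("unexpected-mgmt-port", dst, dport,
                             f"{n} 710003 denies to {dst}:{dport}; verify with 'show asp table socket'"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get one SSH finding and one port-80 finding for 10.10.11.1; denies to any port other than 443 or 22 are reported separately for checking against the socket table.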

2 Replies

Jouni,

You nailed it. Https works, duh!

SSH also works with the key generated.

Thank you very much for your extremely fast response.

Charlie
