
Can't access ASDM, new ASA 5512-x

OSKAR SVEDMAN
Level 1

Hi,
I have a new ASA 5512-x.

I have a PC connected to the management port. I have network access to it: I can TFTP files up and ping the firewall.

When I try to access it by https://192.168.1.1 or https://192.168.1.1 I get "webpage could not be found". I have tested with two different PCs, Win7/IE9 and Win8/IE10. Port 443 is listening if I do a telnet 192.168.1.1 443.

It's a standard basic configuration with the following:

asdm image disk0:/asdm-711-52.bin

http server enable

http 192.168.1.0 255.255.255.0 management

The asdm-file is located on the flash.

Does anyone have any idea or suggestion what to do? Any advice on how to troubleshoot it would be much appreciated.

Accepted Solution

Andrew Phirsov
Level 7

Try adding this in global config mode:

ssl encryption aes128-sha1 3des-sha1


10 Replies

Jennifer Halim
Cisco Employee

Can you please share your configuration (show run)?

Also, have you tried just http instead of https to the ASA?


Hi Jennifer,
Here is the config. It's a new standard config with nothing added.

The only thing I have done is that I tried upgrading the OS and ASDM to see if that made it work, but the problem is the same.

Same thing with http as with https.

Andrew, thanks, I will test that.

ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 nameif inside
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0a7fa8788882f95a91de16b20ccc4e58
: end
ciscoasa#


Can you also please check the output of "show version" and see if the 3DES license is enabled?

Also, try to reload the ASA and see if you can access it after.

Thank you all for the help.

Andrew, your tip solved it: "ssl encryption aes128-sha1 3des-sha1"

Exact same problem here. Brand new 5512-X out of the box. I could not access https://192.168.1.1/admin, https://192.168.1.1 or http://192.168.1.1. However, I could ping 192.168.1.1 and console into the ASA. I added the line mentioned above via console (ssl encryption aes128-sha1 3des-sha1) and voilà, it worked. Is this a bug or a missing parameter in the config? I can only imagine the frustration of others simply trying to perform a first-time configuration. :|

Hello Dkraut,

It's just that the SSL encryption mechanism supported by default does not work with your browser (that is why we need to change it to a more secure encryption algorithm), but that's it.

It's just a command.

If this helps, please rate it.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
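The checks the replies in this thread walk through (asdm image set, http server enabled, an http ACL for the management interface, and whether "ssl encryption" offers anything a browser will still negotiate) can be run against a saved "show run" dump. This is an added example, not code from the thread or from Cisco; the sample config below is a constructed cut-down of the one posted above, and the licence mapping for AES is an assumption to confirm against "show version".

```python
"""Audit the ASDM-access prerequisites in an ASA 'show run' dump (added example)."""
import re

# Ciphers a browser of that era still negotiates; des-sha1 (56-bit DES) is not.
BROWSER_OK = {"aes128-sha1", "aes256-sha1", "3des-sha1"}
# Per the thread, 3des-sha1 needs the 3DES licence; treating AES as covered by the
# same 3DES-AES licence is an assumption here, so verify with "show version".
LICENSED = {"3des-sha1", "aes128-sha1", "aes256-sha1"}

# Constructed sample: the relevant lines from a factory-default 5512-X config.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
asdm image disk0:/asdm-711-52.bin
http server enable
http 192.168.1.0 255.255.255.0 management
ssl encryption des-sha1
"""


def audit_asdm_access(config, mgmt_iface="management"):
    """Return a dict of findings; 'ok' is True only when every prerequisite passes."""
    lines = [l.strip() for l in config.splitlines()]
    f = {}
    f["asdm_image"] = next((l.split(None, 2)[2] for l in lines
                            if l.startswith("asdm image ")), None)
    f["http_server"] = "http server enable" in lines
    # An 'http <net> <mask> <iface>' line must allow the client's subnet on mgmt_iface.
    f["http_acl"] = any(re.fullmatch(r"http \S+ \S+ " + re.escape(mgmt_iface), l)
                        for l in lines)
    ssl = next((l for l in lines if l.startswith("ssl encryption ")), None)
    ciphers = ssl.split()[2:] if ssl else None       # None: line absent, cannot judge
    f["ciphers"] = ciphers
    f["browser_compatible"] = bool(set(ciphers) & BROWSER_OK) if ciphers else None
    f["needs_3des_aes_license"] = bool(set(ciphers) & LICENSED) if ciphers else False
    f["ok"] = all((f["asdm_image"], f["http_server"], f["http_acl"],
                   f["browser_compatible"]))
    if f["browser_compatible"] is False:
        f["fix"] = "ssl encryption aes128-sha1 3des-sha1"   # the accepted solution
    return f


if __name__ == "__main__":
    for key, value in audit_asdm_access(SAMPLE_CONFIG).items():
        print(f"{key:24} {value}")
```

On the sample this reports every prerequisite present except a browser-usable cipher, which matches the symptom in the thread: port 443 answers, but the TLS handshake fails before any page is served.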

Q: What is the browser configuration when you do not have a licence for 3DES and you are stuck with a K8? ;-(

ASA version 9.1.2 - 5515-X

When you type the command "ssl encryption aes128-sha1 3des-sha1" on my K8, you just get an error message saying that you require a 3DES licence.

Cheers

LB
