Unable to Launch ASDM 6.3

nfazal (Level 1)

Hi Guys

I was trying to add an Access Rule, then a NAT rule. They applied OK, then I lost connection to my ASA 5510.

I can't ping the device IP and I can't connect via console; I can only access it via the Management port. I have pasted the running config below and would be grateful for any suggestions.

Many thanks

Max

: Saved
:
ASA Version 8.0(3)
!
hostname TGHQASA1
domain-name technogym.co.uk
enable password 6oq4gHgZ.eEI.Gqo encrypted
names
name 10.104.0.0 insideTGDR description Technogym DR inside net
name 10.103.0.0 insideTGHQ description TG internal net HQ
name 192.168.2.0 VPNClient description VPN Client Network
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 82.244.233.116 255.255.255.240
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif insideTGHQ
 security-level 100
 ip address 10.103.30.254 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup insideTGHQ
dns server-group DefaultDNS
 name-server 10.103.30.1
 domain-name technogym.co.uk
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service VMware tcp-udp
 description VMware Client
 port-object eq 443
 port-object eq 58876
object-group network net-insidetghq
object-group network site-insidetghq
object-group network net-local
access-list Admin_splitTunnelAcl standard permit insideTGHQ 255.255.0.0
access-list Admin_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list insideTGHQ_nat0_outbound extended permit ip insideTGHQ 255.255.0.0 insideTGDR 255.255.0.0
access-list insideTGHQ_nat0_outbound extended permit ip any 192.168.2.96 255.255.255.240
access-list outside_1_cryptomap extended permit ip insideTGHQ 255.255.0.0 insideTGDR 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu insideTGHQ 1500
mtu management 1500
ip local pool VPNClient 192.168.2.100-192.168.2.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 66.245.75.34 outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (insideTGHQ) 0 access-list insideTGHQ_nat0_outbound
nat (insideTGHQ) 1 insideTGHQ 255.255.0.0
static (insideTGHQ,insideTGHQ) interface 10.103.30.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 83.244.233.113 1
route outside insideTGDR 255.255.0.0 10.103.30.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http insideTGHQ 255.255.0.0 insideTGHQ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 66.245.75.34
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet insideTGHQ 255.255.0.0 insideTGHQ
telnet timeout 30
ssh insideTGHQ 255.255.0.0 insideTGHQ
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
webvpn
 enable outside
 svc enable
group-policy TGHQVPN internal
group-policy TGHQVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
group-policy TGHQVPN_1 internal
group-policy TGHQVPN_1 attributes
 dns-server value 10.10.30.1 10.103.30.2
 vpn-tunnel-protocol IPSec svc webvpn
 webvpn
  url-list none
  svc ask enable
group-policy Admin internal
group-policy Admin attributes
 dns-server value 10.103.30.1 10.103.30.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_splitTunnelAcl
 default-domain value technogym.co.uk
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 10.103.30.1 10.103.30.2
 vpn-tunnel-protocol IPSec webvpn
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
  svc ask enable
username brandon password BPOdN1VKq0yxKcFE encrypted privilege 15
username brandon attributes
 vpn-group-policy Admin
 memberof Administrators
username trevos password netCwlrh3QiZK/KspknpuQ== nt-encrypted
username fazaln password bwbgtVfQVWWC5KVQ encrypted privilege 0
username fazaln attributes
 vpn-group-policy TGHQVPN
username thnmf01 password MBe0MnrJ5N//6xhR encrypted privilege 15
username thnmf01 attributes
 vpn-group-policy Admin
 memberof Administrators
tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
 address-pool VPNClient
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *
tunnel-group 66.245.75.34 type ipsec-l2l
tunnel-group 66.245.75.34 ipsec-attributes
 pre-shared-key *
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
 address-pool VPNClient
 default-group-policy CiscoVPN
tunnel-group CiscoVPN ipsec-attributes
 pre-shared-key *
!
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:e076e5a6690c8e2c4381fb5fb350ecb7
: end

asdm image disk0:/asdm-603.bin
asdm location insideTGDR 255.255.0.0 insideTGHQ
no asdm history enable


pstebner10 (Level 1)

Naheem-

When you say that you lost your connection, what network were you on, and which interface were you trying to connect and ping to? Is this through your split-tunneled VPN or the insideTGHQ interface? (I'm assuming VPN)

One thing that looks wrong off the bat is your second route statement. I may be wrong, but I believe that should be a route on your insideTGHQ interface instead of the outside interface.

With a little more info this should be pretty easy to solve.

HTH,

Paul

Hi Paul

Thank you for your reply.

I lost connection moments after applying a new NAT rule. This was during the write mem stage: the ASDM hung for at least 3-4 mins, timed out, then shut down. The network interface I was connected to was Ethernet 0/3 insideTGHQ (office network), IP 10.103.30.254. After losing connection I tried to ping this interface and also tried to Telnet to this IP, all with no success. The site-to-site IPsec tunnel is running fine and was not affected.

I've checked the 2nd route statement and it looks OK; can you explain?

Thanks

Naheem

Naheem-

What is bothering me about that second route statement is this: the insideTGDR network is 10.104.0.0/16, and the existing route statement tells the ASA that any traffic destined for that network should go to the outside interface, but the next hop specified in that statement is the ASA insideTGHQ interface address. I am assuming that 10.104.0.0/16 needs to be routed through the inside interface instead, so instead of the following statement:

route outside insideTGDR 255.255.0.0 10.103.30.254 1

it should really be

route insideTGHQ insideTGDR 255.255.0.0 10.103.30.254 1

If I am wrong and this network actually exists on the outside interface, then the next hop needs to be changed to that of the outside interface.

Now, that being said, you lost your connectivity under very odd circumstances. If the NAT statement that you added was to blame, you would have lost your connection the instant that you hit 'enter' on that command, not when you did a write mem.

I would check the route statement again, and also check the status of Eth0/3 to make sure that it is up. Version 8 software on the 5510 allows you to run the first two interfaces (Eth0/0 and Eth0/1) at Gigabit speed while the last two will only run at 100Mbps. It is generally a best practice to force your ASA ports to whatever speed and duplex you want, and not allow them to negotiate.

You may also want to upgrade to the latest version of software for the 5510. I would suggest 8.2(5), as with any version after this the command set changes, as does the way that the ASAs perform certain functions, such as NAT. I would suggest you play around with any later version on a lab box for a while to get used to it before putting it in production.

HTH,

Paul
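An added example, not part of the thread: a small Python checker that applies Paul's reasoning about the second route to the posted config. It parses the name objects, interface addresses and route lines, and flags any static route whose next hop is not on the subnet of the egress interface it names, or is one of the ASA's own interface addresses. The config excerpt is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above: name objects, active interfaces, routes.
SAMPLE_CONFIG = """\
name 10.104.0.0 insideTGDR description Technogym DR inside net
name 10.103.0.0 insideTGHQ description TG internal net HQ
interface Ethernet0/0
 nameif outside
 ip address 82.244.233.116 255.255.255.240
interface Ethernet0/3
 nameif insideTGHQ
 ip address 10.103.30.254 255.255.0.0
route outside 0.0.0.0 0.0.0.0 83.244.233.113 1
route outside insideTGDR 255.255.0.0 10.103.30.254 1
"""


def parse_config(text):
    """Map name objects to addresses and nameifs to their IPv4Interface."""
    names, interfaces, nameif = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m.group(2)] = m.group(1)          # name -> address
        elif m := re.match(r" nameif (\S+)", line):
            nameif = m.group(1)                     # inside an interface sub-mode
        elif (m := re.match(r" ip address (\S+) (\S+)", line)) and nameif:
            interfaces[nameif] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return names, interfaces


def check_routes(text):
    """Return (route line, problem) for each static route whose next hop cannot
    be reached through the egress interface it names."""
    names, interfaces = parse_config(text)
    own_addrs = {i.ip: n for n, i in interfaces.items()}   # the ASA's own addresses
    problems = []
    for line in text.splitlines():
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if not m:
            continue
        egress, _dest, _mask, hop = m.groups()
        hop = ipaddress.IPv4Address(names.get(hop, hop))  # resolve name objects
        iface = interfaces.get(egress)
        if iface is None:
            problems.append((line, f"unknown interface {egress}"))
        elif hop in own_addrs:
            problems.append((line, f"next hop is the ASA's own {own_addrs[hop]} address"))
        elif hop not in iface.network:
            problems.append((line, f"next hop {hop} is not on {egress} subnet {iface.network}"))
    return problems
```

Run over the excerpt, it flags both routes: the DR route Paul questions, because its next hop is the ASA's own insideTGHQ address, and also the default route, because 83.244.233.113 is not in the outside interface's 82.244.233.112/28 subnet as posted.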

Morning Paul

Many thanks for all your support on this issue.

I will revisit this 2nd route statement today and also the v8 release. Sadly I don't have a lab box, but I'll certainly look at upgrading to the latest software v8.2(5).

Thank you for your assistance and I'll post any changes that occur.

Regards

Naheem
