ASA 5505 Inside users http authentication issues .

kushal
Level 1

Hi Tech!

On the ASA 5505 firewall, inside users are facing internet issues. Whenever they try to access an internet web page, a pop-up appears saying something like "you are under attack, please authenticate using HTTP ASA credentials". Every time, an inside user needs to authenticate using ASA credentials to access a single web page before the page will open. It is very terrible to type the password every time to access an internet web page.

Please find the attachment for the error.

Configuration on ASA 5505:


ciscoasa> en
Password:
ciscoasa# sh run
: Saved
:
: Serial Number: JMX2043Y0GU
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)23
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN-POOL 192.168.175.190-192.168.175.199
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.175.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network WAN_TCP_22
host 192.168.175.11
object network WAN_TCP_443
host 192.168.175.80
description outside access IPMI
object network Internal-Subnet
subnet 192.168.175.0 255.255.255.0
object network L2TP-Subnet
subnet 192.168.175.0 255.255.255.0
object network WAN_any
subnet 0.0.0.0 0.0.0.0
object network IPMI1
host 192.168.175.80
object network IPMI2
host 192.168.175.80
object network IPMI3
host 192.168.175.80
object-group service VPN_PORTS
service-object udp destination eq 4500
service-object udp destination eq isakmp
object-group network LAN_DEVICES
network-object host 192.168.175.11
network-object host 192.168.175.80
object-group network AMAGI_BLR
network-object 182.156.94.232 255.255.255.248
network-object 182.72.211.136 255.255.255.252
access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.175.0 255.255.255.0
access-list Wan_Access_In extended permit ip object-group AMAGI_BLR object-group LAN_DEVICES
access-list inside_authentication extended permit tcp any any
access-list netflow extended permit ip any any
pager lines 24
logging enable
logging asdm informational
flow-export destination outside 10.0.4.240 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup
!
object network WAN_TCP_22
nat (inside,outside) static interface service tcp ssh 2022
object network WAN_TCP_443
nat (inside,outside) static interface service tcp https 2023
object network WAN_any
nat (any,outside) dynamic interface
object network IPMI1
nat (inside,outside) static interface service tcp 5900 5900
object network IPMI2
nat (inside,outside) static interface service tcp 623 623
object network IPMI3
nat (inside,outside) static interface service tcp www www
access-group Wan_Access_In in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server asa protocol http-form
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication match inside_authentication inside LOCAL
aaa authorization exec authentication-server
http server enable 8443
http 192.168.175.0 255.255.255.0 inside
http 182.156.94.232 255.255.255.248 outside
http 182.72.211.136 255.255.255.252 outside
http 0.0.0.0 0.0.0.0 outside
snmp-server host outside 10.0.4.240 poll community ***** version 2c
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
c23a9 fd1406e86c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ikev1 enable outside
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.175.0 255.255.255.0 inside
ssh 182.156.94.232 255.255.255.248 outside
ssh 182.72.211.136 255.255.255.252 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.175.200-192.168.175.231 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes128-sha1 aes256-sha1
group-policy AMAGI_L2TP_IPSEC internal
group-policy AMAGI_L2TP_IPSEC attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
intercept-dhcp enable
username admin password GXE/.aLV2YplhjCP encrypted privilege 15
username user1 nopassword privilege 15
username amagi password mW0RS4KClC1XJo1VSA0FDA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
default-group-policy AMAGI_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map netflow_class
match access-list netflow
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class netflow_class
flow-export event-type all destination 10.0.4.240
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9ce7301da22e9e9e8f36d751c32c668c
: end
ciscoasa# $

 

Accepted Solution

The issue has been fixed after changing to:

no aaa authentication match inside_authentication inside LOCAL
no aaa authorization exec authentication-server
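To see why the removed line mattered, here is an added audit script (not from the thread or from Cisco) that reads an ASA running-config, finds every `aaa authentication match` rule, and flags those whose ACL permits any-to-any traffic, which makes the ASA cut-through proxy demand credentials for every inside session; it also reports the `uauth` cache timeout that bounds how long one authentication stays valid. The config excerpt below is constructed to mirror the relevant lines of the posted `sh run`.

```python
import re

# Constructed excerpt that mirrors the relevant lines of the thread's ASA config.
SAMPLE_CONFIG = """\
access-list inside_authentication extended permit tcp any any
access-list netflow extended permit ip any any
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication match inside_authentication inside LOCAL
aaa authorization exec authentication-server
"""

ANY = {"any", "any4", "any6"}


def _addr(tokens, i):
    """Consume one ASA address spec (any | host X | object X | ip mask)."""
    if tokens[i] in ANY:
        return tokens[i], i + 1
    return " ".join(tokens[i:i + 2]), i + 2


def parse_acls(config):
    """Map ACL name -> list of (action, proto, src, dst) for extended ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
    return acls


def audit_cut_through_proxy(config):
    """Flag 'aaa authentication match' rules backed by an any-to-any permit ACL,
    and report the uauth cache timeout (ASA default: 0:05:00 absolute)."""
    acls = parse_acls(config)
    result = {"auth_match": [], "broad_auth_acls": [], "uauth_seconds": None, "uauth_mode": None}
    for line in config.splitlines():
        m = re.match(r"aaa authentication match (\S+) (\S+) (\S+)", line)
        if m:
            acl, iface, server = m.groups()
            result["auth_match"].append((acl, iface, server))
            for action, proto, src, dst in acls.get(acl, []):
                if action == "permit" and src in ANY and dst in ANY:
                    result["broad_auth_acls"].append(acl)  # every session is proxied
                    break
        m = re.search(r"\buauth (\d+):(\d+):(\d+)(?: (absolute|inactivity))?", line)
        if m and line.startswith("timeout"):
            h, mi, s = (int(x) for x in m.groups()[:3])
            result["uauth_seconds"] = h * 3600 + mi * 60 + s
            result["uauth_mode"] = m.group(4) or "absolute"
    return result
```

Removing the match rule, as the accepted solution did, or narrowing `inside_authentication` to only the hosts that should be challenged both clear the finding.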

3 Replies

This isn't coming from the ASA. Find out the source of the pop-up using Wireshark. I don't see ALG config in the ASA.

You might really be under attack, and something is trying to compromise passwords.

Could you help me with the Wireshark report? I am not seeing any traffic in Wireshark. It seems that something is wrong with the ASA, because if I connect the uplink directly to the laptop it works fine without any authentication; it only appears on the ASA. I am not even able to search the Google page; the pop-up appears frequently. I might be wrong, but let me confirm both ends.

Refer to the attachments....
