cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
559
Views
0
Helpful
1
Replies

ASA 5505 unable to access ASDM ( just needs some ports ope and FWDing setup)

jgreene427
Level 1
Level 1

I was able to access the ASDM launcher in the browser yesterday   via    https://192.168.111.1/admin and I was stuck there as the browser version says that my ASA image does not work with my ASDM version...      So i tried some trouble shooting and think that i may have changed the image to an image that does not exist.     (I'm not sure where it is that I would actually place that image either)    Now i am unable to access through the browser at all.

 

Anyways, I am ok with SSH/CLI and have been using my firewall in this manner.   I am walking into this companies current configuration and simply need to do the following:

 

I need to OPEN ports 9000, 85, 40085, 49005 so that my mobile device can pull my security cameras in the office 

I need to set port forwarding so that any connections that hit outside-in ip address 205.214.36.53:1610 >>> http://192.168.111.30:1610/AndroidWS/    ; for our new mobile CRM.

I have been through some of your related discussions and am falling short somewhere.   Please help

 

here is my "show run"  and my "dir"

ciscoasa(config)# show run
: Saved
:
ASA Version 9.0(2)
!
hostname ciscoasa
domain-name scec.local
enable password ol40hHpZTtZQFXMJ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ol40hHpZTtZQFXMJ encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Vlan2
 nameif OUTSIDE
 security-level 0
 ip address 205.214.236.50 255.255.255.240
!
boot system disk0:/asa902-k8.bin
boot system disk0:/asa825-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 192.168.111.50
 name-server 8.8.8.8
 domain-name scec.local
object network LAN
 subnet 192.168.111.0 255.255.255.0
object network SERVER1
 host 192.168.111.50
object network SERVER1_PUBLIC
 host 205.214.236.51
object network SERVER2
 host 192.168.111.20
object network SERVER2_PUBLIC
 host 205.214.236.52
object network SERVER3
 host 192.168.111.30
object network SERVER3_PUBLIC
 host 205.214.236.53
object network SERVER4
 host 192.168.111.40
object network SERVER4_PUBLIC
 host 205.214.236.54
object network SERVER5
 host 192.168.111.10
object network SERVER5_PUBLIC
 host 205.214.236.55
object-group service SERVER1_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq imap4
 port-object eq 3389
object-group service SERVER2_PORTS tcp
 port-object eq 3389
object-group service SERVER3_PORTS tcp
 port-object eq 3389
object-group service SERVER4_PORTS tcp
 port-object eq 3389
object-group service SERVER5_PORTS tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.255.255.0 any log
access-list OUTSIDE_IN extended deny ip 244.0.0.0 255.255.255.240 any log
access-list OUTSIDE_IN extended deny ip host 255.255.255.255 any log
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit tcp any object SERVER1 object-group SERVER1_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER2 object-group SERVER2_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER3 object-group SERVER3_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER4 object-group SERVER4_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER5 object-group SERVER5_PORTS
access-list inside-out extended permit ip any any
pager lines 24
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface INSIDE INSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static SERVER1 SERVER1_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER2 SERVER2_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER3 SERVER3_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER4 SERVER4_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER5 SERVER5_PUBLIC
!
object network LAN
 nat (INSIDE,OUTSIDE) dynamic interface
access-group inside-out in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 205.214.236.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0

dhcpd option 3 ip 192.168.111.1
!
dhcpd address 192.168.111.100-192.168.111.200 INSIDE
dhcpd dns 192.168.111.50 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username wti password OIEBfkGT1DRShCnN encrypted privilege 15
username admin password g/t7o/eHDKMomDrS encrypted privilege 15
username vpnuser password 8DcFkqJ9hi39UQw. encrypted privilege 15
username sysadmin password mi1AUI982JWkJuWt encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6dd04d2527e7929343ebd090969e18a1
: end

________________________________

ciscoasa(config)# dir

Directory of disk0:/

148    -rwx  15390720     09:08:54 Jul 31 2013  asa825-k8.bin      
149    -rwx  27611136     09:43:48 Oct 31 2013  asa902-k8.bin
150    -rwx  2048         00:00:00 Jan 01 1980  FSCK0000.REC
20     drwx  2048         09:12:16 Jul 31 2013  coredumpinfo
151    -rwx  16280544     09:14:46 Jul 31 2013  asdm-645.bin
10     drwx  2048         09:19:42 Jul 31 2013  log
19     drwx  2048         09:20:08 Jul 31 2013  crypto_archive
153    -rwx  14240396     14:14:18 Jun 11 2014  asdm-631.bin
154    -rwx  4096         00:00:00 Jan 01 1980  FSCK0001.REC
155    -rwx  12998641     09:20:28 Jul 31 2013  csd_3.5.2008-k9.pkg
156    drwx  2048         09:20:30 Jul 31 2013  sdesktop
157    -rwx  6487517      09:20:32 Jul 31 2013  anyconnect-macosx-i386-2.5.2014-k9.pkg
158    -rwx  6689498      09:20:36 Jul 31 2013  anyconnect-linux-2.5.2014-k9.pkg
159    -rwx  4678691      09:20:38 Jul 31 2013  anyconnect-win-2.5.2014-k9.pkg
160    -rwx  4096         00:00:00 Jan 01 1980  FSCK0002.REC
161    -rwx  4096         00:00:00 Jan 01 1980  FSCK0003.REC
162    -rwx  4096         00:00:00 Jan 01 1980  FSCK0004.REC
163    -rwx  6144         00:00:00 Jan 01 1980  FSCK0005.REC
164    -rwx  6144         00:00:00 Jan 01 1980  FSCK0006.REC
165    -rwx  6144         00:00:00 Jan 01 1980  FSCK0007.REC
166    -rwx  22528        00:00:00 Jan 01 1980  FSCK0008.REC
167    -rwx  38912        00:00:00 Jan 01 1980  FSCK0009.REC
168    -rwx  34816        00:00:00 Jan 01 1980  FSCK0010.REC
169    -rwx  43008        00:00:00 Jan 01 1980  FSCK0011.REC
170    -rwx  2048         00:00:00 Jan 01 1980  FSCK0012.REC
171    -rwx  26624        00:00:00 Jan 01 1980  FSCK0013.REC
172    -rwx  2048         00:00:00 Jan 01 1980  FSCK0014.REC
173    -rwx  26624        00:00:00 Jan 01 1980  FSCK0015.REC
174    -rwx  2048         00:00:00 Jan 01 1980  FSCK0016.REC
175    -rwx  2505         09:46:08 Oct 31 2013  8_2_5_0_startup_cfg.sav
176    -rwx  1189         09:46:12 Oct 31 2013  upgrade_startup_errors_201310310946.log
177    -rwx  100          16:42:40 Jun 10 2014  upgrade_startup_errors_201406101642.log
178    -rwx  100          14:52:26 Jun 11 2014  upgrade_startup_errors_201406111452.log

127004672 bytes total (21886976 bytes free)

----------------------------

 

Please let me know if you need any other information from me so that i can get our mobile devices to connect to the new CRM from outside the network and allow the owner access on his mobile device to the company cameras.

************** (NOTE: I can do both of these things currently from within the network without any issues)*************

 

THANKS

 

1 Reply 1

jedavis
Level 4
Level 4

Jgreene -

This doesn't specifically answer your question, but if you want to get ASDM functionality back you need to load a newer version onto flash memory and then point the ASA to that with the configuration command:

asdm image disk0:/asdm-version.bin

You are running  ASA Version 9.0(2) so you need at least version 7 of ASDM to support that.  Interestingly enough your "asdm image" statement in your config points to asdm-509.bin and you have asdm-631.bin and asdm-645.bin on flash.  None of those will work.  I suggest loading up asdm-721.bin and changing the asdm image statement accordingly.  I am pretty sure a reboot is required after that is done.

Good Luck!

-Jeff



 

Review Cisco Networking for a $25 gift card