06-12-2014 10:20 AM - edited 03-11-2019 09:19 PM
I was able to access the ASDM launcher in the browser yesterday via https://192.168.111.1/admin and I was stuck there as the browser version says that my ASA image does not work with my ASDM version... So i tried some trouble shooting and think that i may have changed the image to an image that does not exist. (I'm not sure where it is that I would actually place that image either) Now i am unable to access through the browser at all.
Anyways, I am ok with SSH/CLI and have been using my firewall in this manner. I am walking into this companies current configuration and simply need to do the following:
I need to OPEN ports 9000, 85, 40085, 49005 so that my mobile device can pull my security cameras in the office
I need to set port forwarding so that any connections that hit outside-in ip address 205.214.36.53:1610 >>> http://192.168.111.30:1610/AndroidWS/ ; for our new mobile CRM.
I have been through some of your related discussions and am falling short somewhere. Please help
here is my "show run" and my "dir"
ciscoasa(config)# show run
: Saved
:
ASA Version 9.0(2)
!
hostname ciscoasa
domain-name scec.local
enable password ol40hHpZTtZQFXMJ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ol40hHpZTtZQFXMJ encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif INSIDE
security-level 100
ip address 192.168.111.1 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address 205.214.236.50 255.255.255.240
!
boot system disk0:/asa902-k8.bin
boot system disk0:/asa825-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 192.168.111.50
name-server 8.8.8.8
domain-name scec.local
object network LAN
subnet 192.168.111.0 255.255.255.0
object network SERVER1
host 192.168.111.50
object network SERVER1_PUBLIC
host 205.214.236.51
object network SERVER2
host 192.168.111.20
object network SERVER2_PUBLIC
host 205.214.236.52
object network SERVER3
host 192.168.111.30
object network SERVER3_PUBLIC
host 205.214.236.53
object network SERVER4
host 192.168.111.40
object network SERVER4_PUBLIC
host 205.214.236.54
object network SERVER5
host 192.168.111.10
object network SERVER5_PUBLIC
host 205.214.236.55
object-group service SERVER1_PORTS tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq imap4
port-object eq 3389
object-group service SERVER2_PORTS tcp
port-object eq 3389
object-group service SERVER3_PORTS tcp
port-object eq 3389
object-group service SERVER4_PORTS tcp
port-object eq 3389
object-group service SERVER5_PORTS tcp
port-object eq 3389
port-object eq www
port-object eq https
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.255.255.0 any log
access-list OUTSIDE_IN extended deny ip 244.0.0.0 255.255.255.240 any log
access-list OUTSIDE_IN extended deny ip host 255.255.255.255 any log
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit tcp any object SERVER1 object-group SERVER1_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER2 object-group SERVER2_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER3 object-group SERVER3_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER4 object-group SERVER4_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER5 object-group SERVER5_PORTS
access-list inside-out extended permit ip any any
pager lines 24
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface INSIDE INSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static SERVER1 SERVER1_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER2 SERVER2_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER3 SERVER3_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER4 SERVER4_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER5 SERVER5_PUBLIC
!
object network LAN
nat (INSIDE,OUTSIDE) dynamic interface
access-group inside-out in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 205.214.236.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 3 ip 192.168.111.1
!
dhcpd address 192.168.111.100-192.168.111.200 INSIDE
dhcpd dns 192.168.111.50 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username wti password OIEBfkGT1DRShCnN encrypted privilege 15
username admin password g/t7o/eHDKMomDrS encrypted privilege 15
username vpnuser password 8DcFkqJ9hi39UQw. encrypted privilege 15
username sysadmin password mi1AUI982JWkJuWt encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6dd04d2527e7929343ebd090969e18a1
: end
________________________________
ciscoasa(config)# dir
Directory of disk0:/
148 -rwx 15390720 09:08:54 Jul 31 2013 asa825-k8.bin
149 -rwx 27611136 09:43:48 Oct 31 2013 asa902-k8.bin
150 -rwx 2048 00:00:00 Jan 01 1980 FSCK0000.REC
20 drwx 2048 09:12:16 Jul 31 2013 coredumpinfo
151 -rwx 16280544 09:14:46 Jul 31 2013 asdm-645.bin
10 drwx 2048 09:19:42 Jul 31 2013 log
19 drwx 2048 09:20:08 Jul 31 2013 crypto_archive
153 -rwx 14240396 14:14:18 Jun 11 2014 asdm-631.bin
154 -rwx 4096 00:00:00 Jan 01 1980 FSCK0001.REC
155 -rwx 12998641 09:20:28 Jul 31 2013 csd_3.5.2008-k9.pkg
156 drwx 2048 09:20:30 Jul 31 2013 sdesktop
157 -rwx 6487517 09:20:32 Jul 31 2013 anyconnect-macosx-i386-2.5.2014-k9.pkg
158 -rwx 6689498 09:20:36 Jul 31 2013 anyconnect-linux-2.5.2014-k9.pkg
159 -rwx 4678691 09:20:38 Jul 31 2013 anyconnect-win-2.5.2014-k9.pkg
160 -rwx 4096 00:00:00 Jan 01 1980 FSCK0002.REC
161 -rwx 4096 00:00:00 Jan 01 1980 FSCK0003.REC
162 -rwx 4096 00:00:00 Jan 01 1980 FSCK0004.REC
163 -rwx 6144 00:00:00 Jan 01 1980 FSCK0005.REC
164 -rwx 6144 00:00:00 Jan 01 1980 FSCK0006.REC
165 -rwx 6144 00:00:00 Jan 01 1980 FSCK0007.REC
166 -rwx 22528 00:00:00 Jan 01 1980 FSCK0008.REC
167 -rwx 38912 00:00:00 Jan 01 1980 FSCK0009.REC
168 -rwx 34816 00:00:00 Jan 01 1980 FSCK0010.REC
169 -rwx 43008 00:00:00 Jan 01 1980 FSCK0011.REC
170 -rwx 2048 00:00:00 Jan 01 1980 FSCK0012.REC
171 -rwx 26624 00:00:00 Jan 01 1980 FSCK0013.REC
172 -rwx 2048 00:00:00 Jan 01 1980 FSCK0014.REC
173 -rwx 26624 00:00:00 Jan 01 1980 FSCK0015.REC
174 -rwx 2048 00:00:00 Jan 01 1980 FSCK0016.REC
175 -rwx 2505 09:46:08 Oct 31 2013 8_2_5_0_startup_cfg.sav
176 -rwx 1189 09:46:12 Oct 31 2013 upgrade_startup_errors_201310310946.log
177 -rwx 100 16:42:40 Jun 10 2014 upgrade_startup_errors_201406101642.log
178 -rwx 100 14:52:26 Jun 11 2014 upgrade_startup_errors_201406111452.log
127004672 bytes total (21886976 bytes free)
----------------------------
Please let me know if you need any other information from me so that i can get our mobile devices to connect to the new CRM from outside the network and allow the owner access on his mobile device to the company cameras.
************** (NOTE: I can do both of these things currently from within the network without any issues)*************
THANKS
06-12-2014 11:13 AM
Jgreene -
This doesn't specifically answer your question, but if you want to get ASDM functionality back you need to load a newer version onto flash memory and then point the ASA to that with the configuration command:
asdm image disk0:/asdm-version.bin
You are running ASA Version 9.0(2) so you need at least version 7 of ASDM to support that. Interestingly enough your "asdm image" statement in your config points to asdm-509.bin and you have asdm-631.bin and asdm-645.bin on flash. None of those will work. I suggest loading up asdm-721.bin and changing the asdm image statement accordingly. I am pretty sure a reboot is required after that is done.
Good Luck!
-Jeff
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide