ASA 5510 with 2811 & 2821

metuckness (Level 1)

Hello Everyone,

Can anyone help me figure out what I changed that will no longer allow me to run the ASDM from my remote location? It was working fine yesterday. I created a DMZ interface and was working on getting that up and running, but I didn't change anything relating to the HTTP SERVER commands. I did change the IP ADDRESS I had used for the DMZ, but I don't see how that would impact the ASDM connection.

The error I am getting when I run my ASDM-IDM launcher (which installed fine when it was working) is: Unable to launch device manager from (My Static IP)

Here is my config on the ASA:

ASA5510# sh run

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

domain-name domain.int

enable password liChAnGedfzvir2g encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd liqhNWChAngEd2g encrypted

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.xxx.xxx 255.255.255.240

!

interface Ethernet0/2

description DMZ

nameif DMZ

security-level 100

ip address 10.10.0.1 255.255.255.252

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.xxx.xxx

name-server 205.171.2.65

name-server 205.171.3.65

domain-name domain.int

object network ROUTER-2811

host 10.10.1.2

object network ROUTER-2821

host 10.10.0.2

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 10.10.0.0 255.255.255.252

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.xxx.xxx

object-group network Outside_access_in

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

!

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

!

router rip

network 10.0.0.0

network 128.0.0.0

network 199.195.168.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.xxx.xxx 255.255.255.255 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.xxx.xxx 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username redacted password vj4ChaNgeDB.Ksz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:adafb271d4754ff427469de77be7fbe5

: end

1 Accepted Solution (Julio Carvajal Segura)

Please add

aaa authentication http console LOCAL

and test (though I do not think it will make a difference).

Downgrade to Java 6 and give it a try.

Here is the link for the compatibility stuff

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/release/notes/asdmrn64.html#wp261095

Table 1     Operating System and Browser Requirements

Operating System                             Internet Explorer   Firefox        Safari       Sun Java SE Plug-in
Microsoft Windows (English and Japanese):
  7, Vista, 2008 Server, XP                  6.0 or later        1.5 or later   No support   6.0

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

12 Replies

prateeve (Level 1)

Hi,

From behind which interface are you trying to launch ASDM, and what is your source IP?

- Prateek Verma

I am trying to launch it from the Outside interface (Ethernet 0/1) and my source ip is 98.22.xxx.xxx.

So my current IP is 98.22.xxx.xxx:

I am trying to come in on:

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.xxx.xxx 255.255.255.240

I have X'd out a few numbers, but they are consistent in the config (there are no typos).

I am able to ssh to the ASA and login to the CLI. I am also able to SSH into the CLI for both routers on the respective nat'd ports of 222 and 2222.

Hi,

Just make sure you have Java version 7 installed on your desktop, and if you run the command "show run all ssl", the SSL encryption should be 3des. If it is not 3des, then remove that ssl encryption and enable ssl encryption 3des.

- Prateek Verma

I have Java on my system:

Verified Java Version

You have the recommended Java installed (Version 7 Update 51).

On the ssl, I didn't change any of that (that I can recall):

ASA5510# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

ssl certificate-authentication fca-timeout 2

metuckness (Level 1)

That doesn't seem to have an impact. I am still getting the error when I try and launch the ASDM:

Unable to launch device manager from (199.195.xxx.xxx)

I am trying to launch it from work, 98.22.xxx.xxx. It worked yesterday, but I must have done something that impacted it, an access-list or object when I created the DMZ, but I just can't tell what.

Julio Carvajal Segura (accepted solution, quoted above)

It still works at home from my internal network. With the current Java version, and the fact that it worked yesterday, I am leaning more towards something I changed by mistake.

I will try the aaa setting tomorrow from work to see if it makes a difference.

Hello,

Remember that when running things that are not "supported or recommended", weird things can happen.

Things to check:

show run asdm

show flash

show run ssl

show run webvpn

sh run http

show run aaa

Julio Carvajal Segura

Yup.

ASA5510# sh run asdm

asdm image disk0:/asdm-715.bin

no asdm history enable

ASA5510# sh flash:

--#--  --length--  -----date/time------  path

  112  6283        Aug 26 2013 17:21:00  backup-config

  113  27076608    Dec 27 2013 22:06:36  asa914-k8.bin

  114  2272        Dec 27 2013 22:36:40  7_0_8_0_startup_cfg.sav

  115  22834188    Dec 27 2013 22:25:38  asdm-715.bin

  122  5364        Jan 16 2014 10:37:28  startup-config

255426560 bytes total (160120832 bytes free)

ASA5510# sh run ssl

ASA5510# sh run webvpn

ASA5510# sh run http

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.xxx.xxx 255.255.255.255 Outside

ASA5510# sh run aaa

aaa authentication ssh console LOCAL

Hello Mitchell,

The command was show run all ssl, and it's properly configured.

With that in mind, everything looks good, so it's time to use a different PC and check. (Downgrade Java and let us know how it goes.)

Julio Carvajal Segura

Ah ok, here is that command.

ASA5510# sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

ssl certificate-authentication fca-timeout 2

I did notice that when I tried the packet tracer here at home, and I plugged in my work IP and the outside interface and did http, I got a deny. When I did https, I got an allow.

So I am going to try it tomorrow again and see if anything changed. I added a rule to allow https from my work IP, maybe it will help?

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
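An added example, not code from this thread or from Cisco, covering both the posted running-config and the packet-tracer observation above. On an ASA, to-the-box ASDM/HTTPS access is governed by `http server enable` plus the `http <source> <mask> <interface>` allow list (and SSH by the `ssh` list), not by the ACL applied to the interface, so a packet-tracer deny for a through-the-box flow does not tell you whether ASDM will accept the connection. The script below parses just those management-plane lines, answers "can this client open ASDM on this interface?", and flags the weak settings visible in the posted config (no `aaa authentication http console`, RC4 and 3DES in `ssl encryption`, the 1024-bit `dh-group1-sha1` SSH key-exchange group, `http`/`ssh` open to any source). The sample config is constructed from the thread's management-access lines with the addresses left redacted exactly as on the page; `parse_mgmt_access`, `asdm_permitted` and `lint` are names chosen here, not ASA or ASDM APIs.

```python
"""Lint the ASDM/SSH management-plane settings of a Cisco ASA running-config.
Added example for this thread (stdlib only); not code from the original posts."""
import ipaddress

# Constructed sample: management-access lines from the config posted above,
# addresses redacted as on the page (98.22.xxx.xxx is the poster's work IP).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Inside
 security-level 100
interface Ethernet0/1
 nameif Outside
 security-level 0
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.xxx 255.255.255.255 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.xxx 255.255.255.255 Outside
ssh version 2
ssh key-exchange group dh-group1-sha1
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
asdm image disk0:/asdm-715.bin
"""

LEGACY_SSL = {"rc4-sha1": "RC4", "rc4-md5": "RC4", "3des-sha1": "3DES",
              "des-sha1": "DES", "null-sha1": "NULL"}


def parse_mgmt_access(config_text):
    """Collect the lines that decide who may reach ASDM (HTTPS) and SSH."""
    r = {"interfaces": {}, "http": [], "ssh": [], "http_server": False,
         "aaa_http": False, "aaa_ssh": False, "ssl_ciphers": [],
         "ssh_version": None, "ssh_kex": None, "asdm_image": None}
    nameif = None
    for raw in config_text.splitlines():
        t = raw.split()
        if not t or t[0] == "no":          # skip blanks and 'no ...' lines
            continue
        if t[0] == "interface":
            nameif = None
        elif t[0] == "nameif" and len(t) == 2:
            nameif = t[1]
            r["interfaces"].setdefault(nameif, None)
        elif t[0] == "security-level" and len(t) == 2 and nameif:
            r["interfaces"][nameif] = int(t[1])
        elif t[:3] == ["http", "server", "enable"]:
            r["http_server"] = True
        elif t[:2] == ["ssh", "version"] and len(t) == 3:
            r["ssh_version"] = t[2]
        elif t[:3] == ["ssh", "key-exchange", "group"] and len(t) == 4:
            r["ssh_kex"] = t[3]
        elif t[0] in ("http", "ssh") and len(t) == 4:   # <source> <mask> <interface>
            r[t[0]].append((t[1], t[2], t[3]))
        elif t[:2] == ["aaa", "authentication"] and len(t) >= 4 and t[3] == "console":
            if t[2] in ("http", "ssh"):
                r["aaa_" + t[2]] = True
        elif t[:2] == ["ssl", "encryption"]:
            r["ssl_ciphers"] = t[2:]
        elif t[:2] == ["asdm", "image"] and len(t) == 3:
            r["asdm_image"] = t[2]
    return r


def _source_matches(source, mask, client):
    """True if an http/ssh allow-list entry (source, mask) covers client."""
    if mask == "0.0.0.0":
        return True
    if source == client:        # exact host entry; also works for redacted addresses
        return True
    try:
        net = ipaddress.ip_network(f"{source}/{mask}", strict=False)
        return ipaddress.ip_address(client) in net
    except ValueError:          # unparseable (e.g. redacted) address: no match
        return False


def asdm_permitted(config_text, client_ip, interface):
    """Can client_ip open ASDM on the named interface? Decided by the http
    allow list, not by the interface ACL (to-the-box vs through-the-box)."""
    r = parse_mgmt_access(config_text)
    if not r["http_server"]:
        return False
    return any(iface == interface and _source_matches(src, mask, client_ip)
               for src, mask, iface in r["http"])


def lint(config_text):
    """Return (severity, message) findings for the management plane."""
    r = parse_mgmt_access(config_text)
    out = []
    if not r["http_server"]:
        out.append(("high", "'http server enable' missing: ASDM/HTTPS management is off"))
    if not r["aaa_http"]:
        out.append(("medium", "no 'aaa authentication http console': ASDM logs in with "
                              "the enable password instead of a per-user account"))
    for proto in ("http", "ssh"):
        for src, mask, iface in r[proto]:
            if mask == "0.0.0.0":
                out.append(("high", f"{proto} allowed from any source on {iface}"))
            elif r["interfaces"].get(iface) == 0:
                out.append(("info", f"{proto} exposed on {iface} (security-level 0) "
                                    f"to {src} {mask}; keep this list to known hosts"))
    for c in r["ssl_ciphers"]:
        if c in LEGACY_SSL:
            out.append(("medium", f"ssl encryption offers {c} ({LEGACY_SSL[c]}), a legacy cipher"))
    if r["ssh_version"] != "2":
        out.append(("high", "'ssh version 2' not set: SSHv1 is still accepted"))
    if r["ssh_kex"] == "dh-group1-sha1":
        out.append(("medium", "ssh key-exchange is dh-group1-sha1 (1024-bit DH); use dh-group14-sha1"))
    return out


if __name__ == "__main__":
    for client, iface in (("98.22.xxx.xxx", "Outside"), ("1.2.3.4", "Outside"),
                          ("192.168.1.50", "Inside")):
        print(f"ASDM from {client} via {iface}: {asdm_permitted(SAMPLE_CONFIG, client, iface)}")
    for sev, msg in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it against `show run` output saved to a file instead of SAMPLE_CONFIG to audit a real box. For the posted config it confirms that 98.22.xxx.xxx is already permitted on Outside (so the extra https ACL entry changes nothing for ASDM), and that the remaining findings are hardening items rather than the cause of the launcher failure.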

Hello,

It should not be needed.

Julio Carvajal Segura