08-01-2013 08:25 AM - edited 03-11-2019 07:20 PM
Hi All,
I have a problem accessing ASDM via HTTP from the inside due to an ACL. Please help me check what I am missing here. Below is the debug output:
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.1.68/49284 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49284 to inside:10.10.11.1/80
%ASA-7-609001: Built local-host inside:10.10.1.68
%ASA-6-302013: Built inbound TCP connection 37 for inside:10.10.11.68/49287 (10.10.11.68/49287) to identity:10.10.11.1/22 (10.10.11.1/22)
%ASA-6-315011: SSH session from 10.10.1.68 on interface inside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
%ASA-6-302014: Teardown TCP connection 37 for inside:10.10.11.68/49287 to identity:10.10.11.1/22 duration 0:00:00 bytes 0 TCP FINs
%ASA-7-609002: Teardown local-host inside:10.10.11.68 duration 0:00:00
packet-tracer in inside tcp 10.10.11.68 12345 10.10.11.1 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.11.1 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I also have a problem with SSH from the inside, as you can see above: "disconnected by SSH server, reason: "Internal error" (0x00)". What would that be?
Below are our settings:
ASA01# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
ASA01# sh run ssl
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ASA01#
ASA01# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
ASA01# sh run access-list
ASA01# sh run http
http server enable
http server session-timeout 30
http 10.10.11.0 255.255.255.0 INDT-inside
ASA01# sh run ssh
ssh 10.10.11.0 255.255.255.0 INDT-inside
ssh timeout 30
ssh version 2
ASA01# sh int gi0/0.11
Interface GigabitEthernet0/0.11 "inside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
VLAN identifier 111
Description: Management
MAC address 6c41.6aa1.1ee9, MTU 1500
IP address 10.10.11.1, subnet mask 255.255.255.0
Traffic Statistics for "INDT-inside":
9752 packets input, 1056046 bytes
9616 packets output, 1036144 bytes
145 packets dropped
ASA01# sh run int gi0/0.11
!
interface GigabitEthernet0/0.11
description INDTmanagement
vlan 11
nameif inside
security-level 100
ip address 10.10.11.1 255.255.255.0 standby 10.10.11.2
ASA01# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.6(1)
Compiled on Wed 28-Nov-12 11:15 PST by builders
System image file is "disk0:/asa911-smp-k8.bin"
Config file at boot was "startup-config"
ASA01 up 13 hours 19 mins
failover cluster up 3 days 13 hours
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0022
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 6c41.6aa1.1ee5, irq 11
1: Ext: GigabitEthernet0/0 : address is 6c41.6aa1.1ee9, irq 10
2: Ext: GigabitEthernet0/1 : address is 6c41.6aa1.1ee6, irq 10
3: Ext: GigabitEthernet0/2 : address is 6c41.6aa1.1eea, irq 5
4: Ext: GigabitEthernet0/3 : address is 6c41.6aa1.1ee7, irq 5
5: Ext: GigabitEthernet0/4 : address is 6c41.6aa1.1eeb, irq 10
6: Ext: GigabitEthernet0/5 : address is 6c41.6aa1.1ee8, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 6c41.6aa1.1ee5, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5515 Security Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5515 Security Plus license.
Serial Number:
Running Permanent Activation Key:
Configuration register is 0x1
Configuration last modified by enable_15 at 19:35:02.589 UTC Wed Jul 31 2013
Your help is greatly appreciated.
Charlie
Labels: NGFW Firewalls
Accepted Solutions
08-01-2013 08:29 AM
Hi,
Have you connected with HTTPS, not HTTP?
With regards to the SSH, have you generated the keys?
crypto key generate rsa modulus 2048
You can check the ports the ASA is listening on with the following command:
show asp table socket
- Jouni
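To make the debug output in the question easier to triage, here is a small log-parsing helper; it is an added example, not part of Charlie's post or Jouni's reply. It reads the %ASA-3-710003 / %ASA-7-710005 to-the-box denial messages, counts denied attempts per source host and destination port, and attaches the hint the thread arrives at: ASDM is served on 443 (HTTPS), so port-80 denials against the interface address are the client using the wrong scheme, and SSH denials call for checking the ssh statement and the RSA keypair. The sample lines are copied from the thread; the final port-22 line with source 192.0.2.50 is constructed to show a second service, and the function names are my own.

```python
"""Triage helper for Cisco ASA to-the-box management denials (added example).

Parses %ASA-3-710003 / %ASA-7-710005 syslog lines and groups them by
source host and destination port so a blocked ASDM or SSH attempt can be
told apart from ordinary ACL noise.
"""
import re
from collections import Counter

# Constructed sample input: the first five lines are taken from the thread,
# the last line is a made-up port-22 denial from a source outside the
# 10.10.11.0/24 management subnet.
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49282 to inside:10.10.11.1/80
%ASA-3-710003: TCP access denied by ACL from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-7-710005: TCP request discarded from 10.10.11.68/49283 to inside:10.10.11.1/80
%ASA-6-302013: Built inbound TCP connection 37 for inside:10.10.11.68/49287 (10.10.11.68/49287) to identity:10.10.11.1/22 (10.10.11.1/22)
%ASA-3-710003: TCP access denied by ACL from 192.0.2.50/51000 to inside:10.10.11.1/22
"""

# Matches only the two to-the-box denial message IDs; other IDs are skipped.
LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>71000[35]): TCP "
    r"(?:access denied by ACL|request discarded) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<ifname>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denials(text):
    """Return one dict per 710003/710005 line found in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "severity": int(d["sev"]),
            "msgid": d["msgid"],
            "src": d["src"],
            "sport": int(d["sport"]),
            "ifname": d["ifname"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def summarize(events):
    """Count denied attempts per (source host, destination port).

    Only 710003 is counted: 710005 is the debug-level companion message for
    the same packet and would double-count every attempt.
    """
    return Counter((e["src"], e["dport"]) for e in events if e["msgid"] == "710003")


def diagnose(events):
    """Map each (src, dport) pair to a triage hint drawn from the thread."""
    hints = {}
    for (src, dport), n in summarize(events).items():
        if dport == 80:
            hints[(src, dport)] = (
                f"{n} plain-HTTP attempts from {src}: ASDM listens on 443 only, "
                "so connect with https://; 'http server enable' does not open port 80"
            )
        elif dport == 22:
            hints[(src, dport)] = (
                f"{n} SSH denials from {src}: confirm the source is covered by an "
                "'ssh' statement and that an RSA keypair exists "
                "(crypto key generate rsa modulus 2048)"
            )
        else:
            hints[(src, dport)] = (
                f"{n} attempts to port {dport} from {src}: no management "
                "listener on that port, drop is expected"
            )
    return hints


if __name__ == "__main__":
    for key, hint in diagnose(parse_denials(SAMPLE_LOG)).items():
        print(key, "->", hint)
```

Feed it a `show logging` capture or a syslog export instead of `SAMPLE_LOG`; the 710003 count per source is also a reasonable thing to alert on, since repeated denials against the firewall's own interface address from an unexpected host are worth a look regardless of whether the cause is a misconfigured client.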
08-01-2013 08:40 AM
Jouni,
You nailed it. HTTPS works, duh!
SSH also works with the key generated.
Thank you very much for your extremely fast response.
Charlie
