12-03-2018 11:33 PM - edited 02-21-2020 08:32 AM
Hi everyone,
This is the first time for me to configure an ASA5506-X in the CLI, and
I want to configure EZVPN client mode on this device.
I have 2 questions:
1- When I did (sh running configuration & sh crypto ca certificates), why couldn't I find any certificates?
2- ASDM is not working although the image already exists?
And I did configure:
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.100 255.255.255.0
12-03-2018 11:53 PM
Hi,
1. For the certificates, either you need to install a certificate or you need to generate a self-signed certificate. Only then will it be listed.
2. For ASDM access, did you enable the below commands?
asdm image disk0:/asdm-XXXX.bin
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
HTH
Abheesh
12-03-2018 11:59 PM
Hi
Thanks for your reply
How do I generate a self-signed certificate?
For ASDM I did all that configuration; right now I'm connecting the firewall directly to the PC, but nothing works.
12-04-2018 12:08 AM
Hi,
To generate the self-signed certificate:
hostname XXX
domain-name mydomain.com
crypto key generate rsa label ezvpnkeypair modulus 1024
crypto ca trustpoint self
 enrollment self
 fqdn vpn.mydomain.com
 subject-name CN=vpn.mydomain.com
 keypair ezvpnkeypair
crypto ca enroll self noconfirm
Apply the new certificate:
ssl trust-point self outside
For ASDM, are you accessing it from the inside interface or from another one?
HTH
Abheesh
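The same procedure carried through with the hostname and domain from this thread, a 2048-bit key instead of 1024, the certificate bound on the interface the admin PC actually connects to, and the show commands that confirm the key, the certificate and the binding exist. This is an added example, not part of the post above; the key label ASDM_KEY and trustpoint name ASDM_TP are names chosen here, and the FQDN is assumed to be the hostname plus domain from the posted config.

```cisco
! Added example: self-signed certificate for HTTPS/ASDM on the ASA 5506-X.
! hostname/domain are from the posted config; ASDM_KEY and ASDM_TP are
! labels chosen for this example.
hostname FW1
domain-name net.local
!
! Dedicated 2048-bit RSA key (1024-bit RSA is considered weak today)
crypto key generate rsa label ASDM_KEY modulus 2048
!
! Trustpoint that self-enrolls with that key
crypto ca trustpoint ASDM_TP
 enrollment self
 fqdn fw1.net.local
 subject-name CN=fw1.net.local
 keypair ASDM_KEY
crypto ca enroll ASDM_TP noconfirm
!
! Bind the certificate on the interface the admin PC connects to (inside here).
! Binding it only on outside leaves the inside HTTPS listener on the ASA's
! built-in temporary certificate.
ssl trust-point ASDM_TP inside
!
! Checks: key, certificate and interface binding should all be listed now
show crypto key mypubkey rsa
show crypto ca certificates
show ssl
show run ssl
```

After `crypto ca enroll`, `show crypto ca certificates` lists the new certificate under trustpoint ASDM_TP; if it is still empty, the key generation or enrollment step failed and the ASA prints the reason at that step.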
12-04-2018 12:08 AM
The configuration is as below:
hostname FW1
domain-name net.local
enable password xxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.100 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dki-group.local
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
http 25.45.255.18 255.255.255.255 outside
http 187.14.09.12 255.255.255.255 outside
http 185.11.16.30 255.255.255.255 outside
http 18.27.26.40 255.255.255.255 outside
http 80.16.15.12 255.255.255.255 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.10.0.4 255.255.255.255 outside
telnet 10.10.0.4 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh stricthostkeycheck
ssh 187.14.09.12 255.255.255.255 outside
ssh 185.11.16.30 255.255.255.255 outside
ssh 18.27.26.40 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username KOLFW0001 password $sha512$5000$W0ZeAv2Ibchd6ui4NeeCjw==$clmqco8pghXIY2LMIM7wfA== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b07eabf72b3ed6eee5c0aaecb6741bef
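Several lines in the configuration above weaken the management plane: `ssh key-exchange group dh-group1-sha1` uses the 1024-bit DH group 1, Telnet (cleartext) is permitted on both interfaces including outside, HTTPS and SSH management are open to a list of outside addresses while the admin PC sits on the inside, `ssh 0.0.0.0 0.0.0.0 inside` allows SSH from any inside source, and `console timeout 0` never expires a console session. The following is an added hardening fragment, not part of the thread. It assumes management is done only from the inside network 192.168.1.0/24 and that no outside management access is needed; the addresses it removes are copied verbatim from the posted config.

```cisco
! Added hardening fragment for the management plane of the posted config.
! Assumption: administration only from 192.168.1.0/24 on inside, and no
! management access from outside.
!
! SSH key exchange: DH group 1 (1024-bit) is weak; use group 14
ssh key-exchange group dh-group14-sha1
!
! Telnet is cleartext; remove every telnet entry (SSH stays enabled on inside)
no telnet 10.10.0.4 255.255.255.255 outside
no telnet 10.10.0.4 255.255.255.255 inside
no telnet 192.168.1.0 255.255.255.0 inside
!
! HTTPS (ASDM): drop the outside entries, keep the inside subnet entry
no http 25.45.255.18 255.255.255.255 outside
no http 187.14.09.12 255.255.255.255 outside
no http 185.11.16.30 255.255.255.255 outside
no http 18.27.26.40 255.255.255.255 outside
no http 80.16.15.12 255.255.255.255 outside
!
! SSH: no outside sources; inside limited to the admin subnet instead of any
no ssh 187.14.09.12 255.255.255.255 outside
no ssh 185.11.16.30 255.255.255.255 outside
no ssh 18.27.26.40 255.255.255.255 outside
no ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
!
! Console sessions should expire (0 = never); 10 minutes here
console timeout 10
!
! Verify the resulting management-plane policy
show run ssh
show run http
show run telnet
show run | include console
```

If an outside management path is genuinely required later, the usual approach is to reach the ASA through a VPN tunnel and then permit management from the tunnel's inside address range, rather than exposing port 443 or 22 to individual public addresses.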
12-04-2018 12:13 AM - edited 12-04-2018 12:17 AM
Hi,
If your PC is also in the same range as the inside subnet, then from the browser try to open https://192.168.1.100
or
create a route for the PC subnet:
route inside <your PC subnet> <next hop>
e.g.: route inside 192.168.20.0 255.255.255.0 192.168.100.1
HTH
Abheesh
12-04-2018 12:16 AM
I have tried that, but nothing appears and it says
12-04-2018 12:18 AM
12-04-2018 12:22 AM
My PC is configured as DHCP automatically.
12-04-2018 12:24 AM
12-04-2018 12:25 AM
No, in a different range: 172.16.20.7
12-04-2018 12:27 AM - edited 12-04-2018 12:36 AM
Add a route in the ASA like below:
route inside 172.16.20.7 255.255.255.255 <next hop IP>
and add the http access:
http 172.16.20.7 255.255.255.255 inside
or
http 0.0.0.0 0.0.0.0 inside
HTH
Abheesh
12-04-2018 12:38 AM
It didn't accept the route; it said error and inconsistent.
12-04-2018 12:39 AM
12-04-2018 12:43 AM - edited 12-04-2018 12:45 AM
route inside 172.16.20.7 255.255.255.255 172.16.20.1
http 172.16.20.7 255.255.255.255 inside
Now it accepts the commands, but it still doesn't work.
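The PC in the last posts is cabled directly to the inside interface but holds 172.16.20.7, an address outside the inside subnet 192.168.1.0/24, so it cannot reach 192.168.1.100 on that link and the ASA has no way to reach the 172.16.20.1 next hop there either; a host route does not change that. The simplest fix for a directly attached admin PC is to give it an inside-subnet address, which the ASA can do itself. This is an added example, not from the thread; the DHCP pool range is chosen here, and it assumes no other DHCP server is on the inside segment.

```cisco
! Added example: get the directly attached PC onto the inside subnet.
! Assumptions: the PC is the only host on inside, no other DHCP server
! exists there, and the pool 192.168.1.10-192.168.1.50 is free.
!
! Remove the host route and http entry added in the last post
no route inside 172.16.20.7 255.255.255.255 172.16.20.1
no http 172.16.20.7 255.255.255.255 inside
!
! Let the ASA hand out inside-subnet addresses to the attached PC
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd enable inside
!
! http 192.168.1.0 255.255.255.0 inside is already in the posted config,
! so any address from the pool is a permitted ASDM source.
!
! Checks, after the PC renews its lease (ipconfig /renew on Windows):
show dhcpd binding
show arp
show asp table socket | include 443
show run http
show asdm image
```

`show dhcpd binding` should list the PC's new 192.168.1.x lease and `show arp` its MAC on inside; `show asp table socket | include 443` should show a listening socket on 192.168.1.100 port 443, and if it does not, `http server enable` is missing or the inside interface is down. Only once https://192.168.1.100 answers in a browser is the ASDM launcher itself (and its Java runtime) worth troubleshooting.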