12-24-2013 09:03 AM - edited 03-11-2019 08:21 PM
After I managed to install ASDM successfully thanks to JouniForss, I am running into another problem.
I am not able to load the ASDM on my computer.
I did the following:
http 10.250.100.140 255.255.255.255 DMZ
http server enable
The DMZ interface is my uplink to a router. The DMZ looks like this:
interface gi0/2
ip address 10.250.0.5 255.255.255.252
nameif DMZ
security-level 75
exit
On my other router I have set up a LAN of 10.250.100.128/25:
.129 being my gateway for my PC
.140 being my PC
All routes are being learned via EIGRP.
-------- ASA -------
ASA(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 75.132.0.1 to network 0.0.0.0
D 192.168.250.0 255.255.255.248 [90/28416] via 10.250.0.2, 3:44:37, inside
D 10.250.100.128 255.255.255.128 [90/28416] via 10.250.0.6, 1:12:09, DMZ
D 10.250.100.0 255.255.255.128 [90/28416] via 10.250.0.2, 3:44:37, inside
D 10.250.1.1 255.255.255.255 [90/130816] via 10.250.0.6, 1:11:33, DMZ
C 10.250.0.0 255.255.255.252 is directly connected, inside
C 10.250.0.4 255.255.255.252 is directly connected, DMZ
C 1.1.1.2 255.255.192.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
ASA(config)#
router eigrp 99
no auto-summary
eigrp router-id 10.250.0.5
eigrp stub connected
network 10.250.0.0 255.255.255.252
network 10.250.0.4 255.255.255.252
network 10.250.1.0 255.255.255.252
network 10.250.100.0 255.255.255.128
network 10.250.100.128 255.255.255.128
network 10.250.150.0 255.255.255.0
network 10.250.160.0 255.255.255.248
passive-interface default
no passive-interface inside
no passive-interface DMZ
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
------------------------------------
Basically this is all the configuration I have. As you can see from the output of "show route", 10.250.100.128/25 is being learned via the DMZ interface.
However, when I go to my browser and type in http://10.250.0.5 I get nothing.
Thanks
And Happy Holidays
12-24-2013 10:25 AM
Hi,
It seems to me that you are doing dynamic PAT on the router, perhaps?
Since the traffic is seen coming from the same IP address that is advertising the PC network to your ASA.
You could add
http 10.250.0.6 255.255.255.255 DMZ
to your ASA and try again.
If it works, then you have to consider checking the NAT configuration on the router if you want the users to show up with their original IP address rather than the PAT IP address of the router.
- Jouni
12-24-2013 09:08 AM
Hi,
Try to connect with HTTPS.
If that doesn't work, then confirm that the ASA is listening on port TCP/443 on the DMZ interface:
show asp table socket
If it seems normal, then check the following output:
show run all ssl
You could copy/paste that output here or try the following configuration:
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1
- Jouni
12-24-2013 09:17 AM
I tried https:// but that didn't work either.
Here is what I got from the table socket output:
Protocol Socket State Local Address Foreign Address
SSL 000098c8 LISTEN 10.250.0.5:443 0.0.0.0:*
The added commands you sent me didn't work either.
12-24-2013 09:32 AM
Hi,
Do you see anything in the log buffer (through the CLI) when you attempt to connect to the ASA with the browser? Have you tried some other browsers? Have you saved the configuration to the ASA and reloaded it?
- Jouni
12-24-2013 09:46 AM
Hello,
Make sure that this command is present on the ASA:
"Crypto key generate rsa modulus 1024"
Also, make sure that the traffic is reaching the ASA. You mentioned that you have the DMZ interface connected to a router. Maybe the router is routing the traffic somewhere else.
To make sure, you can run some packet captures on the DMZ interface by using the following commands:
This will show if the packets are in fact reaching the ASA.
12-24-2013 09:49 AM
Here is what I see in the logs:
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59245 to DMZ:10.250.0.5/80
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59245 to DMZ:10.250.0.5/80
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59245 to DMZ:10.250.0.5/80
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59245 to DMZ:10.250.0.5/80
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
I am not very good at creating access lists on the CLI, any advice?
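The %ASA-3-710003 lines above are the ASA's management-access ACL (the "http <ip> <mask> <iface>" entries) rejecting the client, and the telling detail is that the rejected source is 10.250.0.6, the router's own address on the DMZ link, not the PC. The script below is an added example, not code from the thread or from Cisco: it parses constructed 710003 syslog lines modelled on the ones posted, checks each denied source against the "http" entries in a constructed copy of the ASA config, and flags any denied source that also appears as a "via" next hop in a constructed "show route" excerpt, since a neighbour router showing up as the client is the signature of PAT on that router hiding the real host. The next-hop heuristic, the sample lines and all function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the thread: only the "http" lines of the ASA config matter here.
ASA_CONFIG = """\
http server enable
http 10.250.100.140 255.255.255.255 DMZ
"""

# Constructed "show route" excerpt; only the "via <next-hop>" addresses are used.
SHOW_ROUTE = """\
D 10.250.100.128 255.255.255.128 [90/28416] via 10.250.0.6, 1:12:09, DMZ
D 10.250.100.0 255.255.255.128 [90/28416] via 10.250.0.2, 3:44:37, inside
C 10.250.0.4 255.255.255.252 is directly connected, DMZ
"""

# Constructed syslog lines modelled on the %ASA-3-710003 messages in the thread, plus an
# unrelated message and a denial from an inside host, which the parser must handle correctly.
SYSLOG = """\
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59245 to DMZ:10.250.0.5/80
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.0.6/59247 to DMZ:10.250.0.5/443
%ASA-3-710003: TCP access denied by ACL from 10.250.100.50/51000 to inside:10.250.0.1/443
%ASA-6-302013: Built inbound TCP connection 12 for DMZ:10.250.0.6/40000 (10.250.0.6/40000) to outside:1.1.1.2/443
"""

HTTP_RULE_RE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
DENY_RE = re.compile(
    r"%ASA-\d-710003: \w+ access denied by ACL from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/\d+ to (?P<iface>[^:]+):\d+\.\d+\.\d+\.\d+/(?P<dport>\d+)"
)
NEXT_HOP_RE = re.compile(r"\bvia (\d+\.\d+\.\d+\.\d+)")
MGMT_PORTS = {80, 443}  # HTTP/HTTPS (ASDM); 710003 also fires for SSH/Telnet denials, ignored here


def parse_http_rules(config):
    """Return [(network, interface)] for every 'http <ip> <mask> <iface>' line."""
    rules = []
    for line in config.splitlines():
        m = HTTP_RULE_RE.match(line.strip())
        if m:
            ip, mask, iface = m.groups()
            rules.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), iface))
    return rules


def parse_next_hops(show_route):
    """Addresses that appear as 'via <addr>' next hops, i.e. neighbouring routers."""
    return {ipaddress.ip_address(h) for h in NEXT_HOP_RE.findall(show_route)}


def parse_denies(syslog):
    """Yield (interface, source address, destination port) for each 710003 line."""
    for line in syslog.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["iface"], ipaddress.ip_address(m["src"]), int(m["dport"])


def http_allowed(rules, iface, src):
    # The ASA matches the source against the rule's network on the named interface only.
    return any(src in net and iface == rif for net, rif in rules)


def source_allowed(config, iface, src):
    """Convenience wrapper taking the raw config and a source address string."""
    return http_allowed(parse_http_rules(config), iface, ipaddress.ip_address(src))


def analyse(config, syslog, show_route):
    """
    Group denied HTTP/HTTPS management attempts by (interface, source) and flag sources
    that are a routing next hop: a neighbour router's own address appearing as the client
    suggests PAT on that router is rewriting the real host's address (assumed heuristic).
    """
    rules = parse_http_rules(config)
    next_hops = parse_next_hops(show_route)
    counts = Counter()
    for iface, src, dport in parse_denies(syslog):
        if dport in MGMT_PORTS and not http_allowed(rules, iface, src):
            counts[(iface, src)] += 1
    report = {}
    for (iface, src), n in counts.items():
        report[(iface, str(src))] = {
            "count": n,
            "is_next_hop": src in next_hops,
            "fix": f"http {src} 255.255.255.255 {iface}",
        }
    return report


if __name__ == "__main__":
    for key, info in sorted(analyse(ASA_CONFIG, SYSLOG, SHOW_ROUTE).items()):
        note = " (next-hop router: suspect PAT/NAT on it)" if info["is_next_hop"] else ""
        print(f"{key[0]}:{key[1]} denied {info['count']}x{note} -> {info['fix']}")
```

Run against the constructed data it reports 10.250.0.6 on DMZ (three denials, flagged as a next hop) and 10.250.100.50 on inside (one denial, a real host). The suggested "http 10.250.0.6 255.255.255.255 DMZ" line is the quick fix; the flag is the reminder that allowing the router's address admits every host behind its PAT, so the longer-term fix is on the router's NAT configuration, not on the ASA.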
12-24-2013 11:12 AM
That did it, thank you again.
Yes, I am doing dynamic PAT since I only have a single IP address from our provider. I know this is not the best way of doing this, but for practice work it's not too bad.
Thanks again and happy holidays.