Can't access ASDM after upgrade to ASA Version 9.1(4)5

shazam277
Level 1

So I upgraded to ASA Version 9.1(4)5 (I realize I'm a few versions behind), and can no longer access ASDM. I can still get in via the CLI.

Here is the show run:

ciscoasa# show run                                                           

: Saved

:

ASA Version 9.1(4)5 

!

hostname ciscoasa

domain-name sblah.net

enable password ****** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

ip local pool VPN W.X.Y.80-W.X.Y.82 mask 255.255.255.0

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

 shutdown

!

interface Ethernet0/3

 shutdown

!

interface Ethernet0/4

 shutdown

!

interface Ethernet0/5

 shutdown

!

interface Ethernet0/6

 shutdown

!

interface Ethernet0/7

 shutdown

!

interface Vlan1

 nameif inside

 security-level 100

 ip address W.X.Y.1 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

boot system disk0:/asa914-5-k8.bin

no ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

 name-server W.X.Y.72

 domain-name shazam27.net

same-security-traffic permit intra-interface

object network Note4

 host W.X.Y.45

object network SmartLinc

 host W.X.Y.71

object network MediaPC

 host W.X.Y.65

object network TorrentPC

 host W.X.Y.68

object service uTorrent

 service udp destination eq 13555 

object service tTorrent

 service tcp destination eq 13555 

object network Rackstation1

 host W.X.Y.72

object service 56137

 service udp destination eq 56137 

object network NETWORK_OBJ_W.X.Y.80_30

 subnet W.X.Y.80 255.255.255.252

object network PS3

 host W.X.Y.62

object network YamahaAV

 host W.X.Y.60

object network Workstation

 host W.X.Y.61

object network MacBookPro2

 host W.X.Y.70

object network ParallelVM

 host W.X.Y.51

object network Sadia_iPhone

 host W.X.Y.42

object network iPad3

 host W.X.Y.69

object network Nest_Thermo

 host W.X.Y.53

object network NETWORK_OBJ_W.X.Y.0_24

 subnet W.X.Y.0 255.255.255.0

object network SonyLaptop

 host W.X.Y.64

object network TV

 host W.X.Y.10

object service 16384

 service udp destination range 16384 16387 

object service 16393

 service udp destination range 16393 16402 

object service 3478

 service udp destination range 3478 3497 

object service 5223

 service tcp destination eq 5223 

object service 81

 service tcp destination eq 81 

object service 9003

 service tcp destination eq 9003 

object network Blog

 host W.X.Y.72

object network Nexus7

 host W.X.Y.52

object network OpenDNS1

 host 208.67.222.222

object network OpenDNS2

 host 208.67.220.220

object network GoogleDNS1

 host 8.8.8.8

object network GoogleDNS2

 host 8.8.4.4

object network FireTVStick

 host W.X.Y.59

object network Galaxy10

 host W.X.Y.66

object network UniFI

 host W.X.Y.55

object network UniFi2

 host W.X.Y.67

object network Chromecast

 host W.X.Y.56

object network FireTV

 host W.X.Y.49

object network Shehzad-EY

 host W.X.Y.46

object network SadiaWork

 host W.X.Y.48

object network PS4

 host W.X.Y.63

object-group service DM_INLINE_SERVICE_1

 service-object tcp-udp destination eq www 

 service-object tcp destination eq https 

 service-object udp destination eq ntp 

object-group network Sadia_work

 network-object object Shehzad-EY

 network-object object SadiaWork

object-group service Facebook tcp

 port-object eq 8883

object-group network Apple

 network-object object iPad3

 network-object object MacBookPro2

 network-object object Sadia_iPhone

object-group network DM_INLINE_NETWORK_1

 network-object object Galaxy10

 group-object Sadia_work

 network-object object Nexus7

object-group network Internal

 network-object object SmartLinc

 network-object object MediaPC

 network-object object PS3

 group-object Apple

 network-object object Workstation

 network-object object YamahaAV

 network-object object Nest_Thermo

 network-object object MacBookPro2

 network-object object Rackstation1

 network-object object ParallelVM

 network-object object TorrentPC

 network-object object Galaxy10

 network-object object TV

 network-object object Nexus7

 network-object object SonyLaptop

 network-object object Chromecast

 network-object object FireTV

 network-object object Note4

 network-object object Sadia_iPhone

 network-object object FireTVStick

 network-object object PS4

object-group service Torrent

 service-object object tTorrent 

 service-object object uTorrent 

 service-object object 56137 

 service-object icmp 

object-group service DM_INLINE_SERVICE_3

 service-object object tTorrent 

 service-object object uTorrent 

object-group service PS3-5223 tcp

 port-object eq 5223

object-group service PS3-UDP udp

 port-object eq 3478

 port-object eq 3479

 port-object eq 3658

object-group service DM_INLINE_SERVICE_2

 service-object tcp destination eq 5223 

 service-object udp 

object-group network UniFiAPs

 network-object object UniFI

 network-object object UniFi2

object-group service Tango

 service-object tcp destination eq 5223 

 service-object tcp destination eq 6222 

 service-object tcp destination eq 8080 

 service-object tcp destination eq 8443 

 service-object udp destination eq 1818 

 service-object udp destination range 3478 3578 

 service-object udp destination range 49000 65535 

object-group service Nest tcp-udp

 port-object eq 9443

 port-object eq 9543

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group network DM_INLINE_NETWORK_3

 network-object object Nest_Thermo

 group-object Apple

object-group service Google tcp

 port-object eq 5228

object-group service MinionRush

 service-object tcp destination range 20000 20001 

 service-object tcp destination eq 5228 

 service-object tcp destination range 34000 65000 

object-group service Hangouts

 service-object tcp-udp destination range 19302 19309 

 service-object tcp destination eq 5222 

object-group service DM_INLINE_SERVICE_7

 group-object Tango

 service-object tcp destination eq 993 

 group-object MinionRush

 group-object Hangouts

object-group network DM_INLINE_NETWORK_2

 network-object object Galaxy10

 network-object object iPad3

 network-object object Note4

 network-object object Sadia_iPhone

object-group network DNS_Servers

 network-object object OpenDNS1

 network-object object OpenDNS2

 network-object object GoogleDNS1

 network-object object GoogleDNS2

object-group service DM_INLINE_TCP_3 tcp

 port-object eq 30000

 port-object eq 30011

object-group service Factime

 service-object object 16384 

 service-object object 16393 

 service-object object 3478 

 service-object object 5223 

object-group service DM_INLINE_SERVICE_6

 group-object Factime

 service-object tcp destination eq 587 

 service-object tcp destination eq 993 

 service-object tcp destination eq smtp 

object-group service DM_INLINE_TCP_1 tcp

 port-object eq www

 port-object eq https

access-list inside_access_in extended permit udp object Rackstation1 object-group DNS_Servers eq domain 

access-list inside_access_in extended permit tcp object-group UniFiAPs host 67.215.65.132 eq 8080 

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any4 

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group Internal any4 

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group Apple any4 

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_2 any4 

access-list inside_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_3 any4 object-group Nest 

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object PS3 any4 

access-list inside_access_in extended permit tcp object TV any4 object-group DM_INLINE_TCP_3 

access-list inside_access_in extended permit ip object TorrentPC any4 

access-list inside_access_in extended permit udp object Note4 any4 eq 12000 

access-list inside_access_in extended deny ip any4 any4 

access-list outside_access_in extended permit udp any4 host W.X.Y.68 eq 55790 inactive 

access-list outside_access_in extended permit tcp any4 object Rackstation1 object-group DM_INLINE_TCP_1 

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object TorrentPC 

access-list outside_access_in extended deny ip any4 any4 

pager lines 24

logging timestamp

logging console informational

logging trap informational

logging history informational

logging asdm informational

logging facility 21

logging host inside W.X.Y.72

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-715-100.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static any any destination static NETWORK_OBJ_W.X.Y.80_30 NETWORK_OBJ_W.X.Y.80_30 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_W.X.Y.0_24 NETWORK_OBJ_W.X.Y.0_24 destination static NETWORK_OBJ_W.X.Y.80_30 NETWORK_OBJ_W.X.Y.80_30 no-proxy-arp route-lookup

!

object network TorrentPC

 nat (inside,outside) static interface service tcp 13555 13555 

object network Rackstation1

 nat (inside,outside) static interface service tcp https https 

object network Blog

 nat (any,outside) static interface net-to-net service tcp www www 

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL 

aaa authentication ssh console LOCAL 

http server enable

http W.X.Y.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetinbound interface outside

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh W.X.Y.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

 

priority-queue inside

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address W.X.Y.0 255.255.255.0

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1

ssl certificate-authentication interface inside port 443

ssl certificate-authentication interface outside port 443

group-policy DfltGrpPolicy attributes

 dns-server value W.X.Y.101

 vpn-tunnel-protocol ssl-clientless

group-policy RemoteAccess internal

group-policy RemoteAccess attributes

 dns-server value W.X.Y.101

 vpn-tunnel-protocol ikev1 

 default-domain value sblah.net

username admin password bty5DjTpS.wRD2l4 encrypted privilege 15

 vpn-group-policy RemoteAccess

 service-type admin

tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

 address-pool VPN

 default-group-policy RemoteAccess

tunnel-group RemoteAccess ipsec-attributes

 ikev1 pre-shared-key *****

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect ip-options 

  inspect dns preset_dns_map dynamic-filter-snoop 

 class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context 

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:66dcd6e56a99fd6aea0fc82f30a127d0

: end

 

Any guidance would be greatly appreciated as I have tried quite a few things and can't get ASDM back. I try connecting via HTTPS and just get 401 Unauthorized.

7 Replies

Vibhor Amrodia
Cisco Employee

Hi,

What is the Java version? Also, have you tried to upgrade the ASDM to the latest version and see if it works?

Thanks and Regards,

Vibhor Amrodia

Thanks for the reply.

Currently version 8 of Java. I tried several versions.

Firewall has ASDM version 7.5.1 on it. However, I can't even download ASDM from the firewall anymore or even use the ASDM launcher. I had deleted it thinking that the older version was still in use. Every time I connect over HTTPS I get 401 Unauthorized. It won't even ask for a login.

Thanks,

Shehzad

Hi,

Share these outputs with me:-

show run http

show run asdm

show run all ssl

show asp table socket

Also, try to check the ASDM from a different PC with the latest Java version installed.

Thanks and Regards,

Vibhor Amrodia

ciscoasa# show run http

http server enable

http w.x.y.0 255.255.255.0 inside

ciscoasa# show run asdm

asdm image disk0:/asdm-715-100.bin

asdm history enable

ciscoasa# show run all ssl

ssl server-version any

ssl client-version any

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1

ssl certificate-authentication fca-timeout 2

ssl certificate-authentication interface inside port 443

ssl certificate-authentication interface outside port 443

ciscoasa# show asp table socket

 

Protocol  Socket    State      Local Address                                Foreign Address

SSL       00035478  LISTEN     w.x.y.1:443                            0.0.0.0:*                                    

TCP       000508e8  LISTEN     w.x.y.1:22                             0.0.0.0:*                                    

TCP       007d9588  ESTAB      w.x.y.1:22                             1w.x.y.70:64543                         

ciscoasa# 

 

I tried connecting from different systems and got the same results with the HTTP connection.

I appreciate the help, Vibhor.

Hi,

What happens if you remove this command:-

ssl certificate-authentication interface inside port 443

Also, try the latest ASDM version.

Thanks and Regards,

Vibhor Amrodia
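The fix above works because `ssl certificate-authentication interface inside port 443` makes the ASA demand a client certificate on the management interface, so a browser or ASDM launcher without one is rejected before any login prompt. As an added example that is not from this thread or from Cisco, the following Python check reads an ASA running-config excerpt and reports each condition discussed here that would block ASDM for a given client: `http server enable`, an `http <net> <mask> <iface>` entry covering the client, an `asdm image`, and certificate authentication on the management interface. The sample config and addresses are constructed.

```python
import ipaddress
import re

# Constructed excerpt of an ASA running-config, modelled on the one in the
# thread above; 192.0.2.0/24 is a documentation prefix, not the poster's network.
SAMPLE_CONFIG = """\
http server enable
http 192.0.2.0 255.255.255.0 inside
asdm image disk0:/asdm-715-100.bin
ssl certificate-authentication interface inside port 443
ssl certificate-authentication interface outside port 443
"""

HTTP_ACL_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")
CERT_AUTH_RE = re.compile(r"^ssl certificate-authentication interface (\S+) port (\d+)$")


def audit_asdm_access(config_text, mgmt_interface, client_ip):
    """Return the reasons an ASDM/HTTPS session from client_ip to the
    management interface would fail; an empty list means none were found."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "http server enable" not in lines:
        findings.append("http server is disabled ('http server enable' missing)")
    if not any(ln.startswith("asdm image ") for ln in lines):
        findings.append("no 'asdm image' configured, so there is nothing to serve")

    # 'http <net> <mask> <iface>' entries decide which clients may reach ASDM.
    client = ipaddress.ip_address(client_ip)
    permitted = False
    for ln in lines:
        m = HTTP_ACL_RE.match(ln)
        if m and m.group(3) == mgmt_interface:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if client in net:
                permitted = True
    if not permitted:
        findings.append(f"{client_ip} is not covered by any 'http ... {mgmt_interface}' entry")

    # Client-certificate authentication on the management interface rejects a
    # browser or ASDM launcher that has no certificate before any login prompt,
    # which matches the 401 Unauthorized seen in this thread.
    for ln in lines:
        m = CERT_AUTH_RE.match(ln)
        if m and m.group(1) == mgmt_interface:
            findings.append(
                f"client certificate required on {mgmt_interface} port {m.group(2)}; "
                f"clear it with 'no {ln}' if certificate auth was not intended"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_asdm_access(SAMPLE_CONFIG, "inside", "192.0.2.70"):
        print("-", finding)
```

Run it against `show run http`, `show run asdm` and `show run all ssl` output pasted into one file; the outside-interface certificate line is reported only when "outside" is the interface being audited.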

Well, apparently that worked. I was able to connect and download ASDM.

Thanks!!

shazam277
Level 1

Just adding a post to see if anyone can assist.

Thanks!!
