Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5930
Views
20
Helpful
10
Replies

Can't access ASA 5506 (https or ASDM) after changing LAN IP addresses

mike_t
Level 1
Level 1

‎10-17-2018 03:15 PM - edited ‎02-21-2020 08:22 AM

Hi All

I'm new to the ASA5506 and am setting one up as a firewall for our office.  I originally set it up via ASDM and one of the things I did was to change the LAN IP addresses, since then I cannot access the firewall at http://'new address'/admin or https://'new address'/admin or via ASDM from the laptop I originally used with ASDM at the original address.  However, if I use a different PC on the same LAN, I can get to https://'new address'/admin and via ASDM. 

 

I've been setting up the rest of the firewall config via the console port and everything else seems to be working fine.

 

I've read another discussion and perhaps this may be a certificate problem, but if so I don't know how to fix it.  Does anyone know if that might be the problem or could it be something else?

 

Thanks in advance

 

Mike

0 Helpful
10 Replies 10

Alex Pfeil
Level 7
Level 7

‎10-17-2018 04:00 PM

Show run | i http
You usually have commands:
Http inside x.x.x.x subnetMask
Or
Http management

It can also be SSL issue.

Please mark helpful posts.

mike_t
Level 1
Level 1
In response to Alex Pfeil

‎10-17-2018 05:37 PM

sho run | i http gives

http server enable
http 192.168.0.0 255.255.0.0 inside_1
http 192.168.0.0 255.255.0.0 inside_2
http 192.168.0.0 255.255.0.0 inside_3
http 192.168.0.0 255.255.0.0 inside_4
http 192.168.0.0 255.255.0.0 inside_5
http 192.168.0.0 255.255.0.0 inside_6
http 192.168.0.0 255.255.0.0 inside_7

the original laptop is at 192.168.2.64, the new one is 192.168.2.69, both can ping  the ASA at 192.168.2.1

 

Mike

0 Helpful

johnd2310
Level 8
Level 8

‎10-17-2018 04:02 PM

Hi,

 Are the 2 PCs on  the same network i.e. same ip address range? Can you ping the "new ip address" from the PC that is not working? What ip addresses are configured to access the firewall e.g. http x.x.x.x x.x.x.x inside?

 

thanks

John

**Please rate posts you find helpful**

mike_t
Level 1
Level 1
In response to johnd2310

‎10-17-2018 05:40 PM

Hi

yes, both PCs are in the same address range and can ping all hosts that are on that network including the ASA

Result of sho run http is

http server enable
http 192.168.0.0 255.255.0.0 inside_1
http 192.168.0.0 255.255.0.0 inside_2
http 192.168.0.0 255.255.0.0 inside_3
http 192.168.0.0 255.255.0.0 inside_4
http 192.168.0.0 255.255.0.0 inside_5
http 192.168.0.0 255.255.0.0 inside_6
http 192.168.0.0 255.255.0.0 inside_7

MIke

0 Helpful

mike_t
Level 1
Level 1
In response to Alex Pfeil

‎10-17-2018 06:35 PM

Thanks for that link, but I've not found anything there that helps.  It says "open the ASDM from another machine. If you succeed, the issue is is probably at the application level".   But then I'm not sure where to go.  There is an 'Application Software' section in that document, and one of the steps is "Open the ASDM launch page from another machine. If it launches, it means that the issue is with the client machine in question".  So (as suspected) there is an issue on the original client machine, but I can't work out what and how to fix it

 

Mike

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to mike_t

‎10-18-2018 03:36 AM

1. Make sure you are allowing your computer IP address to the correct interface with the http command on the asa.

2. Make sure you have the SSL command on the asa.

Here is an example:

ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2
 no ssl-server-check

3. Make sure you have the asdm image command.

Here is an example:

asdm image disk0:/asdm.bin

4. Check the version of the asa you are running.

5. Check the version of the asdm you are running.

6. Check the version of java that you are running.

Here is an example:

If you are running the latest version of asa and asdm code, you should have the latest java installed.

7. You can also go into the advanced options in internet explorer, scroll down near the bottom and verify what your SSL/TLS values are set to.

 

Please mark helpful posts.

mike_t
Level 1
Level 1
In response to Alex Pfeil

‎10-18-2018 02:22 PM

Thanks Alex

Just for further info - I tried SSH via PuTTY and had the same result (connection refused on the original laptop, and no problem on the new PCs), so it doesn't look like an ASDM / Java issue.  But just to confirm, here are the responses to your points

 

@Alex Pfeil wrote:

1. Make sure you are allowing your computer IP address to the correct interface with the http command on the asa.

Yes - reported in previous posts

 

2. Make sure you have the SSL command on the asa.

Here is the result of sho run all ssl

ssl server-version tlsv1

ssl client-version tlsv1

ssl cipher default medium

ssl cipher tlsv1 medium

ssl cipher tlsv1.1 medium

ssl cipher tlsv1.2 medium

ssl cipher dtlsv1 medium

ssl dh-group group2

ssl ecdh-group group19

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip

ssl certificate-authentication fca-timeout 2

 

3. Make sure you have the asdm image command.

I have asdm image disk0:/asdm-782.bin

 

 

4. Check the version of the asa you are running.

9.8(2)

 

5. Check the version of the asdm you are running.

7.8(2)

 

6. Check the version of java that you are running.

Version 8 Update 181 (build 1.9.0_181-b13)

 

7. You can also go into the advanced options in internet explorer, scroll down near the bottom and verify what your SSL/TLS values are set to.

I tend to use Chrome rather than IE, but IE has "Use TLS 1.0", "Use TLS 1.1" and "Use TLS 1.2" checked

 

Thanks for you help

 

Mike

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to mike_t

‎10-19-2018 05:11 AM

Show run | include http

show run | include ssh

 

0 Helpful

mike_t
Level 1
Level 1
In response to Alex Pfeil

‎10-21-2018 01:24 PM

sho run | i http

http server enable
http 192.168.0.0 255.255.0.0 inside_1
http 192.168.0.0 255.255.0.0 inside_2
http 192.168.0.0 255.255.0.0 inside_3
http 192.168.0.0 255.255.0.0 inside_4
http 192.168.0.0 255.255.0.0 inside_5
http 192.168.0.0 255.255.0.0 inside_6
http 192.168.0.0 255.255.0.0 inside_7
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http

sho run | i ssh

aaa authentication ssh console LOCAL
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside_1
ssh 192.168.0.0 255.255.0.0 inside_2
ssh 192.168.0.0 255.255.0.0 inside_3
ssh 192.168.0.0 255.255.0.0 inside_4
ssh 192.168.0.0 255.255.0.0 inside_5
ssh 192.168.0.0 255.255.0.0 inside_6
ssh 192.168.0.0 255.255.0.0 inside_7
ssh timeout 5
ssh key-exchange group dh-group1-sha1

Thanks

 

Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card