02-12-2013 02:30 PM - edited 03-11-2019 05:59 PM
Hi,
I have a new ASA 5512-x.
Have a PC connected to the management port. I have network access to it, can tftp up files and ping the firewall.
When I try to access it by https://192.168.1.1 or https://192.168.1.1 I get "webpage could not be found". Have tested with two different PCs, win7 ie9 and Win8 ie10. Port 443 is listening if I do a telnet 192.168.1.1 443.
It's a standard basic configuration with the following:
asdm image disk0:/asdm-711-52.bin
http server enable
http 192.168.1.0 255.255.255.0 management
The asdm-file is located on the flash.
Does anyone have any idea or suggestion what to do, how to troubleshoot it would be much appreciated.
02-12-2013 07:09 PM
Can you pls share your configuration (show run)?
Also, have you tried just http instead of https to the ASA?
02-12-2013 09:22 PM
try to add this in global config mode:
ssl encryption aes128-sha1 3des-sha1
02-12-2013 10:55 PM
Hi Jennifer,
Here is the config. It's a new standard config with nothing added.
The only thing I have done is that I tested to upgrade the OS and ASDM to see if that made it work. But the same problem.
Same thing with http as with https.
Andrew, thanks will test that.
ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
nameif inside
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0a7fa8788882f95a91de16b20ccc4e58
: end
ciscoasa#
02-13-2013 04:12 AM
Can you also please check the output of "show version" and see if 3DES license is enabled?
02-13-2013 04:12 AM
Also, try to reload the ASA and see if you can access it after.
02-13-2013 10:34 AM
Thank you all for the help
Andrew, your tip solved it: "ssl encryption aes128-sha1 3des-sha1"
04-12-2013 07:24 AM
Exact same problem here. Brand new 5512-x out of the box. I could not access https://192.168.1.1/admin https://192.168.1.1 or http://192.168.1.1. However, I could ping 192.168.1.1 and console into the ASA. I added the line mentioned above via console > ssl encryption aes128-sha1 3des-sha1 and voilà!, it worked. Is this a bug or missing parameter in the config? I can only imagine the frustration of others simply trying to perform a first time configuration. :|
04-12-2013 10:32 AM
Hello Dkraut,
It's just that the SSL encryption mechanism supported by default does not work with your browser (that is why we need to change it to a more secure encryption algorithm), but that's it.
It's just a command.
If this helps, please rate it.
Regards
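An added example, not part of the thread or of any Cisco tool: a check that reads `show run` text and reports why the ASDM/HTTPS page cannot load, including the `ssl encryption des-sha1` case solved above. The function name, the sample excerpts and the weak-cipher set are assumptions of this example.

```python
import re

# Cipher names as the ASA "ssl encryption" command spells them. Treating this
# set as "refused by the client" is this example's assumption; the thread only
# establishes that des-sha1 on its own failed with IE9 and IE10.
WEAK = {"des-sha1", "null-sha1", "rc4-md5", "rc4-sha1"}

# Constructed excerpts built from lines in the posted configuration.
BEFORE = """\
asdm image disk0:/asdm-711-52.bin
http server enable
http 192.168.1.0 255.255.255.0 management
ssl encryption des-sha1
"""
AFTER = BEFORE.replace("ssl encryption des-sha1",
                       "ssl encryption aes128-sha1 3des-sha1")


def audit_asdm_access(show_run):
    """Return a list of findings that explain an unreachable ASDM page."""
    lines = [ln.strip() for ln in show_run.splitlines()]
    findings = []

    if "http server enable" not in lines:
        findings.append("http server is not enabled")
    # Management hosts must be permitted per interface.
    if not any(re.fullmatch(r"http \d+\.\d+\.\d+\.\d+ \S+ \S+", ln)
               for ln in lines):
        findings.append("no 'http <network> <mask> <interface>' line")
    if not any(ln.startswith("asdm image ") for ln in lines):
        findings.append("no asdm image configured")

    # The last "ssl encryption" line wins; an absent line is not judged here.
    ssl = [ln.split()[2:] for ln in lines if ln.startswith("ssl encryption ")]
    if ssl:
        ciphers = ssl[-1]
        if all(c in WEAK for c in ciphers):
            findings.append("ssl encryption offers only " + " ".join(ciphers)
                            + "; add a cipher the client accepts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_asdm_access(cfg) or "no findings")
```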
05-17-2013 11:38 PM
Q: what is the browser configuration when you do not have a licence for 3DES... and you are stuck with a K8 ;-(
ASA version 9.1.2 - 5515X
when you type the command "ssl encryption aes128-sha1 3des-sha1" on my K8 you just get an error message saying that you require a 3 DES licence
Cheers
LB
05-17-2013 11:55 PM