03-05-2009 01:16 PM - edited 02-21-2020 03:20 AM
Problem: Cannot connect to ASDM on ASA 5505 when vlan1 network is changed from the factory default.
Hi all. I am just getting started on a new ASA 5505, working it in a test lab environment. I ran through the initial setup wizard. During that time I specified a name for Vlan1 (changed from 'inside' to 'INTR-NET'), modified the Vlan1 IP address to use DHCP, and then populated the Device Config Access table with entries corresponding to the entire Class B network here on the local intranet. I don't recall if the factory-default network was already populated, but if it wasn't I added it as 192.168.1.0/255.255.255.0
I then saved the config, and verified that the ASA got a DHCP address using the RS-232 console. I then reconfigured the laptop I have plugged into port 0/1 with its normal address on the intranet and discovered that I couldn't reconnect to ASDM. The ASDM client times out, and a web browser opened to https://(ASA5505's dhcp addr) fails as well.
I then used the console to add another http IP address matching the specific IP address (xxx.240.113.129/255.255.255.255) which the laptop is set for, to the list of permissible admin connections, but saw no difference.
This issue is much the same as was reported in this prior forum posting:
EXCEPT that I was already aware the admin IP address(es) needed to be registered to enable access via SSH/Telnet/HTTPS.
And, I did that step, but it is not working. I have tried adding various combinations of network ranges in the device config access list, including the specific subnet that the lab's dhcp server assigned to the ASA 5505 (xxx.240.112.0/255.255.254.0), but there is no difference. I can traceroute to the laptop and ping the Vlan1 interface from the laptop, but the https ASDM (and ssh connections too) are not successful. This is very frustrating.
The device is brand new, I see that upon boot it loads asa724-k8.bin, and the software banner says Cisco Adaptive Security Appliance Software Version 7.2(4)
Note also that, from the RS-232 console, if I reset the IP address to the static, factory default (192.168.1.1) and manually config my laptop on the same subnet, then ASDM makes the connection. Just like out of the box. But when I put it back onto our intranet and verify the DHCP lease, then ASDM is a no go.
Can you think of what I've missed?
03-05-2009 01:47 PM
What are the results from 'sh run http' and 'sh run ssh'?
03-05-2009 02:33 PM
Good question. Let me add that info plus related Vlan config details:
ASA5505A# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 INTR-NET XXX.240.112.92 255.255.254.0 DHCP
Vlan2 VoIP 172.26.99.1 255.255.255.0 manual
Vlan3 dmz-unused 192.168.99.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 INTR-NET XXX.240.112.92 255.255.254.0 DHCP
Vlan2 VoIP 172.26.99.1 255.255.255.0 manual
Vlan3 dmz-unused 192.168.99.1 255.255.255.0 manual
ASA5505A# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 INTR-NET up Et0/1, Et0/2, Et0/3, Et0/4
2 VoIP down Et0/5, Et0/6, Et0/7
3 dmz-unused down Et0/0
ASA5505A#
ASA5505A# config t
ASA5505A(config)# show running-config http
http server enable
http XXX.240.0.0 255.255.0.0 INTR-NET
http 192.168.1.0 255.255.255.0 INTR-NET
http XXX.240.113.129 255.255.255.255 INTR-NET
ASA5505A(config)#
ASA5505A(config)# show running-config ssh
ssh 192.168.1.0 255.255.255.0 INTR-NET
ssh XXX.240.0.0 255.255.0.0 INTR-NET
ssh timeout 5
SECURITY LEVEL IS 100 ON Vlan1 and Vlan2, 50 on Vlan3, and traffic is restricted from Vlan3 to Vlan1 because this is the basic license.
03-06-2009 01:49 PM
UPDATE:
Decided to test overriding security. I added the following:
---------------------------------
http 0.0.0.0 0.0.0.0 INTR-NET
---------------------------------
Updated configuration then reads:
ASA5505A(config)# show running-config http
http server enable
http 0.0.0.0 0.0.0.0 INTR-NET
http xxx.240.0.0 255.255.0.0 INTR-NET
http 192.168.1.0 255.255.255.0 INTR-NET
ASA5505A(config)#
I tested using IE. I was surprised to see that this worked. The ASA generated a new self-signed certificate with CN=(the new address)
Thinking that this may have cured the issue I restored config to the prior setting (removing 0.0.0.0) and then it was broken again.
So for now I have this override enabled, but obviously it is not acceptable, were this not in a test lab.
One final note, I took a second brand-new unit out and used the command console to assign the Vlan1 interface a static address on the INTR-NET, after removing the default dhcp-pool. I added an http entry for the INTR-NET's class B network. I also had to add a static route for Vlan1 to reach the subnet my laptop was on, but that was it. So essentially, this was a very clean repeat of the test as I did not modify anything else at all and never went into ASDM to run the setup wizard.
With just those changes the same behavior was seen. Can't make a connection to ASDM. What is with this software? Did they never test it?
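The posted 'show running-config http' / 'show running-config ssh' output, and the later 'http 0.0.0.0 0.0.0.0 INTR-NET' override, are both questions of whether a given source address is covered by one of the ASA's management access lines. The following Python checker is an added example written for this thread, not something from the original posts or from Cisco. It parses lines of that output, reports which entry (if any) covers a source address on a given interface, and flags any all-zero entry as wide open (which is what makes the override "work" and why it is not acceptable outside a lab). The redacted first octet "xxx" from the thread is replaced with the placeholder 10, and the sample lines are constructed from the posted config.

```python
import ipaddress

# Constructed sample, copied from the thread with "xxx" replaced by the
# placeholder octet 10. The ASA matches management access lines by
# source address + mask + ingress interface name.
SHOW_RUN_HTTP = """\
http server enable
http 10.240.0.0 255.255.0.0 INTR-NET
http 192.168.1.0 255.255.255.0 INTR-NET
http 10.240.113.129 255.255.255.255 INTR-NET
"""

SHOW_RUN_SSH = """\
ssh 192.168.1.0 255.255.255.0 INTR-NET
ssh 10.240.0.0 255.255.0.0 INTR-NET
ssh timeout 5
"""


def parse_access_lines(text, keyword):
    """Return (network, interface) pairs from '<keyword> A.B.C.D M.M.M.M IFNAME' lines.

    Lines such as 'http server enable' or 'ssh timeout 5' have a different
    shape and are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == keyword:
            # strict=False lets a host entry like x.x.x.129/255.255.255.255
            # and a non-aligned network be parsed without raising.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            entries.append((net, parts[3]))
    return entries


def matching_entries(entries, source_ip, interface):
    """Entries that would admit a management session from source_ip on interface."""
    ip = ipaddress.ip_address(source_ip)
    return [(net, ifc) for net, ifc in entries if ifc == interface and ip in net]


def is_permitted(entries, source_ip, interface):
    """True when at least one access line covers the source on that interface."""
    return bool(matching_entries(entries, source_ip, interface))


def wide_open_entries(entries):
    """Entries like 'http 0.0.0.0 0.0.0.0 IFNAME': a /0 matches every source."""
    return [(net, ifc) for net, ifc in entries if net.prefixlen == 0]


if __name__ == "__main__":
    http_entries = parse_access_lines(SHOW_RUN_HTTP, "http")
    laptop = "10.240.113.129"  # the poster's laptop, first octet placeholder
    print("laptop on INTR-NET:", matching_entries(http_entries, laptop, "INTR-NET"))
    print("laptop on VoIP:", matching_entries(http_entries, laptop, "VoIP"))
    # The override from the follow-up post: everything matches, which is why
    # it should be flagged rather than left in a production config.
    override = parse_access_lines(SHOW_RUN_HTTP + "http 0.0.0.0 0.0.0.0 INTR-NET\n", "http")
    print("wide open:", wide_open_entries(override))
```

The useful check when an entry already appears to cover the client is to compare the address the ASA actually sees (for example from 'show conn' or 'show asp drop' on the appliance, or the laptop's real source address after any NAT) against the output of matching_entries, and to treat any hit from wide_open_entries as a finding to remove once troubleshooting is done.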