11-15-2013 09:39 AM - edited 03-11-2019 08:05 PM
Hello!
I previously had some assistance configuring a router for inbound HTTPS traffic in this thread: https://supportforums.cisco.com/message/4026878#4026878. It has been working great.
I got a call from the customer that the web access no longer works for this product. I believe it is because the web interface for remote management is now using port 443. I can confirm this by going here: https://75.150.96.33//webviewlink/wvconnect.aspx. That should take me to a page that says the test is successful, but I get to the login page for remote management of the Cisco appliance.
How do I change the port for remote management, or better yet, disable that service?
-Mike
11-15-2013 10:15 AM
Hi,
So just to make it clear, are we talking about a situation where you have a site with an ASA firewall which has only one public IP address available that is naturally used in its external interface and originally you had forwarded port TCP/443 to an internal host/server to access a web portal and the ASA has now been enabled for ASDM access (using TCP/443) that is causing connectivity problems to the actual internal server?
If the above is the situation then if you have the CLI access to the ASA you would have to check at least these settings
show run http
This should list the networks and interfaces from which the ASDM is reachable. It should also tell if the ASDM is enabled with the default port or if it's running on a nondefault port.
You should see something like
http server enable
http
This would mean that the ASA is configured for ASDM access
You could also use the following command to view on what ports the ASA is listening on
show asp table socket
You should probably see the TCP/443 port being listened on.
Naturally if my presumptions above are correct then someone at some point enabled the ASDM access since it shouldn't start causing problems suddenly.
You can either use the CLI connection to disable the ASDM access by clearing the "http" related configurations.
You could also change the port used with the command
http server enable
Hope this helps
- Jouni
11-15-2013 10:17 AM
Ah,
Must be too tired. You clearly answered some of my doubts and stated the needed information in the original post, doh. Must have not registered with my brain for some reason.
Though still the above "show" commands and configuration commands should help you with this situation I imagine.
- Jouni
11-15-2013 10:24 AM
Here are some results of the commands....
Result of the command: "show run http"
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
http 192.168.175.0 255.255.255.248 inside
Result of the command: "show asp table socket"
Proto  Socket    Local Address      Foreign Address      State
TCP    00013f0c  192.168.2.1:23     0.0.0.0:*            LISTEN
TCP    0001c104  192.168.100.1:23   0.0.0.0:*            LISTEN
SSL    00026de4  192.168.2.1:443    0.0.0.0:*            LISTEN
SSL    000282fc  192.168.100.1:443  0.0.0.0:*            LISTEN
SSL    0003147c  RDP-Outside:443    0.0.0.0:*            LISTEN
DTLS   0003c1b4  RDP-Outside:443    0.0.0.0:*            LISTEN
SSL    0ca72f5c  192.168.2.1:443    WebViewServer:58524  ESTAB
SSL    0ca81eb4  192.168.2.1:443    WebViewServer:58526  ESTAB
SSL    0cf24a64  192.168.2.1:443    WebViewServer:58740  ESTAB
RDP-Outside is configured as 75.150.96.33
WebViewServer is configured as 192.168.2.220
Does that help? I seem to remember it being a fairly simple process from the ASDM to change the port number it listens on, I just can't remember now what it was. I had to do it before.
-Mike
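Added example, not part of the original thread: a small Python parser for the "show asp table socket" output quoted in the post above. It reports which protocols the ASA itself is listening with on the public address and port that are supposed to be forwarded to the internal server. The function names are hypothetical; the sample rows and the name-to-IP mapping are copied from the post.

```python
import re

# Sample rows copied from the "show asp table socket" output in the post above.
SAMPLE = """\
Proto Socket Local Address Foreign Address State
TCP 00013f0c 192.168.2.1:23 0.0.0.0:* LISTEN
TCP 0001c104 192.168.100.1:23 0.0.0.0:* LISTEN
SSL 00026de4 192.168.2.1:443 0.0.0.0:* LISTEN
SSL 000282fc 192.168.100.1:443 0.0.0.0:* LISTEN
SSL 0003147c RDP-Outside:443 0.0.0.0:* LISTEN
DTLS 0003c1b4 RDP-Outside:443 0.0.0.0:* LISTEN
SSL 0ca72f5c 192.168.2.1:443 WebViewServer:58524 ESTAB
"""

# Name aliases as stated in the post.
NAMES = {"RDP-Outside": "75.150.96.33", "WebViewServer": "192.168.2.220"}

# proto, hex socket id, local addr:port, foreign addr:port (or *), state
ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<local>\S+):(?P<lport>\d+)"
    r"\s+(?P<foreign>\S+):(?P<fport>\d+|\*)\s+(?P<state>\S+)$")

def parse_sockets(text, names=NAMES):
    """Return one dict per socket row, resolving name aliases to IPs."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header line ("Socket" is not hex) or blank line
            continue
        rows.append({
            "proto": m["proto"],
            "local": names.get(m["local"], m["local"]),
            "port": int(m["lport"]),
            "state": m["state"],
        })
    return rows

def listener_conflicts(rows, public_ip, forwarded_port):
    """Protocols the firewall itself listens with on the address and port
    that should be forwarded to an internal server."""
    return sorted({r["proto"] for r in rows
                   if r["state"] == "LISTEN"
                   and r["local"] == public_ip
                   and r["port"] == forwarded_port})

if __name__ == "__main__":
    print(listener_conflicts(parse_sockets(SAMPLE), "75.150.96.33", 443))
```

A non-empty result means a service on the firewall is bound to the same address and port as the intended port forward; rerun it against fresh output after changing the service ports to confirm the listeners have moved.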
11-15-2013 10:30 AM
Hi,
In the CLI format the command is for example
http server enable 444
I am not sure if changing the port while connected with ASDM cuts the current connection off or will it only affect the following connections.
On the ASDM you can go to
Configuration (Top Menu Bar) -> Device Management (Bottom Left) -> Management Access (Drop Down Menu) -> ASDM/HTTPS/Telnet/SSH (Drop Down Menu) -> Port Number (On the actual page)
Hope this helps
- Jouni
11-15-2013 10:52 AM
I changed it to port 444 through ASDM. I can log in and access the Cisco appliance on the internal server successfully now, but now I get a new message when I go to: https://75.150.96.33//webviewlink/wvconnect.aspx, it is for the SSL VPN service.
I found my way to a config screen for SSL VPN, tried to edit the port number for that, but it told me no changes can be made on an active interface. Do I need to shut down the entire appliance to make this change? Am I trying to make the change in the wrong spot?
-Mike
11-15-2013 10:55 AM
Hi,
Try to uncheck the interface specific settings you see above and then change the port for the service.
- Jouni
11-15-2013 11:02 AM
I unchecked the Allow Access and Enable DTLS boxes, changed the ports to 445, and that stopped the SSL VPN login page, but now I have a page can't be displayed error. https://75.150.96.33/webviewlink/wvconnect.aspx
-Mike
11-15-2013 11:22 AM
Hi,
I guess you could check the current configurations with the "packet-tracer" command
packet-tracer input outside tcp 1.1.1.1 12345
Insert the public IP address of the ASA and replace the IP address 1.1.1.1 with something else if it's not allowed according to your ACLs.
- Jouni
11-15-2013 01:06 PM
Something else happened along the way, and I had to re-create the ACL and routing rule. Once I entered those two commands, web access to the server was restored. Thank you for helping me edit the port number for remote management and the SSL VPN.
-Mike