Firewall ASA 5505 and ASDM (NAT)

Hello all, I am asking for help to solve a problem that I have with a customer I recently acquired.

For this account an ASA 5505 is already configured.

I should say that I have zero knowledge of Cisco firewalls, and these days I have been reading documentation on the internet and its manual.

The firewall is working fine, and a VPN is also configured on it so the owners can connect from outside.

I tried to connect to the ASA via HTTPS from a PC on the LAN, but nothing. By reading and documenting myself, I downloaded PuTTY and connected to the firewall via the console.

Then I looked at the configuration that had been made.

Comparing it with the information I found on the internet, I see that the HTTP server is disabled and no access has been configured. I take care of that and enable it for exactly one PC on the LAN.

I try to connect again; this time it shows that the page's security certificate is invalid. I click "not recommended", which gets me past that, but right afterwards I get the "page cannot be found" error in Explorer. I try with Safari and get an HTTP 404 or 440 error (if I remember correctly). With PuTTY I go to check whether there is an ASDM .bin in flash memory: it turns out it is there, but I cannot find the file. (Sorry, I'm writing carelessly, but as you know better than me, this is seen by typing certain commands.)

At that point I stopped, because I do not want to cause trouble. I would like to open certain ports to an internal IP, so that access on those ports is allowed from outside, from any PC, through the public IP.

Can you help me, either by giving me the commands to type into PuTTY, or by lending a hand to get ASDM working again (with the GUI I would certainly manage)?

Thanks to all who respond

hello

David

9 Replies

ajay chauhan
Level 7

Hi David,

What type of VPN is configured on the ASA box?

What version of the OS is running on the ASA?

Better to post the full configuration here along with the requirement; someone can surely tell you the configuration changes you can use.

Thanks

Ajay

Here is the configuration:

I blacked out the references to the customer name and the passwords. In this configuration, enabling the HTTP server for a single IP on the internal LAN is missing.

I cannot connect over HTTP, but it is fine with me even if you just give me the string to type using PuTTY. Thanks, guys.

ASA Version 8.0(4)
!
hostname pix2fond
domain-name onsitesrl.local
enable password ----- encrypted
passwd ----- encrypted
names
!
interface Vlan1
 description Interfaccia INSIDE
 nameif inside
 security-level 100
 ip address 10.51.63.161 255.255.255.192
!
interface Vlan2
 description Interfaccia OUTSIDE
 nameif outside
 security-level 0
 ip address 172.16.13.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name onsitesrl.local
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list 101 extended permit ip 10.51.63.128 255.255.255.192 192.168.2.0 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ip-** 192.168.2.1-192.168.2.5
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.13.2 1
route inside 10.0.0.0 255.0.0.0 10.51.63.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
crypto ipsec transform-set TRANSFVPNmd5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MAPDYN 10 set transform-set TRANSFVPNmd5
crypto dynamic-map MAPDYN 10 set security-association lifetime seconds 28800
crypto dynamic-map MAPDYN 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set TRANSFVPNmd5
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto map CRYPTOSITE 10 ipsec-isakmp dynamic MAPDYN
crypto map CRYPTOSITE 65535 ipsec-isakmp dynamic dyn1
crypto map CRYPTOSITE interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ** internal
group-policy ** attributes
 dns-server value 213.92.5.54
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username onsite password ------- encrypted
username ** password ------- encrypted
tunnel-group ** type remote-access
tunnel-group ** general-attributes
 address-pool ip-**
 default-group-policy **
tunnel-group ** ipsec-attributes
 pre-shared-key *
tunnel-group ----- type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5677ed1769676398cbb25a79027cda22
: end

Hello Davide,

From what I can understand, you want to be able to access the ASA from the internal network using the GUI (ASDM).

For that you will need:

1- Have the HTTP server running on the ASA

2- Have an ASDM image on the flash of your ASA (you can get one from cisco.com)

3- Set the ASDM image so the users can connect to the ASA

4- Decide in the HTTP server configuration who can access the ASA using HTTPS

So:

1- http server enable

2- In the output of show flash you should see an ASDM image

3- Set the ASDM image on your ASA (asdm image flash:xxxxxx.img)

4- http 0 0 inside (anyone can access the HTTP service on the inside LAN; you can be as restrictive as you want)

If this does not fix it, provide me the following:

sh run http

sh run asdm

sh flash

sh version

sh run aaa

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,
I will send you on Monday the results of the commands you mentioned, because I have already done all the steps you listed. The ASDM image is set, but in my opinion it cannot find the file in flash, and so it must be re-uploaded. But since I do not know, I stopped and asked you for info before causing damage.
thanks.
hello
David

Hello,

Sure just let me know!

Please rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The ASDM image in general would be a .bin file as Julio has directed.


The ASDM image is there but not loaded, in my opinion. However, as an alternative, it would be enough for me if you helped me write the commands with PuTTY...

The asdm version set in the config is 5.2.3

asdm image disk0:/asdm-523.bin

The software version you are running is 8.0.4, which only supports version 6.0.x or higher. ASDM 5.2.3 will not work.

So upgrade your asdm image to the latest which is 6.4.7 via TFTP

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask2

change that in the config by the command:

asdm image flash:/asdm-647.bin

enable the http server

http server enable

Also allow the subnet that is permitted to access ASDM, with the command:

http x.x.x.x y.y.y.y  (x.x.x.x is the network and y.y.y.y is the subnet mask)

None of this is done in your config. Once you do this you should be all set without any issues.

I hope you will not have any questions after this.
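The steps in the replies above (enable the HTTP server, allow a subnet, point asdm image at an image the running ASA version actually supports) and the port-opening question from the original post can both be checked and generated mechanically. The script below is an added example for this thread, not code from the thread or from Cisco. It reads a running-config in the 8.0 format posted above (a trimmed copy of that config is embedded as constructed sample input), reports what is missing, emits the 8.0-syntax commands that fix it, and produces the pre-8.3 static/access-list pair for exposing an internal host on one port through the outside address. Assumptions: the minimum ASDM version (6.0 for ASA 8.0) and the image name asdm-647.bin are taken from the reply above; 203.0.113.10 (an outside management address) and 10.51.63.170 (an internal host) are hypothetical placeholders; the SSH checks are an extra caveat, included because the posted config contains ssh 0.0.0.0 0.0.0.0 outside, which admits SSH from the whole internet.

```python
"""Audit an ASA 8.0 config for the ASDM-access problems in this thread; emit the 8.0-syntax fix. Added example."""
import ipaddress
import re

# Constructed sample: the lines of the posted ASA 8.0(4) config that these checks read.
SAMPLE_CONFIG = """\
ASA Version 8.0(4)
interface Vlan1
 nameif inside
 ip address 10.51.63.161 255.255.255.192
interface Vlan2
 nameif outside
 ip address 172.16.13.2 255.255.255.0
asdm image disk0:/asdm-523.bin
access-group outside in interface outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""
# Assumption taken from the reply in this thread: ASA 8.0 needs ASDM 6.0 or newer.
MIN_ASDM_FOR_ASA_8 = (6, 0, 0)

def asa_version(cfg):
    """'ASA Version 8.0(4)' -> (8, 0, 4); None if the line is absent."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", cfg, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def asdm_version(cfg):
    """asdm-523.bin -> (5, 2, 3); asdm-7131.bin -> (7, 13, 1); None if no image is set."""
    m = re.search(r"^asdm image \S+/asdm-(\d{3,4})\.bin", cfg, re.M)
    return (int(m[1][0]), int(m[1][1:-1]), int(m[1][-1])) if m else None

def asdm_too_old(cfg):
    asa, asdm = asa_version(cfg), asdm_version(cfg)
    return bool(asa and asa[0] == 8 and asdm and asdm < MIN_ASDM_FOR_ASA_8)

def interface_addresses(cfg):
    """nameif -> IPv4Interface; tolerates the lost indentation of the posted config."""
    addrs, name = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name and len(line.split()) == 4:
            _, _, ip, mask = line.split()
            addrs[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return addrs

def http_access(cfg):
    """(HTTP server enabled?, [(network, mask, interface), ...] from 'http' lines)."""
    enabled = re.search(r"^http server enable$", cfg, re.M) is not None
    return enabled, re.findall(r"^http (\S+) (\S+) (\S+)$", cfg, re.M)

def ssh_from_anywhere(cfg):
    """Interfaces where 'ssh 0.0.0.0 0.0.0.0 <ifc>' admits SSH from any source address."""
    return re.findall(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", cfg, re.M)

def audit(cfg):
    """Findings as strings; an empty list means ASDM access should work."""
    findings = []
    if asdm_too_old(cfg):
        findings.append(f"asdm image {asdm_version(cfg)} is too old for ASA {asa_version(cfg)}")
    enabled, rules = http_access(cfg)
    if not enabled:
        findings.append("http server not enabled")
    if not rules:
        findings.append("no 'http <net> <mask> <ifc>' line: nobody may reach ASDM")
    for ifc in ssh_from_anywhere(cfg):
        findings.append(f"ssh permitted from any address on interface {ifc}")
    return findings

def remediation(cfg, outside_admin="203.0.113.10", asdm_file="asdm-647.bin"):
    """(commands, notes). outside_admin is a hypothetical management address, asdm_file the
    image the thread recommends; SSH-from-anywhere on 'inside' is deliberately kept (LAN mgmt)."""
    cmds, notes = [], []
    inside = interface_addresses(cfg)["inside"].network
    if asdm_too_old(cfg):
        notes.append(f"upload {asdm_file} to disk0: (copy tftp: disk0:) before applying")
        cmds.append(f"asdm image disk0:/{asdm_file}")
    enabled, rules = http_access(cfg)
    if not enabled:
        cmds.append("http server enable")
    if not rules:  # allow the whole inside subnet; narrow to a host mask if preferred
        cmds.append(f"http {inside.network_address} {inside.netmask} inside")
    for ifc in ssh_from_anywhere(cfg):
        if ifc != "inside":
            cmds += [f"no ssh 0.0.0.0 0.0.0.0 {ifc}", f"ssh {outside_admin} 255.255.255.255 {ifc}"]
    return cmds, notes

def port_forward(cfg, inside_host, port, proto="tcp"):
    """Pre-8.3 static PAT exposing inside_host:port on the outside interface address. Pre-8.3
    ACLs match the translated address, so the permit names that IP; ACL name from access-group."""
    outside_ip = interface_addresses(cfg)["outside"].ip
    acl = re.search(r"^access-group (\S+) in interface outside$", cfg, re.M)[1]
    cmds = [f"static (inside,outside) {proto} interface {port} {inside_host} {port} netmask 255.255.255.255",
            f"access-list {acl} extended permit {proto} any host {outside_ip} eq {port}"]
    notes = ([f"{outside_ip} is private: the device holding the public IP must forward {proto}/{port} here too"]
             if outside_ip.is_private else [])
    return cmds, notes
```

Calling audit(SAMPLE_CONFIG) lists the three ASDM problems (old image, server disabled, no http line) plus the two ssh-from-anywhere lines, and remediation(SAMPLE_CONFIG) returns the lines to paste into PuTTY in configure mode. Two caveats: the NAT output applies to 8.0 through 8.2 only, since from 8.3 on the static command and global/nat pairs were replaced by object NAT and interface ACLs match the real (untranslated) address; and this ASA's outside address is 172.16.13.2, a private address, so whichever device actually holds the public IP has to forward the port to the ASA as well, which the script flags in its notes.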

I cannot download the ASDM update file because I am not a reseller and I have no Cisco certification. I did not sell the firewall to the customer; I found it there. Can nobody pass me the updated version of ASDM?
