09-30-2015 09:35 PM - edited 03-11-2019 11:40 PM
Hi there,
We have an ASA 5505 firewall installed and it is connected to our ESXi server. The people who set it up only gave access via our server.
What we want is to be able to access the ASDM via the internet so we can configure our firewall, as we do not know Cisco commands for opening ports. We have tried but cannot get access.
Can someone please provide the commands, as we just want access via any IP over the internet temporarily until we can configure it via the GUI.
ciscoasa(config)# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8asdasdasdencrypted
passwdasdasdasd encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 216.245.198.78 255.255.255.248
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit udp any any eq 443
access-list inside_access_out extended permit tcp any any eq https
pager lines 24
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 216.245.198.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 74.63.208.0 255.255.255.0 outside
http 74.63.205.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 74.63.208.0 255.255.255.0 outside
ssh 74.63.205.0 255.255.255.0 outside
ssh 216.245.198.72 255.255.255.248 outside
ssh timeout 5
console timeout 0
Thanks
10-01-2015 06:14 AM
Hi,
You may want to edit/scrub any public IPs for security reasons.
You're missing a few lines. Add the lines below and try again:
access-group outside_access_in in
username <USER> password <PW> privilege 15
aaa authentication http console LOCAL
10-01-2015 08:57 PM
Can I just add your lines to the bottom of the config?
I remember I used to just copy and paste complete configs to the command line.
As I asked Marvin, what is the complete command to open the port for ASDM access via the internet, and the image file he is talking about?
10-01-2015 07:44 AM
You don't enable ASDM access using an access-list.
You enable it for the outside interface using the "http <source address> <source netmask> outside" command. You have a couple of subnets already in there.
You also need to specify the ASDM image: "asdm image disk0:/asdm-751.bin" (or whatever version number you have already on disk0).
10-01-2015 08:26 PM
Thank you for the response Marvin.
So I just type your command http <source address> <source netmask> outside
and that is all I need to access from any IP over the internet?
Also, how would I specify the ASDM image?
10-01-2015 08:37 PM
The command in quotes in my last paragraph earlier is the command to specify the asdm image.
I used the latest version as an example. If you type 'dir' on the command line you can see what asdm<Version number>.bin file you have available.
10-01-2015 08:42 PM
So if I wanted to access the ASDM interface over the internet from any address to port 443 I would enter
http any any outside, as I need to open port 443 to access the ASDM?
10-01-2015 09:30 PM
http 0.0.0.0 0.0.0.0 outside
That is the command to allow ASDM access from any outside address. Enter it from configuration mode and save afterwards. The ASA configuration parser will take care of putting it in the right place in the running and startup configuration files.
The command says "http" even though the transport is really https. There is no need for any port specification, access-list entry, etc.
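Added example (not part of the original thread and not Cisco tooling): a short Python audit that reads a saved running-config, collects the `http`/`ssh`/`telnet` management allow rules the answer describes, and flags any on a security-level 0 interface that admit more than a /24, which is useful for confirming a temporary `http 0.0.0.0 0.0.0.0 outside` entry was removed later. The sample config is constructed with documentation addresses; the function names and the 256-address threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of the config above (documentation addresses).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif outside
 security-level 0
access-list outside_access_in extended permit tcp any any eq https
http server enable
http 198.51.100.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.72 255.255.255.248 outside
ssh timeout 5
"""

# "http <addr> <mask> <nameif>" and the ssh/telnet equivalents; access-list
# lines are ignored because they do not control management access to the ASA.
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
LEVEL_RE = re.compile(r"^security-level\s+(\d+)$")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)$")


def parse_mgmt_access(config):
    """Return (security level by nameif, list of (service, network, nameif))."""
    levels, rules, nameif = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate dumps that lost their indentation
        if line.startswith("interface "):
            nameif = None
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := LEVEL_RE.match(line)) and nameif:
            levels[nameif] = int(m.group(1))
        elif m := MGMT_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            rules.append((m.group(1), net, m.group(4)))
    return levels, rules


def audit(config, max_hosts=256):
    """List management rules on security-level 0 interfaces wider than max_hosts."""
    levels, rules = parse_mgmt_access(config)
    return [f"{svc} {net} on {ifc}" for svc, net, ifc in rules
            if levels.get(ifc) == 0 and net.num_addresses > max_hosts]


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
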
10-01-2015 09:34 PM
And the ASDM image?
http 0.0.0.0 0.0.0.0 outside
That is the entry for opening the firewall, but how about specifying the ASDM image?
10-01-2015 09:45 PM
As I mentioned earlier and reiterated earlier, the command is:
asdm image disk0:/asdm-751.bin
(or whatever version number you have already on disk0).
The filename is the ASDM bin file that is on your ASA's internal compact flash card (= disk0).
It will vary from ASA to ASA depending on what ASDM version is installed. So without seeing your ASA's disk0 directory, I can only tell you so much.
10-01-2015 09:51 PM
Thank you Marvin. I will give it a go now to see if it works. I'll let you know.
10-01-2015 09:59 PM
Marvin, you are a legend!!
I ran the command that you specified, then ran the asdm command. My version was 524.
Thanks so much for your assistance!!