
Problem accessing ASDM GUI: 401 Unauthorized

maior.biz
Level 1

Hi,

I have a problem logging in to my ASDM console on my ASA 5510.

When I reach the HTTP server via http 192.168.1.1, I receive this message:

401 Unauthorized

Can you help me?

ASA version 913-k8

ASDM version 714

See my config, please:

: Saved
:
ASA Version 9.1(3)
!
hostname FIREWALLP01
domain-name ZZZZ.local
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
name 192.YYY.YYY.2 SERVERP02
name 192.YYY.YYY.3 SERVERP03
name 192.168.92.4 SERVERP04
name XX.XXX.183.91 Pubblica_HTTP
name XX.XXX.183.88 Pubblica_SIADSL-network
name XX.XXX.183.92 Pubblica_VOIP
name XX.XXX.183.89 ROUTERP01
name XX.XXX.183.90 Pubblica_FTP
name 95.KK.KKK.KKK SRVPIN1
ip local pool VPN_pool 192.YYY.YYY.120-192.YYY.YYY.129 mask 255.255.255.0
!
interface Ethernet0/0
nameif Pubblica_SIADSL
security-level 0
ip address XX.XXX.183.94 255.255.255.248
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.YYY.YYY.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 98
ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa913-k8.bin
ftp mode passive
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server SERVERP02
domain-name ZZZZ.local
object network obj-192.YYY.YYY.0
subnet 192.YYY.YYY.0 255.255.255.0
object network SERVERP02
host 192.YYY.YYY.2
object network Pubblica_FTP
host XX.XXX.183.90
object network SERVERP03
host 192.YYY.YYY.3
object network Pubblica_VOIP
host XX.XXX.183.92
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network SERVERP04
host 192.168.92.4
object network Pubblica_HTTP
host XX.XXX.183.91
object network SRVPIN1
host 95.KK.KKK.KKK
description Created during name migration
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rtp udp
port-object range 9000 9049
port-object eq 10000
access-list LAN_nat0_outbound extended permit ip any4 192.YYY.YYY.0 255.255.255.0
access-list Pubblica_SIADSL_access_in extended permit tcp any4 object SERVERP04 eq ssh
access-list Pubblica_SIADSL_access_in extended permit udp any4 object SERVERP03 object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any4 object SERVERP03 eq sip
access-list Pubblica_SIADSL_access_in extended permit tcp any4 object SERVERP04 eq www
access-list Pubblica_SIADSL_access_in extended permit tcp object SRVPIN1 object SERVERP02 eq ftp inactive
pager lines 24
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (LAN,any) source static any any destination static obj-192.YYY.YYY.0 obj-192.YYY.YYY.0 no-proxy-arp route-lookup
!
object network SERVERP02
nat (LAN,Pubblica_SIADSL) static Pubblica_FTP service tcp ftp ftp
object network SERVERP03
nat (LAN,Pubblica_SIADSL) static Pubblica_VOIP
object network obj_any
nat (LAN,Pubblica_SIADSL) dynamic interface
object network obj_any-01
nat (LAN,DMZ) dynamic interface
object network SERVERP04
nat (DMZ,Pubblica_SIADSL) static Pubblica_HTTP
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
  url-list value Link
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
ldap-base-dn DC=PPPP,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=Users,DC=PPPP,DC=local
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto ca trustpool policy
crypto ikev1 enable Pubblica_SIADSL
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Pubblica_SIADSL
enable LAN
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.YYY.YYY.2
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value ZZZZ.local
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_pool
authentication-server-group SERVERP02
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SERVERP02
default-group-policy DefaultRAGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:****
: end
7 Replies

jumora
Level 7

What is the source IP address from where you are trying to access the ASA over ASDM?

Value our effort and rate the assistance!


enable

config t

no http authentication-certificate management

Also get me a show version and a show run all ssl

Value our effort and rate the assistance!


Updated my ASA from 9.1.2 to 9.4.1 - and I ran into this same issue. That no http auth-cert mgmt helped. Thank you.

Thanks for the quick tip, I ran into a similar issue and was able to fix following your guide. 

 

Appreciated!

Thanks for your help!!!

OK,

now it works, but I have a login failure when I try to log in with

enable_15

and my enable password


OK, log in through the CLI and configure the following:

enable

config t

username admin password admin123 pri 15

aaa authentication http console LOCAL

You can create the username I mention or whatever username you want; just set the privilege to 15.

Value our effort and rate the assistance!
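
Added example, not part of the original thread and not Cisco tooling: a small Python check that reads a saved ASA configuration and flags the ASDM access conditions this thread worked through (permitted source network, `http authentication-certificate`, `aaa authentication http console`, a privilege 15 local user). The function name, the finding codes and the excerpt are constructed for illustration, and it assumes the saved configuration spells out `privilege 15` on the username line.

```python
import ipaddress
import re

# Constructed excerpt: the ASDM-related lines of the configuration posted above
# (password hash replaced with a placeholder).
SAMPLE_CONFIG = """\
username test password *** encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
"""

FINDINGS = {  # hypothetical finding codes, named for this example only
    "http-disabled": "'http server enable' is missing",
    "source-not-permitted": "client IP is outside every 'http <net> <mask> <if>' entry",
    "client-cert-required": "'http authentication-certificate' demands a client certificate",
    "no-http-aaa": "no 'aaa authentication http console' method is configured",
    "no-priv15-user": "no local username carries privilege 15",
}

def audit_asdm_access(config, source_ip, interface):
    """Return finding codes for ASDM (HTTPS) access from source_ip on interface."""
    lines = [line.strip() for line in config.splitlines()]
    found = []
    if "http server enable" not in lines:
        found.append("http-disabled")
    # 'http <network> <mask> <interface>' entries list the permitted client networks.
    entry = re.compile(rf"http (\d+(?:\.\d+){{3}}) (\d+(?:\.\d+){{3}}) {re.escape(interface)}")
    nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            for line in lines if (m := entry.fullmatch(line))]
    if not any(ipaddress.ip_address(source_ip) in net for net in nets):
        found.append("source-not-permitted")
    if f"http authentication-certificate {interface}" in lines:
        found.append("client-cert-required")
    if not any(line.startswith("aaa authentication http console ") for line in lines):
        found.append("no-http-aaa")
    # Assumption: the saved configuration spells out 'privilege 15' on the username line.
    if not any(re.match(r"username \S+ .*\bprivilege 15\b", line) for line in lines):
        found.append("no-priv15-user")
    return found

if __name__ == "__main__":
    for code in audit_asdm_access(SAMPLE_CONFIG, "192.168.1.10", "management"):
        print(f"{code}: {FINDINGS[code]}")
```

Run against the excerpt, it reports the certificate requirement, the missing HTTP authentication method and the missing privilege 15 user; after both replies' changes are applied it reports nothing.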
