Unable to access ADSM TCP access denied by ACL

woodjl1650
Level 1

I am trying to access ASDM for the first time and when I type in the address, 192.168.1.1/admin, the ASA reads back:

%ASA-3-710003: TCP access denied by ACL from 192.168.1.3/54975 to inside 192.168.1.1/80.

Any idea on how to solve this?  Thanks.


Protocol  Socket    Local Address               Foreign Address         State
SSL       00029c5f  192.168.1.1:443             0.0.0.0:*               LISTEN
TCP       0007c40f  192.168.1.1:22              0.0.0.0:*               LISTEN
SSL       0008693f  174.56.139.62:443           0.0.0.0:*               LISTEN
DTLS      000aeb3f  174.56.139.62:443           0.0.0.0:*               LISTEN
TCP       000cb8af  174.56.139.62:22            0.0.0.0:*               LISTEN

Also I noticed this while booting:

WARNING: BOOT variable added, but not a valid image disk0:/asdm-633.bin
*** Output from config line 39, "boot system disk0:/asdm-..."
WARNING: BOOT variable added, but unable to find disk0:/asa832-k8.bin
*** Output from config line 40, "boot system disk0:/asa83..."
.WARNING: This command will not take effect until interface '

That is the problem. You don't seem to have a valid asdm image in the flash.

dir flash:

Make sure the file is in the flash, then remove the line you have and add the correct file name.

conf t

no asdm image disk0:/asdm-633.bin

asdm image flash:/

Once done, issue a "sh ver" and make sure the asdm image version shows up, then try to access asdm at https://192.168.1.1

If you do not have the asdm image in the flash, then you have to tftp it to the firewall. The command is "copy tftp flash:"

ASDM image can be downloaded here: http://tools.cisco.com/squish/a5338C

You can download asdm-625-53.bin, which will match the ASA code 8.2.3 that you are running on this ASA.

You can remove both these lines from the config:

conf t

no boot system disk0:/asdm-633.bin
no boot system disk0:/asa832-k8.bin

-KS

Still have this warning coming up:

.WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 83, "ssh 0.0.0.0 0.0.0.0 outs...

Updated the asdm image, but still no luck with being able to load it via the web browser.

Current config is as follows:

ASA Version 8.2(3)
!
hostname ciscoasa
domain-name 68.87.68.166
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa823-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
domain-name 68.87.68.166
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit tcp any any eq www
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.68.166 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns prsent_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7429abb7acb541d726574752e84f753d
: end

That warning is ok. It is because you do not have an IP address assigned to the outside interface.

Remove this line pls.

conf t

boot config disk0:/asa823.bin

Also, I still do not see a "asdm image" line in the config.

Does "sh ver" show asdm loaded at all?

Is there a valid asdm file in the flash for the 8.2.3 code you are running?

Did you download asdm from the link that I mentioned?

Once you are done with everything that I mentioned, post the output of the following:

sh run boot

sh run asdm

sh ver

sh run http

sh asp table socket

sh ip

sh nameif

Let me know.

-KS

What is the correct way load the asdm?

I believe I used:

asdm image disk0:/asdm-625.bin

That syntax is correct provided when you do a "dir flash:" you do really see that file asdm-625.bin in flash.

-KS

Hi Jonathan,

Please check the documentation in this regard:

http://www.cisco.com/en/US/products/ps6121/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/start.html

Reading it would help you a lot, and you can also discuss further any issues you are facing in this regard.

I am worried about your ASDM not working after a lot of effort, but I believe it would definitely be a good experience for you if this is your first time with ASA/ASDM.

Keep up your hard work and you will be very good in all this soon.

Also get in touch with us.

HTH

Sachin Garg

Message was edited by: sachinga.hcl

Jonathan, to help my investigation please test the following and let me know

a) Remove the command "http server enable" and then retype it. Do you get the error message "Could not start Admin error"?

b) If you configure "http server enable port 8080", are you able to access ASDM on 8080, like https://x.x.x.x:8080?

Send me the above results and I may be able to help.

--regards

Stupid question, how do I do this?

Remove this line pls.

conf t

boot config disk0:/asa823.bin

dir flash gives me = Error opening disk0:/flash (No such file or directory)

sh run boot
boot system disk0:/asa823-k8.bin
boot config disk0:/asa823.bin

ciscoasa(config)# sh run asdm
asdm image disk0:/asdm-625.bin
no asdm history enable

ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.2(5)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "disk0:/asa823.bin"

ciscoasa up 11 hours 54 mins

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Int: Internal-Data0/0    : address is 0023.5ec2.63a8, irq 11
1: Ext: Ethernet0/0         : address is 0023.5ec2.63a0, irq 255
2: Ext: Ethernet0/1         : address is 0023.5ec2.63a1, irq 255
3: Ext: Ethernet0/2         : address is 0023.5ec2.63a2, irq 255
4: Ext: Ethernet0/3         : address is 0023.5ec2.63a3, irq 255
5: Ext: Ethernet0/4         : address is 0023.5ec2.63a4, irq 255
6: Ext: Ethernet0/5         : address is 0023.5ec2.63a5, irq 255
7: Ext: Ethernet0/6         : address is 0023.5ec2.63a6, irq 255
8: Ext: Ethernet0/7         : address is 0023.5ec2.63a7, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1248Z1DW
Running Activation Key: 0xc701ee79 0x64f122fd 0x54a0f944 0xa900cca0 0x840e1d80
Configuration register is 0x1
Configuration last modified by enable_15 at 17:53:57.929 UTC Sun Jan 6 2008

ciscoasa(config)# sh asp table socket

Protocol  Socket    Local Address               Foreign Address         State
TCP       00078f6f  192.168.1.1:22              0.0.0.0:*               LISTEN
SSL       0009411f  174.56.139.62:443           0.0.0.0:*               LISTEN
DTLS      000b159f  174.56.139.62:443           0.0.0.0:*               LISTEN
TCP       000c038f  174.56.139.62:22            0.0.0.0:*               LISTEN
SSL       041b995f  192.168.1.1:443             0.0.0.0:*               LISTEN

ciscoasa(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                174.56.139.62   255.255.248.0   DHCP
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG
Vlan2                    outside                174.56.139.62   255.255.248.0   DHCP

ciscoasa(config)# show nameif
Interface                Name                     Security
Vlan1                    inside                   100
Vlan2                    outside                    0

Everything looks good.

Sorry I missed a "no" in front of the line.

conf t

no boot config disk0:/asa823.bin

This should work without any problem. Have them try another computer/laptop and/or another browser.

Watch the logs again. You can also collect captures.

cap capin int inside match tcp any ho 192.168.1.1 eq 443

Try to access asdm and issue "sh cap capin" and post the output.

Tell us exactly what happens when you issue https://192.168.1.1 on the browser.

-KS
