cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

7840
Views
0
Helpful
7
Replies
VincentLong
Beginner

Unable to access ASA 5520 using HTTP/HTTPS

I was unable to access my ASA 5520 using HTTP/HTTPS even on the management interface. I had upgrade the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin. But, the issue still the same.

My browser show the error message as attach image.

PGA-Firewall-02# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname PGA-Firewall-02
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif public
security-level 0
ip address 192.168.50.6 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.0.6 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
shutdown
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.80.1 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup public
dns server-group DefaultDNS
name-server 202.188.0.133
name-server 202.188.1.5
name-server 165.21.83.88
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network my-inside-net
subnet 172.16.0.0 255.255.0.0
access-list LAN_access_in extended permit ip any any
pager lines 24
mtu public 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
!
object network my-inside-net
nat (inside,public) dynamic interface
access-group LAN_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 7070
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.80.10-192.168.80.254 management
dhcpd dns 8.8.8.8 202.188.0.133 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password 4PtuJu0EMPs1UXfw encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1eb096b24a9262fd9997b574eb0bc58a
: end
PGA-Firewall-02#

7 REPLIES 7
Herbert Baerten
Cisco Employee

Hi Vincent,

Most commonly this is because the ASA does not have a 3DES/AES license , please check "show version | incl 3DES".

If this says "disabled" then go to http://www.cisco.com/go/license to request a license (should be free of charge, but can only be requested if you are not in any country to which the US has export restrictions).

hth

Herbert

Hi,

After i apply the license i get from Cisco and it still don't work. i had attached the sh run and sh tech for both units. Please kindly advice.

VincentLong
Beginner

Anyone facing the same issue as mine? Anyone know about the root cause of this issue?

Vincent

Perhaps there is something more complicated involved here that I have not yet recognized. But I see some fairly simple things that may explain your difficulty.

First let us look at what is allowed to use the HTTP access:

http 0.0.0.0 0.0.0.0 management

This says that any source address is permitted to access the management address. And the management address is

192.168.80.1. But in the examples of the error messages that were in your post they were not attempting to access 192.168.80.1.

So my first suggestion is to ask what happens if you attempt HTTP/STTPS to 192.168.80.1 rather than to some other address in that subnet.

My second suggestion is to ask where you are attempting HTTP/HTTPS access from? Does your source have network connectivity to 192.168.80.1 connecting on the management interface (not on the inside interface)?

My third suggestion would be to suggest that you enable HTTP/HTTPS access to the Inside interface address from source addresses of the inside network.

http 172.16.0.0 255.255.0.0 inside

Give these a try and let us know what happens.

HTH

Rick

HTH

Rick

Hi,

The print screen i attached was when i access to the management interface of Firewall-02 which it management interface IP address is 192.168.80.2. I had tried to access to both firewall 1 and firewall-2 management interface after applied the ASA 3DES license key which i get from Cisco. The result was the same. I don't know whether is my configuration issue or other unknown issue.

I had attached the diagram of the network  which shown how the connection of firewall. Meanwhile i also hope that someone can teach me on how to configure HA using command line as at the moment i can't the ASDM. I had search on Cisco website and they mention about context. I got few question for that as below:

1. What is it about?

2. Why we need to create 2 context in 1 firewall?

Many thanks in advance.

Hi Vincent,

The issue is not that complex, and is frequently encountered.

Please refer to this document I wrote on troubleshooting ASDM access, as you are facing the exact same issue.

https://supportforums.cisco.com/docs/DOC-15016#Weak_Encryption

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks

Hi Shrikant Sundaresh,

I will try the recommendation solution in your post and will update you whether it work or not as the firewall is install at project side far from my current location. I will only go there again in 2 week time. Anyway, many thanks in advance.

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad