I have a Firepower2120 utilizing ASA 9.14.2 on a test bench currently connected to a single Management terminal via the Management port.
I am able to access the CLI of the device and ASDM when in the default routed mode. Upon configuring for Transparent mode the config is dropped as expected. After reconfiguring the Management Port and SSH username/password I am able to reach the device via Console and am able to ping it on the Management Port but am unable to authenticate via SSH or ASDM.
What would the next logical step be for this? I've verified the interface, and reconfigured the authentication / Keys already.
Solved! Go to Solution.
I'm connected to the Console Port and the Management port currently. I am attempting to connect via the default management IP of 192.168.45.1 (I reconfigured the Port back to the Default IP to help isolate the issue).
My bad misunderstood what you were asking for. I'll post it here, just need a min to reconfig it since I have Org info in there currently. Was trying to import the known good config.
"http 192.168.45.0 255.255.255.0 management"
is in there. My Interface looks like this:
ip address 192.168.45.1 255.255.255.0
There is concern on
but I am unable to change it and researching it shows that it is correctly configured anyways.
If you have configured SSH and http/S config you should be able to get in (with that information it hard to say what is wrong) - if you get a chance post show run (full config)
or watch this video :
Attached is the Config I am currently working on after wiping my previous one. Since taking this Snapshot I've turned on ASDM history and pointed the Firewall towards the ASDM.Bin file as per step 3 of your link. I'm still watching the video but this is where I am at currently.
: ASA Version 9.14(2)13 ! firewall transparent hostname Baseconfig domain-name testing.test enable password ***** pbkdf2 service-module 0 keepalive-timeout 4 service-module 0 keepalive-counter 6 names no mac-address auto ! interface Ethernet1/1 shutdown no nameif no security-level ! interface Ethernet1/2 shutdown no nameif no security-level ! interface Ethernet1/3 shutdown no nameif no security-level ! interface Ethernet1/4 shutdown no nameif no security-level ! interface Ethernet1/5 shutdown no nameif no security-level ! interface Ethernet1/6 shutdown no nameif no security-level ! interface Ethernet1/7 shutdown no nameif no security-level ! interface Ethernet1/8 shutdown no nameif no security-level ! interface Ethernet1/9 shutdown no nameif no security-level ! interface Ethernet1/10 shutdown no nameif no security-level ! interface Ethernet1/11 shutdown no nameif no security-level ! interface Ethernet1/12 shutdown no nameif no security-level ! interface Ethernet1/13 shutdown no nameif no security-level ! interface Ethernet1/14 shutdown no nameif no security-level ! interface Ethernet1/15 shutdown no nameif no security-level ! interface Ethernet1/16 shutdown no nameif no security-level ! interface Management1/1 no management-only nameif Management security-level 100 ip address 192.168.45.1 255.255.255.0 ! ftp mode passive dns server-group DefaultDNS domain-name testing.test pager lines 24 mtu Management 1500 no failover no failover wait-disable no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 32768 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication enable console LOCAL aaa authentication login-history http server enable http 192.168.45.0 255.255.255.0 Management no snmp-server location no snmp-server contact crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpool policy crypto ca certificate chain _SmartCallHome_ServerCA certificate ca 0509 ****** quit telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh version 2 ssh key-exchange group dh-group14-sha256 ssh 192.168.45.0 255.255.255.0 Management console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy username admin privilege 15 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile License destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination transport-method http profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email firstname.lastname@example.org destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily app-agent heartbeat interval 6000 retry-count 10 Cryptochecksum:******** : end
As I posted in the top comment. I directed the ASA to the ASDM.Bin file after pulling that config. It did not correct the issue. Since then I have pulled the .Bin file from the known good and replaced the ASDM.Bin in my test bench and repeated. It did not correct the issue. I've been able to hit the 192.168.45.1 webpage since the start of this. I think it is an authentication issue since I can ping the port, the webpage works, and the "Unable to launch device manger from 192.168.45.1" error is immediate.
Might sound super stupid on my part. But I hadn't actually saved and rebooted the box during my configuration time. I did a quick save / restart and that seems to have cleared it up with no additional configuration changes. Balaji you were super helpful! That guide was really well put together and helped me understand it a bit better too!
Balaji you were super helpful! That guide was really well put together and helped me understand it a bit better too!
Sure and Glad all went well, you could able to move forward to set up the next goal - this is the best part of the community to help each other and share the knowledge widely what we learning.. Good stuff..!!!!