cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1257
Views
0
Helpful
11
Replies

Unable to access ASDM

I have a Firepower2120 utilizing ASA 9.14.2 on a test bench currently connected to a single Management terminal via the Management port.

I am able to access the CLI of the device and ASDM when in the default routed mode. Upon configuring for Transparent mode the config is dropped as expected. After reconfiguring the Management Port and SSH username/password I am able to reach the device via Console and am able to ping it on the Management Port but am unable to authenticate via SSH or ASDM.

 

What would the next logical step be for this? I've verified the interface, and reconfigured the authentication / Keys already. 

1 ACCEPTED SOLUTION

Accepted Solutions

high level i do not see ASDM config here : the video is for reference.

 

# show disk0:

asdm image disk0:/asdm----version.bin (not just ASDM.BIN) 

 

then try

https://192.168.45.1

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

View solution in original post

11 REPLIES 11
balaji.bandi
VIP Master

If you connected to console post the configuration ? from what IP address you trying to connect ASDM ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

I'm connected to the Console Port and the Management port currently. I am attempting to connect via the default management IP of 192.168.45.1 (I reconfigured the Port back to the Default IP to help isolate the issue).

i prefer to see the configuration - have you have this config "http 192.168.45.0 255.255.255.0 management"

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

My bad misunderstood what you were asking for. I'll post it here, just need a min to reconfig it since I have Org info in there currently. Was trying to import the known good config.

 

but yes:

"http 192.168.45.0 255.255.255.0 management"

is in there. My Interface looks like this:

interface Management1/1
no management-only
nameif management
security-level 0
ip address 192.168.45.1 255.255.255.0

There is concern on 

no management-only

but I am unable to change it and researching it shows that it is correctly configured anyways.

If you have configured SSH and http/S config you should be able to get in (with that information it hard to say what is wrong) - if you get a chance post show run (full config)

 

or watch this video :

 

https://www.networkstraining.com/cisco-asa-firewalls-for-asdm-access/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Attached is the Config I am currently working on after wiping my previous one. Since taking this Snapshot I've turned on ASDM history and pointed the Firewall towards the ASDM.Bin file as per step 3 of your link. I'm still watching the video but this is where I am at currently.

:
ASA Version 9.14(2)13
!
firewall transparent
hostname Baseconfig
domain-name testing.test
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto

!
interface Ethernet1/1
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/3
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/4
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/5
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/6
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/7
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/8
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/9
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/10
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/11
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/12
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/13
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/14
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/15
 shutdown
 no nameif
 no security-level
!
interface Ethernet1/16
 shutdown
 no nameif
 no security-level
!
interface Management1/1
 no management-only
 nameif Management
 security-level 100
 ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name testing.test
pager lines 24
mtu Management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
    ******
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.45.0 255.255.255.0 Management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 6000 retry-count 10
Cryptochecksum:********
: end

high level i do not see ASDM config here : the video is for reference.

 

# show disk0:

asdm image disk0:/asdm----version.bin (not just ASDM.BIN) 

 

then try

https://192.168.45.1

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

View solution in original post

As I posted in the top comment. I directed the ASA to the ASDM.Bin file after pulling that config. It did not correct the issue. Since then I have pulled the .Bin file from the known good and replaced the ASDM.Bin in my test bench and repeated. It did not correct the issue. I've been able to hit the 192.168.45.1 webpage since the start of this. I think it is an authentication issue since I can ping the port, the webpage works, and the "Unable to launch device manger from 192.168.45.1" error is immediate.

 

"Unable to launch device manger from 192.168.45.1"

 

https://www.youtube.com/watch?v=sap09rC-dbQ

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Fixing the error message "Unable to launch device manager from {IP}, received when trying to launch the Cisco Adaptive Security Device Manager (ASDM).

Might sound super stupid on my part. But I hadn't actually saved and rebooted the box during my configuration time. I did a quick save / restart and that seems to have cleared it up with no additional configuration changes. Balaji you were super helpful! That guide was really well put together and helped me understand it a bit better too!

 Balaji you were super helpful! That guide was really well put together and helped me understand it a bit better too!

Sure and Glad all went well, you could able to move forward to set up the next goal - this is the best part of the community to help each other and share the knowledge widely what we learning.. Good stuff..!!!!

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Create
Recognize Your Peers
Content for Community-Ad