Solved: Unable to launch ASDM over WAN - Cisco ASA 5505

Hridin C · ‎01-10-2013

Remote LAN pool is configured as inside. Route is proper. I am able to open 443 port from the remote LAN pool on the ASA. That means, the port is open from the remote pool. No response if I try https on the browser.

Thank you,

varrao · ‎01-10-2013

No, you would not be able to access or ping the remote interface on the ASA, you would only be able to access the interface to which the remote pool is connected to. If you would like to do this, then you would need to create a VPN tunnel between the remote pool and the ASA. By design this would not be possible.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

View solution in original post

Kureli Sankar · ‎01-10-2013

Pls. run through the check list that I have listed in this document.

https://supportforums.cisco.com/docs/DOC-13012#Unable_to_asdm

-Kureli

View solution in original post

varrao · ‎01-10-2013

If you are trying to access it over the VPN, can you add the command "management-access inside' and then try doing.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Hridin C · ‎01-10-2013

Varun,

Thanks for reply.

Not from VPN. Connected via Point to Point link. I have entered this command already. But no luck. ASDM can be launched from Local LAN Pool without any issues. Same config is done for the remote lan pool + the routing.

Anything else needs to be done?

Thank you,

varrao · ‎01-10-2013

Which interface are you trying to access on the ASA from the remote lan pool.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Hridin C · ‎01-10-2013

Inside LAN Interface. Secuity Level 100. Even the remote pool is configured as inside for http access.

Thank you,

varrao · ‎01-10-2013

No, you would not be able to access or ping the remote interface on the ASA, you would only be able to access the interface to which the remote pool is connected to. If you would like to do this, then you would need to create a VPN tunnel between the remote pool and the ASA. By design this would not be possible.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

Hridin C · ‎01-10-2013

OK, If so how am able to login via SSH? or is it only for ASDM?

Thanks,

Kureli Sankar · ‎01-10-2013

Pls. run through the check list that I have listed in this document.

https://supportforums.cisco.com/docs/DOC-13012#Unable_to_asdm

-Kureli

Hridin C · ‎01-10-2013

Hi

Great Document! Thank you!

I ran the packet caputure. Did a telnet on port 443 from remote lan ip to ASA. I could see the remote lan ip communicating on port 443 of ASA. Then why the ASDM is not opening. I think, ASDM works over https, right?

Or as Varun said above, its not possible because of the design? SSH is working fine from remote lan pool.

Appreciate your responses.

Thank you

Johan.Broer · ‎01-10-2013

Do you have the following line in the config:

http outside

or

ssh outside

for ssh sessions.

assuming the rsa keys are generated

Hridin C · ‎01-10-2013

Thank you all for your inputs. Kureli's document is very informative.

For some reason, IE was unable lauch the ASDM. Just to try my luck, when I tried Chrome, it suddenly downloaded the DM launcher and opened the ASA in ASDM. Still, when I try https in IE, it fails to launch the ASDM, but in chrome it works!

Now its working.

Thank you all.

Kureli Sankar · ‎01-11-2013

Thank you. I am glad another browser worked for you. Some times, companies enforce group policies that may make changes to IE settings that might cause problems loading ASDM. Based on your input I have added to try a diff. browser as a check list item in my document. Thanks again for your feed back.

https://supportforums.cisco.com/docs/DOC-13012#try_another_browser

-Kureli