09-06-2010 06:05 AM - edited 03-11-2019 11:35 AM
I am configuring a Cisco ASA 5505. I still have access to the firewall through my pre-installed ASDM, but if I try to web browse I get "page cannot be displayed" and the following entry in my firewall log:
6 | Sep 06 2010 | 13:57:52 | 10.0.1.77 | 53048 | 10.0.1.90 | 443 | Teardown TCP connection 498 for outsideDynamic:10.0.1.77/53048 to identity:10.0.1.90/443 duration 0:00:00 bytes 7 TCP Reset-I |
I have configured the firewall to allow management from this IP address.
HELP PLEASE
09-06-2010 06:12 AM
Is 10.0.1.77 the host where you are trying to connect from, and 10.0.1.90 the ASA interface?
Can you share the following configuration:
sh run interface
sh run http
09-06-2010 06:54 AM
outsideDynamic is the interface that I am trying to connect through.
sh run int
!
interface Vlan1
nameif outside
security-level 0
ip address 172.16.61.230 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
ospf authentication null
!
interface Vlan2
description Inside currently configured for 192.168.3.129 was 129
nameif inside
security-level 100
ip address xxx.xx.xx.xx 255.255.255.0
!
interface Vlan3
description Interface for dynamic connections
no forward interface Vlan1
nameif outsideDynamic
security-level 0
dhcp client route distance 2
ip address dhcp setroute
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
shutdown
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
shutdown
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
sh run http
http server enable
http 10.0.1.80 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 outsideDynamic
http 0.0.0.0 0.0.0.0 outsideDynamic
http 172.16.30.0 255.255.255.0 outside
http SH_Data 255.255.255.0 inside
http 62.xxx.222.0 255.255.255.240 outsideDynamic
http 172.16.30.0 255.255.255.0 outsideDynamic
http SH_Svr_RODC 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
09-06-2010 07:02 AM
Hello,
Can you please post the output of following command:
packet-tracer input outsideDynamic tcp 10.0.1.77 1024 10.0.1.90 443 detailed
Make sure that 10.0.1.90 is the IP assigned to the interface.
Regards,
NT
09-06-2010 07:07 AM
packet-tracer input outsideDynamic tcp 10.0.1.77 1024 10.0.1.90 443$
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7e38290, priority=12, domain=punt, deny=false
hits=16648, user_data=0xd86906f0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd820e518, priority=1, domain=permit, deny=false
hits=33255, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.1.90 255.255.255.255 identity
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81dfa18, priority=121, domain=permit, deny=false
hits=990, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=10.0.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
Phase: 6
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8210750, priority=0, domain=mgmt-tcp-intercept, deny=false
hits=1355, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8210d28, priority=0, domain=permit-ip-option, deny=true
hits=735, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.77 using egress ifc outsideDynamic
adjacency Active
next-hop mac address 0021.70a9.3b22 hits 0
Result:
input-interface: outsideDynamic
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
09-06-2010 07:11 AM
Hello,
It seems like the firewall is allowing port 443 traffic. Have you configured anything else on that interface (like WebVPN)? How are you trying to access ASDM? Through the ASDM application or through IE/Firefox?
Regards,
NT
09-06-2010 07:25 AM
I can access the ASDM but not https://10.0.1.90
The only other thing configured on the interface is inbound site-to-site IPsec.
09-06-2010 07:27 AM
I can even HTTPS and ASDM across my site-to-site VPN to the "inside" interface.
09-06-2010 07:30 AM
Hello,
Can you please post your entire running configuration here?
Regards,
NT
09-06-2010 07:30 AM
Hello,
So, if I understand you correctly, you are able to access ASDM through the 10.0.1.77 workstation, but you are not able to access https://10.0.1.90 via the same device. Are you running ASDM on a different port (other than 443)? Also, what browser are you using?
Regards,
NT
09-06-2010 07:58 AM
You are correct
IE 8
And it did work until I loaded my config onto it.
I have not moved the port number, that I am aware of.
09-06-2010 08:17 AM
Hello,
Can you please post your entire running configuration here? I suspect that when you loaded your entire configuration, you might have accidentally included all traffic from that interface to be encrypted.
Regards,
NT
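The following Python script is an added example and is not part of the original thread or of any Cisco tooling. It models three checks a practitioner would run on what was posted: it parses the ASA teardown syslog line from the first post into its flow fields; it evaluates the `http` statements from `sh run http` for that flow (which statement permits 10.0.1.77 on outsideDynamic, and which statements are open to any source); and it evaluates a hypothetical crypto-map ACL against the same flow to show how an over-broad "interesting traffic" entry would also claim the management connection, which is the failure mode NT suspects in the last reply. The crypto ACL entries, the 192.0.2.0/24 remote network and the function names are assumptions for illustration; the thread does not show the OP's VPN configuration, and `http` entries that use a named object (SH_Data, SH_Svr_RODC) or a redacted address (62.xxx.222.0) are left out because they cannot be resolved from the thread.

```python
"""Added example (not from the thread or Cisco): ASA teardown-log parsing,
`http` management-access evaluation, and a hypothetical crypto-ACL check.
Standard library only."""
import ipaddress
import re

# Log line exactly as posted in the thread (ASDM log viewer, pipe-separated).
LOG_LINE = (
    "6 | Sep 06 2010 | 13:57:52 | 10.0.1.77 | 53048 | 10.0.1.90 | 443 | "
    "Teardown TCP connection 498 for outsideDynamic:10.0.1.77/53048 to "
    "identity:10.0.1.90/443 duration 0:00:00 bytes 7 TCP Reset-I |"
)

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<in_ifc>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_ifc>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


def parse_teardown(line):
    """Extract the flow fields from an ASA 'Teardown TCP connection' message.
    The ASDM viewer prefixes severity/date/5-tuple columns; the message is
    the last non-empty pipe-separated field. Returns None for other events."""
    fields = [f.strip() for f in line.split("|") if f.strip()]
    m = TEARDOWN_RE.match(fields[-1])
    if not m:
        return None
    d = m.groupdict()
    for k in ("conn", "sport", "dport", "bytes"):
        d[k] = int(d[k])
    d["reason"] = (d["reason"] or "").strip()  # e.g. "TCP Reset-I"
    return d


# `http` statements from `sh run http` in the thread (resolvable ones only).
HTTP_STATEMENTS = [
    ("10.0.1.80", "255.255.255.255", "outside"),
    ("10.0.1.0", "255.255.255.0", "outsideDynamic"),
    ("0.0.0.0", "0.0.0.0", "outsideDynamic"),
    ("172.16.30.0", "255.255.255.0", "outside"),
    ("172.16.30.0", "255.255.255.0", "outsideDynamic"),
    ("0.0.0.0", "0.0.0.0", "inside"),
]


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def http_permits(statements, ingress_ifc, src_ip):
    """Every `http` statement permitting src_ip on ingress_ifc. The ASA only
    honours statements bound to the interface the management connection
    arrives on, so the same host can be allowed on one interface and not
    another."""
    src = ipaddress.ip_address(src_ip)
    return [s for s in statements if s[2] == ingress_ifc and src in _net(s[0], s[1])]


def any_source_http(statements):
    """Statements with a 0.0.0.0 0.0.0.0 source: management reachable from
    any address on that interface. Worth flagging on an internet-facing
    interface even though it is not the cause of the reset here."""
    return [s for s in statements if _net(s[0], s[1]).prefixlen == 0]


# HYPOTHETICAL crypto-map ACL, constructed for this example (assumption; the
# thread shows no VPN config). Tuple = (protocol, source net, destination net),
# i.e. "access-list VPN extended permit ip 10.0.1.0 255.255.255.0 192.0.2.0 ...".
CRYPTO_ACL_HYPOTHETICAL = [
    ("ip", "10.0.1.0/255.255.255.0", "192.0.2.0/255.255.255.0"),  # site-to-site only
    ("ip", "10.0.1.0/255.255.255.0", "0.0.0.0/0.0.0.0"),          # over-broad "any"
]


def crypto_acl_match(acl, src_ip, dst_ip, proto="tcp"):
    """Index of the first ACE classifying src->dst as to-be-encrypted traffic,
    or None. An ACE that also covers the firewall's own interface address
    means a clear-text management connection is not what the crypto map
    expects for that pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (ace_proto, s_net, d_net) in enumerate(acl):
        if ace_proto not in ("ip", proto):
            continue
        if src in ipaddress.ip_network(s_net, strict=False) and \
           dst in ipaddress.ip_network(d_net, strict=False):
            return i
    return None


if __name__ == "__main__":
    flow = parse_teardown(LOG_LINE)
    print("flow:", flow)
    print("http statements permitting the source:",
          http_permits(HTTP_STATEMENTS, flow["in_ifc"], flow["src"]))
    print("any-source http statements:", any_source_http(HTTP_STATEMENTS))
    print("hypothetical crypto ACE claiming the flow:",
          crypto_acl_match(CRYPTO_ACL_HYPOTHETICAL, flow["src"], flow["dst"]))
```

For the posted flow the script reports two permitting `http` statements on outsideDynamic (the 10.0.1.0/24 entry, which is the one packet-tracer's Phase 5 shows, and the 0.0.0.0/0 entry), so management access itself is not what is failing; against the hypothetical ACL only the "any" destination entry claims 10.0.1.77 to 10.0.1.90, which is the kind of entry to look for in the OP's real crypto ACL once the full configuration is posted.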