
What is wrong with this config that would prevent a http connection

gilchichester
Level 1

For some reason that I can't see, I'm unable to connect to my ASA5505 using https://192.168.0.1

What am I missing?

Thanks in advance for any and all suggestions


ASA Version 8.2(1)
!
hostname asa
domain-name pinecastle
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 207.191.22.234 255.255.255.248
!
interface Ethernet0/0
 description "Outside"
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name pinecastle
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list outside_in extended permit tcp any host 207.191.22.236 eq smtp
access-list outside_in extended permit tcp any host 207.191.22.236 eq www
access-list outside_in extended permit tcp any host 207.191.22.236 eq pop3
access-list outside_in extended permit icmp any host 207.191.22.236 echo-reply
access-list outside_in extended permit icmp any host 207.191.22.236 echo
access-list outside_in extended permit icmp any host 207.191.22.236 time-exceeded
access-list outside_in extended permit tcp any host 207.191.22.236 eq https
access-list inside_access_in remark ActiveSync Inside
access-list inside_access_in extended permit tcp host 192.168.0.92 host 207.191.22.236 eq https inactive
access-list inside_access_in remark ActiveSync Inside
access-list inside_access_in extended permit tcp host 192.168.0.92 host 207.191.22.234 eq https inactive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 207.191.22.236 192.168.0.92 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.191.22.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint help
 crl configure
crypto ca trustpoint autosync
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca trustpoint activesync
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 crl configure
crypto ca trustpoint ASAActiveSync
 enrollment terminal
 crl configure
crypto ca trustpoint ActiveSyncASA
 keypair Activesync
 no client-types
 crl configure
crypto ca server
 shutdown
crypto ca certificate chain ASAActiveSync
 certificate ca 069e1db77fcf1dfba97af5e5c9a24037
 Edited for size
  quit
crypto ca certificate chain ActiveSyncASA
 certificate 047b4b72820c42684686ff6438d03870
 Edited for size
  quit
 certificate ca 069e1db77fcf1dfba97af5e5c9a24037
  3082048f 30820377 a0030201 02021006 9e1db77f cf1dfba9 7af5e5c9 a2403730
 Edited for size
  quit
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ActiveSyncASA
ssl trust-point ActiveSyncASA inside
webvpn
username admin password VMclem/9gNRcFZK8 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dd648a34e2eb6e32e64998819060e23d


6 Replies

Are you receiving an error message?

When you log into the ASA via CLI, what do you see in the logs when you try to access HTTPS?

Issue the command debug http from the CLI and then try to connect. What do you see in the debug?

Issue the show version command and verify you have the 3DES/AES license installed. If you do not have it installed, it is a free download from Cisco.

You are also missing the command aaa authentication http console LOCAL.

Have a look at this article, which has some good troubleshooting steps:

https://supportforums.cisco.com/document/57701/asdm-access-troubleshooting

--
Please remember to select a correct answer and rate helpful posts

We have run through all the troubleshooting commands and didn't have any issues.

Still need some guidance on running the debug commands. We ran the following commands:

Logging on

Logging Buffered

debug http

attempted to connect to https://192.168.0.1 - browser doesn't return any specific error message

show logging

But the log doesn't show any HTTP messages.

Please tell me what I'm doing wrong!


Thanks for your help.

The ASA uses HTTPS and from the output it is listening on the interface

SSL       0003785f  192.168.0.1:443             0.0.0.0:*               LISTEN

Notice the port 443 after the IP.

I am assuming that the ASDM image is present in flash?

Could you issue the show version command and post it here?

Issue the command show run all ssl and post the output here. If the following line of code is missing from the output, please add it to the ASA:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

You might also need to regenerate the crypto key. Issue the following command to do so.

crypto key rsa generate modulus 1024

--
Please remember to select a correct answer and rate helpful posts
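As an added example (not code from this thread or from Cisco), here is a small Python lint over a constructed excerpt of the posted configuration that checks the ASDM/HTTPS prerequisites raised in the replies above: http server enable, an http statement covering the client's subnet on the management interface, the asdm image, aaa authentication http console LOCAL, an explicit ssl encryption list (flagging rc4/3des, which are deprecated), and the telnet line present in the posted config. The WEAK_SSL_CIPHERS set, the finding messages, and the sample client address are my own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in the thread (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
asdm image disk0:/asdm-621.bin
http server enable
http 192.168.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssl trust-point ActiveSyncASA inside
"""

# Assumed set of deprecated cipher names taken from the thread's suggested ssl encryption line.
WEAK_SSL_CIPHERS = {"rc4-sha1", "3des-sha1", "rc4-md5", "des-sha1"}


def asdm_access_findings(config, client_ip, interface="inside"):
    """Return (severity, message) findings about ASDM/HTTPS reachability for client_ip
    on the given interface, plus management-plane hygiene points seen in the config."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "http server enable" not in lines:
        findings.append(("error", "http server enable is missing"))
    allowed = False
    for l in lines:
        # "http <network> <mask> <interface>" is the ASDM/HTTPS client allow-list.
        m = re.match(r"http (\S+) (\S+) (\S+)$", l)
        if m and m.group(3) == interface:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if ipaddress.ip_address(client_ip) in net:
                allowed = True
    if not allowed:
        findings.append(("error", f"no http statement permits {client_ip} on {interface}"))
    if not any(l.startswith("asdm image ") for l in lines):
        findings.append(("error", "no asdm image configured"))
    if "aaa authentication http console LOCAL" not in lines:
        findings.append(("warn", "aaa authentication http console LOCAL is missing"))
    ssl = [l for l in lines if l.startswith("ssl encryption ")]
    if not ssl:
        findings.append(("warn", "ssl encryption not set explicitly; run show run all ssl"))
    else:
        weak = sorted(set(ssl[-1].split()[2:]) & WEAK_SSL_CIPHERS)
        if weak:
            findings.append(("warn", f"weak SSL ciphers enabled: {', '.join(weak)}"))
    if any(l.startswith("telnet ") and l.endswith(f" {interface}") for l in lines):
        findings.append(("warn", f"telnet is enabled on {interface}"))
    return findings
```

Run it against the full `show running-config` output to get the same checks over the real device; the sample above only covers the lines the thread discusses.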

Sorry, I was updating my last post before I saw this.

Yes we verified the ASDM image is in the flash

I will capture and post your requests first thing in the morning

Thanks again for your help

gilchichester
Level 1

Marius,

I'm able to run ASDM Launcher after adding the 

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 

to my configuration.

Thank you for all your insights

Gil

Glad I could help and thank you for the rating.

--
Please remember to select a correct answer and rate helpful posts