12-05-2010 02:09 PM - edited 03-06-2019 02:21 PM
Hi, I have an ASA 5505. I went to update the unit via ASDM yesterday and the Java app froze, so I closed the window. When I went to relaunch ASDM it wouldn't connect. I consoled into the device via CLI and performed a reload.
I can't ping the device or load ASDM from any host on the network. I can ping from outside. I can't upgrade the ASDM or ASA version. The unit is in another location, so wiping the config and starting over isn't an option.
One thing I tried to change in ASDM but it wouldn't let me is the subnet. I have bolded what asdm put in as 255.255.255.255 ---- the isp gave me a subnet of 255.255.255.248 on the cut sheet.
Below is my config, if someone can please help, it would be appreciated.
ASA Version 7.2(4)
!
hostname ultra-asa
domain-name ultra
enable password encrypted
passwd U encrypted
names
name 192.168.0.200 ultraserver description ultraserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group dsl
 ip address 68.153.xxx.xx 255.255.255.255 pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ultrapharma.com
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) interface 68.153.xxx.xx netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group dsl request dialout pppoe
vpdn group dsl localname xxxxxxx@att.net
vpdn group dsl ppp authentication chap
vpdn username ultrapharma@att.net password xxxxxx
dhcpd auto_config inside
!
dhcpd address 192.168.0.101-192.168.0.199 inside
dhcpd dns ultraserver interface inside
dhcpd enable inside
!
webvpn
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
!
!
prompt hostname context
Cryptochecksum:1b5c26ec90e5217a78092a52a3881d48
ultra-asa(config)#
ultra-asa(config)#
ultra-asa(config)#
12-05-2010 07:09 PM
Hi
I believe the ASDM version has been upgraded as well when you updated the firmware of the firewall. This statement in your config, asdm image disk0:/asdm-524.bin, is still pointing to the old ASDM image. Perform a dir in the firewall console; do you see another version like asdm-613.bin?
Directory of disk0:/
177 -rwx 14137344 08:06:50 Jan 01 2003 asa804-k8.bin
75 drwx 4096 08:48:22 May 06 2010 log
79 drwx 4096 08:48:34 May 06 2010 crypto_archive
178 -rwx 7562988 08:50:06 May 06 2010 asdm-613.bin
180 -rwx 12105313 08:52:28 May 06 2010 csd_3.5.841-k9.pkg
181 drwx 4096 08:52:32 May 06 2010 sdesktop
182 -rwx 2857568 08:52:34 May 06 2010 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
183 -rwx 3203909 08:52:34 May 06 2010 anyconnect-win-2.4.1012-k9.pkg
184 -rwx 4832344 08:52:38 May 06 2010 anyconnect-macosx-i386-2.4.1012-k9.pkg
185 -rwx 5209423 08:52:40 May 06 2010 anyconnect-linux-2.4.1012-k9.pkg
If you do see another version, simply point to the new image (do a no asdm image disk0:/asdm-524.bin and then asdm image disk0:/asdm-613.bin); your new ASDM console should work again.
12-06-2010 01:20 AM
Hi,
static (outside,inside) interface 68.153.xxx.xx netmask 255.255.255.255
I don't see why you are doing static NAT from outside to inside. If you get rid of this command, what happens?
As for the other 255.255.255.255: as it is PPP, there is always a host route installed.
Regards.
12-06-2010 05:53 AM
Can you please advise what the command would be to remove the static route?
12-06-2010 06:47 AM
Hi,
This is not a static route but static NAT and to remove it just prefix the command with the word no.
Regards
12-06-2010 02:45 PM
This worked and I was able to get into the ASA today!!!
I noticed on the CLI today when I reloaded it said
ERROR: There is cli conflict with the global 'dhcpd auto_config' command. The auto_config interface and the server interface cannot be the same interface
dhcpd enable command failed
*** Output from config line 80, "dhcpd enable inside"
Anyone have any ideas for this one?
12-07-2010 05:03 AM
Hi,
dhcpd auto_config inside
This line is like the DHCP import on the router platform; that is, it must be set on the interface where the ASA is a DHCP client, so on outside if you are given an IP address by DHCP, which is not your case. Then it will pass info like the DNS server to the clients requesting your DHCP server (ASA) unless you override it, which is your case for DNS.
So get rid of this command, or change it to dhcpd auto_config outside if your ISP is giving the ASA an IP with DHCP.
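The three problems worked through in this thread (a whole-address static NAT using the interface keyword, dhcpd auto_config on the same interface as the DHCP server, and an asdm image line that may not match what is in flash) can be checked offline against a saved configuration. This is an added example, not part of the original posts; the function name, check ids and sample strings are assumptions constructed from the lines quoted above.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
asdm image disk0:/asdm-524.bin
static (outside,inside) interface 68.153.xxx.xx netmask 255.255.255.255
dhcpd auto_config inside
dhcpd address 192.168.0.101-192.168.0.199 inside
dhcpd enable inside
"""
# File names taken from the example directory listing in the first reply.
SAMPLE_FLASH = ["asa804-k8.bin", "asdm-613.bin"]

# Whole-address static NAT using the "interface" keyword (not the tcp/udp port form).
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) interface \S+")
AUTO_RE = re.compile(r"^dhcpd auto_config (\S+)")
ENABLE_RE = re.compile(r"^dhcpd enable (\S+)")
ASDM_RE = re.compile(r"^asdm image \S+?:/(\S+)")


def _first_groups(regex, lines):
    """Collect the first capture group of every line the regex matches."""
    return {m.group(1) for ln in lines if (m := regex.match(ln))}


def lint_asa_config(config, flash_files=()):
    """Return (check_id, detail) pairs for the three issues seen in the thread."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # The ASA rejects 'dhcpd enable' when auto_config names the same interface.
    both = _first_groups(AUTO_RE, lines) & _first_groups(ENABLE_RE, lines)
    for ifname in sorted(both):
        findings.append(("dhcpd-conflict", ifname))
    for ln in lines:
        # Removing this kind of line restored access to the ASA in the thread.
        if STATIC_RE.match(ln):
            findings.append(("static-interface-nat", ln))
        m = ASDM_RE.match(ln)
        if m and flash_files:
            # Flag a configured image missing from flash, or another ASDM image present.
            others = [f for f in flash_files
                      if f.startswith("asdm-") and f != m.group(1)]
            if m.group(1) not in flash_files or others:
                findings.append(("asdm-image", ln))
    return findings


if __name__ == "__main__":
    for check_id, detail in lint_asa_config(SAMPLE_CONFIG, SAMPLE_FLASH):
        print(f"{check_id}: {detail}")
```
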