11-05-2013 01:05 PM
Hello all,
I'm completely new to Cisco networking and VPNs, I'm working on an ASA 5510 vers 8.2(5)46. Right now the unit is set up very minimally. Management access is accessible from my inside network at 192.168.2.1. I'm trying to allow remote management access by VPN. I created a clientless SSL VPN, which during the wizard process, indicated management access was by adding /admin to the VPN's https URL. Adding the /admin to the VPN's URL does not get me to the VPN login, and using the /admin URL from the portal returns an "Unavailable" message. Also, from the portal I can't access the ASDM using the inside network management IP, it also returns the message as "Unavailable". Again I'm new at this, any help would be greatly appreciated. Here's my config, and thanks!
: Saved
:
ASA Version 8.2(5)46
!
hostname ALP5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 99.66.203.148 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn 192.168.2.10
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.203.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 20
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.3-192.168.2.10 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.3-192.168.1.10 management
dhcpd dns 68.94.156.1 68.94.157.1 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy eng internal
group-policy eng attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value EngineerBookmarks
username user1 password mbO2jYs13AXlIAGa encrypted privilege 15
username user1 attributes
 vpn-group-policy eng
 webvpn
  url-list value EngineerBookmarks
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool vpn
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy eng
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f3afe3383542c8f62b1873421a7484
: end
asdm image disk0:/asdm-714.bin
asdm location 99.66.203.150 255.255.255.255 inside
no asdm history enable
11-06-2013 11:39 AM
I am from TAC; if you give me a number I can help you out. I think we are just going to extend this if we continue over the support forum.
11-06-2013 02:38 PM
After helping with the VPN setup we need an answered here!!!
11-05-2013 05:17 PM
With help from jumora I have internet access working on the inside interface, still working on the vpn issue though...
11-05-2013 06:06 PM
enable
config t
webvpn
no enable inside
Try to access the ASDM
11-05-2013 06:10 PM
I've edited my original post and added the updated config. I'll give it a try...
11-05-2013 06:10 PM
But I think that the issue is that you don't have an ASDM image; if not, this could be related to:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtu02353
11-05-2013 06:11 PM
Can you get me a show version and show disk0?
11-05-2013 06:22 PM
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ALP5510 up 20 days 7 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 4403.a707.25f6, irq 9
1: Ext: Ethernet0/1 : address is 4403.a707.25f7, irq 9
2: Ext: Ethernet0/2 : address is 4403.a707.25f8, irq 9
3: Ext: Ethernet0/3 : address is 4403.a707.25f9, irq 9
4: Ext: Management0/0 : address is 4403.a707.25fa, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX17128011
Running Activation Key: 0x7719dc5d 0xf82807f8 0x2ce1ed7c 0xa9184c0c 0x881c27bf
Configuration register is 0x1
Configuration last modified by enable_15 at 18:56:25.810 UTC Tue Nov 5 2013
11-05-2013 06:23 PM
Result of the command: "show disk0"
--#-- --length-- -----date/time------ path
106 15390720 Mar 19 2013 08:00:42 asa825-k8.bin
107 16280544 Mar 19 2013 09:58:06 asdm-645.bin
108 28672 Jan 01 1980 00:00:00 FSCK0000.REC
3 4096 Jan 01 2003 00:02:44 log
10 4096 Jan 01 2003 00:02:58 crypto_archive
11 4096 Jan 01 2003 00:03:02 coredumpinfo
12 43 Jan 01 2003 00:03:02 coredumpinfo/coredump.cfg
110 4096 Jan 01 1980 00:00:00 FSCK0001.REC
111 12998641 Mar 19 2013 09:55:16 csd_3.5.2008-k9.pkg
112 4096 Mar 19 2013 09:55:20 sdesktop
145 1462 Mar 19 2013 09:55:20 sdesktop/data.xml
113 6487517 Mar 19 2013 09:55:24 anyconnect-macosx-i386-2.5.2014-k9.pkg
114 6689498 Mar 19 2013 09:55:28 anyconnect-linux-2.5.2014-k9.pkg
115 4678691 Mar 19 2013 09:55:30 anyconnect-win-2.5.2014-k9.pkg
116 28672 Jan 01 1980 00:00:00 FSCK0002.REC
117 4096 Jan 01 1980 00:00:00 FSCK0003.REC
255320064 bytes total (192106496 bytes free)
11-05-2013 06:29 PM
Thanks but still no access
11-06-2013 09:25 AM
Yeah, it's the bug that I mentioned:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtu02353
11-06-2013 09:26 AM
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=%20CSCtu02353
11-06-2013 09:26 AM
Symptom:
Unable to launch ASDM when webvpn is enabled on ASA.
Conditions:
ASA running version 8.2.5 and ASDM 6.4.5/6.3.4
Webvpn enabled on ASA.
On trying to launch ASDM, the following error message is seen,
"unable to launch device manager from x.x.x.x"
Configuring http server on a different port(4443,8888 etc) does not help.
Workaround:
Webvpn needs to be disabled completely from ASA with the command "no webvpn". Disabling it from the interface is not sufficient.
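An added example, not part of the original thread and not Cisco tooling: a small offline check that reads saved `show running-config`, `show version` and `show disk0` text and reports the conditions quoted above for CSCtu02353, plus any `boot system` or `asdm image` line that names a file missing from flash. The sample inputs are constructed, and the `6.3(4)` version string format is an assumption based on how `show version` prints `6.4(5)`.

```python
import re
# Constructed sample inputs modelled on the command output posted in this thread.
CONFIG = """\
boot system disk0:/asa825-46-k8.bin
asdm image disk0:/asdm-714.bin
http server enable
http 192.168.2.0 255.255.255.0 inside
webvpn
 enable outside
 enable inside
group-policy eng attributes
 webvpn
"""
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
"""
SHOW_DISK = """\
106 15390720 Mar 19 2013 08:00:42 asa825-k8.bin
107 16280544 Mar 19 2013 09:58:06 asdm-645.bin
"""

def webvpn_interfaces(config):
    """Interfaces enabled under the top-level webvpn block (not a group-policy one)."""
    names, in_block = [], False
    for line in config.splitlines():
        if not line.startswith(" "):      # a column-0 line opens or closes the block
            in_block = line.strip() == "webvpn"
        elif in_block:
            m = re.fullmatch(r" enable (\S+)", line)
            if m:
                names.append(m.group(1))
    return names

def audit(config, show_version, show_disk):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    on_flash = {l.split()[-1] for l in show_disk.splitlines() if l.strip()}
    for kind, path in re.findall(r"^(boot system|asdm image) disk0:/(\S+)$", config, re.M):
        if path not in on_flash:
            findings.append(f"{kind} points at {path}, which is not on disk0")
    asa = re.search(r"Software Version (\S+)", show_version)
    asdm = re.search(r"Device Manager Version (\S+)", show_version)
    affected = (asa and asa.group(1).startswith("8.2(5)")
                and asdm and asdm.group(1) in ("6.4(5)", "6.3(4)"))  # assumed format
    ifs = webvpn_interfaces(config)
    if affected and ifs and re.search(r"^http server enable", config, re.M):
        findings.append(f"webvpn on {','.join(ifs)} with ASDM {asdm.group(1)}: CSCtu02353 conditions")
    return findings
```

Calling `audit(CONFIG, SHOW_VERSION, SHOW_DISK)` on the constructed sample returns three findings: the two image paths absent from flash and the webvpn/ASDM version match.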
11-06-2013 10:06 AM
Let me add some detail to my "no access" answer. Before I entered the commands, adding /admin to the https VPN URL would result in "Page not found". After I made the change I can get to the certificate warning, but when I tried to continue to the page I would get Page not found.
Sounds like I need to update the version?
11-06-2013 10:27 AM
Yes, just update and let me know if you need assistance. I can help; just tell me where to reach you.