Solved

Accessing PIX ASDM from outside

Posted on 2008-11-08
Last Modified: 2012-05-05
I have added my specific network and "0.0.0.0 0.0.0.0" but still get:
"unable to launch device manager from 66.249.107.100"

Related commands in config:
pdm location 10.10.1.109 255.255.255.255 inside
pdm location 10.10.1.176 255.255.255.240 outside
pdm location 10.10.2.0 255.255.255.0 outside
pdm location 10.10.1.192 255.255.255.192 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 69.151.5.168 255.255.255.255 outside
pdm location 69.26.203.210 255.255.255.255 outside

http server enable
http 66.64.26.242 255.255.255.255 outside
http 69.26.203.210 255.255.255.255 outside
http 69.151.5.168 255.255.255.255 outside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.109 255.255.255.255 inside
http 10.10.1.0 255.255.255.0 inside

Thanks again for your assist,
Dave
pix-config-110808f.txt
Question by:snchelpdesk
19 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 22915028
Given your config, you "should" be able to access it. Do you get any error messages or get prompted with certificate error or anything?
you are sure you are using https://  ??
Can you access it from inside?
If you add "management-interface inside" and "http 10.10.2.0 255.255.255.0 inside"
can you access the ASDM via the inside ip address when connected to the VPN?

Author Comment

by:snchelpdesk
ID: 22915077
Tried it all - download cert from local server where it runs from https://10.10.11.
Changed management-interface from outside to inside.
Added http 10.10.2.0 255.255.255.0 inside.

Get prompted for authentication then get error:
unable to load device manager from 10.10.1.1
LVL 79

Expert Comment

by:lrmoore
ID: 22915089
What happens when you try to access it via the public IP address? https://publicip ?
Do you have Java installed? Your PIX uses java based PDM and not ASDM, so you can't use the ASDM client if that is what you are trying to do..

Author Comment

by:snchelpdesk
ID: 22915153
Java is installed - I cannot access https://66.249.107.100 - page not found.


LVL 6

Expert Comment

by:clearacid
ID: 22915529
Are you able to access the PDM from inside?  The only thing I can think of is if the PDM image is pointed to the wrong file or something.

Do a show flash
then a show run
the flash image should be listed on there - on the ASA it's
asdm image disk0:/<image name>

Author Comment

by:snchelpdesk
ID: 22916085
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2097152 length:7081
  file 2: origin:       0 length:0
  file 3: origin: 2228224 length:3150260
  file 4: origin:       0 length:0
  file 5: origin:16646144 length:308
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(3)

Compiled on Fri 02-Jul-04 00:07 by morlee

pixfirewall up 9 days 16 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0014.a861.d384, irq 10
1: ethernet1: address is 0014.a861.d385, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 809245161 (0x303c19e9)
Running Activation Key: 0x26f3e9c2 0xdf435e62 0xe48260fe 0x28594157
Configuration last modified by enable_15 at 08:08:17.127 UTC Sun Nov 9 2008
pixfirewall(config)#


I have attached complete "sh version" , "sh flashfs", "sh run"

Thank you!
sh-ver-flashfs-run.txt
LVL 79

Expert Comment

by:lrmoore
ID: 22916371
>management-access outside
Change this to "inside"

no management-access outside
management-access inside

With this command in place, you should be able to vpn in and use the inside ip address https://10.10.1.1
The Management-access command does some weird things that I would not apply to the outside interface.

Author Comment

by:snchelpdesk
ID: 22917210
I had done this originally - tried again and still "no page found".  I can ping the interface but that's all.
LVL 28

Expert Comment

by:batry_boy
ID: 22917229
Make sure you aren't using port redirection for TCP 443 on the outside interface.  You can verify this by looking at your static commands.
LVL 6

Expert Comment

by:clearacid
ID: 22917283
I don't see in your config you have a port redirect - but try switching off of 443 anyways....

do like

http server enable 8443
wr mem
rel


Author Comment

by:snchelpdesk
ID: 22917324
I don't have port 443 redirection in my static commands and the HTTP SERVER ENABLE was in effect already.   Not able to add "8443":

Result of firewall command: "http server enable 8443"
 
Usage:      [no] http <local_ip> [<mask>] [<if_name>]
      [no] http server enable
Command failed
LVL 79

Expert Comment

by:lrmoore
ID: 22917379
Changing port is not an option with PIX 6.x.
You do not have 443 redirected anyplace else in your config.
By all indications, it "should" be working.
Can you access the private IP after you VPN in?
Can you access the PDM from a PC on the inside?
Can you RDP to a server and from there, get to the inside IP with PDM?
Page not found is often result of using http and not https, or you have a proxy set in the IE settings, or you are using Mozilla and not IE. Mozilla apparently has some java issues.

Author Comment

by:snchelpdesk
ID: 22917436
Can you access the private IP after you VPN in?  YES
Can you access the PDM from a PC on the inside?  YES
Can you RDP to a server and from there, get to the inside IP with PDM? YES

Page not found is often result of using http and not https, or you have a proxy set in the IE settings, or you are using Mozilla and not IE. Mozilla apparently has some java issues.  USING IE 7 w/o Proxy...  HTTPS://10.10.1.1

Dave
LVL 79

Expert Comment

by:lrmoore
ID: 22917478
Ok... pardon me if I am beating a dead horse..
VPN in and then https://10.10.1.1 = YES?
Can you access it https://66.249.107.100  ? NO --- Internet Explorer cannot display the webpage

>ip address outside 66.249.107.100
>route outside 0.0.0.0 255.255.255.255 75.48.93.126
I'm confused as to how you get to the gateway from your outside interface. I typically see the gateway as on the same subnet as the outside interface unless it is PPPoE and I don't see any PPPoE configuration in here.

>route outside 0.0.0.0 0.0.0.0 75.48.93.126 1
>route inside CFG2k3SBS 255.255.255.255 10.10.1.1 0
>route outside 10.10.2.0 255.255.255.0 10.10.1.1 1
Irrelevant to your problem, but you can remove all three of these routes. Never ever add a static route to a connected network, especially back to yourself.

I know this is a production firewall, but have you tried saving what you have and rebooting the PIX?

Author Comment

by:snchelpdesk
ID: 22918186
Ok - making sense now - we switched providers and changed the IP but not the default route.  Here's what I have for route:

route outside 0.0.0.0 0.0.0.0 66.249.107.100 1

Do I need the following as well or in place of above:

route outside 0.0.0.0 255.255.255.255 66.249.107.100

Thank you!
LVL 79

Accepted Solution

by: lrmoore earned 2000 total points
ID: 22918199
>route outside 0.0.0.0 255.255.255.255 66.249.107.100
You do NOT need this.

>ip address outside 66.249.107.100
>route outside 0.0.0.0 0.0.0.0 66.249.107.100 1
You cannot point your default route to yourself, it must be the next-hop...
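As an added illustration (not from this thread, and not Cisco's code), here is a small Python checker for the two things the thread turns on: the `http` permit lines quoted in the question, and the default-route point made in the accepted solution above. It picks out the `ip address`, `route` and `http` lines of a PIX 6.x config, flags a default route whose gateway is the interface's own address or lies outside the interface's subnet, and flags `http 0.0.0.0 0.0.0.0 outside`, which opens the PDM page to every host on the internet, as well as the `http 0.0.0.0 255.255.255.255` entry, which matches no real client. The sample config is constructed; the outside netmask and the inside interface line are assumptions, since the thread only quotes the outside address and the routes.

```python
import ipaddress
import re

# Constructed sample in the style of the PIX 6.3 lines quoted in this thread.
# The outside mask (/29) and the inside interface line are assumptions; the
# thread only shows the outside address and the route statements.
SAMPLE_CONFIG = """\
ip address outside 66.249.107.100 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 66.249.107.100 1
http server enable
http 69.151.5.168 255.255.255.255 outside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.0 255.255.255.0 inside
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Pick out interface addresses, static routes and http permit entries.

    Returns (interfaces, routes, http_acl):
      interfaces: {ifname: IPv4Interface}
      routes:     [(ifname, destination IPv4Network, gateway IPv4Address)]
      http_acl:   [(permitted source IPv4Network, ifname)]
    PIX masks are dotted netmasks, which the ipaddress module accepts as-is.
    """
    interfaces, routes, http_acl = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            ifname, ip, mask = m.groups()
            interfaces[ifname] = ipaddress.ip_interface(f"{ip}/{mask}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            ifname, dest, mask, gw, _metric = m.groups()
            routes.append((ifname,
                           ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           ipaddress.ip_address(gw)))
            continue
        m = HTTP_RE.match(line)
        if m:  # "http server enable" has only two words after http and is skipped
            ip, mask, ifname = m.groups()
            http_acl.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), ifname))
    return interfaces, routes, http_acl


def lint(interfaces, routes, http_acl):
    """Return findings: a bad default-route gateway, then over-broad or
    self-contradicting http entries, in config order."""
    findings = []
    for ifname, dest, gw in routes:
        if dest.prefixlen != 0:
            continue  # only the default route is checked here
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"default route via {ifname}: interface has no ip address")
        elif gw == iface.ip:
            findings.append(f"default route gateway {gw} is {ifname}'s own address; "
                            "it must be the provider's next hop")
        elif gw not in iface.network:
            findings.append(f"default route gateway {gw} is not on the {ifname} "
                            f"subnet {iface.network}")
    for net, ifname in http_acl:
        if net.prefixlen == 0:
            findings.append(f"http {net} {ifname}: PDM reachable from any host on "
                            f"{ifname}; restrict to known admin addresses")
        elif net.network_address == ipaddress.ip_address("0.0.0.0"):
            findings.append(f"http {net} {ifname}: 0.0.0.0 with a host mask "
                            "matches no real client (probably a typo)")
    return findings


def http_permits(http_acl, client_ip, ifname):
    """True if a client arriving on ifname is allowed by some http entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and acl_if == ifname for net, acl_if in http_acl)


if __name__ == "__main__":
    ifaces, rts, acl = parse_config(SAMPLE_CONFIG)
    for finding in lint(ifaces, rts, acl):
        print("FINDING:", finding)
```

Run against the sample, the checker reports the self-pointing default route first and the two odd `http 0.0.0.0` entries after it; changing the gateway to 66.249.107.99, as the author did, clears the route finding, while the `http 0.0.0.0 0.0.0.0 outside` line still stands out as the entry that lets any internet host reach the login prompt and should be removed once testing is over.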

Author Comment

by:snchelpdesk
ID: 22918268
Thanks - I changed the gateway to 66.249.107.99.

I have attached current running config

Still can't access https://10.10.1.1 but will schedule a reboot and try again after.  
pix-config-110809a.txt
LVL 79

Expert Comment

by:lrmoore
ID: 22921234

>Still can't access https://10.10.1.1 
Of course not from the outside, unless you VPN in first.
Can you access https://66.249.107.100 

Author Closing Comment

by:snchelpdesk
ID: 31514767
Thank you - I appreciate the help and clarification of ASDM & PDM.  My old PIX needs to be upgraded but fortunately works great and is strong as a tank!!
Dave