Accessing PIX ASDM from outside

I have added my specific network and "0.0.0.0 0.0.0.0" but still get:
"unable to launch device manager from 66.249.107.100"

Related commands in config:
pdm location 10.10.1.109 255.255.255.255 inside
pdm location 10.10.1.176 255.255.255.240 outside
pdm location 10.10.2.0 255.255.255.0 outside
pdm location 10.10.1.192 255.255.255.192 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 69.151.5.168 255.255.255.255 outside
pdm location 69.26.203.210 255.255.255.255 outside

http server enable
http 66.64.26.242 255.255.255.255 outside
http 69.26.203.210 255.255.255.255 outside
http 69.151.5.168 255.255.255.255 outside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.109 255.255.255.255 inside
http 10.10.1.0 255.255.255.0 inside

Thanks again for your assist,
Dave
pix-config-110808f.txt
snchelpdesk Asked:
lrmoore Commented:
Given your config, you "should" be able to access it. Do you get any error messages or get prompted with certificate error or anything?
you are sure you are using https://  ??
Can you access it from inside?
If you add "management-interface inside" and "http 10.10.2.0 255.255.255.0 inside"
can you access the ASDM via the inside ip address when connected to the VPN?

snchelpdesk Author Commented:
Tried it all - download cert from local server where it runs from https://10.10.11.
Changed management-interface from outside to inside.
Added http 10.10.2.0 255.255.255.0 inside.

Get prompted for authentication then get error:
unable to load device manager from 10.10.1.1

lrmoore Commented:
What happens when you try to access it via the public IP address? https://publicip ?
Do you have Java installed? Your PIX uses Java-based PDM and not ASDM, so you can't use the ASDM client if that is what you are trying to do.

snchelpdesk Author Commented:
Java is installed - I cannot access https://66.249.107.100 - page not found.


clearacid Commented:
Are you able to access the PDM from inside?  The only thing I can think of is if the PDM image is pointed to the wrong file or something.

Do a show flash
then a show run
the flash image should be listed on there - on the ASA it's
asdm image disk0:/<image name>

snchelpdesk Author Commented:
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2097152 length:7081
  file 2: origin:       0 length:0
  file 3: origin: 2228224 length:3150260
  file 4: origin:       0 length:0
  file 5: origin:16646144 length:308
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(3)

Compiled on Fri 02-Jul-04 00:07 by morlee

pixfirewall up 9 days 16 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0014.a861.d384, irq 10
1: ethernet1: address is 0014.a861.d385, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 809245161 (0x303c19e9)
Running Activation Key: 0x26f3e9c2 0xdf435e62 0xe48260fe 0x28594157
Configuration last modified by enable_15 at 08:08:17.127 UTC Sun Nov 9 2008
pixfirewall(config)#


I have attached complete "sh version" , "sh flashfs", "sh run"

Thank you!
sh-ver-flashfs-run.txt

lrmoore Commented:
>management-access outside
Change this to "inside"

no management-access outside
management-access inside

With this command in place, you should be able to vpn in and use the inside ip address https://10.10.1.1
The Management-access command does some weird things that I would not apply to the outside interface.

snchelpdesk Author Commented:
I had done this originally - tried again and still "no page found".  I can ping the interface but that's all.

batry_boy Commented:
Make sure you aren't using port redirection for TCP 443 on the outside interface.  You can verify this by looking at your static commands.

clearacid Commented:
I don't see in your config you have a port redirect - but try switching off of 443 anyways....

do like

http server enable 8443
wr mem
rel

snchelpdesk Author Commented:
I don't have port 443 redirection in my static commands and the HTTP SERVER ENABLE was in effect already.   Not able to add "8843"

Result of firewall command: "http server enable 8443"
 
Usage:      [no] http <local_ip> [<mask>] [<if_name>]
      [no] http server enable
Command failed

lrmoore Commented:
Changing port is not an option with PIX 6.x.
You do not have 443 redirected anyplace else in your config.
By all indications, it "should" be working.
Can you access the private IP after you VPN in?
Can you access the PDM from a PC on the inside?
Can you RDP to a server and from there, get to the inside IP with PDM?
Page not found is often result of using http and not https, or you have a proxy set in the IE settings, or you are using Mozilla and not IE. Mozilla apparently has some java issues.

snchelpdesk Author Commented:
Can you access the private IP after you VPN in?  YES
Can you access the PDM from a PC on the inside?  YES
Can you RDP to a server and from there, get to the inside IP with PDM? YES

Page not found is often result of using http and not https, or you have a proxy set in the IE settings, or you are using Mozilla and not IE. Mozilla apparently has some java issues.  USING IE 7 w/o Proxy...  HTTPS://10.10.1.1

Dave

lrmoore Commented:
Ok... pardon me if I am beating a dead horse..
VPN in and then https://10.10.1.1 = YES?
Can you access it https://66.249.107.100  ? NO --- Internet Explorer cannot display the webpage

>ip address outside 66.249.107.100
>route outside 0.0.0.0 255.255.255.255 75.48.93.126
I'm confused as to how you get to the gateway from your outside interface. I typically see the gateway as on the same subnet as the outside interface unless it is PPPoE and I don't see any PPPoE configuration in here.

>route outside 0.0.0.0 0.0.0.0 75.48.93.126 1
>route inside CFG2k3SBS 255.255.255.255 10.10.1.1 0
>route outside 10.10.2.0 255.255.255.0 10.10.1.1 1
Irrelevant to your problem, but you can remove all three of these routes. Never ever add a static route to a connected network, especially back to yourself.

I know this is a production firewall, but have you tried saving what you have and rebooting the PIX?

snchelpdesk Author Commented:
Ok - making sense now - we switched providers and changed the IP but now the default route.  Here's what I have for route:

route outside 0.0.0.0 0.0.0.0 66.249.107.100 1

Do I need the following as well or in place of above:

route outside 0.0.0.0 255.255.255.255 66.249.107.100

Thank you!

lrmoore Commented:
>route outside 0.0.0.0 255.255.255.255 66.249.107.100
You do NOT need this.

>ip address outside 66.249.107.100
>route outside 0.0.0.0 0.0.0.0 66.249.107.100 1
You cannot point your default route to yourself, it must be the next-hop...
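
An added example, not part of the thread or of anyone's posted config: a small Python check for the route mistakes discussed above (a next hop that is the PIX's own address or lies off the interface subnet, and a 0.0.0.0 entry carrying a 255.255.255.255 mask), plus the "http 0.0.0.0 0.0.0.0 outside" line, which lets any source address reach PDM on the outside interface. The sample config is constructed from lines quoted in the thread; the interface netmasks and the finding names are assumptions.

```python
import ipaddress

# Constructed sample assembled from lines quoted in the thread. Both netmasks
# on the "ip address" lines are assumptions; the thread never shows them.
SAMPLE = """\
ip address outside 66.249.107.100 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
route outside 0.0.0.0 255.255.255.255 75.48.93.126
route outside 0.0.0.0 0.0.0.0 66.249.107.100 1
route outside 10.10.2.0 255.255.255.0 10.10.1.1 1
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.0 255.255.255.0 inside
"""

def lint(config):
    """Return (finding, config line) pairs for route and http statements."""
    rows = [line.split() for line in config.splitlines() if line.strip()]
    # Interface name -> address/mask taken from "ip address <if> <ip> <mask>".
    ifaces = {w[2]: ipaddress.ip_interface(f"{w[3]}/{w[4]}")
              for w in rows if w[:2] == ["ip", "address"] and len(w) >= 5}
    own_ips = {i.ip for i in ifaces.values()}
    findings = []
    for w in rows:
        line = " ".join(w)
        if w[0] == "route" and len(w) >= 5:
            # 0.0.0.0 with a host mask is not a default route.
            if w[2:4] == ["0.0.0.0", "255.255.255.255"]:
                findings.append(("host-mask-on-0.0.0.0", line))
            try:
                gw = ipaddress.ip_address(w[4])
            except ValueError:  # gateway written as a name alias: skip it
                continue
            if gw in own_ips:
                findings.append(("gateway-is-self", line))
            elif w[1] in ifaces and gw not in ifaces[w[1]].network:
                findings.append(("gateway-off-subnet", line))
        elif w[0] == "http" and len(w) == 4 and w[1] == "0.0.0.0":
            if w[2] == "0.0.0.0":    # any source may reach PDM here
                findings.append(("mgmt-open-to-any", line))
            elif w[2] == "255.255.255.255":  # matches only host 0.0.0.0
                findings.append(("host-mask-on-0.0.0.0", line))
    return findings

if __name__ == "__main__":
    for finding, line in lint(SAMPLE):
        print(f"{finding:22} {line}")
```
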

snchelpdesk Author Commented:
Thanks - I changed the gateway to 66.249.107.99.

I have attached current running config

Still can't access https://10.10.1.1 but will schedule a reboot and try again after.  
pix-config-110809a.txt

lrmoore Commented:

>Still can't access https://10.10.1.1 
Of course not from the outside, unless you VPN in first.
Can you access https://66.249.107.100 ?

snchelpdesk Author Commented:
Thank you - I appreciate the help and clarification of ASDM & PDM.  My old PIX needs to be upgraded but fortunately works great and is strong as a tank!!
Dave