snchelpdesk
Accessing PIX ASDM from outside

I have added my specific network and "0.0.0.0 0.0.0.0" but still get:
"unable to launch device manager from 66.249.107.100"

Related commands in config:
pdm location 10.10.1.109 255.255.255.255 inside
pdm location 10.10.1.176 255.255.255.240 outside
pdm location 10.10.2.0 255.255.255.0 outside
pdm location 10.10.1.192 255.255.255.192 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 69.151.5.168 255.255.255.255 outside
pdm location 69.26.203.210 255.255.255.255 outside

http server enable
http 66.64.26.242 255.255.255.255 outside
http 69.26.203.210 255.255.255.255 outside
http 69.151.5.168 255.255.255.255 outside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.109 255.255.255.255 inside
http 10.10.1.0 255.255.255.0 inside

Thanks again for your assist,
Dave
pix-config-110808f.txt
Les Moore

Given your config, you "should" be able to access it. Do you get any error messages, or get prompted with a certificate error or anything?
You are sure you are using https://?
Can you access it from inside?
If you add "management-interface inside" and "http 10.10.2.0 255.255.255.0 inside"
can you access the ASDM via the inside ip address when connected to the VPN?
snchelpdesk (asker)
Tried it all - download cert from local server where it runs from https://10.10.11.
Changed management-interface from outside to inside.
Added http 10.10.2.0 255.255.255.0 inside.

Get prompted for authentication then get error:
unable to load device manager from 10.10.1.1
What happens when you try to access it via the public IP address? https://publicip ?
Do you have Java installed? Your PIX uses the Java-based PDM and not ASDM, so you can't use the ASDM client, if that is what you are trying to do.
Java is installed - I cannot access https://66.249.107.100 - page not found.


Are you able to access the PDM from inside?  The only thing I can think of is if the PDM image is pointed to the wrong file or something.

Do a show flash
then a show run
The flash image should be listed on there - on the ASA it's
asdm image disk0:/<image name>
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2097152 length:7081
  file 2: origin:       0 length:0
  file 3: origin: 2228224 length:3150260
  file 4: origin:       0 length:0
  file 5: origin:16646144 length:308
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(3)

Compiled on Fri 02-Jul-04 00:07 by morlee

pixfirewall up 9 days 16 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0014.a861.d384, irq 10
1: ethernet1: address is 0014.a861.d385, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 809245161 (0x303c19e9)
Running Activation Key: 0x26f3e9c2 0xdf435e62 0xe48260fe 0x28594157
Configuration last modified by enable_15 at 08:08:17.127 UTC Sun Nov 9 2008
pixfirewall(config)#


I have attached complete "sh version" , "sh flashfs", "sh run"

Thank you!
sh-ver-flashfs-run.txt
>management-access outside
Change this to "inside"

no management-access outside
management-access inside

With this command in place, you should be able to vpn in and use the inside ip address https://10.10.1.1
The Management-access command does some weird things that I would not apply to the outside interface.
I had done this originally - tried again and still "no page found". I can ping the interface but that's all.
Make sure you aren't using port redirection for TCP 443 on the outside interface.  You can verify this by looking at your static commands.
I don't see in your config you have a port redirect - but try switching off of 443 anyways....

Do something like:

http server enable 8443
wr mem
rel

I don't have port 443 redirection in my static commands and the HTTP SERVER ENABLE was in effect already.   Not able to add "8843"

Result of firewall command: "http server enable 8443"
 
Usage:      [no] http <local_ip> [<mask>] [<if_name>]
      [no] http server enable
Command failed
Changing port is not an option with PIX 6.x.
You do not have 443 redirected anyplace else in your config.
By all indications, it "should" be working.
Can you access the private IP after you VPN in?
Can you access the PDM from a PC on the inside?
Can you RDP to a server and from there, get to the inside IP with PDM?
Page not found is often the result of using http and not https, or you have a proxy set in the IE settings, or you are using Mozilla and not IE. Mozilla apparently has some Java issues.
Can you access the private IP after you VPN in?  YES
Can you access the PDM from a PC on the inside?  YES
Can you RDP to a server and from there, get to the inside IP with PDM? YES

Page not found is often the result of using http and not https, or you have a proxy set in the IE settings, or you are using Mozilla and not IE. Mozilla apparently has some Java issues.  USING IE 7 w/o Proxy...  HTTPS://10.10.1.1

Dave
Ok... pardon me if I am beating a dead horse..
VPN in and then https://10.10.1.1 = YES?
Can you access it https://66.249.107.100  ? NO --- Internet Explorer cannot display the webpage

>ip address outside 66.249.107.100
>route outside 0.0.0.0 255.255.255.255 75.48.93.126
I'm confused as to how you get to the gateway from your outside interface. I typically see the gateway as on the same subnet as the outside interface unless it is PPPoE and I don't see any PPPoE configuration in here.

>route outside 0.0.0.0 0.0.0.0 75.48.93.126 1
>route inside CFG2k3SBS 255.255.255.255 10.10.1.1 0
>route outside 10.10.2.0 255.255.255.0 10.10.1.1 1
Irrelevant to your problem, but you can remove all three of these routes. Never ever add a static route to a connected network, especially back to yourself.

I know this is a production firewall, but have you tried saving what you have and rebooting the PIX?
Ok - making sense now - we switched providers and changed the IP but now the default route. Here's what I have for route:

route outside 0.0.0.0 0.0.0.0 66.249.107.100 1

Do I need the following as well or in place of above:

route outside 0.0.0.0 255.255.255.255 66.249.107.100

Thank you!
ASKER CERTIFIED SOLUTION
Les Moore
Thanks - I changed the gateway to 66.249.107.99.

I have attached current running config

Still can't access https://10.10.1.1 but will schedule a reboot and try again after.  
pix-config-110809a.txt

>Still can't access https://10.10.1.1 
Of course not from the outside, unless you VPN in first.
Can you access https://66.249.107.100 
Thank you - I appreciate the help and clarification of ASDM & PDM.  My old PIX needs to be upgraded but fortunately works great and is strong as a tank!!
Dave
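The two things this thread turns on are the `http <ip> <mask> <ifname>` allow-list (which, on PIX 6.x, is what actually permits PDM access; `pdm location` only describes topology to PDM) and a static route whose next hop is the firewall's own outside address. The checker below is an added example written for this page, not code from the thread or from Cisco; it assumes the PIX 6.3 line syntax shown in the posts, and the sample config it parses is constructed (the interface masks in particular are assumed, since the thread never shows them). It flags `http 0.0.0.0 0.0.0.0 outside` (PDM reachable from any Internet source), the meaningless host entry `http 0.0.0.0 255.255.255.255`, a "default" route with a /32 mask, a next hop equal to the interface's own address or off the interface subnet, a static route to a connected network, and `management-access` on the outside interface.

```python
"""Sanity-check PIX 6.x management-access lines and static routes.

Added example (not from the thread). It assumes the PIX 6.3 syntax the
thread shows:  http <ip> <mask> <ifname>,  ip address <ifname> <ip> <mask>,
route <ifname> <dest> <mask> <gateway> [metric],  management-access <ifname>.
"""
import ipaddress

# Constructed sample that only resembles the thread's config; the interface
# masks are assumed, since the thread never shows them.
SAMPLE_CONFIG = """\
ip address outside 66.249.107.100 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
http server enable
http 69.26.203.210 255.255.255.255 outside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.1.0 255.255.255.0 inside
route outside 0.0.0.0 0.0.0.0 66.249.107.100 1
route outside 0.0.0.0 255.255.255.255 75.48.93.126
route inside 10.10.1.0 255.255.255.0 10.10.1.1 1
management-access outside
"""


def _net(ip, mask):
    """Build a network from dotted address + dotted mask (PIX style)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_config(text):
    """Return (interfaces, http_rules, routes, mgmt_access) from config text."""
    ifaces, http_rules, routes, mgmt = {}, [], [], []
    for raw in text.splitlines():
        t = raw.split()
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["http"] and len(t) >= 4 and t[1] != "server":
            http_rules.append((t[1], t[2], t[3], raw))
        elif t[:1] == ["route"] and len(t) >= 5:
            routes.append((t[1], t[2], t[3], t[4], raw))
        elif t[:1] == ["management-access"] and len(t) >= 2:
            mgmt.append((t[1], raw))
    return ifaces, http_rules, routes, mgmt


def audit(text):
    """Return a list of (finding_code, offending_line) tuples."""
    ifaces, http_rules, routes, mgmt = parse_config(text)
    findings = []
    for ip, mask, ifname, raw in http_rules:
        net = _net(ip, mask)
        if net.prefixlen == 0:
            # 0.0.0.0/0: PDM/HTTPS management open to every source on ifname
            findings.append(("HTTP_ANY_SOURCE", raw))
        elif ip == "0.0.0.0" and net.prefixlen == 32:
            # host 0.0.0.0/32 matches nothing; the line does not grant access
            findings.append(("HTTP_NULL_HOST", raw))
    for ifname, dest, mask, gw, raw in routes:
        gw_ip = ipaddress.ip_address(gw)
        dnet = _net(dest, mask)
        if dest == "0.0.0.0" and dnet.prefixlen != 0:
            # "route x 0.0.0.0 255.255.255.255 ..." is a /32, not a default route
            findings.append(("ROUTE_NOT_DEFAULT_MASK", raw))
        local = ifaces.get(ifname)
        if local is None:
            continue
        if gw_ip == local.ip:
            # next hop is the firewall's own interface address
            findings.append(("ROUTE_NEXTHOP_IS_SELF", raw))
        elif gw_ip not in local.network:
            # next hop is not on the interface's subnet (no PPPoE assumed)
            findings.append(("ROUTE_NEXTHOP_OFF_LINK", raw))
        if dnet == local.network:
            # static route to a directly connected network is never needed
            findings.append(("ROUTE_TO_CONNECTED", raw))
    for ifname, raw in mgmt:
        if ifname == "outside":
            findings.append(("MGMT_ACCESS_OUTSIDE", raw))
    return findings


if __name__ == "__main__":
    for code, line in audit(SAMPLE_CONFIG):
        print(f"{code:24} {line}")
```

On the thread's own config the interesting hits are `HTTP_ANY_SOURCE` for `http 0.0.0.0 0.0.0.0 outside` (the management plane is reachable from the whole Internet, guarded only by the PIX login) and `ROUTE_NEXTHOP_IS_SELF` for the default route pointing at 66.249.107.100, which is the outside interface address itself; a clean config with a host-specific `http` entry and a next hop on the outside subnet produces no findings.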