  • Status: Solved

Can't access ASA 5505 via webpage!

Hi, after exporting the configuration from an ASA 5505 to a new ASA 5505, I cannot get into the new ASA web GUI "ASDM". When I put the device address in the browser, it sends me normally to the user/password prompt, and after I put in the info and try to log in I get a "page cannot be displayed" error and cannot access the web GUI. If I try putting in an incorrect password, I remain at the prompt.

 Everything else works fine. I also can access the GUI on the old ASA5505.

Asked by: Comptx

Voltz-dk commented:
Is it the same version of ASDM you are running on both?
Is there any help to get from syslogs?

Is there maybe some difference in crypto keys?  These aren't in the config, so maybe the new one lacks such..
sh crypto key mypub rsa

(Although can't remember having seen that as a problem except for ssh..)

Comptx (Author) commented:
I don't know if they are the same version, but it shouldn't matter if I'm logging in to the device using its IP address, right? I don't see how that can affect the login. I will try that command and see what happens..

Voltz-dk commented:
There have been various incompatibilities with different versions of ASDM vs. different versions of Java.  Although I haven't seen any of them end up with page can't be displayed..

Please also try the logging.  That is have a console or telnet session open to the ASDM, and then turn on logging for it:

logging enable
(either of, depending on type of connection) logging monitor info OR logging console info
(if telnet or ssh connection, ie. monitor above) term moni

Now try your ASDM connection, and see what logs you get on the terminal screen.
You can disable it with prefix of no:
no logg moni
or
no logg cons

Comptx (Author) commented:
It doesn't recognize the logging enable command.. any other ideas?

Voltz-dk commented:
You are in enable mode, and then in configure mode?

ciscoasa> en
Password: ********
ciscoasa# conf t
ciscoasa(config)#
---
From this mode it should..

Comptx (Author) commented:
OK, I get

TCP access denied by ACL from 10.200.1.12 (my pc ip) to inside 10.200.1.1 (asaip)

Any command to allow me in?

Comptx (Author) commented:
Or to allow any PC connected to the inside interface to access it?

Voltz-dk commented:
Hm, I would have thought you'd never be asked user name then..  Didn't it write anything else?

Command to allow all inside:

http 0 0 inside

Voltz-dk commented:
And did you check the key?  If you don't have one, generate it:

crypto key generate rsa mod 1024

Comptx (Author) commented:
I should have told you: when I replace the old ASA with the new one, I can get to the user/pass screen. Now I have the new ASA on its own, connected to my laptop just for troubleshooting, and I assigned myself an IP from the internal range to be able to access it. Here I don't get anything; as soon as I type the address in the browser it stays loading and I get the denied messages.

Comptx (Author) commented:
OK, we are making progress; now I can get to the user/pass screen with the http 0 0 command, but I get page cannot be displayed after I put in credentials.

And I did not see that key in the config, so I added it. Did some stuff, then I tried, but still couldn't get to ASDM.

Comptx (Author) commented:
To make it more clear: after user/pass, what I get exactly is an HTTP 404 Not Found (page cannot be displayed).

Voltz-dk commented:
Ok, can you display it here?  The output of the following commands:

sh vers
sh run asdm
sh run http
sh crypto key mypub rsa

And maybe also what syslog you are getting now, as I take it that is different from before.

Comptx (Author) commented:
sh ver

Sv1 session.-server enab
%ASA-6-725003: SSL client
comptx(config)#.12/1149 reques
comptx(config)#ious ses      
comptx(config)#              
comptx(config)#ec transform-se
comptx(config)# sh version-6-725002: Device complete

Cisco Adaptive Security Appliance Software Version 7.2(4)side_map 1 match address outside_1_cryptomap            

Compiled on Sun 06-Apr-08 13:39 by builders from 10.200.1.12/1149 to inside:10.200.1.1
System image file is "disk0:/asa724-k8.bin"302010: 0 in use, 1 most used              
Config file at boot was "startup-config"007: SSL session with client inside:10.2

comptx up 1 day 1 hour                      

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
%ASA-6-302014: Teardown TCP connection 13 for ins
Internal ATA Compact Flash, 128MB_map interface outside          
BIOS Flash M50FW080 @ 0x    
             
   
telnet 10.200.1.5 255.255.
00.1.12/1150) to NP Iden
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03            
console timeou
%ASA-6-725001: Starting SSL handshake with cli
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

tftp-server inside 10.200.1.5 \asa.b
 8: Ext: Ethernet0/7         : address is 0024.97d6.a000, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: ***
Running Activation Key: ***
Configuration register is 0x1
Configuration last modified by enable_15 at 11:03:32.871 UTC Tue Apr 28 2009

sh run asdm

comptx(config)# sh run asdm
asdm image disk0:/asdm-523.bin
no asdm history enable

sh run http

comptx(config)# sh run http
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.200.1.5 255.255.255.255 inside

sh crypto key mypub rsa

comptx(config)# sh crypto key mypub rsa
Key pair was generated at: 11:03:32 UTC Apr 28 2009
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

comptx(config)#

Voltz-dk commented:
I don't think your ASDM is compatible.  Normally it will appear in show version, but it doesn't here.
I do notice your ASA version is 7.2(4) tho.
I see in the boot cmd for a potential ASDM, that it's set for 5.2(3) - that should be 5.2(4), and I am not sure it can work without that.

One final command to show result of:

sh flash:

Comptx (Author) commented:
comptx(config)# sh flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 8515584    Mar 10 2009 08:05:30 asa724-k8.bin
  7 4181246    Mar 10 2009 08:06:28 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Mar 10 2009 08:06:48 sslclient-win-1.1.0.154.pkg
  9 6514852    Mar 10 2009 08:08:30 asdm-524.bin
 12 0          Mar 10 2009 08:12:38 crypto_archive

107458560 bytes available (19652608 bytes used)

Voltz-dk commented:
Aha, it does have the proper version.. It's just not been updated to use it.

So do this command, and let's cross our fingers:

asdm image disk0:/asdm-524.bin

Comptx (Author) commented:
OK, I did it; should I

clear xlate
write mem  

 after that?

Voltz-dk commented:
clear xlate shouldn't be needed, but yes write mem.

Comptx (Author) commented:
That worked perfectly. After typing the address in the browser, it sent me straight to the menu where I can click to launch ASDM.  No password prompt, tho..  But I should just be able to create one again in the GUI, eh?

Comptx (Author) commented:
Thanks a lot

Voltz-dk commented:
Well if you had kept the browser open after typing it earlier, it would have cached it.  I believe it will ask for password even if it is a blank one (as default is).
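
An added example, not part of the original thread and not Cisco tooling: a small Python check over the `show run` and `show flash` output posted above, flagging the condition that produced the 404 here (the configured `asdm image` is not present in flash) and the any-host `http` management rule. The function names and the combined sample text are constructed for illustration, and the `disk0:/` prefix is assumed from the output in this thread.

```python
import re

# Constructed sample: the 'show run asdm' / 'show run http' and 'show flash'
# lines posted in this thread, combined into two strings.
SHOW_RUN = """\
asdm image disk0:/asdm-523.bin
no asdm history enable
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.200.1.5 255.255.255.255 inside
"""
SHOW_FLASH = """\
-#- --length-- -----date/time------ path
  6 8515584    Mar 10 2009 08:05:30 asa724-k8.bin
  7 4181246    Mar 10 2009 08:06:28 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Mar 10 2009 08:06:48 sslclient-win-1.1.0.154.pkg
  9 6514852    Mar 10 2009 08:08:30 asdm-524.bin
 12 0          Mar 10 2009 08:12:38 crypto_archive
"""

def flash_files(show_flash):
    """Return the set of file names listed by 'show flash'."""
    row = re.compile(r"\s*\d+\s+\d+\s+\w{3}\s+\d+\s+\d{4}\s+[\d:]+\s+(\S+)$")
    return {m.group(1) for m in map(row.match, show_flash.splitlines()) if m}

def audit(show_run, show_flash):
    """Return findings for the ASDM image reference and the HTTP management ACL."""
    findings = []
    files = flash_files(show_flash)
    # Assumption: the image lives on disk0:, as in the thread's output.
    m = re.search(r"^asdm image disk0:/(\S+)$", show_run, re.M)
    if not m:
        findings.append("no 'asdm image' configured")
    elif m.group(1) not in files:
        present = sorted(f for f in files if f.startswith("asdm-"))
        findings.append(f"asdm image {m.group(1)} not in flash; present: {present}")
    # 'http <net> <mask> <interface>' with an all-zero mask admits any host.
    for net, mask, ifc in re.findall(r"^http (\S+) (\S+) (\S+)$", show_run, re.M):
        if mask == "0.0.0.0":
            findings.append(f"http management open to any host on {ifc}")
    return findings

if __name__ == "__main__":
    for finding in audit(SHOW_RUN, SHOW_FLASH):
        print(finding)
```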