Solved

Problems connecting to ASA 5505 ASDM and VPN.

Posted on 2013-01-15
13
763 Views
Last Modified: 2013-01-30
We have a Cisco ASA 5505 that has randomly blocked all incoming VPN connections including our site to site VPN connection. The Site to Site VPN actually connects, but no data is passed. I am also not able to access the inside interface of the device using HTTPS which worked previously. Nothing had changed on this device for months so I'm confused as to what has  happened. I've also tried resetting the device back to defaults and loading a newer version of the ASA operating system with the same results. Has anyone else had this problem before? Could the device be going bad? I've attached my sanitized config.

Thank you
12-28-2012-Comcast-Sanitized.txt
0
Comment
Question by:DataDudes
  • 8
  • 5
13 Comments
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780304
If you some how find a way to get in to the device, configure 'management-access inside' in global config mode.

If you were able to manage the device before and all of a sudden things broke, I'd verify there isn't an issue with the ASA itself.
0
 
LVL 2

Author Comment

by:DataDudes
ID: 38780315
I went out with a console cable and was able to access it just fine with that. I was also able to access the CLI through telnet. The odd thing is that HTTPS, SSH, and VPN all broke without anyone touching that device. Could this be a problem with something cryptography related?

Just a thought
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780327
That is interesting, any indication of what's going on in the logs?
0
 
LVL 2

Author Comment

by:DataDudes
ID: 38780336
What command should I be using to get some useful information out of logging?
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780360
Try 'sh log' to start and see if there is anything fishy. Try and access the device via SSH/HTTP and verify if it is being denied in the logs. Have you tried enabling management-access inside?

Verify that the VPN is up as well show crypto isakmp sa
0
 
LVL 2

Author Comment

by:DataDudes
ID: 38780618
When I type sh log this is what I get:

Syslog logging: enabled
    Facility: 22
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 22, 78489 messages logged
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 78488 messages logged


I know the syslog server doesn't exist anymore. Is there a way to have the logs displayed in the telnet session?
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 5

Expert Comment

by:Leeeee
ID: 38780718
Enable buffer logging:

ASA#conf t
ASA(config)#logging enable
ASA(config)#logging buffered
ASA(config)#terminal monitor (log to ssh or telnet session)

Enable management to inside network over VPN:
ASA(config)# management-access inside
0
 
LVL 2

Author Comment

by:DataDudes
ID: 38783359
I tried the above and received this:
(config)# logging buffered
ERROR: % Incomplete command


I also don't see anything being logged while in the terminal
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38783408
logging buffered debug
0
 
LVL 2

Author Comment

by:DataDudes
ID: 38787266
I have to type "show log" to get a chunk of log file displayed to the screen. So far, by doing this, I haven't seen any mention of me trying to connect to SSH or HTTPS. Is there maybe a way to limit what's displayed on the log file to just the IP I'm trying to access HTTPS/SSH from?

Thanks
0
 
LVL 2

Author Comment

by:DataDudes
ID: 38801327
Any other ideas on this one?

Thanks
0
 
LVL 2

Assisted Solution

by:DataDudes
DataDudes earned 0 total points
ID: 38819596
I ended up replacing that device with another ASA 5505 and reloading the configuration on that device. It seems to be working fine so my guess is the original ASA was bad in some way.
0
 
LVL 2

Author Closing Comment

by:DataDudes
ID: 38834535
Found that the device was bad
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
NSD FAIL 2 19
Quick cusco 2091 setup 5 19
server plus 2 43
static routing issue no access to public internet 7 15
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now