Solved

Help enabling http access for Cisco ASA - (ET)

Posted on 2016-09-23
Last Modified: 2016-10-07
I'm having trouble enabling http on my Cisco ASA. I am trying to do this so I can download and use the Cisco ASDM.

You'll see in the screenshot I already ran:
http server enable
http 192.168.1.0 255.255.255.0 inside


However, when I try to browse to my device the page still won't open.
I tried browsing to it using the following:
http://192.168.1.1
https://192.168.1.1
http://192.168.1.1/admin
https://192.168.1.1/admin

None of these are working.


cisco asa ssh
Question by:tabush
20 Comments
 
LVL 14

Expert Comment

by:SIM50
ID: 41812991
Do you have asdm image specified?
0
 
LVL 2

Author Comment

by:tabush
ID: 41813008
Not that I'm aware of. What's that for and how do I set that?
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41813020
Do "sh run | i asdm". If nothing comes up, check flash for asdm image "sh flash" and then configure it with "asdm image disk0:/asdm-xxx.bin".
0

 
LVL 14

Expert Comment

by:SIM50
ID: 41813041
I also see aaa only for ssh. You will need one for https too.
aaa authentication http console LOCAL
0
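The settings named so far in this thread (`http server enable`, an `http <network> <mask> <interface>` entry covering the client, an `asdm image` line and `aaa authentication http console`) can be checked against a saved running-config in one pass. This is an added example, not code from any poster; the sample config is constructed, and the function names and finding codes are hypothetical.

```python
import ipaddress

# Constructed sample, modelled on the commands quoted in this thread.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
asdm image disk0:/asdm-xxx.bin
"""

def http_allow_entries(lines):
    """Yield (network, interface) for each 'http <ip> <mask> <if>' line."""
    for line in lines:
        tok = line.split()
        if len(tok) == 4 and tok[0] == "http":
            try:
                yield ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False), tok[3]
            except ValueError:
                continue  # not an address/mask pair, e.g. 'http server enable 8443'

def audit_asdm_access(config, client_ip):
    """Return finding codes for settings that block or over-expose ASDM."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    client = ipaddress.ip_address(client_ip)
    allows = list(http_allow_entries(lines))
    findings = []
    if not any(l.startswith("http server enable") for l in lines):
        findings.append("http-server-disabled")
    if not any(client in net for net, _ in allows):
        findings.append("client-not-permitted")
    if not any(l.startswith("asdm image ") for l in lines):
        findings.append("no-asdm-image")
    if not any(l.startswith("aaa authentication http console") for l in lines):
        findings.append("no-aaa-http")
    # Hardening: management access should not be open to every source.
    for net, ifname in allows:
        if net.prefixlen == 0:
            findings.append(f"http-open-to-any:{ifname}")
    return findings

if __name__ == "__main__":
    print(audit_asdm_access(SAMPLE_CONFIG, "192.168.1.50"))
```

The check covers configuration lines only; it does not test whether the ASDM image is compatible with the ASA software version.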
 
LVL 57

Expert Comment

by:Pete Long
ID: 41813490
0
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 41814761
I see your SNMP info points to a host on 192.168.1.0/24. Can we assume that the internal/private subnet that you're trying to access the ASDM on is actually on the 192.168.1.0/24 as well?

MO
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 41814905
Hi,

You are missing a very useful wivered syntax. In ASA you always have to apply this syntax in policy; unless and until you define it in policy you will not be able to access the http server, whereas on a router it works with the given syntax. So, please follow these steps in order to access the http server.

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect http

It should work if you apply this syntax in ASA configuration mode.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41815431
http inspection does not have to be on, to access the ASDM?

Here's mine:

PetesASA# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect ipsec-pass-thru 
  inspect ip-options 
  inspect pptp 
 class class-default
  set connection decrement-ttl
!



And the ASDM works fine?

P
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41816035
Service policies and ACLs (with one exception) on ASA are for the pass-through traffic. The traffic directed at the ASA itself isn't filtered by them. The one exception for ACLs is the keyword "control-plane", which allows you to filter control-plane traffic destined to the ASA.
0
 
LVL 2

Author Comment

by:tabush
ID: 41816170
Thanks everyone for your answers. I am still having trouble though.
@sim50. Yes, it does look like it was enabled. See screenshot. Not sure if "no asdm history enabled" is an issue.
ASDM image file
I also ran this command, however I don't think it helped: aaa authentication http console LOCAL
Or is there a different command I should run for enabling https?

@michael. Yes, I am trying to connect from a computer in that subnet.

@Feroz. I ran the first 2 commands, however I'm hesitant to run the third because I don't know what effect it will have on my network.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41816180
What page do you get when you go to https://192.168.1.1?
What's your current version on ASA? sh ver
ASDM 5.22 is very old.

aaa authentication http console LOCAL - this configures authentication so you could login with the local user name/pw.
0
 
LVL 2

Author Comment

by:tabush
ID: 41816214
Software version 8.2 (5) 59

I get "this webpage cannot be found" from IE.
Chrome says "404 Not Found. The requested URL /admin/public/index.html was not found on this server."
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41816227
That version of ASDM is not compatible with your ASA version. Download newer version from Cisco.com, upload it and do the following:
no asdm image disk0:/asdm-522.bin
asdm image disk0:/asdm-xxx.bin

asdm-xxx.bin is the new file.
0
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 41816232
@tabush,

You should update the System and ASDM software. That version is quite old. Can you serial into the device and update the software via TFTP?

MO
0
 
LVL 2

Author Comment

by:tabush
ID: 41820137
Thank you.
That might be the only option, however we're going to leave it on the current version. We're planning on replacing it very soon and don't want to make any big changes before we do so.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41820180
You don't need to upgrade ASA image, just ASDM image. ASA image upgrade is optional.
0
 
LVL 2

Author Comment

by:tabush
ID: 41820189
Are you able to attach that image file to this thread? This device doesn't have an active license with Cisco so I cannot log in and download it.
0
 
LVL 16

Accepted Solution

by:Michael Ortega
Michael Ortega earned 250 total points
ID: 41820220
@SIM50,

Yes, you don't need to update the system image, which is why I only mentioned that you should update the system image as well as the ASDM image.

Attached is a recent ASDM image. Just rename it from .txt to .bin.

MO
asdm-762.txt
0
 
LVL 1

Expert Comment

by:Muhannad Abushamma
ID: 41833543
Dear Tabush,

Try to reset the rsa keys, and test again.

Also it will be great if you provide me with show run all output.

Regards,
Muhannad
0
 
LVL 2

Author Closing Comment

by:tabush
ID: 41833707
Thank you for your help.
0
