ASDM 524 not working on PIX 515e 7.2.4(30)

playdekit (IS-IT--Management), May 21, 2012
Hi,

I've been struggling to get ASDM (PDM) installed and running on my PIX 515e.
The PIX IOS version is 7.2.4(30)
The ASDM version I've copied to flash is 524.

I've followed the Cisco documentation verbatim; however, I still cannot connect via the Java ASDM client or http.
When I try to connect via http, my PIX shows the following error:
"tcp access denied by acl from..."
I do not think this is a security (ACL) issue, as I've tested this after opening everything up and still no luck.

Please let me know if you can figure this one out.

...and here's my running config (w/ the relevant statements prepended with ">>>"):

----------------------------------------------
show run
: Saved
:
PIX Version 7.2(4)30
hostname ########
domain-name ########
enable password ######## ########
passwd ######## ########
names
dns-guard
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address ###.###.###.### 255.255.255.248
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.16.1.250 255.255.255.0
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ########
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended deny ip host ###.###.###.### any
access-list acl_in extended permit tcp any host ###.###.###.### eq ####
...
access-list acl_in extended permit tcp any host ###.###.###.### range #### ####
access-list acl_in extended permit tcp any host ###.###.###.### eq #### log
access-list acl_out extended permit ip any any
access-list acl_out extended permit tcp host 10.16.1.125 any eq ####
access-list acl_out extended deny tcp any any eq smtp
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq #### log
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq #### log
access-list ACL_pdgs extended permit tcp any host ###.###.###.### eq #### log
access-list acl_pri_in extended permit ip any any
pager lines 24
logging enable
logging standby
logging console warnings
logging monitor errors
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 10.16.1.13
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
>>> asdm image flash:/asdm-524.bin
>>> asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.16.0.0 255.255.0.0
nat (inside) 1 10.160.0.0 255.255.0.0
static (inside,outside) tcp ###.###.###.### ftp 10.16.1.105 ftp netmask 255.255.255.255
...
static (inside,outside) tcp ###.###.###.### #### 10.16.1.52 #### netmask 255.255.255.255
static (inside,outside) ###.###.###.### 10.16.1.125 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group acl_in in interface outside
access-group acl_pri_in in interface inside
access-group acl_pri_in out interface inside
route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1
route inside 10.1.0.0 255.255.0.0 10.16.1.254 1
route inside 10.3.0.0 255.255.0.0 10.16.1.254 1
route inside 10.16.0.0 255.255.0.0 10.16.1.254 1
route inside 10.18.0.0 255.255.0.0 10.16.1.254 1
route inside 10.19.0.0 255.255.0.0 10.16.1.254 1
route inside 10.100.0.0 255.255.0.0 10.16.1.254 1
route inside 10.160.0.0 255.255.0.0 10.16.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication telnet console LOCAL
>>> http server enable
>>> http 10.16.1.0 255.255.255.0 inside
snmp-server host inside 10.16.4.155 community public
snmp-server location ########
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.16.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 5
dhcpd auto_config outside
priority-queue outside
tftp-server outside 199.120.223.1 /pix.cfg
username superroot password oazMD.5jOUdNYLKe encrypted privilege 15
class-map CM_pdgs
match access-list ACL_pdgs
class-map inspection_default
match default-inspection-traffic
policy-map PM_pdgs
class CM_pdgs
priority
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
service-policy PM_pdgs interface outside
prompt hostname context
Cryptochecksum:89cbb84d365653943ab73a186b130019
: end
----------------------------------------------
Well, I don't see where you have allowed the IP address for your workstation or the network address for whoever is on that network to be allowed to run ASDM on the desktop. Also, connecting to the firewall will be over SSH.

Example: ssh 10.16.1.XXX 255.255.255.0 inside

The 10.16.1.xxx is the address of an internal workstation you will use to connect to the firewall. I think you could specify 10.16.1.0 and it will allow all workstations on that network, but that would be something I would not do.

I think that might do you.
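An added audit helper (not from the thread and not Cisco's code) that reads the management-plane lines of a PIX/ASA running config: it answers whether a given client address, arriving on a given interface, is covered by the `http`, `ssh` or `telnet` allow-list (the first thing to verify when ASDM or the browser launcher is refused), and flags the weak settings visible in the posted config (SSH version 1, an SNMP community of `public`, a /16 telnet source range). The config text is a constructed sample modelled on the management lines of the posted one; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines of the posted config, trimmed.
SAMPLE_CONFIG = """\
http server enable
http 10.16.1.0 255.255.255.0 inside
telnet 10.16.0.0 255.255.0.0 inside
ssh version 1
snmp-server host inside 10.16.4.155 community public
"""

# Shape: http|ssh|telnet <network> <mask> <interface>. Lines such as
# "http server enable", "ssh version 1" or "telnet timeout 60" do not match.
ACCESS_RE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.M)

def management_allow_lists(config):
    """Map each management service to the (network, interface) pairs allowed to reach it."""
    allow = {"http": [], "ssh": [], "telnet": []}
    for service, host, mask, interface in ACCESS_RE.findall(config):
        net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
        allow[service].append((net, interface))
    return allow

def is_permitted(config, service, client_ip, interface):
    """True if client_ip arriving on interface is covered by an allow line for service."""
    client = ipaddress.ip_address(client_ip)
    return any(client in net and intf == interface
               for net, intf in management_allow_lists(config)[service])

def weak_management_settings(config):
    """Flag management-plane settings a reviewer would want changed or explained."""
    findings = []
    if not re.search(r"^http server enable\s*$", config, re.M):
        findings.append("http server disabled: ASDM and the browser launcher cannot connect")
    if re.search(r"^ssh version 1\s*$", config, re.M):
        findings.append("ssh version 1: only SSHv2 should be accepted")
    if re.search(r"^snmp-server .*\bcommunity public\b", config, re.M):
        findings.append("snmp community 'public': default read community string")
    for net, intf in management_allow_lists(config)["telnet"]:
        if net.prefixlen < 24:
            findings.append(f"telnet (cleartext) allowed from {net} on {intf}")
    return findings

if __name__ == "__main__":
    print(is_permitted(SAMPLE_CONFIG, "http", "10.16.1.50", "inside"))  # True
    for finding in weak_management_settings(SAMPLE_CONFIG):
        print("-", finding)
```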