ASDM and WebVPN Enabled on the Same Interface of ASA

Document ID: 72893

Updated: Jan 11, 2007

Introduction

This document provides information on how Adaptive Security Device Manager (ASDM) and WebVPN are enabled on the same interface of the Cisco 5500 Series Adaptive Security Appliances (ASA).

Note: This document is not applicable for the Cisco 500 Series PIX Firewall, because it does not support WebVPN.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on the Cisco 5500 Series ASA.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem

In versions before 8.0(2), ASDM and WebVPN cannot be enabled on the same interface of the ASA, because both listen on the same port, 443, by default. Beginning with version 8.0(2), the ASA supports both clientless SSL VPN (WebVPN) sessions and ASDM administrative sessions simultaneously on port 443 of the outside interface.

Solution(s)

In order to overcome this problem, change either the HTTPS server port number used to launch ASDM or the listening port for WebVPN.

Solution 1

Complete these steps:

  1. Configure the HTTPS server to listen on a different port. This changes the ASDM-related configuration on the ASA, as shown here:

    ASA(config)#http server enable <1-65535>
    
    
    configure mode commands/options:
      <1-65535>  The management server's SSL listening port. TCP port 443 is the
                 default.

    This is an example:

    ASA(config)#http server enable 65000
    
  2. After you change the default port configuration, launch ASDM from a supported web browser on the security appliance network, using this format:

    https://interface_ip_address:<customized port number>
    
    

    This is an example:

    https://192.168.1.1:65000
    

Solution 2

Complete these steps:

  1. Configure WebVPN to listen on a different port. This changes the WebVPN-related configuration on the ASA, as shown here:

    
    !--- Enable the WebVPN feature on the ASA.
    
    ASA(config)#webvpn
    
    !--- Enables WebVPN for the outside interface of ASA.
    
    ASA(config-webvpn)#enable outside
    
    !--- Allow the ASA to listen to the WebVPN traffic on the customized 
    !--- port number.
    
    ASA(config-webvpn)#port <1-65535>
    
    webvpn mode commands/options:
      <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the
                 default.

    This is an example:

    ASA(config)#webvpn
    ASA(config-webvpn)#enable outside
    ASA(config-webvpn)#port 65010
    
  2. After you change the default port configuration, open a supported web browser and connect to the WebVPN server, using this format:

    https://interface_ip_address:<customized port number>
    
    

    This is an example:

    https://192.168.1.1:65010
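
As an added example (not part of the original Cisco document), this Python script checks a saved running-config for the port clash described in the Problem section, which matters on versions before 8.0(2), and confirms that either solution removes it. The config fragments are constructed samples, the function names are illustrative, and the script assumes the ASDM interface is identified by an IPv4 `http <ip> <mask> <interface>` line, a command this page does not show.

```python
import re

# Constructed running-config fragments (not from a real device).
BASE = "http 0.0.0.0 0.0.0.0 outside\nwebvpn\n enable outside\n"
CONFLICTING = "http server enable\n" + BASE              # both default to 443
SOLUTION_1 = "http server enable 65000\n" + BASE         # ASDM moved
SOLUTION_2 = "http server enable\n" + BASE + " port 65010\n"  # WebVPN moved

def listeners(config):
    """Return ({interface: port} for ASDM, {interface: port} for WebVPN)."""
    asdm_port = web_port = None
    asdm_ifs, web_ifs, in_webvpn = set(), set(), False
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command
            in_webvpn = words == ["webvpn"]
            if words[:3] == ["http", "server", "enable"]:
                asdm_port = int(words[3]) if len(words) > 3 else 443
            elif (words[0] == "http" and len(words) == 4
                  and re.fullmatch(r"[\d.]+", words[1])):
                asdm_ifs.add(words[3])        # http <ip> <mask> <interface>
        elif in_webvpn and len(words) == 2:   # inside the webvpn submode
            if words[0] == "enable":
                web_ifs.add(words[1])
            elif words[0] == "port":
                web_port = int(words[1])
    # No "http server enable" line means ASDM is not listening at all.
    asdm = {i: asdm_port for i in asdm_ifs} if asdm_port else {}
    web = {i: web_port or 443 for i in web_ifs}
    return asdm, web

def port_conflicts(config):
    """List (interface, port) pairs where ASDM and WebVPN would both listen."""
    asdm, web = listeners(config)
    return sorted((i, p) for i, p in asdm.items() if web.get(i) == p)

if __name__ == "__main__":
    for name, cfg in [("conflicting", CONFLICTING), ("solution 1", SOLUTION_1),
                      ("solution 2", SOLUTION_2)]:
        print(name, port_conflicts(cfg) or "no conflict")
```
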
    
