ASDM and WebVPN Enabled on the Same Interface of the ASA

Available Languages

Updated:March 23, 2015
Document ID:118842

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to access the Cisco Adaptive Security Device Manager (ASDM) and the WebVPN portal when they are both enabled on the same interface of the Cisco 5500 Series Adaptive Security Appliance (ASA).

Note: This document is not applicable for the Cisco 500 Series PIX Firewall, because it does not support WebVPN.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on the Cisco 5500 Series ASA.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem

In ASA versions earlier than Version 8.0(2), ASDM and WebVPN cannot be enabled on the same interface of the ASA, as both listen on the same port (443) by default. In Versions 8.0(2) and later, the ASA supports both clientless Secure Sockets Layer (SSL) VPN (WebVPN) sessions and ASDM administrative sessions simultaneously on Port 443 of the outside interface. However, when both services are enabled together, the default URL for a particular interface on the ASA always defaults to the WebVPN service. For example, consider this ASA configuration data:

rtpvpnoutbound6# show run ip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.150.172.46 255.255.252.0 
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Vlan5
 nameif test
 security-level 0
 ip address 1.1.1.1 255.255.255.255 pppoe setroute 
!
rtpvpnoutbound6# show run web
webvpn
 enable outside
 enable dmz
 anyconnect image disk0:/anyconnect-win-3.1.06078-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.06079-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url

rtpvpnoutbound6#  show run http
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 dmz
http 0.0.0.0 0.0.0.0 outside

rtpvpnoutbound6# show run tun
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ap_fw-policy
 authentication-server-group ldap2
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-url https://rtpvpnoutbound6.cisco.com/admin enable
 without-csd

Solution

In order to resolve this issue, you can either use the appropriate URL in order to access the respective service or change the port on which the services are accessed.

Note: One disadvantage with the latter solution is that the port is changed globally, so every interface is affected by the change.

Use the Appropriate URL

In the example configuration data provided in the Problem section, the outside interface of the ASA can be reached by HTTPS via these two URLs:

https://<ip-address> <=> https://10.150.172.46
https://<domain-name> <=> https://rtpvpnoutbound6.cisco.com

However, if you attempt to access these URLs while WebVPN service is enabled, the ASA redirects you to the WebVPN portal:

https://rtpvpnoutbound6.cisco.com/+CSCOE+/logon.html

In order to access ASDM, you can use this URL:

https://rtpvpnoutbound6.cisco.com/admin

Note: As shown in the example configuration data, the default tunnel group has a group-url defined with use of the group-url https://rtpvpnoutbound6.cisco.com/admin enable command, which should conflict with the ASDM access. However, the URL https://<ip-address/domain>/admin is reserved for ASDM access, and if you set it under the tunnel group, there is no effect. You are always redirected to https://<ip-address/domain>/admin/public/index.html.

Change the Port on which Each Service Listens

This section describes how to change the port for both the ASDM and WebVPN services.

Change the Port for the HTTPS Server Service Globally

Complete these steps in order to change the port for the ASDM service:

  1. Enable the HTTPS server to listen on a different port in order to change the configuration that is related to the ASDM service on the ASA, as shown here:
    ASA(config)#http server enable <1-65535>

    configure mode commands/options:
      <1-65535>  The management server's SSL listening port. TCP port 443 is the
                 default.
    Here is an example:
    ASA(config)#http server enable 65000
  2. After you change the default port configuration, use this format in order to launch the ASDM from a supported web browser on the security appliance network:
    https://interface_ip_address:<customized port number>
    Here is an example:
    https://192.168.1.1:65000

Change the the Port for the WebVPN Service Globally

Complete these steps in order to change the port for the WebVPN service:

  1. Allow WebVPN to listen on a different port in order to change the configuration that is related to the WebVPN service on the ASA:

    1. Enable the WebVPN feature on the ASA:
      ASA(config)#webvpn
    2. Enable the WebVPN service for the outside interface of the ASA:
      ASA(config-webvpn)#enable outside
    3. Allow the ASA to listen to the WebVPN traffic on the customized port number:
      ASA(config-webvpn)#port <1-65535>

      webvpn mode commands/options:
        <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the
                   default.
    Here is an example:
    ASA(config)#webvpn
    ASA(config-webvpn)#enable outside
    ASA(config-webvpn)#port 65010
  2. After you change the default port configuration, open a supported web browser and use this format in order to connect to the WebVPN server:
    https://interface_ip_address:<customized port number>
    Here is an example:
    https://192.168.1.1:65010

Related Information

Revision History

Revision Publish Date Comments
1.0
23-Mar-2015
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Atri Basu
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco