Tuesday, February 16, 2010

Changing the ASDM Port on a Cisco ASA

I very rarely ever use the Cisco GUI ASDM configuration tool. I've been a CLI guy my whole career. There's just something not right about being a Cisco guy, and using the GUI. Almost, always!

Yes, there are some exceptions. For instance, when you want to run the packet tracer utility. You can do it in the CLI, but I wouldn't recommend it. It's way too complicated, and who has time to figure out the hard way, when there's an easy way?

It's also very nice to use ASDM to monitor used system resources on the ASA.

But, what if you have already mapped a static connection using tcp/443 to your outside interface?

In this case, the default ASDM configuration will not work, because the static command will take precedence over the ASDM configuration. So, the default ASDM port will need to be changed from tcp/443 to something else.

You can accomplish this by using the following command:
hostname(config)# http server enable [port]
For instance, to change the ASDM port to tcp/444, use the following statement:
hostname(config)# http server enable 444
Now you will be able to open a web browser and point it to your ASA's external IP address, using port 444. How? Well, let's say your ASA's IP address is You can get to the ASDM by pointing your web browser to:

That will get you where you want to be.

Thursday, February 11, 2010

See you at Cisco Live!

I'll be there. It's in Las Vegas, again. But, that's okay. I think the best Cisco Live conferences are held in Vegas. Not because of the 'nite life', or other adult indiscretions (of which I have no desire to waste my time with). But, because Vegas knows how to accommodate 20,000 socially inept network engineers. There's enough space at the conference centers to allow for the bulky backpacks and the buffet tables.

Now to wait for the scheduler to open, so I can be involved in the geeky equivalent to Black Friday.

What do you look forward to at Cisco Live?

Tuesday, February 2, 2010

Changing TCP Port for Remote Access VPN Connections

Firewalls of the MindImage by beedieu via Flickr

Has it really been almost two months since I've written a blog post? Wow.

I recently experienced an issue with a customer that could not establish a remote access VPN connection to their Cisco ASA from a hotel. The hotel was blocking the standard UDP (500) port, and would not allow the alternate TCP/10000 port, to establish the connection.

Fortunately, this is not the first time I, or Cisco, have experienced this issue.

Using IPSec over TCP, we can control the port on the firewall that will respond to the remote access requests. When the tunnel is established, both VPN devices (Cisco ASA and the VPN client) pass traffic using the same connection.

To change the TCP port that the client will use to connect to the ASA, use the 'isakmp ipsec-over-tcp port' command. The Cisco ASA allows up to ten TCP port to be used for this feature. So, you can keep the default TCP/10000 and add TCP/80, by entering the following command:
crypto isakmp ipsec-over-tcp port 80 10000
Reblog this post [with Zemanta]