Document ID: 72893
Updated: Jan 11, 2007
Introduction
This document provides information on how Adaptive Security Device Manager (ASDM) and WebVPN are enabled on the same interface of the Cisco 5500 Series Adaptive Security Appliances (ASA).
Note: This document is not applicable for the Cisco 500 Series PIX Firewall, because it does not support WebVPN.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- WebVPN configuration: Refer to the Configuring WebVPN section of Cisco Security Appliance Command Line Configuration Guide for more information.
- Basic configuration required to launch ASDM: Refer to the Configuring the Security Appliance for ASDM Access section of Cisco Security Appliance Command Line Configuration Guide for more information.
Components Used
The information in this document is based on the Cisco 5500 Series ASA.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Problem
In versions before 8.0(2), ASDM and WebVPN cannot be enabled on the same interface of the ASA, as both are listening on the same port, 443, by default. Beginning with version 8.0(2), the ASA supports both clientless SSL VPN (WebVPN) sessions and ASDM administrative sessions simultaneously on Port 443 of the outside interface.
Solution(s)
You can either change the https server port number for launching ASDM, or the listening port for WebVPN in order to overcome this problem.
Solution 1
Complete these steps:
- Change the ASDM-related configuration on the ASA so that the https server listens on a different port, as shown here:
ASA(config)#http server enable <1-65535>
configure mode commands/options:
  <1-65535>  The management server's SSL listening port. TCP port 443 is the default.
This is an example:
ASA(config)#http server enable 65000
- After you change the default port configuration, launch the ASDM from a supported web browser on the security appliance network, in the format shown:
https://interface_ip_address:<customized port number>
This is an example:
https://192.168.1.1:65000
Solution 2
Complete these steps:
- Change the WebVPN-related configuration on the ASA so that WebVPN listens on a different port, as shown here:
!--- Enable the WebVPN feature on the ASA.
ASA(config)#webvpn
!--- Enables WebVPN for the outside interface of ASA.
ASA(config-webvpn)#enable outside
!--- Allow the ASA to listen to the WebVPN traffic on the customized
!--- port number.
ASA(config-webvpn)#port <1-65535>
webvpn mode commands/options:
  <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the default.
This is an example:
ASA(config)#webvpn
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#port 65010
- After you change the default port configuration, open a supported web browser and connect to the WebVPN server, in the format shown:
https://interface_ip_address:<customized port number>
This is an example:
https://192.168.1.1:65010
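To check a saved configuration for the overlap described under Problem (relevant to versions before 8.0(2)), the following added example, which is not part of the original Cisco document, reports each interface where the ASDM https server and WebVPN listen on the same port. It assumes the text is in running-config layout, with webvpn sub-commands indented under a top-level webvpn line and ASDM access granted by http <network> <mask> <interface> lines; the function name and the sample configurations are constructed for illustration.

```python
import re

def find_port_conflicts(config):
    """Return sorted (interface, port) pairs where ASDM and WebVPN share a listener."""
    asdm_port, asdm_ifaces = None, set()     # None: https server not enabled
    webvpn_port, webvpn_ifaces = 443, set()  # 443 is the default per the document
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command
            in_webvpn = (line == "webvpn")
            m = re.fullmatch(r"http server enable(?: (\d+))?", line)
            if m:
                asdm_port = int(m.group(1) or 443)
            # Assumed layout: http <network> <mask> <interface>
            m = re.fullmatch(r"http [\d.]+ [\d.]+ (\S+)", line)
            if m:
                asdm_ifaces.add(m.group(1))
        elif in_webvpn:                      # indented line inside the webvpn block
            m = re.fullmatch(r"enable (\S+)", line)
            if m:
                webvpn_ifaces.add(m.group(1))
            m = re.fullmatch(r"port (\d+)", line)
            if m:
                webvpn_port = int(m.group(1))
    if asdm_port is None or asdm_port != webvpn_port:
        return []
    return sorted((i, asdm_port) for i in asdm_ifaces & webvpn_ifaces)

# Constructed sample configurations (not taken from a real device).
BEFORE = """\
http server enable
http 192.168.1.0 255.255.255.0 outside
webvpn
 enable outside
"""
SOLUTION_1 = BEFORE.replace("http server enable", "http server enable 65000")
SOLUTION_2 = BEFORE + " port 65010\n"

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE), ("solution 1", SOLUTION_1),
                      ("solution 2", SOLUTION_2)]:
        print(name, find_port_conflicts(cfg))
```

An empty list means no interface has both services on the same port, which is the expected result after either Solution 1 or Solution 2.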