Cisco ASA Firewall – Web Administration and Web VPN

Cisco ASA Firewalls (ASA 5500 series) offer several ways for remote administration and management of the devices such as SSH access, Telnet access, and Web HTTP access. The last one (HTTP access) makes use of the ASDM (Adaptive Security Device Manager) which is a powerful graphical application for administration and management of the firewall device. The ASDM application file is stored on the firewall’s flash and is accessed by a browser using HTTPs.

To gain access to the graphical ASDM Web management tool you need to enable the HTTPs server on the firewall, and allow HTTPs connections.

Enabling HTTPs Access

  1. Generate cryptographic keys for HTTPs
  2. Enable the web server on the firewall
  3. Specify which management PCs are allowed to access the device

ASA(config)# crypto key generate rsa modulus 1024
ASA(config)# write mem
ASA(config)# http server enable
ASA(config)# http inside
ASA(config)# http inside

The example above enables HTTPs access and allows access only from two IP addresses ( and from the inside interface of the firewall.

Now, in order to access the Graphical ASDM web interface from a PC (e.g from PC with address, just open a web browser and enter the URL https://<inside firewall IP address>


Web VPN (or SSL VPN, or clientless VPN) is a new type of remote VPN access using a browser with HTTPs protocol. A remote teleworker for example can access internal corporate services and resources by using his/her secure browser. The teleworker just points the browser to the external public IP address of the corporate ASA firewall which authenticates the user and gives him secure access to the internal network.

However, if you use both ASDM and Web VPN on the same firewall interface, there is going to be a conflict since both of these services use the default HTTPs port (443). To avoid this conflict we can change the default listening port of the Web VPN service to something other than 443. Let's see an example:


ASA(config)# http server enable
ASA(config)# http outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

In the example above, we enabled HTTP access for management (ASDM) on the outside interface, and we have also enabled webvpn access on the outside using a different port (444). This way we avoid a conflict between the two services (ASDM access listens on the default port 443 and webvpn listens on port 444).

In this case, in order for a remote teleworker to access the firewall on the outside he needs to point his browser to https://<external IP of Firewall>:444
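The port conflict described above is easy to miss in a long running-config. The following is an added example (not from the original article or from Cisco) of a small Python check that parses the `http ... <interface>`, `http server enable [port]`, and `webvpn` / `port` / `enable <interface>` lines of a constructed ASA config excerpt and reports any interface on which ASDM and Web VPN would both listen on the same TCP port. The sample configs are constructed for illustration; the one-space indentation of webvpn subcommands mirrors how `show running-config` prints them.

```python
import re

# Constructed sample ASA running-config excerpts (not from a real device).
CONFLICTING_CONFIG = """
http server enable
http 0.0.0.0 0.0.0.0 outside
webvpn
 enable outside
"""

FIXED_CONFIG = """
http server enable
http 0.0.0.0 0.0.0.0 outside
webvpn
 port 444
 enable outside
"""


def parse_listeners(config):
    """Return (http_interfaces, http_port, webvpn_interfaces, webvpn_port)."""
    http_ifaces, webvpn_ifaces = set(), set()
    http_port = 443      # ASDM default when 'http server enable' carries no port
    webvpn_port = 443    # Web VPN default until 'port <n>' is set under webvpn
    in_webvpn = False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")     # subcommands are indented one space
        line = raw.strip()
        if not indented:
            in_webvpn = (line == "webvpn")  # entering/leaving the webvpn block
            m = re.match(r"http server enable(?: (\d+))?$", line)
            if m:
                if m.group(1):
                    http_port = int(m.group(1))
                continue
            m = re.match(r"http \S+ \S+ (\S+)$", line)   # http <ip> <mask> <if>
            if m:
                http_ifaces.add(m.group(1))
        elif in_webvpn:
            m = re.match(r"port (\d+)$", line)
            if m:
                webvpn_port = int(m.group(1))
            m = re.match(r"enable (\S+)$", line)
            if m:
                webvpn_ifaces.add(m.group(1))
    return http_ifaces, http_port, webvpn_ifaces, webvpn_port


def find_port_conflicts(config):
    """Interfaces where ASDM and Web VPN would both bind the same TCP port."""
    http_ifaces, http_port, webvpn_ifaces, webvpn_port = parse_listeners(config)
    if http_port != webvpn_port:
        return []
    return sorted(http_ifaces & webvpn_ifaces)
```

Run `find_port_conflicts` over the text of `show running-config` to flag interfaces that need a `port` change under `webvpn` before enabling both services.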

Multimedia Traffic Issues Through a Firewall

Multimedia applications (such as RealAudio, VoIP Telephony, Video Streaming etc) were always an issue when passing through a network firewall. These kinds of applications behave in unique ways:

  • They use dynamic ports.
  • They transmit requests using TCP and get responses in UDP or TCP.
  • They use the same port for source and destination.
  • For each multimedia request, the multimedia server might send numerous streams of data in reply.

All the above impose an “unacceptable” traffic behavior for a network firewall, thus multimedia traffic needs some special treatment in order to be permitted through the firewall.