Solved

Wrong ASDM software installed

Posted on 2008-02-08
Last Modified: 2012-08-14
So, I can't get into the ASDM anymore. I get an error message saying that the ASDM software is not compatible with the ASA software. Now I can't get into the ASA5510 via ASDM. How can I fix this?
Question by:FOTC
18 Comments
 
LVL 12

Expert Comment

by:tgtran
ID: 20853194
Download the appropriate ASDM from Cisco
Setup TFTP
Telnet or SSH into the ASA
Transfer the right ASDM to ASA via TFTP

0
 
LVL 8

Author Comment

by:FOTC
ID: 20853681
OK, so I got PuTTY and that TFTP.

I don't know how to change the file, though.
0
 
LVL 12

Accepted Solution

by:
tgtran earned 1000 total points
ID: 20854049
ssh or telnet into the ASA
show disk0:
~ this cmd shows what files are in flash and how much space is available
copy tftp disk0:
~ fill in the tftp info and the asdm file name

~ once done, you need to tell ASA to use the new asdm
sh run | i asdm
~ this is to find the old asdm in your config
conf t
no asdm image disk0:<whatever the file name is>
~ this is to tell ASA not to use the old asdm image (you can copy the line you found from "sh run.." above, add "no" and paste it - save some typing)
asdm image disk0:<name of the new asdm>
~ this is to set the new asdm image
exit
wr me
reload
~  exit out of conf mode, write changes to memory, and reboot the ASA
0
 
LVL 8

Author Comment

by:FOTC
ID: 20854487
I'm not so sure what I'm doing wrong. This is what I'm doing:

loginas: me
pwd: *********
router>enable
pwd:*******

router> show disk0:
-#- --length-- -----date/time------ path
  6 6764544    Jan 01 2003 00:05:06 asa712-k8.bin
  7 2160398    Jan 01 2003 00:05:34 securedesktop-asa-3.1.1.16.pkg
  8 398305     Jan 01 2003 00:05:48 sslclient-win-1.1.0.154.pkg
  9 5539756    Feb 09 2008 18:05:02 asdm512-k8.bin


240484352 bytes available (14942208 bytes used)

route# copy tftp disk0:

Address or name of remote host []? 192.168.0.63

Source filename []? asdm502.bin

Destination filename [asdm502.bin]?

Accessing tftp://192.168.0.63/asdm502.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
%Error copying tftp://192.168.0.63/asdm502.bin (Not enough space on device)
firewall#

(My PC is the TFTP, 192.168.0.63.) The firewall is 192.186.0.1.

The ASDM file I need to upload is only 5,828 KB.

The log on the TFTP server says this:

Connection received from 192.168.0.1 on port 1042 [08/02 16:45:27.598]
Read request for file <asdm502.bin>. Mode octet [08/02 16:45:27.598]
Using local port 31931 [08/02 16:45:27.598]
Peer returns ERROR <> -> aborting transfer [08/02 16:45:29.709]


I'm using tftpd32 (the Cisco recommended).
0
 
LVL 8

Author Comment

by:FOTC
ID: 20854492
Putty displays this:

Accessing tftp://192.168.0.63/asdm502.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
%Error copying tftp://192.168.0.63/asdm502.bin (Not enough space on device)
firewall#
0
 
LVL 12

Expert Comment

by:tgtran
ID: 20855334
You need to delete the other asdm to free up space:
delete asdm512-k8.bin
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20855960
From your filesystem output you posted:

router> show disk0:
-#- --length-- -----date/time------ path
  6 6764544    Jan 01 2003 00:05:06 asa712-k8.bin
  7 2160398    Jan 01 2003 00:05:34 securedesktop-asa-3.1.1.16.pkg
  8 398305     Jan 01 2003 00:05:48 sslclient-win-1.1.0.154.pkg
  9 5539756    Feb 09 2008 18:05:02 asdm512-k8.bin

It looks to me like you have the correct ASDM version.  If you try to use the 5.02 version with the 7.12 ASA code, I don't think it will be compatible.  You should have a line in your ASA configuration that reads something like this:

asdm image disk0:/asdm512-k8.bin

Is this what it says?  If so, the file may be corrupt.  However, this is the correct version to use.

I would suggest deleting that file and reloading it from a fresh copy that you have downloaded from Cisco's web site.  You can delete the file with the following command:

delete disk0:/asdm512-k8.bin
0
 
LVL 8

Author Comment

by:FOTC
ID: 20857337
This is the error I get when it attempts to load the ASDM:

"Your ASA image has a version number 7.1(2) which is not supported by ASDM 5.2(1)"


And according to this link: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

I need to have ASDM 5.1, which I have available.

But it says it has version 5.1(2) loaded (which should be compatible, I agree), but it says I have ASDM 5.2(1).

I attached an image of the error.
asdm.jpg
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20857540
Please post the output of the commands:

sh disk0:
sh run

so we can sort this out...
0
 
LVL 8

Author Comment

by:FOTC
ID: 20857660
firewall# sh disk0:
-#- --length-- -----date/time------ path
  6 6764544    Jan 01 2003 00:05:06 asa712-k8.bin
  7 2160398    Jan 01 2003 00:05:34 securedesktop-asa-3.1.1.16.pkg
  8 398305     Jan 01 2003 00:05:48 sslclient-win-1.1.0.154.pkg
  9 5539756    Feb 09 2008 18:05:02 asdm512-k8.bin

240484352 bytes available (14942208 bytes used)


firewall#sh run

ASA Version 7.1(2)
!
hostname ********
domain-name ********.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name x.x.0.2 WIn-FTP
name x.x.1.0 DMZ_NET
name x.x.1.4 Web_Server
!
interface Ethernet0/0
 description Interface connected to Cavtel - OUTSIDE
 nameif outside
 security-level 0
 ip address X.X.X.10 255.255.255.248
!
interface Ethernet0/1
 description LAN Interface
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ Network
 nameif dmz
 security-level 50
 ip address X.X.X.1 255.255.255.0
!
interface Ethernet0/3
 description Interface connected to ISPCable - OUTSIDE
 nameif outside2
 security-level 0
 ip address X.X.X.214 255.255.255.224
!
interface Management0/0
 description LAN/STATE Failover Interface
!
passwd .aku5OEWM9ojdx0e encrypted
boot system disk0:/asa712-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup outside2
dns server-group DefaultDNS
 name-server 192.168.0.18
 name-server 192.168.0.170
 domain-name il2000tiber.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Web_Access
 network-object Web_Server 255.255.255.255
object-group service FTP-Service tcp
 port-object eq ftp-data
 port-object eq ftp
object-group service Web_Service tcp
 description This is port 80 and 443
 port-object eq https
 port-object eq www
 port-object eq 8082
object-group service DNS_Service tcp-udp
 port-object eq domain
object-group network LAN_FTP_Group
 network-object WIn-FTP 255.255.255.255
object-group network NAT-Outside
 network-object host X.X.X.10
 network-object host X.X.X.214
 network-object host X.X.X.219
object-group service DNS udp
 port-object eq domain
access-list red extended permit tcp any any object-group FTP-Service
access-list red extended permit tcp any any object-group Web_Service
access-list red extended permit tcp any any object-group DNS_Service
access-list red extended permit udp any any object-group DNS
access-list red extended permit ip host X.X.X.16 object-group NAT-Outside
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any gt 1023 any eq ssh
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 DMZ_NET 255.255.255.0
access-list dmz_access_in extended permit tcp object-group Web_Access gt 1023 any eq 8082 log
access-list dmz_access_in extended permit icmp object-group Web_Access any echo log
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in remark Cleanup rule for the DMZ to anything else but implicit allows
access-list dmz_access_in extended deny ip any any log
access-list VPNACL extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging list standard level warnings
logging list VPNlog level notifications class vpn
logging list VPNlog level notifications class webvpn
logging buffered notifications
logging trap standard
logging asdm informational
logging facility 23
logging host outside2 X.X.X.200
logging host inside 192.168.0.25
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu outside2 1500
ip local pool VPNUSERS 192.168.111.100-192.168.111.211 mask 255.255.255.0
ip audit name IDSPolicy attack action alarm drop
ip audit interface outside2 IDSPolicy
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
failover
failover lan unit primary
failover lan interface lan-fo Management0/0
failover link lan-fo Management0/0
failover interface ip lan-fo X.X.X.1 255.255.255.0 standby X.X.X.100
icmp permit 192.168.0.0 255.255.255.0 inside
icmp permit any dmz
asdm image disk0:/asdm512-k8.bin
asdm location Web_Server 255.255.255.255 dmz
asdm location 192.168.0.200 255.255.255.255 inside
asdm location WIn-FTP 255.255.255.255 inside
asdm group Web_Access dmz
asdm group LAN_FTP_Group inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 X.X.X.219
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside2) tcp X.X.X.214 ftp WIn-FTP ftp netmask 255.255.255.255
static (dmz,outside2) tcp X.X.X.214 https Web_Server https netmask 255.255.255.255
static (inside,outside) tcp X.X.X.10 www 192.168.0.4 www netmask 255.255.255.255
static (inside,outside2) tcp interface 81 192.168.0.200 81 netmask 255.255.255.255
access-group red in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group red in interface outside2
route outside 0.0.0.0 0.0.0.0 66.16.34.9 100
route outside 216.154.222.16 255.255.255.255 66.16.34.9 1
route outside2 0.0.0.0 0.0.0.0 70.168.208.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 192.168.0.18 192.168.0.170
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy RA_Policy internal
group-policy RA_Policy attributes
 banner value Authorized Users Only!
 vpn-tunnel-protocol IPSec
 ip-comp enable
 re-xauth disable
 pfs enable
 ipsec-udp enable
group-policy ********VPN internal
group-policy ********VPN attributes
 dns-server value 192.168.0.18
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-idle-timeout 20
 split-tunnel-policy tunnelall
username ******** password SxpL.qV0hN25Pw8m encrypted
username ******** password ARmLGvatoBpwM33Q encrypted
username ******** password ARmLGvatoBpwM33Q encrypted
username ********l password VvOtNYT4i15vdae5 encrypted
username ******** password 5HXKBxi6ikkwdJHd encrypted privilege 15
username ******** attributes
 vpn-group-policy RA_Policy
 vpn-filter value VPNACL
username ******** password Hr8t6Wy9Eq2DNHru encrypted
username ******** password OvSif7zQKk//yfAb encrypted
username ******** password DpMAB1IpGlA14kdT encrypted
username ******** password wmEkuF8VVwqYr5gJ encrypted privilege 15
username ******** attributes
 vpn-group-policy RA_Policy
username ******** password TB5RJs7iQeQr7ECl encrypted
username ******** password GgMf/j3fVYEtafx7 encrypted
username ******** password lpOit0n2ECSG8V56 encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 2 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside2
isakmp enable outside2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 default-group-policy RA_Policy
 dhcp-server 192.168.0.19
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key test
tunnel-group *****VPN type ipsec-ra
tunnel-group *****VPN general-attributes
 address-pool VPNUSERS
 default-group-policy IL200VPN
tunnel-group *****VPN ipsec-attributes
 pre-shared-key ***********
 peer-id-validate nocheck
tunnel-group rtptacvpn type ipsec-ra
no vpn-addr-assign aaa
vpn-sessiondb max-session-limit 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:69a21e3b81c96a0318b6338d32de87f7
: end

0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20857682
Your config looks good and you appear to have the proper version of the ASDM installed.  However, that error message seems to indicate that it thinks you're trying to load version 5.21.  The only thing that I can think of is that the ASDM 5.21 version was downloaded and copied to the ASA but renamed 5.12 when it was saved.

I would suggest you get a fresh copy of 5.12 from Cisco and copy it to the ASA and try again.

All of this discussion aside, you really should upgrade to version 7.23 of the ASA code and 5.23 of the ASDM, since 7.1x had a few bugs that have been worked out...
0
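The cross-check batry_boy performs by hand above, written as a script (an added example, not part of the thread): it compares the `show disk0:` listing, the `boot system` and `asdm image` lines of the config, and the version named in the ASDM error. The sample input is constructed from lines posted in the thread, and the file-name-to-version mapping (asdm512 to 5.1(2)) is an assumed naming convention.

```python
import re

# Constructed sample input: the relevant lines of the output posted in the thread.
SHOW_DISK = """\
-#- --length-- -----date/time------ path
  6 6764544    Jan 01 2003 00:05:06 asa712-k8.bin
  9 5539756    Feb 09 2008 18:05:02 asdm512-k8.bin
"""
SHOW_RUN = """\
ASA Version 7.1(2)
boot system disk0:/asa712-k8.bin
asdm image disk0:/asdm512-k8.bin
"""
ASDM_ERROR = ("Your ASA image has a version number 7.1(2) which is not "
              "supported by ASDM 5.2(1)")

DISK_LINE = re.compile(r"\s*\d+\s+(\d+)\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)")

def flash_files(show_disk):
    """Map file name -> size in bytes from 'show disk0:' output."""
    return {m.group(2): int(m.group(1))
            for m in map(DISK_LINE.match, show_disk.splitlines()) if m}

def version_from_name(filename):
    """Assumed naming convention: asdm512-k8.bin -> 5.1(2), asa712-k8.bin -> 7.1(2)."""
    m = re.match(r"(?:asa|asdm)-?(\d)(\d)(\d)", filename)
    return "{}.{}({})".format(*m.groups()) if m else None

def audit(show_disk, show_run, asdm_error=""):
    """Return a list of inconsistencies between config, flash and ASDM's error."""
    findings = []
    files = flash_files(show_disk)
    running = re.search(r"^ASA Version (\S+)", show_run, re.M)
    reported = re.search(r"ASDM (\d+\.\d+\(\d+\))", asdm_error)
    for keyword in ("boot system", "asdm image"):
        m = re.search(rf"^{keyword} disk0:/?(\S+)", show_run, re.M)
        if not m:
            findings.append(f"no '{keyword}' line in the config")
            continue
        name, named = m.group(1), version_from_name(m.group(1))
        if name not in files:
            findings.append(f"'{keyword}' points at {name}, which is not on disk0:")
        if keyword == "boot system" and running and named != running.group(1):
            findings.append(f"{name} is named like {named} but the ASA runs {running.group(1)}")
        if keyword == "asdm image" and reported and named != reported.group(1):
            findings.append(f"{name} is named like {named} but ASDM reports "
                            f"{reported.group(1)}: contents do not match the name")
    return findings

if __name__ == "__main__":
    for finding in audit(SHOW_DISK, SHOW_RUN, ASDM_ERROR):
        print(finding)
```

On the thread's data the only finding is the name/content mismatch on the ASDM image, which is the renamed-file case suspected above.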
 
LVL 8

Author Comment

by:FOTC
ID: 20857775
Well, I don't have access to the Cisco site, but I do have the ASDM CDs that came with our firewalls. I'm assuming that will work fine. So I need to delete the ASDM image on the firewall, then install the fresh version, right?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20857967
Yes, that is correct...and I would take notice as to what the file name is on the CD itself.  We just need to make sure you have 5.12 and not 5.21 that you load from the CD.
0
 
LVL 8

Author Comment

by:FOTC
ID: 20858272
I just looked at the CD. I do have file name "asdm-512.bin" on there.

How do I delete the version on the firewall now?

Also, once that is done, do I just follow tgtran's response to this post?
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 1000 total points
ID: 20858347
Command to delete current ASDM image:

delete disk0:/asdm512-k8.bin

>>also, once that is done, do i just follow tgtrans response to this post?

Yes, pretty much.
0
 
LVL 8

Author Comment

by:FOTC
ID: 20858484
thanks so much! I'm about to head into the office to try and get this back online. I'll let you know how it goes.
0
 
LVL 8

Author Comment

by:FOTC
ID: 20859052
You guys are miracle workers. I can't thank you both enough for all your assistance.
0
 
LVL 8

Author Closing Comment

by:FOTC
ID: 31429296
I can't thank you both enough for your help!
0
