Getting ASDM working on ASA5505
hey guys, i am tring to get the ASDM working on my ASA firewall.
Having some issues for some reason.
here is my config.
ciscoasa# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password*** encrypted
passwd *** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address dhcp
!
interface Vlan2
nameif outside
security-level 0
no ip address
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5fd847168f6
: end
ciscoasa#
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.127 255.255.255.0 DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.127 255.255.255.0 DHCP
ciscoasa# sh interface ip br
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.127 YES DHCP up up
Vlan2 unassigned YES unset down down
Virtual0 127.0.0.1 YES unset up up
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset down down
Ethernet0/2 unassigned YES unset down down
Ethernet0/3 unassigned YES unset down down
Ethernet0/4 unassigned YES unset down down
Ethernet0/5 unassigned YES unset down down
Ethernet0/6 unassigned YES unset down down
Ethernet0/7 unassigned YES unset down down
I am running ASA841-k8.bin
i have asdm-641.bin
Having some issues for some reason.
here is my config.
ciscoasa# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password*** encrypted
passwd *** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address dhcp
!
interface Vlan2
nameif outside
security-level 0
no ip address
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5fd847168f6
: end
ciscoasa#
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.127 255.255.255.0 DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.127 255.255.255.0 DHCP
ciscoasa# sh interface ip br
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.127 YES DHCP up up
Vlan2 unassigned YES unset down down
Virtual0 127.0.0.1 YES unset up up
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset down down
Ethernet0/2 unassigned YES unset down down
Ethernet0/3 unassigned YES unset down down
Ethernet0/4 unassigned YES unset down down
Ethernet0/5 unassigned YES unset down down
Ethernet0/6 unassigned YES unset down down
Ethernet0/7 unassigned YES unset down down
I am running ASA841-k8.bin
i have asdm-641.bin
btw, i'd make the inside IP static for one. so when you go to https://192.168.1.127/ it doesn't come up with anything?
ASKER
that did not work.
i can ping the 192.168.1.127
i did a port scan and it is up, and it can see port 443
i did a wireshark capture and i am getting a "Handshake failure"
i can ping the 192.168.1.127
i did a port scan and it is up, and it can see port 443
i did a wireshark capture and i am getting a "Handshake failure"
ASKER
37 16.990504 192.168.1.127 192.168.1.12 TLSv1 61 Alert (Level: Fatal, Description: Handshake Failure)
that's odd. handshake denotes its failing during SSL negotiation. perhaps client doesn't like options it has with what the asa is offering
try the following or attempt a different browser (what are you using anyway?)
ssl encryption aes256-sha1
try the following or attempt a different browser (what are you using anyway?)
ssl encryption aes256-sha1
ASKER
i get this error:
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
hmmm. because what I'm thinking is going on here is that single des is used for the cert and the client is rejecting it due to its insecure nature thus a handshake can't be formed since the asa can't do any of the options the client will accept.
which browser are you running? we may need to lower the browser security to allow it to communicate to the asa
which browser are you running? we may need to lower the browser security to allow it to communicate to the asa
ASKER
using ie 8
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
also, see if firefox brings it up.
ASKER
that was fantastic! this link for the key was the winner!
then run the following commands
http server enable
http 0.0.0.0 0.0.0.0 inside
asdm image flash:/asdm-641.bin
that should enable any clients from inside network to have access to ASDM configuration