Getting ASDM working on ASA5505

Posted on 2013-05-17
Last Modified: 2013-05-17
hey guys, i am tring to get the ASDM working on my ASA firewall.  

Having some issues for some reason.

here is my config.

ciscoasa# sh run
: Saved
ASA Version 8.4(1)
hostname ciscoasa
enable password*** encrypted
passwd *** encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address dhcp
interface Vlan2
 nameif outside
 security-level 0
 no ip address
interface Ethernet0/0
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
object network obj_any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside          DHCP
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside          DHCP

ciscoasa# sh interface ip br
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1               YES DHCP   up                    up
Vlan2                      unassigned      YES unset  down                  down
Virtual0                YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  down                  down
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

I am running ASA841-k8.bin
i have asdm-641.bin
Question by:sterudpa
  • 6
  • 5
LVL 25

Expert Comment

ID: 39175507
first tftp an asdm image to the asa (looks like you already did that)

then run the following commands

http server enable
http inside
asdm image flash:/asdm-641.bin

that should enable any clients from inside network to have access to ASDM configuration
LVL 25

Expert Comment

ID: 39175516
btw, i'd make the inside IP static for one.  so when you go to it doesn't come up with anything?

Author Comment

ID: 39175607
that did not work.

i can ping the
i did a port scan and it is up, and it can see port 443

i did a wireshark capture and i am getting a "Handshake failure"

Author Comment

ID: 39175616
37      16.990504      TLSv1      61      Alert (Level: Fatal, Description: Handshake Failure)
LVL 25

Expert Comment

ID: 39175643
that's odd.  handshake denotes its failing during SSL negotiation. perhaps client doesn't like options it has with what the asa is offering

try the following or attempt a different browser (what are you using anyway?)

ssl encryption aes256-sha1
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.


Author Comment

ID: 39175663
i get this error:

The 3DES/AES algorithms require a VPN-3DES-AES activation key.
LVL 25

Expert Comment

ID: 39175685
hmmm.  because what I'm thinking is going on here is that single des is used for the cert and the client is rejecting it due to its insecure nature thus a handshake can't be formed since the asa can't do any of the options the client will accept.

which browser are you running?  we may need to lower the browser security to allow it to communicate to the asa

Author Comment

ID: 39175700
using ie 8
LVL 25

Accepted Solution

Cyclops3590 earned 500 total points
ID: 39175729
while i research that, I came across this url where you can get a free 3des/aes license.  might want to try that.
LVL 25

Expert Comment

ID: 39175735
also, see if firefox brings it up.

Author Closing Comment

ID: 39175831
that was fantastic!  this link for the key was the winner!

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
OSPF Cost 2 51
Possible RST Flood on IF X0 Sonicwall 6 187
Turn off SIP ALG - Cisco ASA 5505 1 32
PEAP authentication 7 29
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now