Solved

How to reset the password for Cisco ASDM tool

Posted on 2013-12-23
Last Modified: 2014-01-13
I have a Cisco ASA5505 firewall. I can ssh to it and enter executive mode without a problem. But when I run the Cisco ASDM tool and try to connect to it, it doesn't let me connect.

Which username should I use for this GUI tool, and how do I reset the password?

Thanks.
0
Question by:Jason Yu
22 Comments
 
LVL 10

Assisted Solution

by:convergint
convergint earned 200 total points
Have you tried cisco, asa or blank for the username?  The password should be the same as the one you are using for executive mode.

You also need to check if ASDM is allowed.  To identify the IP addresses from which the ASA accepts HTTPS connections, enter the following command for each address or subnet:

hostname(config)# http source_IP_address mask source_interface


If ASDM is not allowed, to allow it and let a host on the inside interface with an address of 192.168.1.2 access ASDM, enter the following commands:

hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write mem
hostname(config)# http server enable
hostname(config)# http 192.168.1.2 255.255.255.255 inside

To allow all users on the 192.168.3.0 network to access ASDM on the inside interface, enter the following command:

hostname(config)# http 192.168.3.0 255.255.255.0 inside
0
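Added example (not part of the original answer): a small Python audit of the `http` management-access lines described above. It reports whether a given workstation is permitted to reach ASDM and flags entries that admit more than a chosen number of addresses. The sample configuration is constructed from the commands quoted in this thread, and the `max_hosts` threshold is an assumption.

```python
import ipaddress
import re

# Constructed sample built from the commands quoted in this thread.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
http 192.168.3.0 255.255.255.0 inside
http 10.10.4.39 255.255.252.0 inside
"""

# Matches "http <address> <mask> <interface>" but not "http server enable".
HTTP_RULE = re.compile(
    r"^\s*http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")

def parse_http_access(config_text):
    """Return (server_enabled, rules) for the HTTPS management service."""
    server_enabled, rules = False, []
    for line in config_text.splitlines():
        if line.strip() == "http server enable":
            server_enabled = True
            continue
        m = HTTP_RULE.match(line)
        if not m:
            continue
        addr, mask, interface = m.groups()
        # strict=False tolerates a host address paired with a subnet mask.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append({"network": net, "interface": interface,
                      "host_bits_set": str(net.network_address) != addr})
    return server_enabled, rules

def can_reach_asdm(config_text, client_ip, interface):
    """True if the service is on and a rule on that interface covers the client."""
    enabled, rules = parse_http_access(config_text)
    ip = ipaddress.ip_address(client_ip)
    return enabled and any(
        r["interface"] == interface and ip in r["network"] for r in rules)

def broad_rules(config_text, max_hosts=256):
    """Rules that admit more than max_hosts addresses (threshold is an assumption)."""
    return [r for r in parse_http_access(config_text)[1]
            if r["network"].num_addresses > max_hosts]
```

On the sample, the `10.10.4.39 255.255.252.0` entry is reported as covering all of 10.10.4.0/22 rather than one workstation.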
 

Author Comment

by:Jason Yu
What is the source_interface in this command:
hostname(config)# http source_IP_address mask source_interface


BFD-PIX505> http 10.10.4.39 255.255.252.0
Type help or '?' for a list of available commands.
BFD-PIX505> http 10.10.4.39 255.255.252.0 10.10.4.39
Type help or '?' for a list of available commands.
BFD-PIX505>
0
 

Author Comment

by:Jason Yu
Sorry, I ran the above command in unprivileged mode.

Got another prompt as follows:

BFD-PIX505(config)# http 10.10.4.39 255.255.252.0
ERROR: entry for address/mask = 10.10.4.39/255.255.252.0 exists
BFD-PIX505(config)#
0
 

Author Comment

by:Jason Yu
I got the error "Unable to launch device manger from 10.10.4.39"

Please see the attachment.
pix-5505-error.png
0
 

Author Comment

by:Jason Yu
BFD-PIX505(config)# http server enable
BFD-PIX505(config)#  http 10.10.4.39 255.255.255.255 inside
BFD-PIX505(config)# crypto key generate rsa modulus 1024
Invalid keyword:  "key"
BFD-PIX505(config)# crypto keygenerate rsa modulus 1024
Invalid keyword:  "keygenerate"
BFD-PIX505(config)#
0
 
LVL 10

Expert Comment

by:convergint
Can you check if a compatible ASDM image is on the flash?

show asdm image
0
 

Author Comment

by:Jason Yu
BFD-PIX505(config)# write mem
Building configuration...
Cryptochecksum: fbd3efd9 f11844e1 ffd12557 660b5a6d
[OK]
BFD-PIX505(config)# clear arp
BFD-PIX505(config)# show asdm image
Type help or '?' for a list of available commands.
BFD-PIX505(config)#


It looks like not.
0
 
LVL 10

Assisted Solution

by:convergint
convergint earned 200 total points
If the ASDM-image is still on the flash:
Do a "show flash" and look for the asdm-image file. It's named asdm-xxx.bin, where xxx=version.
Then in config mode, type "asdm image disk0:/asdm-xxx.bin"
0
 

Author Comment

by:Jason Yu
BFD-PIX505(config)# show flash
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2621440 length:5643
  file 2: origin: 2752512 length:1923
  file 3: origin:       0 length:0
  file 4: origin:       0 length:0
  file 5: origin: 8257536 length:308
BFD-PIX505(config)#
0
 

Author Comment

by:Jason Yu
On my other firewall, it shows this kind of result:

pix515e(config)# show flash

Directory of flash:/

4      -rw-  1894        07:27:21 Nov 04 2005  downgrade.cfg
7      -rw-  6514852     10:24:16 Nov 15 2008  asdm-524.bin
11     -rw-  8515584     08:55:19 Nov 15 2008  pix724.bin

16128000 bytes total (1042432 bytes free)
pix515e(config)#

pix515e(config)#  show asdm image
Device Manager image file, flash:/asdm-524.bin
pix515e(config)#
0
 
LVL 10

Expert Comment

by:convergint
Looks like you may need to upgrade the firmware and/or load the ASDM image to the ASA.  This article might help you:

https://supportforums.cisco.com/thread/2104720
0

 

Author Comment

by:Jason Yu
Is my ASA OS version 6.3(4)? Do I need to upgrade this ASA OS first? Based on this link, http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html, this version is not even listed there. Please advise, thank you.


BFD-PIX505(config)# show version

Cisco PIX Firewall Version 6.3(4)

Compiled on Fri 02-Jul-04 00:07 by morlee

BFD-PIX505 up 2 years 256 days

Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.328f.e95a, irq 11
1: ethernet1: address is 0005.328f.e95b, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Limited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 405122436 (0x1825ad84)
Running Activation Key: 0x11bdfd23 0x6e3e9df3 0xa902d125 0xd8848fb9
Configuration last modified by enable_15 at 17:58:45.688 UTC Mon Dec 23 2013
BFD-PIX505(config)#
0
 
LVL 10

Expert Comment

by:convergint
It looks like you have a PIX 506 with only 32 meg of ram.  ASDM isn't supported according to the Cisco link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
0
 

Author Comment

by:Jason Yu
Is there a way to increase the ram inside this device?
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 200 total points
Mmm - You will not get an ASDM to run on a PIX 506E at all.

To answer your Q - can I upgrade the RAM, yes you can
Upgrading a PIX 506E to Version 7

However that's NOT supported by Cisco, and I would not recommend doing it in a production environment.

You have three choices

1. Install and use the PDM (to do this you will need an old PC with an old version of Java or it won't work)
2. Sling it and replace it with an ASA 5505
3. Learn command line.

Pete
0
 

Author Comment

by:Jason Yu
Hi, PeterLong:

You are absolutely right! After I checked this ASA model number in the server room, I found it's indeed a PIX 506 device. It was up for 2 years on the backup network.

Luckily, I have an extra ASA 5505 device as a spare one on my desk. If you think this ASA 5505 is higher than the 506 one, I am going to replace the 506 one.

Could I export policies from 506 and import them into 5505?

Please advise a replacement solution. Thank you.
0
 

Author Comment

by:Jason Yu
I have another working firewall in my production env, it has OS 7.2(4). Could I download that pix724.bin file to the tftp server? If I can get the file then I can upload it to the pix 505.


pix515e# show version

Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "flash:/pix724.bin"
Config file at boot was "startup-config"

pix515e up 21 days 10 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

 0: Ext: Ethernet0           : address is 0015.c64f.166a, irq 10
 1: Ext: Ethernet1           : address is 0015.c64f.166b, irq 11
 2: Ext: Ethernet2           : address is 000e.0c84.04bf, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has a Restricted (R) license.

Serial Number: 809390681
Running Activation Key: 0xdd36cf65 0xac62cc4a 0x3402e1bc 0x8e2c3440 0xca05019a
Configuration last modified by admin at 15:30:06.305 PST Thu Dec 12 2013
pix515e# show flash

Directory of flash:/

4      -rw-  1894        07:27:21 Nov 04 2005  downgrade.cfg
7      -rw-  6514852     10:24:16 Nov 15 2008  asdm-524.bin
11     -rw-  8515584     08:55:19 Nov 15 2008  pix724.bin

16128000 bytes total (1042432 bytes free)
pix515e#
0
 
LVL 7

Accepted Solution

by:
kellemann earned 100 total points
The 515 model supports version 7 and higher of the software. As Peter Long already stated, it is NOT recommended to try and shoehorn it in a 506 firewall.
The 5505 you found is a much better choice. Just remember to check which license is installed on it. For example it would be bad to replace a Pix506 with an unlimited user license with a 10 user ASA5505.
Regarding the conversion of the Pix506 configuration, you can downgrade (if necessary) the ASA5505 to an old 7.x version. The old versions support copy/pasting the Pix configuration directly and will convert commands automatically (save a few special cases).
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 200 total points
>>Could I export policies from 506 and import them into 5505?

To be honest, no, there's a lot of changes in the code.

>>I have another working firewall in my production env, it has OS 7.2(4), could I download that pix724.bin file to the tftp server? If I can get the file then I can upload it to the pix 505.

No! PIX OS is different to ASA OS!

e.g.
PIX file is called pix722.bin
ASA file is called asa722-k8.bin
0
 

Author Comment

by:Jason Yu
Thank you guys very much! May you nice guys and your families have a wonderful Christmas!
0
 

Author Comment

by:Jason Yu
I am configuring the spare ASA 5505 and will replace the old PIX 506. How could I check the existing license information on the ASA5505 and PIX506? Thanks.
0
 
LVL 7

Expert Comment

by:kellemann
Use the "show version" command. I can't remember the output on the Pix, but the line on the ASA reads "Inside hosts", and either 10, 50 or unlimited.
0
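Added example (not part of the original thread): a Python sketch that parses `show version` output to identify the platform, software version, RAM and "Inside Hosts" license, then applies the checks the experts made by eye before swapping the PIX 506 for an ASA 5505. The PIX text is trimmed from the output posted above; the ASA 5505 text is a constructed sample, and the function names are hypothetical.

```python
import re

# Trimmed from the "show version" output posted in this thread.
PIX506 = """Cisco PIX Firewall Version 6.3(4)
Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Inside Hosts:                Unlimited
"""
# Constructed sample for a spare ASA 5505 with a 10-host license.
ASA5505 = """Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Inside Hosts                : 10
"""

def parse_show_version(text):
    """Pull platform, software, memory and license facts out of 'show version'."""
    info = dict.fromkeys(("product", "version", "model", "ram_mb",
                          "inside_hosts", "device_manager"))
    m = re.search(r"^Cisco (PIX|Adaptive Security Appliance)\b.*? Version (\S+)",
                  text, re.M)
    if m:
        info["product"] = "PIX" if m.group(1) == "PIX" else "ASA"
        info["version"] = m.group(2)
    m = re.search(r"^Hardware:\s+([^,]+),\s+(\d+) MB RAM", text, re.M)
    if m:
        info["model"], info["ram_mb"] = m.group(1).strip(), int(m.group(2))
    m = re.search(r"^Inside Hosts\s*:\s*(\S+)", text, re.M | re.I)
    if m:
        info["inside_hosts"] = m.group(1)
    m = re.search(r"^Device Manager Version (\S+)", text, re.M)
    if m:
        info["device_manager"] = m.group(1)
    return info

def replacement_findings(old, new):
    """Compare parsed facts for the unit being retired and its replacement."""
    findings = []
    if old["product"] == "PIX" and int(old["version"].split(".")[0]) < 7:
        findings.append("old unit runs pre-7.x PIX software: no ASDM, CLI or PDM only")
    if old["product"] != new["product"]:
        findings.append("image families differ: a pix*.bin file is not an ASA image")
    if (str(old["inside_hosts"]).lower() == "unlimited"
            and str(new["inside_hosts"]).isdigit()):
        findings.append(f"license regression: Unlimited -> {new['inside_hosts']} inside hosts")
    return findings
```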
