Solved

How to reset the password for Cisco ASDM tool

Posted on 2013-12-23
Last Modified: 2014-01-13
I have a Cisco ASA5505 firewall. I can ssh to it and enter executive mode without problem. But when I run the Cisco ASDM tool and try to connect to it, it doesn't let me connect.

Which username should I use for this GUI tool, and how do I reset the password?

thanks.
0
Question by:Jason Yu
22 Comments
 
LVL 10

Assisted Solution

by:convergint
convergint earned 200 total points
ID: 39736546
Have you tried cisco, asa or blank for the username?  The password should be the same as the one you are using for executive mode.

You also need to check if ASDM is allowed.  To identify the IP addresses from which the ASA accepts HTTPS connections, enter the following command for each address or subnet:

hostname(config)# http source_IP_address mask source_interface


If ASDM is not allowed, to allow it and let a host on the inside interface with an address of 192.168.1.2 access ASDM, enter the following commands:

hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write mem
hostname(config)# http server enable
hostname(config)# http 192.168.1.2 255.255.255.255 inside

To allow all users on the 192.168.3.0 network to access ASDM on the inside interface, enter the following command:

hostname(config)# http 192.168.3.0 255.255.255.0 inside
0
 

Author Comment

by:Jason Yu
ID: 39736620
what is the source_interface of this command:
hostname(config)# http source_IP_address mask source_interface


BFD-PIX505> http 10.10.4.39 255.255.252.0
Type help or '?' for a list of available commands.
BFD-PIX505> http 10.10.4.39 255.255.252.0 10.10.4.39
Type help or '?' for a list of available commands.
BFD-PIX505>
0
 

Author Comment

by:Jason Yu
ID: 39736628
Sorry, the above command was run in unprivileged mode.

Got another prompt as follows:

BFD-PIX505(config)# http 10.10.4.39 255.255.252.0
ERROR: entry for address/mask = 10.10.4.39/255.255.252.0 exists
BFD-PIX505(config)#
0

 

Author Comment

by:Jason Yu
ID: 39736634
I got the error "Unable to launch device manger from 10.10.4.39"

Please see the attachment.
pix-5505-error.png
0
 

Author Comment

by:Jason Yu
ID: 39736638
BFD-PIX505(config)# http server enable
BFD-PIX505(config)#  http 10.10.4.39 255.255.255.255 inside
BFD-PIX505(config)# crypto key generate rsa modulus 1024
Invalid keyword:  "key"
BFD-PIX505(config)# crypto keygenerate rsa modulus 1024
Invalid keyword:  "keygenerate"
BFD-PIX505(config)#
0
 
LVL 10

Expert Comment

by:convergint
ID: 39736696
Can you check if a compatible ASDM image is on the flash?

show asdm image
0
 

Author Comment

by:Jason Yu
ID: 39736704
BFD-PIX505(config)# write mem
Building configuration...
Cryptochecksum: fbd3efd9 f11844e1 ffd12557 660b5a6d
[OK]
BFD-PIX505(config)# clear arp
BFD-PIX505(config)# show asdm image
Type help or '?' for a list of available commands.
BFD-PIX505(config)#


It looks like not.
0
 
LVL 10

Assisted Solution

by:convergint
convergint earned 200 total points
ID: 39736715
If the ASDM-image is still on the flash:
Do a "show flash" and look for the asdm-image file. It's named asdm-xxx.bin, where xxx=version.
Then in config mode, type "asdm image disk0:/asdm-xxx.bin"
0
 

Author Comment

by:Jason Yu
ID: 39736732
BFD-PIX505(config)# show flash
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2621440 length:5643
  file 2: origin: 2752512 length:1923
  file 3: origin:       0 length:0
  file 4: origin:       0 length:0
  file 5: origin: 8257536 length:308
BFD-PIX505(config)#
0
 

Author Comment

by:Jason Yu
ID: 39736735
On my other firewall, it shows this kind of result:

pix515e(config)# show flash

Directory of flash:/

4      -rw-  1894        07:27:21 Nov 04 2005  downgrade.cfg
7      -rw-  6514852     10:24:16 Nov 15 2008  asdm-524.bin
11     -rw-  8515584     08:55:19 Nov 15 2008  pix724.bin

16128000 bytes total (1042432 bytes free)
pix515e(config)#

pix515e(config)#  show asdm image
Device Manager image file, flash:/asdm-524.bin
pix515e(config)#
0
 
LVL 10

Expert Comment

by:convergint
ID: 39736746
Looks like you may need to upgrade the firmware and/or load the ASDM image to the ASA.  This article might help you:

https://supportforums.cisco.com/thread/2104720
0
 

Author Comment

by:Jason Yu
ID: 39736762
Is my ASA OS version 6.3(4)? Do I need to upgrade this ASA OS first? Based on this link, http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html, this version is not even listed there. Please advise, thank you.


BFD-PIX505(config)# show version

Cisco PIX Firewall Version 6.3(4)

Compiled on Fri 02-Jul-04 00:07 by morlee

BFD-PIX505 up 2 years 256 days

Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.328f.e95a, irq 11
1: ethernet1: address is 0005.328f.e95b, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Limited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 405122436 (0x1825ad84)
Running Activation Key: 0x11bdfd23 0x6e3e9df3 0xa902d125 0xd8848fb9
Configuration last modified by enable_15 at 17:58:45.688 UTC Mon Dec 23 2013
BFD-PIX505(config)#
0
 
LVL 10

Expert Comment

by:convergint
ID: 39736799
It looks like you have a PIX 506 with only 32 meg of ram.  ASDM isn't supported according to the Cisco link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
0
 

Author Comment

by:Jason Yu
ID: 39736848
Is there a way to increase the ram inside this device?
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 200 total points
ID: 39737038
Mmm - You will not get an ASDM to run on a PIX 506E at all.

To answer your Q - can I upgrade the RAM, yes you can
Upgrading a PIX 506E to Version 7

However that's NOT supported by Cisco, and I would not recommend doing it in a production environment.

You have three choices

1. Install and use the PDM (to do this you will need an old PC with an old version of Java or it won't work)
2. Sling it and replace it with an ASA 5505
3. Learn command line.

Pete
0
 

Author Comment

by:Jason Yu
ID: 39737182
Hi, PeterLong:

You are absolutely right! After I checked this ASA model number in the server room, I found it's indeed a PIX 506 device. It was up for 2 years on the backup network.

Luckily, I have an extra ASA 5505 device as a spare one on my desk. If you think this ASA 5505 is higher than the 506 one, I am going to replace the 506 one.

Could I export policies from 506 and import them into 5505?

Please advise a replacement solution. Thank you.
0
 

Author Comment

by:Jason Yu
ID: 39737204
I have another working firewall in my production env, it has OS 7.2(4). Could I download that pix724.bin file to the tftp server? If I can get the file then I can upload it to the pix 505.


pix515e# show version

Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "flash:/pix724.bin"
Config file at boot was "startup-config"

pix515e up 21 days 10 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

 0: Ext: Ethernet0           : address is 0015.c64f.166a, irq 10
 1: Ext: Ethernet1           : address is 0015.c64f.166b, irq 11
 2: Ext: Ethernet2           : address is 000e.0c84.04bf, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has a Restricted (R) license.

Serial Number: 809390681
Running Activation Key: 0xdd36cf65 0xac62cc4a 0x3402e1bc 0x8e2c3440 0xca05019a
Configuration last modified by admin at 15:30:06.305 PST Thu Dec 12 2013
pix515e# show flash

Directory of flash:/

4      -rw-  1894        07:27:21 Nov 04 2005  downgrade.cfg
7      -rw-  6514852     10:24:16 Nov 15 2008  asdm-524.bin
11     -rw-  8515584     08:55:19 Nov 15 2008  pix724.bin

16128000 bytes total (1042432 bytes free)
pix515e#
0
 
LVL 7

Accepted Solution

by:
kellemann earned 100 total points
ID: 39737734
The 515 model supports version 7 and higher of the software. As Peter Long already stated, it is NOT recommended to try and shoehorn it in a 506 firewall.
The 5505 you found is a much better choice. Just remember to check which license is installed on it. For example, it would be bad to replace a Pix506 with an unlimited user license with a 10 user ASA5505.
Regarding the conversion of the Pix506 configuration, you can downgrade (if necessary) the ASA5505 to an old 7.x version. The old versions support copy/pasting the Pix configuration directly and will convert commands automatically (save a few special cases).
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 200 total points
ID: 39737751
>>Could I export policies from 506 and import them into 5505?

To be honest, no; there are a lot of changes in the code.

>>I have another working firewall in my production env, it has OS 7.2(4), could I download that pix724.bin file to the tftp server? IF I can get the file then I can upload it to the pix 505.

No! PIX OS is different to ASA OS!

eg
PIX file is called pix722.bin
ASA file is called asa722-k8.bin
0
 

Author Comment

by:Jason Yu
ID: 39738509
Thank you guys very much! May you nice guys and your families have a wonderful Christmas!
0
 

Author Comment

by:Jason Yu
ID: 39762510
I am configuring the spare ASA 5505 and will replace the old PIX 506. How can I check the existing license information on the ASA5505 and PIX506? Thanks.
0
 
LVL 7

Expert Comment

by:kellemann
ID: 39764519
Use the "show version" command. I can't remember the output on the Pix, but the line on the ASA reads "Inside hosts", and either 10, 50 or unlimited.
0
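As an added example (not code from any poster in this thread or from Cisco), the following Python parses the two `show version` formats posted above to pull out the software version, hardware model, RAM and "Inside Hosts" license, then checks the two points raised in the answers: which GUI the software generation uses (PDM before version 7, ASDM from 7 on) and whether a replacement unit would shrink the inside-host license. The ASA 5505 sample is constructed, and the function names are hypothetical.

```python
import re

# Excerpts of the `show version` output posted in this thread.
PIX506 = """Cisco PIX Firewall Version 6.3(4)
Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Inside Hosts:                Unlimited
"""
PIX515E = """Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Inside Hosts                : Unlimited
"""
# Constructed sample (not from the thread): a spare ASA 5505 with a 10-host license.
ASA5505 = """Cisco Adaptive Security Appliance Software Version 7.2(4)
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Inside Hosts                : 10
"""

def parse_show_version(text):
    """Extract version, model, RAM, device manager and inside-host license."""
    info = {"version": None, "model": None, "ram_mb": None,
            "inside_hosts": None, "device_manager": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Cisco .*Version (\d+)\.(\d+)\((\d+)\)", line):
            info["version"] = tuple(int(g) for g in m.groups())
        elif m := re.match(r"Device Manager Version (\S+)", line):
            info["device_manager"] = m.group(1)
        elif m := re.match(r"Hardware:\s+([\w-]+),\s+(\d+) MB RAM", line):
            info["model"], info["ram_mb"] = m.group(1), int(m.group(2))
        elif m := re.match(r"Inside Hosts\s*:\s*(\w+)", line, re.I):
            val = m.group(1).lower()
            # Represent "Unlimited" as infinity so licenses compare numerically.
            info["inside_hosts"] = float("inf") if val == "unlimited" else int(val)
    return info

def gui_tool(info):
    """PDM for software before version 7, ASDM for 7 and later (per the thread)."""
    return "PDM" if info["version"][0] < 7 else "ASDM"

def license_shrinks(old, new):
    """True if the replacement allows fewer inside hosts than the old unit."""
    return new["inside_hosts"] < old["inside_hosts"]

if __name__ == "__main__":
    old, new = parse_show_version(PIX506), parse_show_version(ASA5505)
    print(old["model"], old["version"], gui_tool(old))
    print("license shrinks on replacement:", license_shrinks(old, new))
```
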

Question has a verified solution.