  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 968

How to reset the password for Cisco ASDM tool

I have a Cisco ASA5505 firewall. I can ssh to it and enter executive mode without problem. But when I run Cisco ASDM tool and want to connect to it, it doesn't let me connect.

Which username should I use for this GUI tool and how to reset the password?

Thanks.
0
Jason Yu
5 Solutions
 
convergint Commented:
Have you tried cisco, asa or blank for the username?  The password should be the same as the one you are using for executive mode.

You also need to check if ASDM is allowed.  To identify the IP addresses from which the ASA accepts HTTPS connections, enter the following command for each address or subnet:

hostname(config)# http source_IP_address mask source_interface


If ASDM is not allowed, to allow it and let a host on the inside interface with an address of 192.168.1.2 access ASDM, enter the following commands:

hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write mem
hostname(config)# http server enable
hostname(config)# http 192.168.1.2 255.255.255.255 inside

To allow all users on the 192.168.3.0 network to access ASDM on the inside interface, enter the following command:

hostname(config)# http 192.168.3.0 255.255.255.0 inside
0
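
An added example, not part of the original thread: a small Python audit of the `http` management-access statements discussed above, showing which source addresses each entry really admits (a host address paired with a wider mask covers the whole subnet). The sample lines are the statements quoted in this thread; the function name and the 256-address threshold are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample: the 'http' statements quoted in this thread.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
http 192.168.3.0 255.255.255.0 inside
http 10.10.4.39 255.255.252.0
"""


def audit_http_access(config_text, max_addresses=256):
    """Return (server_enabled, findings); findings is a list of (line, notes)."""
    server_enabled = False
    findings = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "http":
            continue
        if parts[1] == "server":
            # 'http server enable' turns on the HTTPS service that ASDM uses
            server_enabled = server_enabled or parts[2] == "enable"
            continue
        addr, mask = parts[1], parts[2]
        iface = parts[3] if len(parts) > 3 else "(not given)"
        try:
            # strict=False lets a host address be combined with a wider mask
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append((raw.strip(), ["address/mask does not parse"]))
            continue
        notes = []
        if ipaddress.ip_address(addr) != net.network_address:
            notes.append(f"host address with a wider mask: covers {net}")
        if net.num_addresses > max_addresses:  # assumed review threshold
            notes.append(f"{net.num_addresses} source addresses on {iface}")
        if notes:
            findings.append((raw.strip(), notes))
    return server_enabled, findings


if __name__ == "__main__":
    enabled, results = audit_http_access(SAMPLE_CONFIG)
    print("http server enabled:", enabled)
    for line, notes in results:
        print(line, "->", "; ".join(notes))
```
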
 
Jason Yu (Author) Commented:
What is the source_interface of this command:
hostname(config)# http source_IP_address mask source_interface


BFD-PIX505> http 10.10.4.39 255.255.252.0
Type help or '?' for a list of available commands.
BFD-PIX505> http 10.10.4.39 255.255.252.0 10.10.4.39
Type help or '?' for a list of available commands.
BFD-PIX505>
0
 
Jason Yu (Author) Commented:
Sorry, it's in the unprivileged mode to run the above command.

Got another prompt as follows:

BFD-PIX505(config)# http 10.10.4.39 255.255.252.0
ERROR: entry for address/mask = 10.10.4.39/255.255.252.0 exists
BFD-PIX505(config)#
0
 
Jason Yu (Author) Commented:
I got the error "Unable to launch device manger from 10.10.4.39"

Please see the attachment.
pix-5505-error.png
0
 
Jason Yu (Author) Commented:
BFD-PIX505(config)# http server enable
BFD-PIX505(config)#  http 10.10.4.39 255.255.255.255 inside
BFD-PIX505(config)# crypto key generate rsa modulus 1024
Invalid keyword:  "key"
BFD-PIX505(config)# crypto keygenerate rsa modulus 1024
Invalid keyword:  "keygenerate"
BFD-PIX505(config)#
0
 
convergint Commented:
Can you check if a compatible ASDM image is on the flash?

show asdm image
0
 
Jason Yu (Author) Commented:
BFD-PIX505(config)# write mem
Building configuration...
Cryptochecksum: fbd3efd9 f11844e1 ffd12557 660b5a6d
[OK]
BFD-PIX505(config)# clear arp
BFD-PIX505(config)# show asdm image
Type help or '?' for a list of available commands.
BFD-PIX505(config)#


It looks like not.
0
 
convergint Commented:
If the ASDM-image is still on the flash:
Do a "show flash" and look for the asdm-image file. It's named asdm-xxx.bin, where xxx=version.
Then in config mode, type "asdm image disk0:/asdm-xxx.bin"
0
 
Jason Yu (Author) Commented:
BFD-PIX505(config)# show flash
flash file system:  version:3  magic:0x12345679
  file 0: origin:       0 length:1966136
  file 1: origin: 2621440 length:5643
  file 2: origin: 2752512 length:1923
  file 3: origin:       0 length:0
  file 4: origin:       0 length:0
  file 5: origin: 8257536 length:308
BFD-PIX505(config)#
0
 
Jason Yu (Author) Commented:
On my other firewall, it shows this kind of result:

pix515e(config)# show flash

Directory of flash:/

4      -rw-  1894        07:27:21 Nov 04 2005  downgrade.cfg
7      -rw-  6514852     10:24:16 Nov 15 2008  asdm-524.bin
11     -rw-  8515584     08:55:19 Nov 15 2008  pix724.bin

16128000 bytes total (1042432 bytes free)
pix515e(config)#

pix515e(config)#  show asdm image
Device Manager image file, flash:/asdm-524.bin
pix515e(config)#
0
 
convergint Commented:
Looks like you may need to upgrade the firmware and/or load the ASDM image to the ASA.  This article might help you:

https://supportforums.cisco.com/thread/2104720
0
 
Jason Yu (Author) Commented:
Is my ASA OS version 6.3(4)? Do I need to upgrade this ASA OS first? Based on this link, http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html, this version is not even listed there. Please advise, thank you.


BFD-PIX505(config)# show version

Cisco PIX Firewall Version 6.3(4)

Compiled on Fri 02-Jul-04 00:07 by morlee

BFD-PIX505 up 2 years 256 days

Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.328f.e95a, irq 11
1: ethernet1: address is 0005.328f.e95b, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Limited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 405122436 (0x1825ad84)
Running Activation Key: 0x11bdfd23 0x6e3e9df3 0xa902d125 0xd8848fb9
Configuration last modified by enable_15 at 17:58:45.688 UTC Mon Dec 23 2013
BFD-PIX505(config)#
0
 
convergint Commented:
It looks like you have a PIX 506 with only 32 meg of ram.  ASDM isn't supported according to the Cisco link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
0
 
Jason Yu (Author) Commented:
Is there a way to increase the ram inside this device?
0
 
Pete Long (Consultant) Commented:
Mmm - You will not get an ASDM to run on a PIX 506E at all.

To answer your Q - can I upgrade the RAM, yes you can
Upgrading a PIX 506E to Version 7

However that's NOT supported by Cisco, and I would not recommend doing it in a production environment.

You have three choices

1. Install and use the PDM (to do this you will need an old PC with an old version of Java or it won't work)
2. Sling it and replace it with an ASA 5505
3. Learn command line.

Pete
0
 
Jason Yu (Author) Commented:
Hi, PeterLong:

You are absolutely right! After I checked this ASA model number in the server room, I found it's indeed a PIX 506 device. It was up for 2 years on the backup network.

Luckily, I have an extra ASA 5505 device as a spare one on my desk. If you think this ASA 5505 is higher than the 506 one, I am going to replace the 506 one.

Could I export policies from 506 and import them into 5505?

Please advise a replacement solution. Thank you.
0
 
Jason Yu (Author) Commented:
I have another working firewall in my production env, it has OS 7.2(4), could I download that pix724.bin file to the tftp server? IF I can get the file then I can upload it to the pix 505.


pix515e# show version

Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "flash:/pix724.bin"
Config file at boot was "startup-config"

pix515e up 21 days 10 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

 0: Ext: Ethernet0           : address is 0015.c64f.166a, irq 10
 1: Ext: Ethernet1           : address is 0015.c64f.166b, irq 11
 2: Ext: Ethernet2           : address is 000e.0c84.04bf, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has a Restricted (R) license.

Serial Number: 809390681
Running Activation Key: 0xdd36cf65 0xac62cc4a 0x3402e1bc 0x8e2c3440 0xca05019a
Configuration last modified by admin at 15:30:06.305 PST Thu Dec 12 2013
pix515e# show flash

Directory of flash:/

4      -rw-  1894        07:27:21 Nov 04 2005  downgrade.cfg
7      -rw-  6514852     10:24:16 Nov 15 2008  asdm-524.bin
11     -rw-  8515584     08:55:19 Nov 15 2008  pix724.bin

16128000 bytes total (1042432 bytes free)
pix515e#
0
 
kellemann Commented:
The 515 model supports version 7 and higher of the software. As Peter Long already stated, it is NOT recommended to try and shoehorn it in a 506 firewall.
The 5505 you found is a much better choice. Just remember to check which license is installed on it. For example it would be bad to replace a Pix506 with an unlimited user license with a 10 user ASA5505.
Regarding the conversion of the Pix506 configuration, you can downgrade (if necessary) the ASA5505 to an old 7.x version. The old versions support copy/pasting the Pix configuration directly and will convert commands automatically (save a few special cases).
0
 
Pete Long (Consultant) Commented:
>>Could I export policies from 506 and import them into 5505?

To be honest, no, there's a lot of changes in the code.

>>I have another working firewall in my production env, it has OS 7.2(4), could I download that pix724.bin file to the tftp server? IF I can get the file then I can upload it to the pix 505.

No! PIX OS is different to ASA OS!

e.g.
PIX file is called pix722.bin
ASA file is called asa722-k8.bin
0
 
Jason Yu (Author) Commented:
Thank you guys very much! May you nice guys and your families have a wonderful Christmas!
0
 
Jason Yu (Author) Commented:
I am configuring the spare ASA 5505 and will replace the old PIX 506. How could I check the existing license information on the ASA5505 and PIX506? Thanks.
0
 
kellemann Commented:
Use the "show version" command. I can't remember the output on the Pix, but the line on the ASA reads "Inside hosts", and either 10, 50 or unlimited.
0
