mikey250

asa gui wizard

hi

Question 1. I would like to know if the ASA 5505 has a built-in GUI wizard & what command to type to check this & if I do, how to access it via the web browser?

Question 2. If I do not have a GUI pre-installed, is there anywhere I can download the ASDM for free?
ASKER CERTIFIED SOLUTION
Ernie Beek
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
mikey250

ASKER

Hi, you have mentioned this SmartNet before. What is it & does it cost? If so, how much?

My ISP, XLN, is delivering my basic router so I will set it to 'bridge mode or modem enable' so that I can then connect my ASA 5505.
I have a Security Plus full access to my ASA but am not sure what that exactly means, other than I can access all built-in features or whatever.
SOLUTION
version 9.1(2)
dual isp
anyconnect for mobile
anyconnect for cisco vpn phone
advanced endpoint assessment
encryption des
encryption 3des aes
inside hosts - unlimited

& more etc
SOLUTION
I have unlimited users/perpetual
asa5505-sec-bun-k9 - yes, I'm sure this is what it said when I purchased it.

I have a permanent activation key.

asa912-k8.bin
boot microcode: cn1000-mc-boot-2.00
ssl/ike microcode: cnlite-mc-sslm-plus-2_05
ipsec microcode: cnlite-mc-ipsecm-main-2.08
number of accelerators:1
I've also got a serial number on my spec sheet when I purchased it.
SOLUTION
I've just done (dir) and there is the following:

- asdm-713.bin - showing
Ok, so after you added
http server enable
http x.x.x.x y.y.y.y inside


You aren't able to connect to the ASDM?
I've booted up the ASA a few weeks ago and logged on and just created the (hostname) only

I've then done the following:

config t
http server enable
http 10.0.0.1 255.0.0.0 - enter states:
"configure mode commands/options:
current available interfaces(s):

so does not accept (inside) & no options just the above comment!
SOLUTION
Aside from allowing management, you also need to point it to the correct ASDM image:

asdm image disk0:/<asdm image>.bin
Apologies, yes I did:

config t
http 10.0.0.0 255.0.0.0 inside - invalid input
Hi bamsi,

According to my sheet of paper it states:

system image file is "disk0:/asa912-k8.bin" - how can I check?
But is 10.0.0.0 your inside network? And is inside the name of your (inside) interface?
The asdm image disk0:/<asdm image>.bin is another line in your config, don't touch the disk0:/asa912-k8.bin one.
Hi Ernie,

What about

config t
http server enable (1-65535) - the management servers ssl listening port.  tcp port 443 is the default - ?
Hi Ernie, I have only configured the hostname & nothing else except for:

config t
http server enable

I've also done:

config t
int vlan 1
 10.0.0.1 255.0.0.0
no shut

now shows as up/up

int ethernet0/0
description xp pc
no shut

https://10.0.0.1 - enter (fail)

tried:

int ethernet0/1
description xp pc
no shut

https://10.0.0.1 - enter (fail)
xp pc currently set to static:

ip: 10.0.0.2
sm:/8
dg: 10.0.0.2
apologies:

ip: 10.0.0.2
 sm:/8
 dg: 10.0.0.1
xp:

ping 10.0.0.1 - fail

asa:

ethernet0/1 - up/up
vlan 1 - up/up
asa:

sh int ip brief:

vlan1 - unassigned up/up - was expecting to see: 10.0.0.1
Under int ethernet0/0 enter: switchport access vlan 1
SOLUTION
int ethernet0/1
 switchport access vlan 1
!
int vlan 1
 nameif inside
 ip address 10.x.x.x 255.x.x.x
 no shut

If you could paste a cleaned up show run, it will be faster to check.
what about

config t
http server enable (1-65535) - the management servers ssl listening port.  tcp port 443 is the default


Just leave that at the default for now.
Hi Ernie, currently:

int vlan 1
no nameif

now set to:

int vlan 1
nameif inside
no shut

int eth0/1
switchport mode access vlan 1 - accepted but does not show in config as vlan 1 is default
no shut

xp - can now ping 10.0.0.1 - successfully

https://10.0.0.1 - fail still
config t
http 10.0.0.0 255.0.0.0 inside - now successful
after above command it states:

"http server is not yet enabled to allow asdm access"
SOLUTION
yes
Ok, try:
SOLUTION
I've got the choice of:

- 1024
- 2048
- 512
- 768
1024 should be sufficient.
Why not 2048?
I've read somewhere that 2048 is better, but for some unknown reason everyone chooses 1024, which I do not understand, although I assume banks do use: 2048
SOLUTION
crypto key generate rsa modulus 1024 ? noconfirm - specify this keyword to suppress all interactive prompting - what does that mean?

I now have ASDM 7.1(3) GUI showing.
what does that mean ?

Exactly what it says :)
With noconfirm it won't prompt you with any additional question, like 'is 1024 correct?' which you will have to confirm. Comes in handy if you're scripting things.
Oh, OK.

Right, I have the web browser open so I'm thinking of going for "run startup wizard" instead of "install asdm launcher", just so I know what is what, but later I may blank the ASA and re-install and install the "asdm launcher" for desktop use!!!!
Currently when I click on "the asdm wizard" it shows: 10.0.0.1 - & I accept it to proceed with the certificate validation... but it fails...!

I've just saved the config and am reloading the ASA to try again.
After reload of 'asa', same issue: 'application error'

What I noticed was when I open the browser it prompts me with the option to process 'yes or no', but next to that is an option to 'view certificate' & when I click on that option there is a button to select 'install certificate'?
Not sure what you're doing right now. Did you download and install the ASDM? Or are you trying to run the 'java web start'?
I have Java 6 update 11 installed on XP.

However, my search engines might be out of date:

IE6 - currently installed
Google Chrome - installed
Firefox - currently installing now, as downloaded the other day and copied across to my XP standalone while plugged into my ASA
But have you downloaded the ASDM or are you trying to use the java web start?
I've just installed:

- Firefox

Still same issue. I'm wondering if I need to unplug my standalone and plug back into my current firewall to gain internet access and update my browsers, but not sure what versions I need!
Hi Ernie, I have not downloaded the 'asdm'. I assumed, because I already have 'asdm' installed within my ASA, that all I need to do was open a browser. This is what I thought.

When I click on the 'desktop' method I am now prompted to download the 'dm-launcher.msi' - if I was to do this method.
That's no answer to my question. To be able to help I would like to know exactly what you've tried.

When you go to https://10.0.0.1 you should see two options:

User generated image
Which did you choose and what happened next?
Yes, I explained which option above on previous thread:

step 1

internet explorer 6:

https://10.0.0.1
I chose: "install java web start"
java flashed up on screen
'application error'

step 2
google chrome - same as ie6 above

step 3
firefox - installed
prompted to add username & password
logged onto asa and added:
username & password privilege 15
prompted to install 'dm-launcher.msc' - installed successfully
asdm - installed now on desktop

- asdm - has now opened up on desktop currently
Ah, ok.

So the desktop install is working?
yes.

I've now clicked the 'wizard' and currently decided to set the VLANs so far to:

outside:
vlan 98

inside:
vlan 99

dmz:
disabled & unticked - currently

I have stopped at this point

I am currently waiting on my router to get delivered this afternoon so that I can set it to 'bridge mode' and then continue with this wizard.

Any suggestions?
I've decided to select:

outside Ethernet:
eth0 - this port will connect between my ISP/bridge mode router once delivered this afternoon

ethernet0/1 - I have selected just in case I decided to use the DMZ

inside:
ethernet0/2 - will use to connect to my Cisco layer 2 switch

ethernet0/3 - I will use this for my XP PC for testing internet access first

ethernet0/4-5 - unused

ethernet0/6-7 - do not have any PoE devices yet, i.e. VoIP
Ok let's wait until that router is up and running and then take it from there.
Although that isn't quite in the scope of the original question, is it?
;)
Apologies for being out of scope.

After completing the wizard it did not work, but I did also change the internal IP from 10.... to 192.... using VLANs 98 & 99.

I've now write my ASA & starting again
It might be an idea to erase the ASA and start all over when you receive your router.
Do make a backup of your config so you know what you have done so far.
Yes, I write erase ASA.

I manually inside IP on ASA etc
I added ISP username & password provided
I can log on to desktop ASDM using ISP username & password provided

I followed the wizard multiple times & inside/outside show as up/up

When configuring outside interface I have tried the below DG:

- 62.24.254.203 & 204

But still no internet.

My XP can ping my internal gateway but not my public static IP.

I'm going to call it a day now & return to this tomorrow.

My ISP: XLN router, by the way, is set to bridge mode.

I appreciate your help.
Hi

Question 1. I'm back again trying to understand which part of the wizard I have completed wrong, but if I can see in ASDM that the inside/outside are up/up I cannot understand what is wrong, as I write erased my ASA & put outside as VLAN 2 & inside VLAN 1 as defaults?
Hi, I've changed my wizard multiple times and now attached what I think is correct.

My XP machine also does show my ISP DNS address & the gateway is my internal 192.168.0.1 as this links the inside to the outside.

Still no internet access although both (inside/outside) show as up.

Have you any ideas?
asa-pic-config.docx
Could you do me a favour and upload a complete (sanitized) configuration?
With a bit of luck I should be able to point out where the problem is.
Hi Ernie, I've resolved it. I should have selected 'pppoe' & ticked the box for 'pppoe'.

I now have internet access.
Ah, cool :)
thanks for your advice..appreciated!!!
As always, the pleasure was all mine.
sound advice...appreciated!!
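
The ASDM bring-up steps that surface across this thread, collected in one place as an added example; it was not posted by any participant. The port, addresses and image name are the ones quoted in the thread; the `admin` username, the password placeholder, the `aaa authentication http console LOCAL` line and the choice of 2048 from the key sizes the asker listed are assumptions of this example.

```cisco
! Added example: minimal ASA 5505 configuration for reaching ASDM
! from an inside host. Not taken from any reply in the thread.

! Confirm an ASDM image is present on flash before referencing it
dir disk0:

configure terminal
!
! 5505 ports are switchports: place the PC's port in VLAN 1
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! The VLAN interface must be named before "http ... inside" is accepted
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.0.0.0
 no shutdown
!
! ASDM image is configured separately from the boot image (asa912-k8.bin)
asdm image disk0:/asdm-713.bin
!
! RSA key pair; 2048 is this example's choice from the sizes offered
crypto key generate rsa modulus 2048 noconfirm
!
! Enable the HTTPS server (default TCP 443) and list permitted clients.
! The thread allowed all of 10.0.0.0/8; to allow only the management PC:
!   http 10.0.0.2 255.255.255.255 inside
http server enable
http 10.0.0.0 255.0.0.0 inside
!
! Local privilege-15 account for ASDM login (name and password are placeholders)
username admin password <choose-a-password> privilege 15
aaa authentication http console LOCAL
end
write memory

! Verification
show interface ip brief
show running-config http
show asdm image
show crypto key mypubkey rsa
```

In `show interface ip brief`, Vlan1 should list 10.0.0.1 rather than "unassigned" before https://10.0.0.1 is tried from the PC.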