Help setting up ASDM on an ASA 5505

Discussion in 'General Cisco Certifications' started by steveh2001, Oct 16, 2011.

  1. steveh2001

    steveh2001 Byte Poster

    Hi guys

    Reasonably new to Cisco and done a bit of work on ASAs via ASDM at work, so bought one off eBay to muck around with and learn from, but I am having real trouble getting ASDM to work and was wondering if someone could help...

    So far I have:

    1) From ROMMON, erase all.
    2) Setup TFTP server on laptop and set ip address, gateway etc to run the TFTP command and boot into ASA831-k8.bin.
    3) Setup ip address on vlan 1 and run "nameif inside" and no shut. Confirm I can ping TFTP laptop. I am plugged into ethernet 0/1 (port 1).
    4) Run "copy to flash" and copied the asa831-k8.bin and asdm-631.bin to the flash.
    5) Set the boot image to asa831-k8.bin and set the asdm image to asdm-631.bin
    6) enable password *****
    7) username steve password *** privilege 15
    8) http server enable
    9) http 0 0 inside

    I get "page cannot be displayed" when browsing to https://192.168.1.1/admin. From the laptop I can ping the VLAN 1 IP.

    I have tried to find answers but am not having much luck. I am only working on the inside interface and one VLAN, so I haven't touched routing or NAT yet (or didn't think I needed to?). I read that a PIX needs a free DES license, but I can't see any mention of what license an ASA needs. I think it just has the "base" license as I haven't put in any license codes.

    Any help would be much appreciated!

    Many thanks
    Steve
     
    Last edited: Oct 16, 2011
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  2. cisco lab rat

    cisco lab rat Megabyte Poster

    Configure the ASA with the correct IP addresses and prepare the ASA to accept connections to the ASDM.
    Start by going to the Ethernet 0/1 interface and setting the name on the interface. The name will be "inside"; when the ASA sees this particular name being applied to an interface it will automatically assign the interface the highest security level of 100. Even so, you will enter the security level of the interface manually. Apply the IP address of 192.168.1.1/24 to the eth0/0 interface and then bring it live.

    ciscoasa> enable
    Password:
    ciscoasa# conf t
    ciscoasa(config)# interface e0/1
    ciscoasa(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    ciscoasa(config-if)# security-level 100
    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
    ciscoasa(config-if)# no shut
    ciscoasa(config-if)#exit


    The ASA uses the Secure Sockets Layer (SSL) protocol to communicate with a client. The ASA acts as a web server to process the requests from the clients, and therefore you must enable the web server on the ASA with the "http server enable" command.
    The ASA will also discard all incoming packets to the web server until the management client's IP address is in the trusted network.

    ciscoasa(config)# http server enable
    ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
    ciscoasa(config)# wri mem

    Hope this helps

    Joe
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  3. steveh2001

    steveh2001 Byte Poster

    Hi Joe

    Thanks again for your help!

    I'm pretty sure I have followed your instructions but still can't get the web page to load. The only difference is that when you try to run "nameif" on the Ethernet 0/1 interface it says this must be made in a VLAN. I think this is a quirk of a 5505 from reading around? So the only thing I don't understand is how the VLAN 1 interface links to port 0/1? Although I can ping the IP address I have assigned, so I assume it has somehow linked the two.

    Testing PC is on the 192.168.1/24 range along with inside port of the firewall.

    I have copied my show run below. There may be some rubbish in there from me trying to get it working in desperation, but if you notice anything odd, please let me know!

    Cheers


    : Saved
    : Written by enable_15 at 02:53:40.989 UTC Tue Jan 13 2009
    !
    ASA Version 8.3(1)
    !
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.253 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/0
    shutdown
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    access-list outside_access_in extended permit ip any host 192.168.1.1
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authorization command LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username steve password Dt4qNrv3ojM/D.Cn encrypted privilege 15
    !
    !
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:11ec3327d26706462e98ff669f67adb3
    : end
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  4. cisco lab rat

    cisco lab rat Megabyte Poster

    Can you get rid of the following commands? I have not tried accessing the ASAs with these commands, but you never know.

    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside

    I don't have any 5505s; all of my ASAs are 5510s.

    Cheers

    Joe
     
    Last edited: Oct 16, 2011
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  5. steveh2001

    steveh2001 Byte Poster

    Hi Joe

    Just tried this but no change unfortunately. But the plot thickens... randomly I tried opening the page with Firefox and, rather than a complete "page cannot be displayed" error, I got:

    Cannot communicate securely with peer: no common encryption algorithm(s).

    (Error code: ssl_error_no_cypher_overlap)

    I then randomly tried with my iPod running Safari, and the ASDM front page loaded!

    Will keep trying

    Cheers
    Steve
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  6. steveh2001

    steveh2001 Byte Poster

    Fixed it!
    Found this command on a forum to run:
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

    I already had "ssl encryption des-sha1" in the list but ran the command above and now it loads!

    Is this something that must be run each time an ASA is setup, or is there another reason it might have been missing the encryption types?

    Cheers
    Steve
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
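A defender's check for the two problems this thread turns on: a script, added here and not posted by anyone in the thread, that scans a saved "show run" for the wide-open http/ssh/telnet lines Joe suggested removing and for an "ssl encryption" list with no AES or 3DES suite, the condition behind Firefox's "no common encryption algorithm(s)" error. The sample config is constructed from the one posted above, and the set of suites treated as acceptable is an assumption for the example.

```python
import re

# Constructed sample, condensed from the running config posted in the thread.
SAMPLE_RUN = """\
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssl encryption des-sha1
"""

# Matches the ASA management-access form: <proto> <network> <mask> <interface>
ACCESS_RE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Assumption for this example: suites a 2011-era browser would still accept.
# A list holding only des-sha1 produces the "no common encryption algorithm(s)" error.
ACCEPTABLE_SSL = {"aes128-sha1", "aes256-sha1", "3des-sha1"}


def audit(config: str) -> list:
    """Return a list of findings about management-plane exposure in an ASA config."""
    findings = []
    ssl_ciphers = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, net, mask, iface = m.groups()
            if proto == "telnet":
                findings.append(f"telnet enabled on {iface}: cleartext management, use ssh instead")
            if net == "0.0.0.0" and mask == "0.0.0.0":
                # Any source may reach the management plane; worst on the outside interface.
                sev = "HIGH" if iface == "outside" else "MEDIUM"
                findings.append(f"{sev}: {proto} allowed from any address on {iface}; restrict to the admin subnet")
        elif line.startswith("ssl encryption "):
            ssl_ciphers = line.split()[2:]
    if ssl_ciphers is not None and not ACCEPTABLE_SSL.intersection(ssl_ciphers):
        findings.append(f"ssl encryption {' '.join(ssl_ciphers)} offers no AES/3DES suite; browsers may report no cipher overlap")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN):
        print(finding)
```

Run it against a config saved from "show run" (via `audit(open(path).read())`) and clear every HIGH line before the device is attached to an untrusted network.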
  7. steveh2001

    steveh2001 Byte Poster

    Well, now it won't install the ASDM, unfortunately. I get "page cannot be displayed" clicking on the .msi link or Java link. Will dig around further...

    EDIT - strange, it seems intermittent. I tried again 10 minutes later and I couldn't load the site, and another 5 minutes later I can run the .msi or Java!!!
     
    Last edited: Oct 18, 2011
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
