https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940378#M150534 <P>Hi,</P> <P></P> <P>You can try using <STRONG>show </STRONG><G class="gr_ gr_6 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="6" data-gr-id="6">ssl</G><STRONG> ciphers all </STRONG>command on the ASA.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Wed, 24 Aug 2016 15:38:29 GMT Aditya Ganjoo 2016-08-24T15:38:29Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940375#M150531 <P>Hello,</P> <P>I wan to understand on which protocols/security standards does the ASA communicate with ASDM</P> <P></P> <P>Thanks</P> Tue, 12 Mar 2019 08:10:13 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940375#M150531 amarnathtiwari 2019-03-12T08:10:13Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940376#M150532 <P>Hi</P> <P>The communication is over HTTPS. The ciphers that are allowed can be verified using "show run all ssl". I dont know how to verify which ciphers are actually used by ASDM.</P> Tue, 23 Aug 2016 10:58:12 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940376#M150532 Henrik Grankvist 2016-08-23T10:58:12Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940377#M150533 <P>Hello Henrik,</P> <P></P> <P>I tried running the command but got blank output. I am using&nbsp;Version 9.1(6)</P> <P></P> <P>Please help if any Cisco document mentioned this.&nbsp;</P> <P></P> <P>Thanks</P> Wed, 24 Aug 2016 14:24:03 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940377#M150533 amarnathtiwari 2016-08-24T14:24:03Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940378#M150534 <P>Hi,</P> <P></P> <P>You can try using <STRONG>show </STRONG><G class="gr_ gr_6 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="6" data-gr-id="6">ssl</G><STRONG> ciphers all </STRONG>command on the ASA.</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Wed, 24 Aug 2016 15:38:29 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940378#M150534 Aditya Ganjoo 2016-08-24T15:38:29Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940379#M150535 <P>The ciphers actually used are negotiated dynamically between your ASA and your local Java installation on the host where ASDM is launched. (ASDM is a Java applet uses the Java libraries including the cryptographic bits.)</P> <P>They will negotiate the strongest mutually supported cipher.</P> <P>The command "show ssl ciphers all" will show what the ASA code on your appliance can support.</P> <P>Best practice is to restrict them using an "ssl cipher ..." command. For instance here is mine with only strong ciphers allowed:</P> <PRE class="prettyprint" style="padding-left: 30px;">asa-5512# show run ssl<BR />ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"<BR />ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"<BR />ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"<BR />ssl trust-point SSLVPN_TrustPoint outside</PRE> <P>If you capture the traffic while connecting to ASDM, you will se a "Client Hello" frame in which your client (ASDM/Java) provides to the server a list of the cipher suites it supports. The server (ASA) will pick the strongest one and reply with a "Change Cipher Spec" request directing the client to use the strongest mutually supported suite.</P> <P>Something like this (open images in new window to zoom):</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/client_hello.png" class="migrated-markup-image" /></P> <P></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/server_change_cipher_spec.png" class="migrated-markup-image" /></P> Wed, 24 Aug 2016 18:30:42 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940379#M150535 Marvin Rhoads 2016-08-24T18:30:42Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940380#M150536 <P>Hello Marvin,</P> <P>I am using Cisco ASA 5520 with ver&nbsp;9.1(6), when I run the command "sh run ssl" I get blank output. Seems ssl encryption is not configured on my firewall. But when I run "sh ssl" command I get below output&nbsp;</P> <P>I am also not able to run "<SPAN>show ssl ciphers all" as its not executing. I can configure "ssl encryption" from global config mode.</SPAN></P> <P></P> <P>So my question is do I need to configure SSL encryption in my firewall to more secure my communication bw ASA &amp; ASDM or java applet negotiation is enough.&nbsp;</P> <P></P> <P>NOD-ASA/pri/act# sh ssl<BR />Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1<BR />Start connections using TLSv1 and negotiate to TLSv1<BR />Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1<BR />Disabled ciphers: des-sha1 rc4-md5 null-sha1<BR />No SSL trust-points configured<BR />Certificate authentication is not enabled</P> <P></P> <P>Thanks</P> <P></P> <P><BR />&nbsp;</P> Thu, 25 Aug 2016 08:59:06 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940380#M150536 amarnathtiwari 2016-08-25T08:59:06Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940381#M150537 <P>I am using Cisco ASA 5520 with ver&nbsp;9.1(6), when I run the command "sh run ssl" I get blank output. Seems ssl encryption is not configured on my firewall. But when I run "sh ssl" command I get below output&nbsp;</P> <P>I am also not able to run "<SPAN>show ssl ciphers all" as its not executing. I can configure "ssl encryption" from global config mode.</SPAN></P> <P></P> <P>So my question is do I need to configure SSL encryption in my firewall to more secure my communication bw ASA &amp; ASDM or java applet negotiation is enough.&nbsp;</P> <P>Hello Aditya,</P> <P></P> <P>NOD-ASA/pri/act# sh ssl<BR />Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1<BR />Start connections using TLSv1 and negotiate to TLSv1<BR />Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1<BR />Disabled ciphers: des-sha1 rc4-md5 null-sha1<BR />No SSL trust-points configured<BR />Certificate authentication is not enabled</P> <P></P> <P>Thanks</P> Thu, 25 Aug 2016 08:59:38 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940381#M150537 amarnathtiwari 2016-08-25T08:59:38Z https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940382#M150538 <P>The command "show run ssl" coming back with no output just means you have't specifically restricted your list to use anything other than the default.</P> <P>The command "show ssl ciphers all" was introduced in ASA 9.3(2) which is why you can't use it.</P> <P>The fact that "show ssl" tells you the available ciphers is listing the defaults for your platform and ASA software level.</P> <P>The older 5500 series (non-X) are limited in their support in that the newer TLS 1.2 ciphersuites are not available on their software. You could disable the rc4-sha1 cipher as it is the least strong of the ones your ASA currently has available and active.</P> Thu, 25 Aug 2016 18:13:29 GMT https://community.cisco.com/t5/network-security/firewall-asdm-communication/m-p/2940382#M150538 Marvin Rhoads 2016-08-25T18:13:29Z