I have an ASA 5505 purchased and installed in China running asa8215-k8.bin code. No 3DES due to export controls and I can't legally install it.
ASDM does not launch and from what I've read, the ssl encryption level is the issue.
I can't set ssl encryption to AES or 3DES because those aren't supported on this unit. Does that mean the ASDM, AnyConnect and other features are permanently disabled or is there a way around this?
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
fw-01 up 6 days 7 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 7c0e.ce3c.f9a5, irq 11
1: Ext: Ethernet0/0 : address is 7c0e.ce3c.f99d, irq 255
2: Ext: Ethernet0/1 : address is 7c0e.ce3c.f99e, irq 255
3: Ext: Ethernet0/2 : address is 7c0e.ce3c.f99f, irq 255
4: Ext: Ethernet0/3 : address is 7c0e.ce3c.f9a0, irq 255
5: Ext: Ethernet0/4 : address is 7c0e.ce3c.f9a1, irq 255
6: Ext: Ethernet0/5 : address is 7c0e.ce3c.f9a2, irq 255
7: Ext: Ethernet0/6 : address is 7c0e.ce3c.f9a3, irq 255
8: Ext: Ethernet0/7 : address is 7c0e.ce3c.f9a4, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
You could generate a 3DES license free of cost from the cisco.com website and activate it on the ASA.
Please follow the below link to generate the key:
- Click on "Product License Registration" Tab on the Right.
- Click on the "Get Other Licenses" dropdown menu on the right and select the "IPS, Crypto, Other..." link.
- Select "Security Product" from the product family and select Cisco ASA "3DES/AES License".
- Enter the Serial Number of the ASA (New ASA).
- Click Next, then select the “I Agree” check box, type your “Email Address” and click Submit.
- Activate the license key on the ASA with the "activation-key" command in configuration terminal mode. Do not reload the ASA; check the license once again with the ‘show activation-key’ command.
Also check if ssl encryption is enabled:
conf t
(config)# ssl encryption ?   (this displays all the available encryption sets; select everything in a single line separated by spaces)
Let me know if you have any query on this.
I could generate and install a 3DES license, but since I'd rather stay out of federal prison for exporting cryptography to a country on the government export control list, I won't ;-)
My question again is if there is a way you can use ASDM without 3DES. Does Cisco restrict that functionality for devices in Russia, China and other countries where we can't use 3DES and AES? Am I stuck with telnet for management?
I did some research on this and here is what I could find:
ASDM requires an SSL connection from the browser to the adaptive security appliance. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the adaptive security appliance to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
1. Open the Firefox web browser and follow the instructions from the above link to open about:config.
2. Add the new preference security.ssl3.dhe_dss_des_sha (Boolean with value true).
3. Reload the Firefox web browser.
Please verify the settings and configuration below:
1. ASDM runs using Java, so make sure that Java is installed on the PC.
2. Be sure that the ASA is configured correctly:
- ASDM is enabled with "http server enabled"
- the IP address or subnet you are accessing from is allowed (follow the example "http 192.168.1.1 255.255.255.255 inside")
- there is the rule pointing to the ASDM file: asdm image disk0:/<name of the asdm bin file>
- the asdm file exists on the flash (check with the command "show flash")
- the user is configured (check with the command "show run user")
- the ssl setting in your case should use DES (check with the command "show run all ssl" -> "ssl encryption des-sha1")
For IE:
You need to have Java version 6.
Please try the same and let me know if this works for you.
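As an added illustration (not code from the thread or from Cisco), a small Python checker that applies the ASDM prerequisite checklist above to a constructed running-config excerpt and to the licence lines of "show version"; the ASA command names are the standard ones, while the IPs, username and file names are placeholders.

```python
import ipaddress
import re

# Constructed sample config excerpt (placeholder IPs, names and files; not from the thread).
SAMPLE_CONFIG = """\
hostname fw-01
username admin password <removed> privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
asdm image disk0:/asdm-649.bin
ssl encryption des-sha1
"""
SAMPLE_FLASH = ["asa825-k8.bin", "asdm-649.bin"]   # constructed "show flash" listing
SAMPLE_LICENSE = "VPN-DES : Enabled\nVPN-3DES-AES : Disabled\n"  # constructed "show version" lines


def strong_crypto_licensed(show_version):
    """True only if the VPN-3DES-AES feature line reads Enabled."""
    m = re.search(r"^VPN-3DES-AES\s*:\s*(\w+)", show_version, re.M)
    return m is not None and m.group(1).lower() == "enabled"


def check_asdm_prereqs(config, flash_files, client_ip):
    """Apply the thread's ASDM checklist; returns {check_name: passed}."""
    lines = [l.strip() for l in config.splitlines()]
    r = {"http_server": "http server enable" in lines}
    # Each "http <net> <mask> <iface>" line permits ASDM/HTTPS from that source subnet.
    client = ipaddress.ip_address(client_ip)
    r["client_allowed"] = any(
        client in ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        for m in re.finditer(r"^http (\S+) (\S+) (\S+)$", config, re.M)
    )
    img = re.search(r"^asdm image disk0:/(\S+)$", config, re.M)
    r["asdm_image_set"] = img is not None
    r["asdm_image_on_flash"] = img is not None and img[1] in flash_files
    r["local_user"] = any(l.startswith("username ") for l in lines)
    enc = re.search(r"^ssl encryption (.+)$", config, re.M)
    suites = enc[1].split() if enc else []
    r["ssl_encryption_set"] = bool(suites)
    # Without the 3DES/AES licence only the DES suites will actually be negotiated.
    r["only_des_suites"] = bool(suites) and all(s.startswith("des") for s in suites)
    return r


if __name__ == "__main__":
    print("strong crypto licensed:", strong_crypto_licensed(SAMPLE_LICENSE))
    for name, ok in check_asdm_prereqs(SAMPLE_CONFIG, SAMPLE_FLASH, "192.168.1.50").items():
        print(f"{name:22} {'OK' if ok else 'MISSING'}")
```

Run it against the output of "show running-config", "show flash" and "show version" copied from the unit to see which of the checklist items is actually failing before suspecting the browser cipher setting.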
Thanks very much for pursuing a solution. Unfortunately, that didn't seem to work.
All of the needed settings are present and the ASDM file exists. I've checked and double-checked settings.
I added the preference to Firefox (see attached jpg) as you suggested but any connection attempt still fails.
What source tells you China is on the embargoed list? As far as I know, strong encryption export is only restricted to the embargoed countries list that currently includes only Cuba, Iran, North Korea, Sudan, and Syria.
The captcha information does not appear, only a black space without any info when we try.
Tested with two different computers and internet connections, with different browsers.
How to fix it?