
Cisco ASA 5510 and ASDM.

antrikos_kal
Level 1

HELLO, I NEED HELP TO ACCESS ASA 5510 VIA ASDM. HERE'S MY SH RUN

 

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name wonderland
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif manage
 security-level 80
 ip address 10.1.1.3 255.0.0.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name wonderland
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 10.1.1.1 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 manage
http 10.0.0.0 255.0.0.0 inside
http 10.1.1.69 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.123 208.67.220.123
dhcpd auto_config outside
!
dhcpd address 10.1.1.3-10.1.1.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username whiterabbit password MRJSOlS0aAQHYByr encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:22ea9b020147570f8466a3badf50e7ee
: end


antrikos_kal
Level 1

REMOVED. DON'T NEED HELP FOR THIS.

ALSO HOW DO I REMOVE THE FOLLOWING?

 

http 10.1.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 10.1.1.1 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 manage
http 10.0.0.0 255.0.0.0 inside
http 10.1.1.69 255.255.255.255 inside

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name wonderland
enable password SbnysBJF7Ls1GfkK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif manage
 security-level 80
 no ip address
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name wonderland
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.123 208.67.220.123
dhcpd auto_config outside
!
dhcpd address 10.1.1.3-10.1.1.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
username whiterabbit password MRJSOlS0aAQHYByr encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c803f65943a9c7f35c4e915cfe376a10
: end
ciscoasa(config)#

 

What is wrong w/ this and can't access ASDM? I get IP via DHCP.

ASDM should be reachable from any of the subnets specified in the "http x.x.x.x" commands.

 

You remove those commands by entering configuration mode ("conf t", which is itself entered from enable mode, i.e. # in the command line prompt) and using the command "no http x.x.x.x" for each line (substituting the actual addresses for x.x.x.x).

I don't know what IPs I should use to have access from my laptop. I know the command. Subnet is 255.255.255.0, that's all I know, and that I should use inside. I just don't know what IP range I should use.

My laptop has IP 10.1.1.4 255.255.255.0 and the gateway is 10.1.1.1.

Your defined gateway is the ASA inside address. The laptop address is on the same subnet. Just point ASDM to the ASA's address of 10.1.1.1.

 

It is allowed ASDM access by virtue of the command "http 10.0.0.0 255.0.0.0 inside" which grants access to any address in the 10.0.0.0/8 supernet.
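The matching described in the two replies above ("http x.x.x.x" lines deciding who may reach ASDM, and "no http" removing them), as an added Python example that is not part of the original thread: it parses the `http` lines from the first posted config, shows which of them admit the laptop at 10.1.1.4, and lists the commands that would narrow access to the inside LAN. The function names and the choice of 10.1.1.0/24 as the only permitted range are assumptions of this example.

```python
import ipaddress

# Constructed sample: the ASDM access lines from the first running-config in this thread.
SAMPLE_CONFIG = """\
http server enable
http 10.1.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 10.1.1.1 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 manage
http 10.0.0.0 255.0.0.0 inside
http 10.1.1.69 255.255.255.255 inside
"""


def parse_http_rules(config):
    """Return (network, nameif) for each 'http <addr> <mask> <nameif>' line."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "http":
            continue  # skips 'http server enable' and unrelated lines
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # not an address/mask pair
        rules.append((net, parts[3]))
    return rules


def rules_permitting(rules, client_ip, nameif):
    """Networks on the given interface whose range covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [net for net, ifname in rules if ifname == nameif and ip in net]


def tighten_to_lan(rules, lan, nameif):
    """Commands that swap rules wider than the connected LAN for the LAN itself.

    Assumption of this example: ASDM should be reachable only from `lan`.
    The permit line comes first so access is not lost part-way through.
    """
    lan_net = ipaddress.ip_network(lan)
    wide = [net for net, ifname in rules
            if ifname == nameif and net != lan_net and lan_net.subnet_of(net)]
    if not wide:
        return []
    cmds = [f"http {lan_net.network_address} {lan_net.netmask} {nameif}"]
    cmds += [f"no http {n.network_address} {n.netmask} {nameif}" for n in wide]
    return cmds
```

With the posted lines, the laptop is admitted by both `http 0.0.0.0 0.0.0.0 inside` and `http 10.0.0.0 255.0.0.0 inside`; the first of these admits any source address arriving on the inside interface, not just the 10.x range.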

I think it worked, but I get this error in Firefox: SSL_ERROR_NO_CYPHER_OVERLAP

Says it's not safe to continue and I don't have an option for exception. I tried latest Firefox and Internet Explorer. OS is 10 64bit home.

Is this the same ASA you posted about before that was wiped clean and then recovered?

 

Most likely you don't have the free 3DES-AES license on the ASA. Please share the output of "show version | i 3DES". If it shows the license is not present then you need to get a license / activation key from software.cisco.com and install it.

ciscoasa(config)# show ver

Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(4)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 58 mins 23 secs

Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is c84c.75da.9c36, irq 9
1: Ext: Ethernet0/1 : address is c84c.75da.9c37, irq 9
2: Ext: Ethernet0/2 : address is c84c.75da.9c38, irq 9
3: Ext: Ethernet0/3 : address is c84c.75da.9c39, irq 9
4: Ext: Management0/0 : address is c84c.75da.9c35, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has a Base license.

Yes, but I never managed to get the activation key. I lost it. I got the free from Cisco for 3DES/AES.

You have the extremely old (>10 years) ASDM image version 6.3(4) installed.

 

It won't support the modern ciphers that are required by any modern browser (even though you have the 3DES-AES license on the ASA).

 

You either have to get a new ASDM image or use the CLI to configure.

ok!
