02-07-2019 09:56 AM - edited 02-21-2020 08:46 AM
HELLO, I NEED HELP TO ACCESS ASA 5510 VIA ASDM. HERE'S MY SH RUN
ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name wonderland
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
duplex full
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif manage
security-level 80
ip address 10.1.1.3 255.0.0.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name wonderland
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 10.1.1.1 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 manage
http 10.0.0.0 255.0.0.0 inside
http 10.1.1.69 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.123 208.67.220.123
dhcpd auto_config outside
!
dhcpd address 10.1.1.3-10.1.1.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username whiterabbit password MRJSOlS0aAQHYByr encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:22ea9b020147570f8466a3badf50e7ee
: end
02-07-2019 10:31 AM - edited 02-07-2019 06:57 PM
REMOVED. DON'T NEED HELP FOR THIS.
ALSO, HOW DO I REMOVE THE FOLLOWING?
http 10.1.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 10.1.1.1 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 manage
http 10.0.0.0 255.0.0.0 inside
http 10.1.1.69 255.255.255.255 inside
02-07-2019 06:56 PM
ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name wonderland
enable password SbnysBJF7Ls1GfkK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
duplex full
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif manage
security-level 80
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name wonderland
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.123 208.67.220.123
dhcpd auto_config outside
!
dhcpd address 10.1.1.3-10.1.1.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
username whiterabbit password MRJSOlS0aAQHYByr encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c803f65943a9c7f35c4e915cfe376a10
: end
ciscoasa(config)#
What is wrong with this, and why can't I access ASDM? I get an IP via DHCP.
02-07-2019 07:03 PM
ASDM should be reachable from any of the subnets specified in the "http x.x.x.x" commands.
You remove those commands by entering configuration mode ("conf t", which is itself entered from enable mode, i.e. # in the command line prompt) and using the command "no http x.x.x.x" for each line (substituting the actual addresses for x.x.x.x).
02-07-2019 07:05 PM
I don't know what IPs I should use to have access from my laptop. I know the command. Subnet is 255.255.255.0, that's all I know, and that I should use inside. I just don't know what IP range I should use.
02-07-2019 07:06 PM
My laptop has IP 10.1.1.4 255.255.255.0 and the gateway is 10.1.1.1.
02-07-2019 07:09 PM
Your defined gateway is the ASA inside address. The laptop address is on the same subnet. Just point ASDM to the ASA's address of 10.1.1.1.
It is allowed ASDM access by virtue of the command "http 10.0.0.0 255.0.0.0 inside" which grants access to any address in the 10.0.0.0/8 supernet.
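The source matching described in this reply can be checked offline. The following is an added example, not code from the thread or from Cisco: it parses the `http` lines from the first posted config, reports which entries admit the laptop at 10.1.1.4, and flags any-source and redundant entries. The function names are hypothetical.

```python
import ipaddress

# "http" lines copied from the first "show run" posted in this thread
ASA_HTTP_LINES = """\
http server enable
http 10.1.1.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 10.1.1.1 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 manage
http 10.0.0.0 255.0.0.0 inside
http 10.1.1.69 255.255.255.255 inside
"""

def parse_http_rules(config):
    """Return (network, interface) for every 'http <ip> <mask> <interface>' line."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "http":
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue  # not an address/mask pair, e.g. some other http option
            rules.append((net, parts[3]))
    return rules

def matching_rules(rules, client_ip, interface):
    """Entries that permit client_ip to reach ASDM on the named interface."""
    ip = ipaddress.ip_address(client_ip)
    return [net for net, ifc in rules if ifc == interface and ip in net]

def audit(rules):
    """Flag any-source entries and entries already covered by a wider one."""
    findings = []
    for net, ifc in rules:
        if net.prefixlen == 0:
            findings.append(f"{net} on {ifc}: any source address may reach ASDM")
        elif any(o != net and oi == ifc and net.subnet_of(o) for o, oi in rules):
            findings.append(f"{net} on {ifc}: redundant, covered by a wider entry")
    return findings

if __name__ == "__main__":
    rules = parse_http_rules(ASA_HTTP_LINES)
    print("10.1.1.4 on inside matches:", matching_rules(rules, "10.1.1.4", "inside"))
    for finding in audit(rules):
        print(finding)
```

With the posted lines, a single `http 10.1.1.0 255.255.255.0 inside` entry would be enough for the laptop; every other `inside` entry is either wider than needed or already covered.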
02-07-2019 07:20 PM
I think it worked, but I get this error in Firefox: SSL_ERROR_NO_CYPHER_OVERLAP
02-07-2019 07:22 PM
Says it's not safe to continue and I don't have an option for exception. I tried latest Firefox and Internet Explorer. OS is 10 64-bit Home.
02-07-2019 07:27 PM
Is this the same ASA you posted about before that was wiped clean and then recovered?
Most likely you don't have the free 3DES-AES license on the ASA. Please share the output of "show version | i 3DES". If it shows the license is not present then you need to get a license / activation key from software.cisco.com and install it.
02-07-2019 07:33 PM
ciscoasa(config)# show ver
Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(4)
Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 58 mins 23 secs
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is c84c.75da.9c36, irq 9
1: Ext: Ethernet0/1 : address is c84c.75da.9c37, irq 9
2: Ext: Ethernet0/2 : address is c84c.75da.9c38, irq 9
3: Ext: Ethernet0/3 : address is c84c.75da.9c39, irq 9
4: Ext: Management0/0 : address is c84c.75da.9c35, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
02-07-2019 07:35 PM
Yes, but I never managed to get the activation key. I lost it. I got the free one from Cisco for 3DES/AES.
02-07-2019 07:40 PM
You have the extremely old (>10 years) ASDM image version 6.3(4) installed.
It won't support the modern ciphers that are required by any modern browser (even though you have the 3DES-AES license on the ASA).
You either have to get a new ASDM image or use the CLI to configure.
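The browser error reported above is a cipher-overlap failure, and the posted configuration contains the line `ssl encryption des-sha1`. The following added example (not from the thread or from Cisco) maps the ASA keywords of that command to IANA suite names and intersects them with a client offer. The client offer and the alternative `ssl encryption` line are constructed for comparison, and protocol-version negotiation is not modelled.

```python
import re

# ASA "ssl encryption" keywords (pre-9.3 syntax) and the suite each one selects.
ASA_TO_IANA = {
    "des-sha1": "TLS_RSA_WITH_DES_CBC_SHA",
    "3des-sha1": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "aes128-sha1": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "aes256-sha1": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "rc4-sha1": "TLS_RSA_WITH_RC4_128_SHA",
    "rc4-md5": "TLS_RSA_WITH_RC4_128_MD5",
}

# Constructed sample client offer (an assumption, not a capture from any browser).
SAMPLE_CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def server_suites(config):
    """Suites enabled by the 'ssl encryption' line, in configured order."""
    m = re.search(r"^\s*ssl encryption\s+(.+)$", config, re.MULTILINE)
    if not m:
        return []  # no explicit line: platform defaults apply, not modelled here
    return [ASA_TO_IANA[k] for k in m.group(1).split() if k in ASA_TO_IANA]

def overlap(config, client_offer):
    """Server suites that the client also offers, in server preference order."""
    offered = set(client_offer)
    return [s for s in server_suites(config) if s in offered]

def diagnose(config, client_offer=SAMPLE_CLIENT_OFFER):
    suites = server_suites(config)
    if not suites:
        return "no explicit 'ssl encryption' line found"
    common = overlap(config, client_offer)
    if common:
        return "handshake can select " + common[0]
    return "no cipher overlap: " + ", ".join(suites) + " not offered by client"

# Excerpt of the config posted in this thread.
POSTED = "threat-detection basic-threat\nssl encryption des-sha1\nwebvpn\n"
# Hypothetical alternative line, assumed here only for comparison.
HYPOTHETICAL = "ssl encryption aes256-sha1 aes128-sha1 3des-sha1\n"

if __name__ == "__main__":
    print("posted:      ", diagnose(POSTED))
    print("hypothetical:", diagnose(HYPOTHETICAL))
```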
02-07-2019 07:42 PM
ok!