Help on Cisco ASA 5505 and enabling ASDM!!!

tcvo91732
Level 1

I am having a problem when I try to change interface Ethernet0/1 to switchport access vlan 1: when I try to check it using the show run command it does not appear. What do I need to do to make it work? And also, what is my next step so that I can access ASDM in my web browser? The images I use are asa843-k8.bin and asdm-647.bin on an ASA 5505.

: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ec3006dc4cab42f81d133b398ddb0b6c
: end

14 Replies

icenterhq
Level 1

Is K9 active? Do you connect to the ASA from Vista/Win7?

Sent from Cisco Technical Support iPad App

Fawadnoorkhan_2
Level 1

It's been a while since I played with the 5505, but I think all the interfaces are part of VLAN 1 by default, hence it is not shown in the running config.

Try sh run all interface.

For HTTP, the following commands are already there:

http server enable

http 192.168.1.0 255.255.255.0 inside

What you need is the following:

username ADMIN password WHATEVER priv 15

aaa authentication http console LOCAL

Please mark complete and also rate if my reply was helpful to you.

Thank you.

If K9 is not active and Vista/Win7 is used to connect to the ASA via HTTPS, the ASA will drop the connection because DES is not supported by default in the Vista/Win7 SSL ciphers.

Sent from Cisco Technical Support iPad App

Thank you so much for your reply.

Yes, my OS is Win 7

How can I activate K9?

So what is your recommendation?

I'm using Win7. Could someone show me their output on an ASA 5505 so that I could compare it to mine? Thanks

This is my output:

ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server asdm protocol tacacs+
accounting-mode simultaneous
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication secure-http-client
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ADMIN password xlaEBzC9eIymxW7v encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:91ec6c81a5b77bb7da9743edafe60cc0
: end

Below are the commands that I ran, but the show run command doesn't show the changes that I want. Please help me with this issue.

ciscoasa# conf t
ciscoasa(config)# int e
ciscoasa(config)# int ethernet 0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# switch
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3

Hi

As noted on this thread, vlan1 is the default vlan so you will not see this in the running config.

Regards Craig

Have you tried my above recommendation?

Also, have you verified that your image is K9... a show ver would help.

I used asdm-647.bin. What else do I need to do to make it work? When I use the Cisco ASDM Launcher it pops up "Unable to launch device from 192.168.1.1".

ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)
Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 48 mins 49 secs
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
0: Int: Internal-Data0/0    : address is 001b.5446.d78a, irq 11
1: Ext: Ethernet0/0         : address is 001b.5446.d782, irq 255
2: Ext: Ethernet0/1         : address is 001b.5446.d783, irq 255
3: Ext: Ethernet0/2         : address is 001b.5446.d784, irq 255
4: Ext: Ethernet0/3         : address is 001b.5446.d785, irq 255
5: Ext: Ethernet0/4         : address is 001b.5446.d786, irq 255
6: Ext: Ethernet0/5         : address is 001b.5446.d787, irq 255
7: Ext: Ethernet0/6         : address is 001b.5446.d788, irq 255
8: Ext: Ethernet0/7         : address is 001b.5446.d789, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has a Base license.
Serial Number: JMX1116Z0TP
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Configuration last modified by enable_15 at 01:09:27.579 UTC Mon Mar 12 2012d

Hello Tho Vo,

As already explained, all ports that are part of VLAN 1 are assigned to the default VLAN, so no matter how many times you run the command show run you will not see it. However, you can run show run interface x/x and you should see the configuration there.

Regarding the HTTPS problem, you could get the 3DES/AES license for free.

Go to the following link and do it so you can have this:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Afterwards, add the command:

ssl encryption aes128-sha1 3des-sha1 aes256-sha1

And you should be good to go.

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I for the life of me couldn't figure out why I couldn't get my ASDM to load with all the proper configs and license.

The command: ssl encryption aes128-sha1 3des-sha1 aes256-sha1

is the one that you need to use to get ASDM up and running through the web. Thanks for this.

VPN-3DES-AES                      : Disabled       perpetual

You can't because 3DES is disabled. The browser doesn't support DES. You can check the SSL handshake and you will see the supported ciphers on both sides.

Solution:

1) Connect from Win XP (Vista and Win 7 don't support DES on SSL)

2) Install ASDM from the Cisco site (from the installer) and connect to the device

3) Connect from the console (COM port)

Also, you can't use strong encryption with VPN or SSH2. iPhone/iPad will not work. AnyConnect will work from Win XP.

ciscoasa(config)# aaa authentication http console local
ERROR: aaa-server group local does not exist
Usage: [no] aaa mac-exempt match
        [no] aaa authentication secure-http-client
        [no] aaa authentication listener http|https [port ] [redirect]
        [no] aaa authentication|authorization|accounting include|exclude
                [ ]
        [no] aaa authentication serial|telnet|ssh|http|enable console
                [LOCAL]
        [no] aaa accounting telnet|ssh|serial|enable console
        [no] aaa authentication|authorization|accounting match
        [no] aaa authorization command {LOCAL | [LOCAL]}
        [no] aaa accounting command {privilege }
        [no] aaa proxy-limit | disable
        [no] aaa local authentication attempts max-fail
        clear configure aaa
        clear aaa local user {fail-attempts|lockout} {all | username }}
        show running-config [all] aaa [authentication|authorization|accounting
                |max-exempt|proxy-limit]
        show aaa local user [lockout]

Astonishing as it may seem, the "LOCAL" keyword is case-sensitive in:

    aaa authentication http console LOCAL

Try it in uppercase.

-- Jim Leinweber, WI State Lab of Hygiene
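The thread converges on a short checklist for getting ASDM up over HTTPS: the HTTP server and a permitted management subnet, "aaa authentication http console LOCAL" in uppercase with a privilege-15 user, and the 3DES/AES license followed by the ssl encryption line. The following audit script is an added example written for this page, not code from the thread or from Cisco; the sample "show run" and "show version" text is constructed from the excerpts above, and the finding codes are names I chose.

```python
import re

# Constructed sample, modelled on the "show run" and "show version" excerpts in this
# thread (not a real device's output): LOCAL auth is set, but 3DES/AES is unlicensed.
SAMPLE_RUN = """\
aaa authentication http console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
username ADMIN password xlaEBzC9eIymxW7v encrypted privilege 15
"""
SAMPLE_VER = """\
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
"""

def parse_license(show_ver):
    """Map the 'Feature : Status' rows of 'show version' to {feature: status}."""
    rows = re.findall(r"^(\S.*?)\s+:\s+(\S+)", show_ver, re.M)
    return {name: status for name, status in rows}

def audit_asdm_access(show_run, show_ver):
    """Return finding codes (names of my own) for why ASDM over HTTPS may fail on an ASA 5505 8.4."""
    lines = [l.strip() for l in show_run.splitlines() if l.strip()]
    findings = []
    if "http server enable" not in lines:
        findings.append("NO_HTTP_SERVER")
    if not any(re.match(r"http \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$", l) for l in lines):
        findings.append("NO_HTTP_ACL")            # no management subnet permitted
    if "aaa authentication http console LOCAL" in lines:
        if not any(l.startswith("username ") and l.endswith(" privilege 15") for l in lines):
            findings.append("NO_PRIV15_USER")     # LOCAL auth, but no admin account to log in with
    elif any(l.lower() == "aaa authentication http console local" for l in lines):
        findings.append("AAA_LOWERCASE_LOCAL")    # server-tag is case-sensitive; the ASA rejects 'local'
    else:
        findings.append("NO_AAA_HTTP_LOCAL")
    # Without the (free) 3DES/AES license the box can only offer DES SSL ciphers,
    # which Vista/Win7 browsers will not negotiate; with it, set the stronger ciphers.
    if parse_license(show_ver).get("VPN-3DES-AES") != "Enabled":
        findings.append("NO_3DES_AES_LICENSE")
    elif not any(re.match(r"ssl encryption .*(aes|3des)", l) for l in lines):
        findings.append("NO_STRONG_SSL_CIPHERS")  # e.g. ssl encryption aes128-sha1 3des-sha1 aes256-sha1
    return findings

if __name__ == "__main__":
    for code in audit_asdm_access(SAMPLE_RUN, SAMPLE_VER):
        print(code)
```

Feed it the full "show run" and "show version" output rather than the excerpts; the unrelated lines are ignored.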

llamaw0rksE
Level 1

As stated, the default VLAN1 will not show up in the port assignment part of the running config display. I did note you will need to make a default route to allow hosts on private LANs or DMZs to reach the Internet.
