
ASA 5505

Hey Everybody,

My network runs through an ASA 5505.  I recently started as the sole administrator at a small business and believe it or not, the previous administrator had documented absolutely nothing.  Therefore I have no idea on how to access my device short of bringing it down and reconfiguring it.  This being said, I have a few questions that hopefully someone can answer.

1. How can I identify what IP address the ASA resides on?  Is it the same as my default gateway?  I've read that you can access it via a web shell if you browse to https://xxx.xxx.xxx.xxx/admin although this might only be the case after you have installed the ASDM software on the local machine.  I understand that the default is 192.168.1.1, but I'm sure this is not the case in my network because my wireless router uses that IP.

2. Is there a default username and password to use if I get to the administrator screen?  If I cannot find this, am I stuck having to reset the device or is there a way to reset it?

3. Can you access it through a domain attached computer or do I need to network to it directly through an ethernet cable?

Thanks for any help, and feel free to add anything that I might have not thought of and left out.

Anthony


Accepted Solutions

Hi again Anthony,

it looks like the 'show run...' gave you some good detail. As you can see the only thing that's using the 192.168.1.0 network is the http server.

There is a post a bit higher up about adding an http command to the ASA.

   ciscoasa# conf t

   ciscoasa(config)# http 10.40.234.0 255.255.255.0 inside


and since we're in config already try...

   ciscoasa(config)# dns-server value 10.40.234.23

that should allow you to connect to the ASA and start getting ASDM set up using http://10.40.234.1/ from a PC on the 10.40.234.0 network. It will also add 10.40.234.23 as a dns-server value.

Hope this helps.


19 Replies

Jennifer Halim
Cisco Employee

1) The only way to identify the ip address of the ASA is to check the configuration, so a couple of tips:

- Does the previous admin have a topology diagram that might have the ASA ip address?

- Does the previous admin happen to have a copy of the ASA configuration somewhere?

- Does anyone else happen to know the ASA ip address?

- I would try to see if you can console into the ASA (maybe the console is not configured with any user password) and at least you can get the bare minimum output from the ASA

2) The default from Cisco would be username: pix and password: cisco, or you can also try username --> blank (nothing typed in), with password: cisco. However I doubt that it will be left as default (but you might be lucky).

Here is the procedure to reset the password:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1049302

(pls carefully follow the procedure step by step)

BTW, do you know which version the ASA 5505 is running?

3) You can access the ASA from your network as long as the ASA is configured to allow access from a certain ip address or subnet.

Hope that provides you with something to start with.

Thank you for your reply.

Unfortunately I have no documentation whatsoever except for one text file explaining how to log into the VPN.  Actually, that's how all of this started - I need to manage the VPN users.  Other than that, I think it's good for the network admin to know how to access the firewall!

Would connecting with a VPN client lend any information about the ASA IP address?

I am still waiting to get my license info from CDW where we bought the unit so I can relate it to my online account.  It is unfortunate that I have to go through all of this just to download the administrator software.  Hopefully once I get hold of that I can try a few IP addresses and maybe get lucky.

Anthony

I actually just came across a config file dug up from an email on the old admin's account.  config-log.txt

I'm not quite sure what I'm looking at, but there is a portion that reads:

ciscoasa# config t

ciscoasa(config)# int vlan3

ciscoasa(config-if)# ipaddress 192.168.0.66 255.255.255.0

ciscoasa(config-if)# nat (dmz) 192.168.0.0 255.255.255.0

Is this the IP of my ASA?

That is one of the ip addresses of your ASA. It's the ip address of your ASA DMZ interface. Are you able to access 192.168.0.66 from the 192.168.0.0/24 subnet?

Have you tried a ping sweep to locate the device?

Also, on an ASA 5505

Int vlan1 will have the private ip address for the firewall

Int vlan2 will have the public

From the post it seems like you are looking for the private. I would do a ping sweep and go from there.

And the IP address where the VPN Client is connecting to is normally the ASA outside interface ip address. Try to see if you are able to access that ip address from the Internet.

Also try to access the ip address of the default gateway configured on your user PC, it is a possibility that it's the ASA inside interface ip address.

Okay, I think I have figured out what the inside and outside IP addresses are of the ASA device.  I can use hyperterminal to connect to the IP, and I found that my version is 7.2(4) and device manager is on 5.2(4).

Now I am wondering how to get to the GUI interface.  The CLI is more difficult to navigate.  I try the IPs as https://10.40.234.1/admin and it gives me nothing.  Tried the other IP as well, and with both https and http in the URL.  How can I get into the web interface?

Hello,

First you need to check if you have an ASDM image and if you have access to the ASA via http. You can check that using the following commands:

sh run http: in this output, you can check if the IP address of the machine you are trying to connect from is listed.

sh run asdm: this output will show you which ASDM image you are going to use.


In case you don't have any of that configured, you can do the following

ciscoasa(config)#http server enable
ciscoasa(config)#http server

If you don't have an ASDM image on flash, you can use the following link in order to upload one

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask2

Also, you can follow the next chart to see which ASDM image you need to use

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

Hope it helps

Mike


Yes, this does help.  Here is the output:

ciscoasa(config)# sh run http
http server enable
http 192.168.1.0 255.255.255.0 inside

ciscoasa(config)# sh run asdm
asdm image disk0:/asdm-524.bin
no asdm history enable

So should I be able to access this via https://192.168.1.0/admin  ?

Hi,

Not exactly, that statement says which IP addresses are able to ASDM to the device. Meaning that from the network  192.168.1.0 (say computer 192.168.1.2) you can access the device using the IP address of the inside interface of the firewall.

You can check what the inside IP address of the firewall is using the command "sh run interface", and use that IP as follows

https://

Let me know how it goes

Mike


Here is the output:

nameif inside
security-level 100
ip address 10.40.234.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.0.66 255.255.255.0

I tried https://10.40.234.1 and the connection times out.  Any idea what I am doing wrong here?

Thanks for all your help,

Anthony

Hi Anthony

What is the IP address of your computer? Your computer should be on the inside in order to try to access the ASDM and should have an IP address on the range of 10.40.234.0/24

If you are doing it from the inside and you have an IP address on your computer in the range of 10.40.234.0, you need the following line

ciscoasa(config)#http server 0 0 inside

let me know how it goes

Cheers

Mike


Slowly but surely this is starting to make more sense to me.

I am on a computer that has IP of 10.40.234.66.  Here is the output of the http server command:

ciscoasa(config)# http server 0 0 inside
                                          ^
ERROR: % Invalid Hostname

Ah, didn't read that fully.  I have to connect from a computer with IP from 192.168.1.x

I'll try that and let you know what happens.
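
The "http network mask interface" lines shown by "sh run http" act as an allowlist of management clients, which is why 10.40.234.66 timed out while only 192.168.1.0/24 was listed. As an added example (not code from any poster in this thread), the Python below parses the two outputs posted above and returns either the ASDM URL to use or the config line that is missing; the function names and the sample strings are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input, pieced together from the outputs posted in this thread
# (the outside interface is left out because its address is masked there).
SHOW_RUN_HTTP = """http server enable
http 192.168.1.0 255.255.255.0 inside
"""
SHOW_RUN_INTERFACE = """interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.234.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.0.66 255.255.255.0
"""

def parse_http(text):
    """Return (server_enabled, [(allowed_network, nameif), ...])."""
    enabled = re.search(r"^http server enable\b", text, re.M) is not None
    full = lambda t: "0.0.0.0" if t == "0" else t  # ASA shorthand: "0 0" = any
    rules = [(ipaddress.ip_network(f"{full(a)}/{full(m)}", strict=False), n)
             for a, m, n in re.findall(r"^http ([\d.]+) ([\d.]+) (\S+)[ \t]*$", text, re.M)]
    return enabled, rules

def parse_interfaces(text):
    """Map nameif -> IPv4Interface from 'show run interface' output."""
    pat = r"nameif (\S+)[ \t]*\n(?:(?!interface ).*\n)*?[ \t]*ip address ([\d.]+) ([\d.]+)"
    return {n: ipaddress.ip_interface(f"{ip}/{m}") for n, ip, m in re.findall(pat, text)}

def asdm_check(client, http_cfg=SHOW_RUN_HTTP, intf_cfg=SHOW_RUN_INTERFACE):
    """Return (allowed, detail): the URL to use, or the config line that is missing."""
    enabled, rules = parse_http(http_cfg)
    ifaces = parse_interfaces(intf_cfg)
    addr = ipaddress.ip_address(client)
    if not enabled:
        return False, "http server enable"
    for net, nameif in rules:
        if addr in net and nameif in ifaces:
            return True, f"https://{ifaces[nameif].ip}/"
    for nameif, ifc in ifaces.items():  # suggest the narrowest rule: the client's own subnet
        if addr in ifc.network:
            return False, f"http {ifc.network.network_address} {ifc.network.netmask} {nameif}"
    return False, "client is not on a directly connected subnet"

if __name__ == "__main__":
    for ip in ("10.40.234.66", "192.168.1.2"):
        print(ip, asdm_check(ip))
```

For 10.40.234.66 the suggested line is the same one given in the accepted solution; a rule scoped to the admin subnet keeps the management allowlist narrower than "http 0 0 inside" would.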
