08-31-2011 09:57 AM - edited 03-11-2019 02:18 PM
I am trying to setup SSL so I can manage my ASA via any internet browser on my network. I am new to the cisco world, but I think I have most of it down. When I try to log into the ASA via firefox I get:
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Below is my current config ( I have a lot of extra info that populates everytime I enter a command, not sure what I turned on, but if you have a fix to clear that as well, I would apprciate it.
ASA Version 8.2(3)wn coldstart' comm
!d
hostname Wood-ASA1-if
%ASA-5-111008:
domain-name lv.cox.net the 'inspect ip-optio
enable password 8Ry2YjIyt7RRXU24 encrypted8cb69fe 20cfb60adisk0:/asa823.bin
%
passwd 2KFQnbNIdI.2KYOU encrypteded the 'service-policy global_pol
namesobal'
!a
interface Ethernet0/0in ^
switchport access vlan 2%ASA-5-
command.ser 'Con
!S
interface Ethernet0/1ig' executed the 'pro
!t
interface Ethernet0/2mand.tics access-lirv
!-
interface Ethernet0/3 securi
rd DfltAccess
!l
interface Etherne
interface Vlan1ecuted the 'pro
nameif inside' command.omma
security-level 100
%ASA-5-111008: Use
ip address 192.168.1.1 255.255.255.01008: User 'Config' executed the 'no
!t
interface Vlan2 the '
%ASA-5-1
nameif outsidefig' executed t
security-level 0-5-111008: User '
ip address dhcp setrouteination address http http
!/
boot system disk0:/asa823-k8.bing' executed the 'class-map inspe
boot config disk0:/asa823.binom/its/service/oddce/services
ftp mode passivemand. User 'Conf
dns server-group DefaultDNS User 'Config' execut
%ASA-
domain-name lv.cox.netexecuted the 'destinati
object-group icmp-type ICMP-INBOUNDation linkup linkdown coldstart' co
description Permit necessary inbound ICMP trafficand.'policy-map type
%ASA-5-111008: User 'Config'
icmp-object echo-replyon transport-method htt
icmp-object unreachable
s_map' command.t
icmp-object t
%ASA-
logging buffered warningsecuted the 'subscribe-to-
logging asdm notificationsxecuted t
%ASA-5-111008: U
mtu inside 1500cuted the 'poli
mtu outside 1500ct
riodic month
icmp unreachable rate-limit 1 burst-size 1-111008: User 'Config' executed the 'subsc
asdm image disk0:/asdm-625.bino5-111008: User 'Config' execu
no asdm history enablemmand.outside' command
arp timeout 14400monthly' command.
nat-control
%ASA-5-111
global (outside) 1 interfacenfig' executed the 'subscrib
nat (inside) 1 0.0.0.0 0.0.0.0andasa# threat-detec
d.n
%ASA
access-group INBOUND in interface outside08: Us
riodic daily' command.e
timeout xlate 3:
aaa authentication ssh console LOCALe Ethernet0/5, changed state to admi
http server enableas
%ASA-5-111008:
http 192.168.1.0 255.255.255.0 inside' executed the
%ASA-4-411003: Interfa
no snmp-server locationstate to administra con
no snmp-server contact
telnet timeout 5# nat-contr
%ASA
ssh 0.0.0.0 0.0.0.0 insideec
%ASA-4-411001: Line pro
ssh 0.0.0.0 0.0.0.0 outside/3, changed state to upomma
ssh timeout 5SA-5-111
%ASA
console timeout 0onfig' executed t
dhcpd dns 8.8.8.8 8.8.4.4ne protocol on Interface
dhcpd auto_config outside to ups_map' com
%ASA-5-1
!0
dhcpd address 192.168.1.2-192.168.1.33 insideommand
enableR: % I
Password:SA-5-1110
Wood-A
dhcpd dns 8.8.8.8 8.8.4.4 interface inside: Uname: enable_15 From: 1 To:pect netbios
dhcpd enable insidescoas
%ASA-5-111008
!U
threat-detection basic-threat%ASA-5-111008: User 'enable_1
threat-detection statistics acce
.0.0.0 0.0.0.
parametersprompt host
message-length maximum client auto1008: User 'enable_15' executed the
message-length maximum 512A-5-111008: User 'Config' ex
policy-map type inspect dns prsent_dns_map 0/0' command. executed the 'inspe
no shut
parametersA-5
Wood-AS
message-length maximum 512 Interface Ethernet0/0, chan
policy-map global_policyg' executed the 'inspect
class inspection_defaultA-5-111008: User 'Con
ini
inspect dns preset_dns_map
%ASA-5-111008: User 'enable
inspect ftpthe 'no shutd
inspect h323 h225111008: User 'Confi
inspect h323 rasstination address
inspect rsh1001: Line pr
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c3a35118ab34143a5e73e414ead343c1
08-31-2011 11:03 AM
Hi,
When you mean setting up SSL, the concept is too big, can mean SSLVPN, WebVPN, ASDM etc. Are you trying to setup ASDM to manage your device, or are you trying to configure a VPN anyconnect so you can manage your device?
Thanks!
Mike
08-31-2011 11:07 AM
SSL VPN and VPN anyconnect
08-31-2011 11:14 AM
Hi,
It would be better if you move the case to the VPN forum, they will assist you better. On your configuration, I cannot see anything configured yet. Here is a guide that you can follow:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html
Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide