ASA5520 - Unit not accessible on network for initial configuration

dhawe
Level 1

We received an ASA5520-K8 through Cisco's Loan program so we could demo it as a replacement for our aging Cisco 3005 VPN appliances.  Given that we are a non-Cisco shop (except for specific appliances like concentrators and wireless access points), I don't have a great deal of experience with Cisco gear.

I started to set up the appliance this morning but immediately ran into issues.  The 5520 doesn't seem to be acting as a DHCP server, and worse yet, I can't access the unit even if I hard code the IP on the PC being used for configuration.  I have to say that I feel kinda stupid having to post this, since I actually followed the documentation available for this menial task and I fully expect the problem to be a simple one.  Namely, I am using two specific sources of info for connections:

1.  http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/inst5500.html#wpxref77381

2.  Cisco ASA 5500 Series Getting Started Guide

I've tried a few things so far:

1. PC and 5520 Management Port on dedicated switch, Internet plugged into Ether0

2. PC connected directly to Management Port

3. PC plugged into Ether3, Internet plugged into Port0

4. Multiple cables and laptops to confirm non issue.

Am I missing something?  Please tell me so, point at me, then have a hearty laugh.

(FYI, unit did boot OS, confirmed with console connection)

20 Replies

Hello Darrin,

Please add the following command and let me know the result:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ciscoasa(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key.

As I explained above, I don't appear to have a valid CCO login (given this is a loaner), so I can't grab the free license to activate this feature.  If you can provide me with the proper place to login, I can confirm that I can or can't grab the appropriate license.

dhawe
Level 1

Solved.

FYI, I used the following procedure:

5520 Initial Commands - using gigabit port 0/1

enable
conf t
int gi0/1
! name the interface first; security-level and the address hang off the nameif
nameif inside
security-level 100
ip add 192.168.0.1 255.255.255.0
no shut
exit
! enable the HTTPS/ASDM listener and allow the inside subnet to reach it
! (the http allow rule takes the source interface name as its last argument)
http server enable
http 192.168.0.0 255.255.255.0 inside
! applied the VPN-3DES-AES activation key obtained from Cisco TAC (activation-key <key>);
! without it the ASA rejects the ciphers below with the error shown earlier in the thread
ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Not sure if this encryption issue is something unique to me or a common occurrence, in that I don't know if most of the 5520s ship with the VPN-3DES key preinstalled, but that issue turned what should have been a 30 min install into an epic.  Thanks Julio and Adam for the help.

Hello Darrin,

My pleasure, glad you found the problem.

Please mark the question as answered for future purposes.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

adam.sibille
Level 1

Bah,

Sorry I forgot the "nameif inside" command under the interface.

I'm not sure how the 3des encryption plays a part in the initial config, but that's interesting to say the least.  I may have to do a little bit of research on that just for my own personal knowledge.

Adam said:

"I'm not sure how the 3des encryption plays a part in the initial config, but that's interesting to say the least.  I may have to do a little bit of research on that just for my own personal knowledge."

At least on my loaner 5520, the unit did not ship with the 3DES-AES key enabled.  As a result (as I understand it), there was no common SSL protocol between the 5520 and the browsers being used, therefore making the encrypted 5520 web page inaccessible.  IMO, there should be a way (if there isn't already) to turn off the SSL via CLI so this can be avoided.

Anyways, thanks again for the help
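The three things that cost this thread a day (an interface configured without a nameif, an http allow rule missing its source interface, and an ssl encryption list that only names ciphers the VPN-3DES-AES key unlocks) are all visible in the running-config and in the licence table of show version before anyone opens a browser. The linter below is an added example written for this page, not code from the thread or from Cisco; it reads a `show running-config` style snippet and the `VPN-3DES-AES : Enabled/Disabled` line, and both sample configs are constructed to mirror the procedure in the "Solved" post. The cipher names are the ones `ssl encryption` accepts on ASA 7.x/8.x; which of them need the key is taken from the error message quoted earlier in the thread.

```python
"""Added example (not from the thread): lint an ASA initial-management config.

Reads `show running-config` text plus the licence line from `show version`
and reports the pitfalls discussed in this thread. Sample data is constructed.
"""
import re

# `ssl encryption` names on ASA 7.x/8.x; the first set needs the VPN-3DES-AES key.
LICENSED_CIPHERS = {"3des-sha1", "aes128-sha1", "aes256-sha1"}
UNLICENSED_CIPHERS = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}

# Constructed: the thread's procedure as it would appear in running-config,
# with the http rule missing its interface and only licensed ciphers listed.
BROKEN_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
http server enable
http 192.168.0.0 255.255.255.0
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
"""
# Constructed: same box with the rule naming the interface and one cipher
# that works without the key kept in the list.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "http 192.168.0.0 255.255.255.0", "http 192.168.0.0 255.255.255.0 inside"
).replace(
    "ssl encryption aes256-sha1 aes128-sha1 3des-sha1",
    "ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1",
)
# Constructed fragment of `show version` on an unlicensed loaner.
VERSION_UNLICENSED = "VPN-3DES-AES                      : Disabled\n"


def parse_interfaces(config):
    """Map interface name -> {'nameif', 'ip'} from running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):  # any top-level command ends the block
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = {"nameif": None, "ip": None}
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "nameif" and len(parts) > 1:
            interfaces[current]["nameif"] = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            interfaces[current]["ip"] = (parts[2], parts[3])
    return interfaces


def license_enabled(show_version, feature="VPN-3DES-AES"):
    """True if the feature line in `show version` output reads Enabled."""
    m = re.search(re.escape(feature) + r"\s*:\s*(Enabled|Disabled)", show_version)
    return bool(m) and m.group(1) == "Enabled"


def lint(config, show_version):
    """Return findings; an empty list means ASDM over HTTPS should be reachable."""
    findings = []
    ifaces = parse_interfaces(config)
    named = {i["nameif"] for i in ifaces.values() if i["nameif"]}
    for name, i in ifaces.items():
        if i["ip"] and not i["nameif"]:
            findings.append(f"{name}: ip address set but no nameif")

    http_enabled, allow_rules, ciphers = False, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            http_enabled = True
        elif re.match(r"http\s+\d+\.\d+\.\d+\.\d+\s", line):
            allow_rules.append(line.split())
        elif line.startswith("ssl encryption "):
            ciphers = line.split()[2:]
    if not http_enabled:
        findings.append("http server enable missing: HTTPS/ASDM listener is off")
    if not allow_rules:
        findings.append("no 'http <net> <mask> <nameif>' rule: nobody may reach ASDM")
    for rule in allow_rules:
        if len(rule) < 4:
            findings.append(f"'{' '.join(rule)}': missing source interface name")
        elif rule[3] not in named:
            findings.append(f"'{' '.join(rule)}': '{rule[3]}' is not a nameif here")
    if ciphers is not None:
        for c in ciphers:
            if c not in LICENSED_CIPHERS | UNLICENSED_CIPHERS:
                findings.append(f"ssl encryption: unknown cipher '{c}'")
        if not license_enabled(show_version) and not set(ciphers) & UNLICENSED_CIPHERS:
            findings.append("ssl encryption lists only 3DES/AES ciphers but "
                            "VPN-3DES-AES is Disabled: no usable cipher for the handshake")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg, VERSION_UNLICENSED) or ['ok']}")
```

Paste the output of `show running-config` and `show version` from the console session into the two inputs; the linter only needs the text, so it works before the box is reachable over the network. Keeping an unlicensed cipher in the `ssl encryption` list is the workaround for getting into ASDM on a box without the key; the licensed ciphers are still the ones to prefer once the activation key is applied.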
