Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1593
Views
0
Helpful
3
Replies

ASDM Config Help

jwood1650
Level 1
Level 1

‎05-21-2012 05:14 PM - edited ‎03-11-2019 04:09 PM

I am trying to veiw my PIX515e via the ASDM, but I am unable to...Can you review my config and make sure I have everything setup the way it is supposed to?

PIX Version 8.0(4)32

!

hostname pixfirewall

domain-name jkkcc.com

enable password DQucN59Njn0OjpJL encrypted

passwd DQucN59Njn0OjpJL encrypted

no names

!

interface Ethernet0

nameif outside

security-level 0

ip address 24.234.xxx.xxx 255.255.255.224

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.20.1 255.255.255.248

!

interface Ethernet2

shutdown

nameif exchange

security-level 100

ip address 10.0.30.1 255.255.255.248

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 68.105.28.16

name-server 68.105.29.16

domain-name jkkcc.com

access-list ouside-acl extended permit tcp any host 24.234.xxx.xxx eq smtp

access-list ouside-acl extended permit tcp any host 24.234.xxx.xxx eq www

access-list ouside-acl extended permit tcp any host 24.234.xxx.xxxeq https

pager lines 24

mtu outside 1500

mtu inside 1500

mtu exchange 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 192.168.2.22 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.2.22 https netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.2.22 www netmask 255.255.255.255

access-group ouside-acl in interface outside

!

router eigrp 1

network 10.0.0.0 255.0.0.0

network 192.168.0.0 255.255.255.0

network 192.168.2.0 255.255.255.0

network 192.168.4.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 24.234.118.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 0.0.0.0 0.0.0.0 inside

http 10.0.20.0 255.255.255.248 inside

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect http

  inspect ils

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:abd41b3df257873d44a6fc1545ae4418

: end

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎05-21-2012 08:22 PM

Hello Jonathan,

Looks good to me can you do a sh version and confirm you have this file there: asdm-602.bin

Also provide us the show run ssl

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

jwood1650
Level 1
Level 1
In response to Julio Carvajal

‎05-21-2012 08:58 PM

pixfirewall# show ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: des-sha1

Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled

pixfirewall# show flash

Directory of flash:/

5      -rw-  7649280     16:05:24 Feb 06 2012  pix804.bin

6      -rw-  6889764     14:12:28 May 19 2012  asdm-602.bin

When I try to go to the PIX via web browser, I get:

Secure Connection Failed

An error occurred during a connection to 10.0.20.1.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to jwood1650

‎05-21-2012 09:20 PM

Hello,

Yes I know what the problem is

the Cipher used by the web browser is not the same than the one the ASA uses.

You will need to get the des/aes license and then change the SSL cipher

Unfortunatelly I do not have the link with me, but as soon as I has it ( tomorrow morning as maximum)  I will give it to you

100 % sure this will solve your problem.

EDIT: Here is the link to get the license you need ( it will be for free)

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

After installing the license please add the following command:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Finally test it one more time! That should do it

DO rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card