ASDM Config Help

jwood1650
Level 1

I am trying to view my PIX 515E via ASDM, but I am unable to. Can you review my config and make sure I have everything set up the way it is supposed to be?

PIX Version 8.0(4)32
!
hostname pixfirewall
domain-name jkkcc.com
enable password DQucN59Njn0OjpJL encrypted
passwd DQucN59Njn0OjpJL encrypted
no names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 24.234.xxx.xxx 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.255.248
!
interface Ethernet2
 shutdown
 nameif exchange
 security-level 100
 ip address 10.0.30.1 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.105.28.16
 name-server 68.105.29.16
 domain-name jkkcc.com
access-list ouside-acl extended permit tcp any host 24.234.xxx.xxx eq smtp
access-list ouside-acl extended permit tcp any host 24.234.xxx.xxx eq www
access-list ouside-acl extended permit tcp any host 24.234.xxx.xxx eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu exchange 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.22 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.22 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.22 www netmask 255.255.255.255
access-group ouside-acl in interface outside
!
router eigrp 1
 network 10.0.0.0 255.0.0.0
 network 192.168.0.0 255.255.255.0
 network 192.168.2.0 255.255.255.0
 network 192.168.4.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 24.234.118.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.0.20.0 255.255.255.248 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect ils
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:abd41b3df257873d44a6fc1545ae4418
: end

3 Replies

Julio Carvajal
VIP Alumni

Hello Jonathan,

Looks good to me. Can you do a sh version and confirm you have this file there: asdm-602.bin

Also provide us the show run ssl

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

pixfirewall# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

pixfirewall# show flash
Directory of flash:/
5      -rw-  7649280     16:05:24 Feb 06 2012  pix804.bin
6      -rw-  6889764     14:12:28 May 19 2012  asdm-602.bin

When I try to go to the PIX via a web browser, I get:

Secure Connection Failed
An error occurred during a connection to 10.0.20.1.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

Hello,

Yes, I know what the problem is:

the cipher used by the web browser is not the same as the one the ASA uses.

You will need to get the DES/AES license and then change the SSL cipher.

Unfortunately I do not have the link with me, but as soon as I have it (tomorrow morning at the latest) I will give it to you.

100% sure this will solve your problem.

EDIT: Here is the link to get the license you need (it will be free):

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

After installing the license please add the following command:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Finally, test it one more time! That should do it.

Do rate all the helpful posts

Julio

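The cipher mismatch behind `ssl_error_no_cypher_overlap`, as an added example that is not part of this thread and not Cisco or Mozilla code. It parses the `show ssl` output quoted above, emulates the `ssl encryption` command Julio suggests, and runs the server-preference cipher selection a TLS server performs against a constructed browser offer. The mapping from PIX cipher keywords to suite names and the browser offer list (modelled on a 2012-era client that no longer offered single DES) are the example's assumptions, not device or browser output.

```python
"""Model the TLS cipher negotiation behind ssl_error_no_cypher_overlap.

Added example for this thread, not Cisco or Mozilla code. It reads the
'show ssl' output quoted above, emulates 'ssl encryption <list>', and applies
the server-preference selection a TLS server performs against what a client
offers. The keyword-to-suite table and the browser offer are assumptions.
"""

# 'show ssl' output quoted in the thread (base license: only single DES).
SHOW_SSL_BEFORE = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
"""

# PIX/ASA 'ssl encryption' keywords mapped to the suite names clients use
# (OpenSSL notation). Assumed for this example, not taken from device output.
PIX_TO_SUITE = {
    "des-sha1": "DES-CBC-SHA",
    "3des-sha1": "DES-CBC3-SHA",
    "rc4-md5": "RC4-MD5",
    "rc4-sha1": "RC4-SHA",
    "aes128-sha1": "AES128-SHA",
    "aes256-sha1": "AES256-SHA",
    "null-sha1": "NULL-SHA",
}

# Constructed client offer in the client's preference order; no single DES.
BROWSER_OFFER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]


def parse_show_ssl(text):
    """Return the enabled cipher keywords in the order the device prefers them."""
    for line in text.splitlines():
        if line.startswith("Enabled cipher order:"):
            return line.split(":", 1)[1].split()
    raise ValueError("no 'Enabled cipher order' line found")


def apply_ssl_encryption(command):
    """Emulate 'ssl encryption <list>': the argument list becomes the new enabled order."""
    words = command.split()
    if words[:2] != ["ssl", "encryption"] or not words[2:]:
        raise ValueError("expected: ssl encryption <cipher> [<cipher> ...]")
    unknown = [w for w in words[2:] if w not in PIX_TO_SUITE]
    if unknown:
        raise ValueError(f"unknown cipher keyword(s): {unknown}")
    return words[2:]


def negotiate(client_offer, server_enabled, server_preference=True):
    """Return the suite the server selects, or None when the lists do not overlap.

    With server preference the server's list is walked and the first suite the
    client also offered wins; otherwise the client's order decides.
    """
    server_suites = [PIX_TO_SUITE[k] for k in server_enabled]
    first, second = ((server_suites, client_offer) if server_preference
                     else (client_offer, server_suites))
    for suite in first:
        if suite in second:
            return suite
    return None


def handshake_result(client_offer, server_enabled):
    """Chosen suite, or the alert a browser reports when nothing overlaps."""
    chosen = negotiate(client_offer, server_enabled)
    return chosen if chosen else "handshake_failure (ssl_error_no_cypher_overlap)"


if __name__ == "__main__":
    before = parse_show_ssl(SHOW_SSL_BEFORE)
    print("before:", before, "->", handshake_result(BROWSER_OFFER, before))
    after = apply_ssl_encryption("ssl encryption aes256-sha1 aes128-sha1 3des-sha1")
    print("after: ", after, "->", handshake_result(BROWSER_OFFER, after))
```

With only `des-sha1` enabled the server's list and the browser's offer have no common suite, which is exactly the browser error quoted earlier. After the suggested `ssl encryption` line the server picks `AES256-SHA` because that keyword comes first; the order in the command is the device's preference order, so listing `3des-sha1` first would make the same browser end up on 3DES even though it prefers AES.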