12-26-2011 10:06 PM - edited 03-11-2019 03:06 PM
Hi,
I have an ASA 5510 with firmware version 8.4.2 and ASDM firmware 6.4.5. It is a new system and there is no configuration other than the inside network, HTTP server enable, and allowing my IP address to access the HTTP server.
I am able to ping the firewall but have no access through ASDM. Can anybody please help me to sort out the problem?
Please find below the show version output and the attached running configuration.
Thanks,
Anvar
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ASA up 5 mins 16 secs
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is c47d.4f98.d16c, irq 9
1: Ext: Ethernet0/1 : address is c47d.4f98.d16d, irq 9
2: Ext: Ethernet0/2 : address is c47d.4f98.d16e, irq 9
3: Ext: Ethernet0/3 : address is c47d.4f98.d16f, irq 9
4: Ext: Management0/0 : address is c47d.4f98.d170, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1417L41M
Running Activation Key: 0x4810dc57 0x14b43bad 0x908101a8 0x98bccc6c 0xc9153395
Configuration register is 0x1
Configuration has not been modified since last system restart.
ASA# %ASA-7-111009: User 'enable_15' executed cmd: show version
12-27-2011 09:30 AM
Hello Anvar,
1- So you are trying to connect to the ASDM via the PC 172.16.0.1, right? Because that is the only one set to be allowed to do it in your configuration?
2- You said you are running 8.4.2 and ASDM firmware 6.4.5, but your show version shows that you are running 8.2(1) and 6.2(1) as the ASDM image. Please check that and provide the right information.
3- Please provide the show run asdm.
4- Do a debug HTTP and try to connect to the ASDM; provide the output you get.
Regards,
Julio
12-28-2011 07:48 AM
Hi Julio,
I corrected the image-related issues. Please find the answers below:
No output with debug http.
Can this "VPN-3DES-AES : Disabled perpetual" cause problems with ASDM?
1) sh ver
CISCOASA(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
CISCOASA up 1 hour 44 mins
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is c47d.4f98.d16c, irq 9
1: Ext: Ethernet0/1 : address is c47d.4f98.d16d, irq 9
2: Ext: Ethernet0/2 : address is c47d.4f98.d16e, irq 9
3: Ext: Ethernet0/3 : address is c47d.4f98.d16f, irq 9
4: Ext: Management0/0 : address is c47d.4f98.d170, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1417L41M
Running Permanent Activation Key: 0x4810dc57 0x14b43bad 0x908101a8 0x98bccc6c 0xc9153395
Configuration register is 0x1
Configuration last modified by enable_15 at 07:48:26.919 UTC Wed Dec 28 2011
CISCOASA(config)#
2) -------------------------------------------------
CISCOASA(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname CISCOASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:60848d3b50cb81f67a56162f40b54074
: end
3)------------------------------------------------------------------------------------
CISCOASA(config)# debug http 1
debug http enabled at level 1.
CISCOASA(config)#
CISCOASA(config)#
CISCOASA(config)#
CISCOASA(config)# sh run asdm
asdm image disk0:/asdm-645-206.bin
no asdm history enable
CISCOASA(config)# ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
CISCOASA(config)#
thanks,
Anvar
12-28-2011 09:25 AM
Hello Anvar,
You do need that license; it is a free license that you can get here:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
After you get the license, install it into your ASA. Can you then add the following command and give it a try:
-ssl encryption aes256-sha1 aes128-sha1 3des-sha1
Regards,
Do rate helpful posts
Julio
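The checks behind this thread's resolution, as an added example that is not part of any post: a Python sketch that reads `show version` and `show run` text and reports which of the conditions discussed here (HTTP server enabled, an `http` allow rule, the VPN-3DES-AES license, the `ssl encryption` line) are still unmet. The sample inputs are constructed excerpts in the format posted above, and the function and finding names are hypothetical.

```python
import re

# Constructed excerpts in the format of the outputs posted in this thread.
SHOW_VERSION = """\
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
"""
RUNNING_CONFIG = """\
asdm image disk0:/asdm-645-206.bin
no asdm history enable
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

# Ciphers named in the command given in the accepted answer.
THREAD_CIPHERS = {"aes256-sha1", "aes128-sha1", "3des-sha1"}
HTTP_RULE = re.compile(r"http \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")


def license_state(show_version, feature):
    """Return the state word (e.g. 'Disabled') for a licensed feature, or None."""
    m = re.search(rf"^\s*{re.escape(feature)}\s*:\s*(\S+)", show_version, re.M)
    return m.group(1) if m else None


def asdm_findings(show_version, running_config):
    """Return the unmet conditions, in the order the thread raised them."""
    lines = [l.strip() for l in running_config.splitlines()]
    findings = []
    if not any(l.startswith("http server enable") for l in lines):
        findings.append("http-server-disabled")
    if not any(HTTP_RULE.match(l) for l in lines):
        findings.append("no-http-allow-rule")
    if license_state(show_version, "VPN-3DES-AES") != "Enabled":
        findings.append("3des-aes-license-missing")
    # First "ssl encryption" line, if any; its arguments are the cipher list.
    ciphers = next((l.split()[2:] for l in lines
                    if l.startswith("ssl encryption ")), [])
    if not THREAD_CIPHERS.intersection(ciphers):
        findings.append("ssl-encryption-not-set")
    return findings


if __name__ == "__main__":
    for finding in asdm_findings(SHOW_VERSION, RUNNING_CONFIG):
        print("unmet:", finding)
```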
12-31-2011 06:14 AM
Dear Julio,
Yes, it is fixed now. I did not get the license from the above link, but I got a demo license from Cisco to enable VPN-3DES-AES,
and I used the command as you said, so it worked.
Again, many thanks for your kind support.
Thanks,
Anvar
12-31-2011 11:58 AM
Hello Anvar,
My pleasure! Hope you have a happy new year.
Regards,
Julio
07-31-2019 01:17 AM
Hello Juvial,
Yes, my ASDM worked after adding the -ssl encryption aes256-sha1 aes128-sha1 3des-sha1.
Thank You,
Azeem