cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3583
Views
0
Helpful
7
Replies

ASDM without 3DES

itdept0011111
Level 1
Level 1

I have an ASA 5505 purchased and installed in China running asa8215-k8.bin code. No 3DES due to export controls and I can't legally install it.


ASDM does not launch and from what I've read, the ssl encryption level is the issue.


I can't set ssl encryption to AES or 3DES because those aren't supported on this unit. Does that mean the ASDM, AnyConnect and other features are permanently disabled or is there a way around this?

 

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

fw-01 up 6 days 7 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is 7c0e.ce3c.f9a5, irq 11
 1: Ext: Ethernet0/0         : address is 7c0e.ce3c.f99d, irq 255
 2: Ext: Ethernet0/1         : address is 7c0e.ce3c.f99e, irq 255
 3: Ext: Ethernet0/2         : address is 7c0e.ce3c.f99f, irq 255
 4: Ext: Ethernet0/3         : address is 7c0e.ce3c.f9a0, irq 255
 5: Ext: Ethernet0/4         : address is 7c0e.ce3c.f9a1, irq 255
 6: Ext: Ethernet0/5         : address is 7c0e.ce3c.f9a2, irq 255
 7: Ext: Ethernet0/6         : address is 7c0e.ce3c.f9a3, irq 255
 8: Ext: Ethernet0/7         : address is 7c0e.ce3c.f9a4, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Enabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

 

 

 
 

7 Replies 7

Akshay Rastogi
Cisco Employee
Cisco Employee

Hi,

You could generate 3DES license free of cost from cisco.com website and activate the same on ASA.

Please follow the below link to generate the key :
 
www.cisco.com/go/license 
 
-   Click on "Product License Registration" Tab on the Right.
 
-   Click on Get Other Licenses dropdown menu on the Right and select "IPS, Crypto, Other..." link
 
-   Select "Security Product" from the Product family and Select Cisco ASA "3DES/AES License".
 
-   Enter the Serial Number of the ASA (New ASA).
 
-   Next and then Select the “I Agree” check box and Type your “Email Address” and Click Submit.
 
-   Activate the License Key on ASA with the "activation-key" command in Configuration Terminal Mode. Do not reload the ASA and check the license once again with ‘show activation-key’ command.

 

 

Also check if ssl encryption is enabled.

conf t )#ssl encryption ? (now it would display all the available encryption sets. Select everything in a single line with a space.

 

Let me know if you have any query on this.

Regards,

Akshay Rastogi 

I could generate and install a 3DES license, but since I'd rather stay out of federal prison for exporting cryptography to a country on the government export control list, I won't ;-)

 

My question again is if there is a way you can use ASDM without 3DES. Does Cisco restrict that functionality for devices in Russia, China and other countries who we can't use 3DES and AES?  Am I stuck with telnet for management?

 

Hi,

I did some research on this and here i could find :

ASDM requires an SSL connection from the browser to the adaptive
   security appliance. By default, Firefox does not support base
   encryption (DES) for SSL and therefore requires the adaptive
   security appliance to have a strong encryption (3DES/AES) license.
   As a workaround, you can enable the security .ssl3.dhe_dss_des_sha
   setting in Firefox. See  http://kb.mozillazine.org/About:config
   to learn how to change hidden configuration preferences.
1.      Open Firefox web browser and follow instruction from above
   link to open about:config
2.      Add the new preference security .ssl3.dhe_dss_des_sha
   (Boolean  with value true)
3.      Reload Firefox web browser

Please verify bellow setting and configuration:
1.      The ASDM runs using Java so make sure that Java is installed
   on the PC
2.      Be sure that ASA is configured correctly:
-        the ASDM is enabled with "http server enabled"
-        the IP address or subnet  you accessing from is allowed
   (follow example  "http 192.168.1.1 255.255.255.255 inside")
-        there is the rule pointing the ASDM file asdm image
   disk0:/<name of the asdm bin file>
-        the asdm file exist on the flash: (check with the command
   "show flash")
-        the user is configured (check with the command "show run user
   ")
-        ssl setting in your case should use DES (check with the
   command "show run all ssl" -> "ssl encryption des-sha1")

 

For IE :

You need to have Java version 6.

Please try the same and let me know if this works for you.

 

Regards,

Akshay Rastogi

Thanks very much for pursing a solution.  Unfortunately, that didn't seem to work. 

All of the needed settings are present and the ASDM file exists. I've checked and double-checked settings. 

I added the preference to Firefox (see attached jpg) as you suggested but any connection attempt still fails.

itdept001111,

What source tells you China is on the embargoed list? As far as I know, strong encryption export is only restricted to the embargoed countries list that currently includes only Cuba, Iran, North Korea, Sudan, and Syria.

Reference. Note the reference document I cited is specifically called out as applicable to the ASA in this document.

Do not appear the capcha information, only a black space without any info when we try.


Tested with two diferents computers and internet accesses, with diferents browsers.

 

How to fix it?

@Celso Domingues please start a new thread and explain your issue in more detail.

Review Cisco Networking for a $25 gift card