
Cannot Access ASDM in CISCO ASA 5505

sudesh001
Level 1

Hi All, 

I'm using a CISCO ASA 5505 firewall. This is a new one and I am also new to this field. My problem is that I cannot access ASDM using a web browser. Please help me to fix this problem.

These are the sh run command details:


ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b5984e4908d0c3a298dd7e04d8a6136d
: end

Thank you,


That is right Andre,

It should work with DES. Albeit the 3DES license can be generated as stated by Akshay and should address the issue.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Sudesh,

I have asked to check the 3DES license on ASA and the procedure to enable the same. It is because of the encryption technology.

Regards,

Akshay Rastogi

Akshay Rastogi
Cisco Employee

Hi Sudesh,

Please check if the '3des' license is enabled. Check the same from the output of 'show activation-key'. If it is disabled, then you can generate the same from cisco.com. It is a free license. Please use the procedure below:

Use the SN (it is in your 'show version' output) for generating the 3DES license key. It is a free key which can be generated from cisco.com/go/license. Use the link below:

As soon as you activate this key, you would have many options to add for ssl encryption. Add all the available options.

Here are the steps to follow in order to generate the activation-key:

www.cisco.com/go/license  

-   Click on "Product License Registration" Tab on the Right.

-   Click on Get Other Licenses dropdown menu on the Right and select "IPS, Crypto, Other..." link

-   Select "Security Product" from the Product family and Select Cisco ASA "3DES/AES License". 

-   Enter the Serial Number of the ASA. 

-   Next and then Select the “I Agree” check box and Type your “Email Address” and Click Submit. 

-   Activate the License Key on ASA with the "activation-key" command in Configuration Terminal Mode. Do not reload the ASA and check the license once again with 'show activation-key'.

Now add all the encryptions with 'conf t)#ssl encryption ?'

Now add all the encryptions one after the other with a space and hit enter.

Hope it helps.

Regards,

Akshay Rastogi

Thanks Akshay Rastogi, I will check and let you know.

Hi Sudesh,

Also check the Java version on the PC. If the 3DES license is fine then check the Java version. Install Java 6 or Java 7 update 45. The other option would be to have the latest ASDM version, asdm-751-90.bin.

Regards,

Akshay Rastogi

I'm trying to download the latest asdm-751-90.bin but cannot download it; I am getting an error. Please let me know whether I can block P2P network downloading using this firewall.

Thanks.

Hi Sudesh,

What error are you getting? Have you checked the 3DES license on the ASA? When you say blocking P2P net downloading, what are you actually looking for? Are you asking about blocking access or QoS on the network?

Regards,

Akshay Rastogi

Hi Akshay Rastogi,

My main requirement is blocking torrent downloading and bandwidth monitoring. I have still not checked the 3DES license; the reason is I'm now at home. I will check tomorrow and let you know.

If you have Skype, can I get it?

Thanks,

Hi Sudesh,

Torrent downloading specifically is not possible to block through this ASA alone. Through IPS or latest source would be able to block it though. It is not possible as torrents use different servers and methods to perform downloading. However, you could perform bandwidth control (policing or shaping) on this ASA. Use the link below to get an understanding of QoS on this ASA:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

Hope it helps.

Regards,

Akshay Rastogi

Mark the answer as correct if it answers your query or rate the helpful posts.

Hi Akshay Rastogi,

This is the "show version" Details.

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 55 mins 54 secs

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0 : address is 88f0.3154.6f4a, irq 11
1: Ext: Ethernet0/0 : address is 88f0.3154.6f42, irq 255
2: Ext: Ethernet0/1 : address is 88f0.3154.6f43, irq 255
3: Ext: Ethernet0/2 : address is 88f0.3154.6f44, irq 255
4: Ext: Ethernet0/3 : address is 88f0.3154.6f45, irq 255
5: Ext: Ethernet0/4 : address is 88f0.3154.6f46, irq 255
6: Ext: Ethernet0/5 : address is 88f0.3154.6f47, irq 255
7: Ext: Ethernet0/6 : address is 88f0.3154.6f48, irq 255
8: Ext: Ethernet0/7 : address is 88f0.3154.6f49, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has a Base license.

Serial Number: JMX1821Z1EJ
Running Activation Key: 0x7f29d258 0xb08aada5 0xf0521508 0x91c830b8 0xc7362fa2
Configuration register is 0x1
Configuration has not been modified since last system restart.

Hi Sudesh,

You can see that the 3DES license is disabled. VPN-3DES-AES : Disabled

Please generate the keys and add them to the device. After this you can run the command "ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1" which will enable all the cipher suites on the ASA so that there will not be any mismatch in the cipher suites during the SSL handshake.

You can refer to the above post from Akshay to get the key.

Thanks,

Shivapramod M
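
The two checks this thread comes down to, as an added example (not code from Cisco or from any poster): read the license state from 'show version' output and audit the suggested 'ssl encryption' list. The sample text is an excerpt of the output posted above; which suite names depend on the 3DES/AES license and which count as weak are this example's own assumptions, based on the suite names.

```python
import re

# Excerpt of the 'show version' output posted in this thread (sample input).
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VPN-DES : Enabled
VPN-3DES-AES : Disabled
SSL VPN Peers : 2
"""

# The 'ssl encryption' command suggested in the thread.
SSL_LINE = ("ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 "
            "aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1")

# Assumptions of this example, derived from the suite names only:
# suites that depend on the VPN-3DES-AES license ...
NEEDS_LICENSE = re.compile(r"^(3des|aes|dhe-aes)")
# ... and suites with no encryption (null) or broken ciphers (RC4, single DES).
WEAK = re.compile(r"^(null|rc4|des)-")


def parse_features(show_version):
    """Return {name: value} for every 'Name : Value' line."""
    features = {}
    for line in show_version.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            features[m.group(1)] = m.group(2)
    return features


def audit(show_version, ssl_line):
    """Check the license state and classify the configured cipher suites."""
    licensed = parse_features(show_version).get("VPN-3DES-AES") == "Enabled"
    suites = ssl_line.split()[2:]  # drop the 'ssl encryption' keywords
    return {
        "strong_license": licensed,
        # Suites that, under the assumption above, wait on the license.
        "needs_license": [] if licensed else
                         [s for s in suites if NEEDS_LICENSE.match(s)],
        # Suites to leave out once stronger ones are available.
        "weak": [s for s in suites if WEAK.match(s)],
    }


if __name__ == "__main__":
    for key, value in audit(SHOW_VERSION, SSL_LINE).items():
        print(f"{key}: {value}")
```

Once the license shows as enabled, the "weak" list is the part still worth acting on: those suites can be left out of the 'ssl encryption' command.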

Hi Shivapramod 

I'm new to this field. Can you tell me how to generate a new license and add it to my ASA 5505 firewall? Please help me to fix this issue.

If anyone can help me step by step, please send it to me.

Thank you,
