Solved: Cannot Access ASDM in CISCO ASA 5505

sudesh001 · ‎11-09-2015

Hi All,

I'm using CISCO ASA 5505 Firewall this is new one and I also new to this feald, my problem is cannot access ASDM using web browser please help me to fix this problem,

this the sh run command details,

ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b5984e4908d0c3a298dd7e04d8a6136d
: end

Thank you,

Andre Neethling · ‎11-09-2015

Can you please note the error you see? What happens when you browse to the asa address with your web browser?

View solution in original post

Akshay Rastogi · ‎11-09-2015

Hi Sudesh,

I have asked to check the 3DES license on ASA and the procedure to enable the same. It is becuase of the encryption technology.

Regards,

Akshay Rastogi

View solution in original post

Andre Neethling · ‎11-09-2015

I am assuming you have JAVA installed

Try the following:

Check if you can ping the inside interface IP
Go to your Java settings and under "temporary internet files" click on "Settings". Then uncheck the box that says "keep temporary files on my computer"
Then click "Delete Files" and make sure you select all check boxes then delete the files and try again.

HTH

sudesh001 · ‎11-09-2015

Thanks Andre Neethling I will check and let you know about

Andre Neethling · ‎11-09-2015

Can you please note the error you see? What happens when you browse to the asa address with your web browser?

sudesh001 · ‎11-09-2015

Hi Andre Neethling,

Thanks your reply I will check and let you know abouth in tomorrow,

if you have skype can i get it,

Thanks,

sudesh001 · ‎11-09-2015

Hi Andre

this the error message on web browser

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Thank you.

Dinesh Moudgil · ‎11-09-2015

Sudesh,

This message indicates that the client and ASA do not have any common SSL ciphers on which SSL can be nogitiated.

Please add this command and give it a try.
ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Shivapramod M · ‎11-09-2015

Hi Sudesh,

Adding to the Dinesh's suggestion, if you are not able to run the command then you may not have the 3DES license enabled on the firewall. You can run the command " show activation-key" and check whether the 3DES license is disabled or enabled.

If it is disabled then you have add this key to the firewall. Akshay Rastogi has already provided the steps to get the 3DES license and you can refer those stpes.

Thanks,

Shivapramod M

sudesh001 · ‎11-09-2015

Hi Shivapramod

this is the "show activation-key" resalt

ciscoasa# show activation-key
Serial Number: JMX1821Z1EJ
Running Activation Key: 0x7f29d258 0xb08aada5 0xf0521508 0x91c830b8 0xc7362fa2

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has a Base license.

The flash activation key is the SAME as the running key.

clarisel1510 · ‎12-25-2019

It worked for me...thanks

sudesh001 · ‎11-09-2015

Hi Dinesh

I have added this command "ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1" in putty command line after that getting this error.

ciscoasa# ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes25$

ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes256-sha1 dhe-a ^es128-sha1 dhe-aes256-sha1 null-sha1

ERROR: % Invalid input detected at '^' marker.

Dinesh Moudgil · ‎11-09-2015

This is a configuration mode command.

ciscoasa#configure terminal

ciscoasa(config)# ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1

Rather jumping back and forth with queries, you might want to take a moment and go through this ASDM troubleshooting link so that you have better understanding of the issues you see and if there are any concerns , you can always post your query and we will help you.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Andre Neethling · ‎11-09-2015

HI Dinesh. I don't think this command will work as the ASA does not have a "strong encryption license" for AES-3DES. This could be why he is seeing the error with that command. I think ASDM can work with a DES license.

sudesh001 · ‎11-09-2015

Hi Dear,

I think you is correct I have enter Dinesh Instruction but still getting erro like this

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sh$

ssl encryption rc4-sha1 rc4-md5 des-sha1 3des-sha1 aes128-sha1 aes256-sha1 dhe-a ^es128-sha1 dhe-aes256-sha1 null-sha1

ERROR: % Invalid input detected at '^' marker.

Please help me to fix this issue,

Thank you,

Andre Neethling · ‎11-09-2015

I would recommend you get a strong encryption license and then add the command as Dinesh has said. In the meantime you can try the following command

ciscoasa(config)# ssl encryption rc4-sha1 rc4-md5 des-sha1

But I would recommend you get the 3DES-AES license.