Cisco ASA 5505 help please

superpwny
Level 1

I am a complete newb to this firewall and boy do I need help. I'm trying to configure the 5505 from factory default and I am having issues accessing ASDM through IE at https://192.168.1.1/. I noticed, from following guides and videos, that I am getting different command lines than the guides after setting factory defaults. I will highlight what I've found to be different.

8 Replies

superpwny
Level 1

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00  01  00   1022   2080  Host Bridge
00  01  02   1022   2082  Chipset En/Decrypt 11
00  0C  00   1148   4320  Ethernet           11
00  0D  00   177D   0003  Network En/Decrypt 10
00  0F  00   1022   2090  ISA Bridge
00  0F  02   1022   2092  IDE Controller
00  0F  03   1022   2093  Audio              10
00  0F  04   1022   2094  Serial Bus         9
00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa724-k8.bin... Booting...
##########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
256MB RAM

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0024.c4c4.98d8
88E6095 rev 2 Ethernet @ index 07 MAC: 0024.c4c4.98d7
88E6095 rev 2 Ethernet @ index 06 MAC: 0024.c4c4.98d6
88E6095 rev 2 Ethernet @ index 05 MAC: 0024.c4c4.98d5
88E6095 rev 2 Ethernet @ index 04 MAC: 0024.c4c4.98d4
88E6095 rev 2 Ethernet @ index 03 MAC: 0024.c4c4.98d3
88E6095 rev 2 Ethernet @ index 02 MAC: 0024.c4c4.98d2
88E6095 rev 2 Ethernet @ index 01 MAC: 0024.c4c4.98d1
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0024.c4c4.98d9

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 25
WebVPN Peers                : 2
Dual ISPs                   : Enabled
VLAN Trunk Ports            : 8

This platform has an ASA 5505 Security Plus license.

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

Cisco Adaptive Security Appliance Software Version 7.2(4)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2008 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706


Cryptochecksum (unchanged): dbc58793 66e89cbd 8980d776 cba9990d
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# wr er
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa# show startup-config
No Configuration
ciscoasa# reload noconfirm
ciscoasa#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---

Rebooting....


CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00  01  00   1022   2080  Host Bridge
00  01  02   1022   2082  Chipset En/Decrypt 11
00  0C  00   1148   4320  Ethernet           11
00  0D  00   177D   0003  Network En/Decrypt 10
00  0F  00   1022   2090  ISA Bridge
00  0F  02   1022   2092  IDE Controller
00  0F  03   1022   2093  Audio              10
00  0F  04   1022   2094  Serial Bus         9
00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa724-k8.bin... Booting...
##########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
256MB RAM

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0024.c4c4.98d8
88E6095 rev 2 Ethernet @ index 07 MAC: 0024.c4c4.98d7
88E6095 rev 2 Ethernet @ index 06 MAC: 0024.c4c4.98d6
88E6095 rev 2 Ethernet @ index 05 MAC: 0024.c4c4.98d5
88E6095 rev 2 Ethernet @ index 04 MAC: 0024.c4c4.98d4
88E6095 rev 2 Ethernet @ index 03 MAC: 0024.c4c4.98d3
88E6095 rev 2 Ethernet @ index 02 MAC: 0024.c4c4.98d2
88E6095 rev 2 Ethernet @ index 01 MAC: 0024.c4c4.98d1
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0024.c4c4.98d9

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 25
WebVPN Peers                : 2
Dual ISPs                   : Enabled
VLAN Trunk Ports            : 8

This platform has an ASA 5505 Security Plus license.

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

Cisco Adaptive Security Appliance Software Version 7.2(4)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2008 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Configuration has non-ASCII characters and will be ignored.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e
Pre-configure Firewall now through interactive prompts [yes]? n


Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa#
ciscoasa# show start
No Configuration
ciscoasa# conf t
ciscoasa(config)# conf f
ciscoasa(config)# conf factory-default
Based on the inside IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: global (outside) 1 interface
INFO: outside interface address added to PAT pool
Executing command: nat (inside) 1 0 0
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.2-192.168.1.254 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: dbc58793 66e89cbd 8980d776 cba9990d

2036 bytes copied in 1.520 secs (2036 bytes/sec)
[OK]
ciscoasa(config)#


Hi,

I don't see anything special in the above highlighted output.

It basically first informs you that the DHCP pool range has been decreased: as the network is a /24, you naturally can't allocate 256 IP addresses, since 1 address is the network address, 1 address is the broadcast address and 1 address is needed for the ASA interface, and therefore 253 is the maximum DHCP pool size for this network. To my understanding the 256 is the max for even larger networks.

The second highlighted output seems to configure Dynamic PAT for the LAN users so they can access Internet. It also configures DHCP for the LAN users.

You mentioned that the ASDM access is your main problem? Have you made sure that there is an ASDM image file on the ASA Flash memory?

You can check the output of

dir flash:

- Jouni

ciscoasa(config)# dir flash:

Directory of disk0:/

4      -rw-  8515584     05:09:06 Apr 08 2009  asa724-k8.bin
2083   -rw-  4181246     05:10:08 Apr 08 2009  securedesktop-asa-3.2.1.103-k9.pkg
3104   -rw-  398305      05:10:24 Apr 08 2009  sslclient-win-1.1.0.154.pkg
3202   -rw-  6514852     05:12:14 Apr 08 2009  asdm-524.bin
4794   drw-  0           05:13:06 Apr 08 2009  crypto_archive

127111168 bytes total (107462656 bytes free)
ciscoasa(config)#

Thank you very very much for all help

Hi,

Seems to me you have an old ASDM image there which should work for you.

You could naturally try to issue the command

asdm image flash:/asdm-524.bin

Though to my understanding, even if it was not configured, the user should be able to connect to the ASA with ASDM.

Have you tried other browsers to connect and have you confirmed that nothing in the browser settings is blocking the connection? Can you see the warning the browser should give when you connect with HTTPS? If you see it have you decided to ignore it (which you should) to connect to the ASA?

I have not really had that many problems with the ASDM, though it's not in that much use for me as I mostly use the CLI to configure the ASA.

- Jouni

I guess I should try to use the CLI to configure rather than the ASDM. I have tried using both Chrome and IE with no luck. Should I reset the Dynamic PAT, along with the DHCP address pool, to its default? If so, how?

You can still use ASDM. What exactly happens when you try to connect to ASDM? How are you trying to connect to ASDM, and what IP are you using? Which interface are you connecting to? Also, if you issue the show run command from the CLI, do you see the following commands:

http server enable

http 192.168.1.0 255.255.255.0 inside

username admin password

asdm image asdm-524.bin

The IP of the ASA should be 192.168.1.1, so try connecting to that IP using https://192.168.1.1. If that does not work, then try https://192.168.1.1/admin

It is also possible, however unlikely, that since you are using an older version of ASDM you might be running into a Java issue. You might want to try downgrading your Java version, but only do this once we have exhausted all other options.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

When I try to connect to ASDM I get a notice that Internet Explorer cannot display the webpage. My laptop IP is 192.168.1.20. I am connected to the ASA via Int0/0.

ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!

username admin password 914D55DkqTJ7ADKa encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dbc5879366e89cbd8980d776cba9990d
: end

My laptop IP is 192.168.1.20. I am connected to the ASA via Int0/0

This is your problem. Did you set your IP statically? The interface Eth0/0 is your outside interface. You will not be able to connect to ASDM, or SSH for that matter, on this interface for two reasons. The first reason is that this interface has a security level of 0, and the second reason is that you do not have an IP on this interface, as it is set to receive an IP from a DHCP server.

Connect to any of the other ports, Eth0/1 - 7, and you should be good to go.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
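As an added example (not code from the thread), a small Python check that applies the reasoning in the last reply to the poster's running config: it maps a physical switchport to its VLAN and nameif, then reports why ASDM is unreachable from Ethernet0/0 (outside, address from DHCP, no http rule) but reachable from Ethernet0/1 (inside, 192.168.1.1, http rule for 192.168.1.0/24). SAMPLE_CONFIG is a constructed excerpt of the show run above; parse_config and asdm_check are names chosen here.

```python
import ipaddress

# Constructed excerpt of the factory-default 'show run' posted above.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

def parse_config(text):
    """Collect the parts of an ASA config that decide ASDM reachability."""
    cfg = {"nameif": {}, "addr": {}, "port_vlan": {}, "http": [], "server": False}
    cur = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            cur = words[1]
            if cur.startswith("Ethernet"):   # 5505 switchports default to VLAN 1
                cfg["port_vlan"][cur] = "Vlan1"
        elif words[0] == "nameif":
            cfg["nameif"][cur] = words[1]
        elif words[:2] == ["switchport", "access"]:
            cfg["port_vlan"][cur] = "Vlan" + words[3]
        elif words[:2] == ["ip", "address"]:
            cfg["addr"][cur] = words[2]      # "dhcp" or the static address
        elif words[:3] == ["http", "server", "enable"]:
            cfg["server"] = True
        elif words[0] == "http" and len(words) == 4:   # http <net> <mask> <nameif>
            cfg["http"].append((ipaddress.ip_network(f"{words[1]}/{words[2]}"), words[3]))
    return cfg

def asdm_check(cfg, port, client_ip):
    """Return (ok, reason) for a client with client_ip plugged into port."""
    vlan = cfg["port_vlan"].get(port)
    name = cfg["nameif"].get(vlan, vlan)
    if cfg["addr"].get(vlan, "dhcp") == "dhcp":
        return False, f"{port} is in {name} ({vlan}), which has no static IP"
    if not cfg["server"]:
        return False, "http server enable is missing"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net and ifn == name for net, ifn in cfg["http"]):
        return False, f"no http rule permits {client_ip} on {name}"
    return True, f"connect to https://{cfg['addr'][vlan]} via {name}"
```

Run `asdm_check(parse_config(SAMPLE_CONFIG), "Ethernet0/0", "192.168.1.20")` to reproduce the poster's failure and the same call with "Ethernet0/1" to see the working path.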