How to Config ASA 5505

Amir Eskandari
Level 1

Hi there,

I am new to firewalls.

I have a test ASA 5505 at home.

The DHCP IP address in my real home firewall is 192.168.1.x and as you are aware the default ip address in ASA is the same.

I have searched a lot to learn how to configure the ASA.

The link below has instructions that seem to work for everybody except me. I followed the instructions, and the only change was the IP address, for which I chose something other than 192.168.1.x

But after the step of creating NAT, I do not have access to the internet.

http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html

Also I followed the link below, but the revision of the ASDM in the instruction does not match mine, so I was not lucky to figure the device.

http://www.youtube.com/watch?v=vFnXd3ttRk8

Now my questions:

1- How can I configure the ASA 5505 with an IP address different than 192.168.1.x (at home = no incoming static IP address = DHCP on subnet 192.168.1.x for the incoming internet)

I have installed ASDM 6.3 on my laptop (From work) but when I connect to the ASA it wants to install ASDM 5.7.

I tried to connect to the device through ASDM 6.3 and input the IP address 192.168.1.1

It takes forever and it does not connect to the device

2-  How can I connect to the device by ASDM 6.3 or any ASDM with higher version than the original of the device?

Thank you in advance for your time

2 Accepted Solutions


you don't have any ftp server running on your laptop

i would recommend tftp server instead of ftp

check this out

command should be

ciscoasa(config-if)# copy tftp flash

but you have to download/setup tftpd32 first

Okay, i see, you have an install file for windows. You should install it to your laptop.

Or you can download a bin format ASDM to upload it to your ASA, your choice, but don't forget to enable http service on the ASA      


Use the same method you used to upload the ASDM image to flash, then make sure you are going to use the new file.

"boot system flash:/"

This file also explains it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml


17 Replies

Istvan kelemen
Level 1

Hi,

this guide helped me

http://alloytm.com/2012/01/03/install-cisco-asdm-on-cisco-asa/

it wants you to download the asdm 5.x because 5.x is uploaded on the asa, it doesn't know you have a newer version

you should setup your laptop's ip to be on the same subnet as asa

for ex asa management interface 192.168.99.1/24 and your laptop's ip should be given from 192.168.99.0/24 range (2-254)

then you should enable http service on your asa to access from browser via https

i don't know exactly but it should have a management port, maybe with a preconfigured ip address

i have a virtual one in gns3 which is 5520, i have to configure it to accept https access from terminal, so you should connect to the asa via console port or so

Hi Istvan,

thank you so much for your reply.

I followed the instruction

ciscoasa(config-if)# copy ftp flash

Address or name of remote host [192.168.99.3]?

Source filename [\\Users\aeskandari\Downloads\asdm-603.msi]? C:\Users\aeskandari\Downlods\asdm-603.msi

Destination filename [C:\Users\aeskandari\Downloads\asdm-603.msi]?

Accessing ftp://192.168.99.3/C:\Users\aeskandari\Downloads\asdm-603.msi...
%Error reading ftp://192.168.99.3/C:\Users\aeskandari\Downloads\asdm-603.msi ( [Protocol error])

192.168.99.3 is the ip address of my laptop and i do not have the bin file.

Any idea?

you don't have any ftp server running on your laptop

i would recommend tftp server instead of ftp

check this out

command should be

ciscoasa(config-if)# copy tftp flash

but you have to download/setup tftpd32 first

Okay, i see, you have an install file for windows. You should install it to your laptop.

Or you can download a bin format ASDM to upload it to your ASA, your choice, but don't forget to enable http service on the ASA      

Dear Istvan,

Thank you so much for the instruction. I downloaded tftp and followed the instruction. Also I downloaded asdm-647.bin and below you can see the result

But when I try to connect to the device, it still wants to launch ASDM 5.2.

How can I upgrade ASDM to higher version?

Thank you in advance for your time

===========================================

17902288 bytes copied in 243.140 secs (73671 bytes/sec)
ciscoasa(config-if)# show flash
-#- --length-- -----date/time------ path
6 8515584 Jul 31 2008 17:58:30 asa724-k8.bin
7 4181246 Jul 31 2008 17:59:36 securedesktop-asa-3.2.1.103-k9.pkg
8 398305 Jul 31 2008 17:59:56 sslclient-win-1.1.0.154.pkg
9 6514852 Jul 31 2008 18:01:50 asdm-524.bin
12 0 Jul 31 2008 18:05:48 crypto_archive
13 14374812 Mar 27 2013 11:37:14 asdm-603.msi
14 17902288 Mar 27 2013 11:50:56 asdm-647.bin

75182080 bytes available (51929088 bytes used)

I found some useful information about asa 5510

the management 0/0 ip address is 192.168.1.1 /24 with dhcp server and http service enabled

i think you should plug your cable into it and use the dhcp client to get an ip

Is the ASDM image file installed in flash?

Run a "show flash | i .bin" to confirm, it should have the ASDM word in it.

Then, issue the "ASDM image flash:/"

Hi,

Thank you for your reply

the show flash syntax in my device is:

ciscoasa# show flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 8515584    Jul 31 2008 17:58:30 asa724-k8.bin
  7 4181246    Jul 31 2008 17:59:36 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Jul 31 2008 17:59:56 sslclient-win-1.1.0.154.pkg
  9 6514852    Jul 31 2008 18:01:50 asdm-524.bin
12 0          Jul 31 2008 18:05:48 crypto_archive

107462656 bytes available (19648512 bytes used)

ciscoasa# show flash | ?

  begin    Begin with the line that matches
  exclude  Exclude lines that match
  grep     Include/exclude lines that match
  include  Include lines that match
ciscoasa# show flash | i.bin
                        ^
ERROR: % Invalid input detected at '^' marker.

you have ASDM.bin on your device, however you could update it to newer version

after you've configured interface and http service you'll be able to access it via ASDM

http://www.youtube.com/watch?v=Z8CuMhg480o

Right now you have the 5.2(4) version of ASDM in flash, not good.

If you know how to upload a file to flash, i would recommend you to use the latest version of ASDM and at least 8.0 as OS code.

The current available ASDM images on Cisco.com are not compatible with the OS version your ASA is running.

Once you have that, remember to issue the "ASDM image flash:/" command.

Make sure the "ASDM image flash:/asdm-647.bin" command is part of the config.

Then upgrade to 8.0 at least, this version of ASDM is not going to work with the current OS version you have.

OK My friends,

Thank you so much for your replies

I followed your instructions and some help from the link below:

http://evilrouters.net/2012/02/15/how-to-upgrade-cisco-asa-software-and-asdm/

Now as you can find in the report below my ASDM is asdm-647.bin. But when I try to connect to the device I receive the message below

HTTP 404 Not Found

I already added the command http server enable

and I did not understand what you mean by "Then upgrade to 8.0 at least, this version of ASDM is not going to work with the current OS version you have"

any idea?

====================

ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

username admin password S1xyD1w.ZbjUT1yX encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:61ba20116d52e5c1d81eab56e15fa8d6
: end

Run this:

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5

Also, make sure you have the 3DES/AES feature enabled, a "show version" will tell you.

Also, upgrade to 8.0.

Did not work

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 6.4(7)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 37 mins 34 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is 0022.5538.f39f, irq 11
1: Ext: Ethernet0/0         : address is 0022.5538.f397, irq 255
2: Ext: Ethernet0/1         : address is 0022.5538.f398, irq 255
3: Ext: Ethernet0/2         : address is 0022.5538.f399, irq 255
4: Ext: Ethernet0/3         : address is 0022.5538.f39a, irq 255
5: Ext: Ethernet0/4         : address is 0022.5538.f39b, irq 255
6: Ext: Ethernet0/5         : address is 0022.5538.f39c, irq 255
7: Ext: Ethernet0/6         : address is 0022.5538.f39d, irq 255
8: Ext: Ethernet0/7         : address is 0022.5538.f39e, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: JMX1231Z29P
Running Activation Key: 0x32395773 0x08b66e5f 0x0800b52c 0xaccc60c8 0x022f9290
Configuration register is 0x1
Configuration last modified by admin at 13:11:21.274 UTC Wed Mar 27 2013

ciscoasa(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5

ciscoasa(config)# write mem

Building configuration...
Cryptochecksum: d5b73121 907db9ce 88c727ea 008e1975

2043 bytes copied in 1.420 secs (2043 bytes/sec)
[OK]
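
An offline check of the points raised in this thread, added here as an example (not code from any poster or from Cisco): it scans saved "show run" text for an ASDM 6.x image on a pre-8.0 OS, a disabled HTTP server, an http access list that does not cover the management PC, and weak "ssl encryption" ciphers such as rc4-md5. The 8.0 threshold is taken from the replies above; the function name, finding labels and sample text are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: lines assembled from the outputs posted in this thread.
SAMPLE = """\
ASA Version 7.2(4)
asdm image disk0:/asdm-647.bin
http server enable
http 192.168.99.0 255.255.255.0 inside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
"""

# Assumption taken from the replies above: ASDM 6.x needs ASA OS 8.0 or later.
MIN_OS_FOR_ASDM6 = (8, 0)
WEAK_CIPHERS = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}


def audit(config: str, client_ip: str) -> list[str]:
    """Return findings for ASDM reachability and management-plane hygiene."""
    findings = []
    os_m = re.search(r"^ASA Version (\d+)\.(\d+)", config, re.M)
    asdm_m = re.search(r"^asdm image \S*asdm-(\d)(\d*)\.bin", config, re.M)
    if os_m and asdm_m:
        os_ver = (int(os_m.group(1)), int(os_m.group(2)))
        if int(asdm_m.group(1)) >= 6 and os_ver < MIN_OS_FOR_ASDM6:
            findings.append("asdm-os-mismatch")
    elif not asdm_m:
        findings.append("no-asdm-image")
    if not re.search(r"^http server enable", config, re.M):
        findings.append("http-server-disabled")
    # 'http <network> <mask> <interface>' lines list who may reach ASDM.
    allowed = [ipaddress.ip_network(f"{n}/{m}")
               for n, m in re.findall(r"^http (\d\S+) (\d\S+) \S+", config, re.M)]
    if not any(ipaddress.ip_address(client_ip) in net for net in allowed):
        findings.append("client-not-permitted")
    if any(net.prefixlen == 0 for net in allowed):
        findings.append("http-open-to-any")
    ssl_m = re.search(r"^ssl encryption (.+)$", config, re.M)
    weak = sorted(WEAK_CIPHERS & set(ssl_m.group(1).split())) if ssl_m else []
    findings += [f"weak-cipher:{c}" for c in weak]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.168.99.3"):
        print(finding)
```

Run against the constructed sample with the laptop address 192.168.99.3, it reports the ASDM/OS mismatch and the rc4-md5 cipher; the HTTP server and access list lines pass.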
