03-26-2013 06:29 PM - edited 03-11-2019 06:20 PM
Hi there,
I am new in Firewall.
I have a test ASA 5505 at home.
The DHCP IP address in my real home firewall is 192.168.1.x and as you are aware the default ip address in ASA is the same.
I have searched a lot to learn how to configure the ASA.
In the link below there is an instruction, it seems it is working for everybody except me. I followed the instruction up and the only change was assigning the IP address, which I chose something other than 192.168.1.x
But after the step of creating NAT, I do not have access to the internet.
Also I followed the link below, but the revision of the ASDM in the instruction does not match with mine, so I was not lucky to figure the device.
http://www.youtube.com/watch?v=vFnXd3ttRk8
Now my questions:
1- How can I configure the ASA 5505 with an IP address different than 192.168.1.x (at home = no incoming static IP address = DHCP on subnet 192.168.1.x for the incoming internet)
I have installed ASDM 6.3 on my laptop (From work) but when I connect to the ASA it wants to install ASDM 5.7.
I tried to connect to the device through ASDM 6.3 and input the IP address 192.168.1.1
It takes forever and it does not connect to the device.
2- How can I connect to the device by ASDM 6.3 or any ASDM with higher version than the original of the device?
Thank you in advance for your time
03-29-2013 10:09 AM
Use the same method you used to upload the ASDM image to flash, then make sure you are going to use the new file.
"boot system flash:/
This file also explains it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
03-26-2013 06:44 PM
Hi,
this guide helped me
http://alloytm.com/2012/01/03/install-cisco-asdm-on-cisco-asa/
it wants you to download the asdm 5.x because 5.x is uploaded on the asa, it doesn't know you have a newer version
you should setup your laptop's ip to be on the same subnet as asa
for ex asa management interface 192.168.99.1/24 and your laptop's ip should be given from 192.168.99.0/24 range (2-254)
then you should enable http service on your asa to access from browser via https
i don't know exactly but it should have a management port, maybe with a preconfigured ip address
i have a virtual one in gns3 which is 5520, i have to configure it to accept https access from terminal, so you should connect to the asa via console port or so
03-26-2013 07:36 PM
Hi Istvan,
thank you so much for your reply.
I followed the instruction
ciscoasa(config-if)# copy ftp flash
Address or name of remote host [192.168.99.3]?
Source filename [\\Users\aeskandari\Downloads\asdm-603.msi]? C:\Users\aeskandari\Downlods\asdm-603.msi
Destination filename [C:\Users\aeskandari\Downloads\asdm-603.msi]?
Accessing ftp://192.168.99.3/C:\Users\aeskandari\Downloads\asdm-603.msi...
%Error reading ftp://192.168.99.3/C:\Users\aeskandari\Downloads\asdm-603.msi ( [Protocol error])
192.168.99.3 is the ip address of my laptop and i do not have the bin file.
Any idea?
03-26-2013 07:53 PM
you don't have any ftp server running on your laptop
i would recommend tftp server instead of ftp
check this out
command should be
ciscoasa(config-if)# copy tftp flash
but you have to download/setup tftpd32 first
Okay, i see, you have an install file for windows. You should install it to your laptop.
Or you can download a bin format ASDM to upload it to your ASA, your choice, but don't forget to enable http service on the ASA
03-27-2013 05:24 PM
Dear Istvan,
Thank you so much for the instruction. I downloaded tftp and followed the instruction. Also I downloaded asdm-647.bin and below you can see the result
But when I try to connect to the device, it still wants to launch ASDM 5.2.
How can I upgrade ASDM to higher version?
Thank you in advance for your time
===========================================
17902288 bytes copied in 243.140 secs (73671 bytes/sec)
ciscoasa(config-if)# show flash
-#- --length-- -----date/time------ path
6 8515584 Jul 31 2008 17:58:30 asa724-k8.bin
7 4181246 Jul 31 2008 17:59:36 securedesktop-asa-3.2.1.103-k9.pkg
8 398305 Jul 31 2008 17:59:56 sslclient-win-1.1.0.154.pkg
9 6514852 Jul 31 2008 18:01:50 asdm-524.bin
12 0 Jul 31 2008 18:05:48 crypto_archive
13 14374812 Mar 27 2013 11:37:14 asdm-603.msi
14 17902288 Mar 27 2013 11:50:56 asdm-647.bin
75182080 bytes available (51929088 bytes used)
03-26-2013 08:15 PM
I found some useful information about asa 5510
the management 0/0 ip address is 192.168.1.1 /24 with dhcp server and http service enabled
i think you should plug your cable into it and use the dhcp client to get an ip
03-27-2013 03:13 PM
Is the ASDM image file installed in flash?
Run a "show flash | i .bin" to confirm, it should have the ASDM word in it.
Then, issue the "ASDM image flash:/
03-27-2013 04:09 PM
Hi,
Thank you for your reply
the show flash syntax in my device is:
ciscoasa# show flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
6 8515584 Jul 31 2008 17:58:30 asa724-k8.bin
7 4181246 Jul 31 2008 17:59:36 securedesktop-asa-3.2.1.103-k9.pkg
8 398305 Jul 31 2008 17:59:56 sslclient-win-1.1.0.154.pkg
9 6514852 Jul 31 2008 18:01:50 asdm-524.bin
12 0 Jul 31 2008 18:05:48 crypto_archive
107462656 bytes available (19648512 bytes used)
ciscoasa# show flash | ?
begin Begin with the line that matches
exclude Exclude lines that match
grep Include/exclude lines that match
include Include lines that match
ciscoasa# show flash | i.bin
^
ERROR: % Invalid input detected at '^' marker.
03-27-2013 04:15 PM
you have ASDM.bin on your device, however you could update it to newer version
after you've configured interface and http service you'll be able to access it via ASDM
03-27-2013 04:16 PM
Right now you have the 5.2(4) version of ASDM in flash, not good.
If you know how to upload a file to flash, i would recommend you to use the latest version of ASDM and at least 8.0 as OS code.
The current available ASDM images on Cisco.com are not compatible with the OS version your ASA is running.
Once you have that, remember to issue the "ASDM image flash:/
03-27-2013 05:34 PM
Make sure the "ASDM image flash:/asdm-647.bin" command is part of the config.
Then upgrade to 8.0 at least, this version of ASDM is not going to work with the current OS version you have.
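The two checks asked for in the replies above (is the configured ASDM image really in flash, and does its version fit the running OS) can be run offline against saved `show flash` and `show run` output. This is an added example, not part of the thread; the function names are made up for the illustration, the sample text is abridged from the output posted here, and the only compatibility rule encoded is the one the replies state (ASDM 6.x needs ASA 8.0 or later).

```python
import re

# Abridged from the 'show flash' and 'show run' output posted in this thread.
SHOW_FLASH = """\
  6  8515584  Jul 31 2008 17:58:30 asa724-k8.bin
  9  6514852  Jul 31 2008 18:01:50 asdm-524.bin
 13 14374812  Mar 27 2013 11:37:14 asdm-603.msi
 14 17902288  Mar 27 2013 11:50:56 asdm-647.bin
"""
RUNNING_CONFIG = """\
ASA Version 7.2(4)
asdm image disk0:/asdm-647.bin
http server enable
"""
# Rule taken from the replies in this thread: ASDM 6.x needs ASA 8.0 or later.
MIN_ASA_FOR_ASDM = {6: (8, 0)}

def flash_files(show_flash):
    """File names (last column) of the numbered rows in 'show flash'."""
    rows = (line.split() for line in show_flash.splitlines())
    return {r[-1] for r in rows if len(r) >= 3 and r[0].isdigit() and r[1].isdigit()}

def audit_asdm(running_config, show_flash):
    """Return findings about the configured ASDM image; empty list = consistent."""
    image = re.search(r"^asdm image \S+:/(\S+)", running_config, re.M)
    if not image:
        return ["no 'asdm image' line in the configuration"]
    name, findings = image.group(1), []
    if name not in flash_files(show_flash):
        findings.append(f"{name} is configured but not present in flash")
    if not name.endswith(".bin"):
        findings.append(f"{name} is not a .bin ASDM image")
    # Assumption: asdm-XYZ naming as in this thread, X = major, Y = minor.
    asdm = re.match(r"asdm-(\d)(\d)", name)
    asa = re.search(r"^ASA Version (\d+)\.(\d+)", running_config, re.M)
    if asdm and asa:
        have = (int(asa.group(1)), int(asa.group(2)))
        need = MIN_ASA_FOR_ASDM.get(int(asdm.group(1)))
        if need and have < need:
            findings.append(f"ASDM {asdm.group(1)}.{asdm.group(2)} needs ASA "
                            f"{need[0]}.{need[1]}+, device runs {have[0]}.{have[1]}")
    return findings

if __name__ == "__main__":
    for finding in audit_asdm(RUNNING_CONFIG, SHOW_FLASH):
        print("FINDING:", finding)
```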
03-27-2013 06:42 PM
OK My friends,
Thank you so much for your replies
I followed your instructions and some help from the link below:
http://evilrouters.net/2012/02/15/how-to-upgrade-cisco-asa-software-and-asdm/
Now as you can find in the report below my ASDM is asdm-647.bin. But when I try to connect to the device I receive the message below
HTTP 404 Not Found
I already add the command http server enable
and I did not understand what do you mean with "Then upgrade to 8.0 at least, these version of ASDM is not going to work with the current OS version you have"
any idea?
====================
ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
username admin password S1xyD1w.ZbjUT1yX encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:61ba20116d52e5c1d81eab56e15fa8d6
: end
03-27-2013 06:48 PM
Run this:
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
Also, make sure you have the 3DES/AES feature enabled, a "show version" will tell you.
03-27-2013 06:48 PM
Also, upgrade to 8.0.
03-27-2013 07:07 PM
Did not work
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 6.4(7)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 37 mins 34 secs
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 0022.5538.f39f, irq 11
1: Ext: Ethernet0/0 : address is 0022.5538.f397, irq 255
2: Ext: Ethernet0/1 : address is 0022.5538.f398, irq 255
3: Ext: Ethernet0/2 : address is 0022.5538.f399, irq 255
4: Ext: Ethernet0/3 : address is 0022.5538.f39a, irq 255
5: Ext: Ethernet0/4 : address is 0022.5538.f39b, irq 255
6: Ext: Ethernet0/5 : address is 0022.5538.f39c, irq 255
7: Ext: Ethernet0/6 : address is 0022.5538.f39d, irq 255
8: Ext: Ethernet0/7 : address is 0022.5538.f39e, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1231Z29P
Running Activation Key: 0x32395773 0x08b66e5f 0x0800b52c 0xaccc60c8 0x022f9290
Configuration register is 0x1
Configuration last modified by admin at 13:11:21.274 UTC Wed Mar 27 2013
ciscoasa(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
ciscoasa(config)# write mem
Building configuration...
Cryptochecksum: d5b73121 907db9ce 88c727ea 008e1975
2043 bytes copied in 1.420 secs (2043 bytes/sec)
[OK]
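An offline review of the management-plane lines that appear in this thread (`http server enable`, the `http` allow-list and the `ssl encryption` suite list), as an added example that is not part of the thread. The function name is hypothetical, 192.168.99.3 is the laptop address given earlier in the thread, and the set of suites treated as weak is an assumption of this example.

```python
import ipaddress

# Constructed from the running-config and 'ssl encryption' command in this thread.
CONFIG = """\
http server enable
http 192.168.99.0 255.255.255.0 inside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
"""
# Assumption of this example: suites flagged as weak (RC4, single DES, no encryption).
WEAK_SUITES = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}

def audit_management(config, client_ip):
    """Return findings about HTTPS/ASDM management access for client_ip."""
    lines = [line.strip() for line in config.splitlines()]
    client = ipaddress.ip_address(client_ip)
    findings, matched = [], False
    if not any(l.startswith("http server enable") for l in lines):
        findings.append("'http server enable' is missing")
    for l in lines:
        p = l.split()
        # Allow-list entries look like: http <network> <mask> <interface>
        if len(p) == 4 and p[0] == "http" and p[1] != "server":
            try:
                net = ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
            except ValueError:
                continue  # some other 4-token 'http ...' line, not an allow-list entry
            matched = matched or client in net
            if net.prefixlen == 0:
                findings.append(f"management open to any address on '{p[3]}'")
        elif p[:2] == ["ssl", "encryption"]:
            weak = sorted(set(p[2:]) & WEAK_SUITES)
            if weak:
                findings.append("weak ssl encryption suites: " + ", ".join(weak))
    if not matched:
        findings.append(f"{client_ip} matches no 'http' allow-list entry")
    return findings

if __name__ == "__main__":
    for finding in audit_management(CONFIG, "192.168.99.3"):
        print("FINDING:", finding)
```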