cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2508
Views
3
Helpful
23
Replies

New 5505 ASA First INSTALL

Zebardast2
Level 1
Level 1

I am trying to install a 5505 ASA Firewall on my home network.

Trying to install ISDM Launcher I am having hell with JAVA! I have even a disabled windows software Firewall but it still no good.

I have tried on Win 10Pro, Win7and  Vista, and just can't do it. I think somehow Java keeps getting blocked or something!

Can anyone help please?

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Make sure you have the 3DES-AES license installed.

show activation-key

...from the cli.

View solution in original post

I have never heard of an APK License.

Do you mean a PAK (Product Activation Key)?

In either case, an ASA 5505 should have any licenses purchased with it already installed.

The only exception is sometimes customers order or purchase the "K8" version and then need to get the free 3DES-AES license (included when you specify "K9") before they can use all of the security features (including the ASDM management utility itself).

If you purchase add-on licenses separate from the ASA, then they will come as PAKs. You redeem a PAK using the PAK number plus the ASA serial number in Cisco's licensing portal and then you get a code to use as an activation-key that will license the feature on your device.

View solution in original post

23 Replies 23

Dinesh Moudgil
Cisco Employee
Cisco Employee

Hi 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you Marvin & Dinesh


I shall try to give an idea of what goes on with my effort!


Using Windows 10 Pro (logged in as Admin):

1- I use the“Quick Start Guide” provided with the product.

3- Accordingly I connect to the firewall and using “Microsoft Edge” I log onto

“https://192.168.1.1/admin”.


It then loads the “Cisco ASDM 6.4(5)” page with the following options:
 
a:    “Install Cisco as a local application” [Install ASDN Launcher and Run ASDM]
 
b:     “Run Cisco ASDM as a Java Start application” [Install Java Web Start]

*** Most importantly at the top I have a warning that says: “Certificate error”

4- Then if ignoring the “Certificate error” msg I click and install the Launcher at the next step it asks a  User name and password which I leave blank.
5- Then it warns me that “Windows Smart Screen can't be reached right now” and I chose “Run anyway”and then the app: “dm-launcher (15).msi” loads and prompts me to enter the following:

a- Device IP Address/Name ( I use 192.168.1.1 in this box)
b- Username: (I dont know what to type here and anything I try it fails)
c- Password:  (I dont know what to type here and anything I try it fails)

I guess my main problem here is as Marvin said. Whats the most user friendly way of solving this issue? Have I just paid around $650 on an obsolete device? Should I have paid some more and get something else?

JAVA VERSION:
 
 I have installed BOTH:

     “jre-6u18-windows-i586.exe”and “jre-6u18-windows-x64.exe

Many thanks

hi,

could you post the show version output from your 5505?

also make sure you got the 3DES-AES license installed.

Encryption-3DES-AES               : Enabled        perpetual

Hi John and thanks for replying, here it is:

Marvin Rhoads
Hall of Fame
Hall of Fame

Make sure you have the 3DES-AES license installed.

show activation-key

...from the cli.

Hi Marvin

Sorry for exposing my inexperience with this but where would I find the License. The store manager where I purchased this  device told me that the10 user license that comes with it is on the CD and when I install the ISDM the license would be automatically loaded!

Best regards

The problem is that most modern browsers (and Java versions that use SSL/TLS under the covers) will not accept the older weak encryption algorithms that the ASA has without first adding the (free) 3DES-AES license.

First we check whether your ASA has that. Login via the command line using either telnet (plug your laptop into the management port and it should get a DHCP address automatically in 192.168.1.0/24 then telnet to the ASA at 192.168.1.1) or console (if you have a console cable and serial port).

Then run the command I asked and share the results.

Thank you Marvin,

This is the result:

ciscoasa# show activation-key
Serial Number:  JMX19404102
Running Activation Key: 0x3c06ce6b 0x001c9be3 0xd803d5cc 0x87b4e880 0x4a3e1998

The whole output is what I was looking for - not just the first two lines.

In any event, based on your reply below, you are getting the ASDM login prompt. That's good.

When the ASA is new out of the box, the username and password can be left blank at this point - just click "OK". That is documented in the quick start guide - see this link for example near the bottom of the guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

(It says 5500-X series but the guidance applies to 5505 as well.)

Hi Marvin,

Sorry for the Misunderstanding. By the way I do understand that when its a new device the username and password is blank but why doesn't allow me then to give it NEW username and pass?

You can create a new username and password in that section of the ASDM configuration menu.

You have to go into a another section to then explicitly tell the ASA to use that local database for authentication for ASDM ("http") and/or the cli ("ssh").

It's a bunch of clicking around to do the latter - I prefer to just use a few cli commands to accomplish it as follows:

aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL
aaa authorization http console LOCAL

Thank you Marvin,

You'd have to go step by step and be patient with me!

Before I go ahead with:

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization http console LOCAL

Did you get a chance to look at the full output of "show activation-key" I posted? and going by that output would I need to make additional adjustment to address my: “Certificate error”?

Many thanks

Here's the whole output:

Hi Marvin

When I got my ASA5505 device, should an "APK License" have also been included in the package document?

Many Thanks

Review Cisco Networking for a $25 gift card