Kureli Sankar
Cisco Employee
Documentation


This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

PIX: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1047288

ASA: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html

FWSM: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html

 

Unable to asdm

make sure vpn 3-des is enabled

Issue "sh ver" and make sure the unit has 3-des license.

 

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

.

.

Failover                     : Active/Active
VPN-DES                  : Enabled  
VPN-3DES-AES        : Enabled

 

If 3DES is not enabled, it is easy and free to obtain the activation key that enables it. Please go to http://www.cisco.com/go/license

and log in with your CCO ID.

Please click here for available licenses,

and then choose Cisco ASA 3DES/AES License.

Fill out all the information, including the serial number of the firewall, and you should see a message that says you will receive the activation key via e-mail within 1 hour.

 

Once you receive the activation key via e-mail, please add it to the unit via the CLI:

 

ASA#conf t

ASA(config)#activation-key <copy and paste the 4-tuple or 5-tuple>

ASA(config)#wri mem

ASA(config)#exit

 

Issue "sh ver" again and make sure 3DES shows as enabled.

make sure asdm image is loaded

Issue "sh ver" and make sure the asdm image is loaded.

 

ASA# sh ver                        

 

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

 

If not, tftp the appropriate bin file to flash and configure "asdm image disk0:/asdm-621.bin".

Make sure you are running a matching asdm version for the ASA.

 

ASA code: http://tools.cisco.com/squish/10C815

ASDM image: http://tools.cisco.com/squish/a5338C

 

FWSM code: http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

http server is enabled

Issue "sh run http" and make sure the http server is enabled.

 

http server enable
http 172.18.124.0 255.255.255.0 inside ------> all hosts in this subnet are allowed to asdm via the inside interface
http 10.10.10.10 255.255.255.255 dmz ----> only the single host 10.10.10.10 is allowed to asdm via the dmz interface

sh asp table socket

Make sure that the "sh asp table socket" shows that the unit is listening on port 443 on the interface that you are trying to asdm to. This command is not supported on the FWSM.

 

ASA# sh asp table socket

 

Protocol  Socket    Local Address               Foreign Address         State
SSL       0000e5bf  172.18.124.254:443          0.0.0.0:*               LISTEN
SSL       00019c6f  10.10.10.1:443              0.0.0.0:*               LISTEN

 

If you do not see the unit listening on port 443, remove the "http server enable" line and add it back to the config.

 

ASA#conf t

ASA(config)#no http server enable

ASA(config)#http server enable

http access is allowed

Issue the command "sh run http" and make sure the IP address that you are trying to asdm from is allowed.

 

ASA# sh run http

http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.2.180.32 255.255.255.248 inside

 

webvpn enabled on the port 443

Issue the command "sh run webvpn" and see if webvpn is enabled and has a configuration section under it. If so, change the port that asdm listens on to something other than 443.

 

ASA#conf t

ASA(config)#http server enable 4443

 

Once done, try to launch asdm by going to https://10.10.10.1:4443, where 10.10.10.1 is the IP address of the firewall interface that is closer to the client.

sh run all ssl

Issue the command "sh run all ssl" and make sure you see the "ssl encryption" line shown below in the output. If not, add it to the config.

 

ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

 

make sure to run the latest java

Download the latest java available from http://www.java.com/en/download/index.jsp, install it on the client and try to launch asdm.

 

try another browser

If IE (Internet Explorer) doesn't work, try a different browser like Firefox, Safari or Chrome.

check the logs

Enable logging with the following commands if not already enabled and check the logs.

 

ASA#conf t

ASA(config)#logging on

ASA(config)#logging buffered debug

ASA(config)#end

 

ASA#sh logg | i x.x.x.x where x.x.x.x is the client's IP address from which you are trying to asdm.

collect captures

If you are running ASA/PIX 7.2 or above code you can use the "match" keyword in the capture. In the command below:

capin - is the name of the capture

10.10.10.1 - is the IP address of the ASA that is listening on port 443

inside - is the name of the interface to which we are trying to asdm

 

cap capin int inside match tcp any host 10.10.10.1 eq 443

sh cap capin

 

Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222

Unable to telnet

make sure telnet is allowed

Issue the command "sh run telnet" and make sure telnet is allowed. Bear in mind that you cannot telnet to the lowest security interface on the firewall.

 

ASA# sh run telnet
telnet 0.0.0.0 0.0.0.0 dmz1
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5

sh asp table socket

Issue the command "sh asp table socket" and make sure the firewall is listening on tcp port 23. This command is not supported on the FWSM.

 

ASA# sh asp table socket

 

Protocol  Socket    Local Address               Foreign Address         State
TCP       00024a1f  172.18.124.254:23           0.0.0.0:*               LISTEN
TCP       0002ea9f  10.10.10.1:23               0.0.0.0:*               LISTEN

 

If you do not see it listening, remove the telnet lines from the config and add them back in.

check the logs

Enable logging with the following commands if not already enabled and check the logs.

 

ASA#conf t

ASA(config)#logging on

ASA(config)#logging buffered debug

ASA(config)#end

 

ASA#sh logg | i x.x.x.x where x.x.x.x is the client's IP address from which you are trying to telnet

collect captures

If you are running ASA/PIX 7.2 or above code you can use the "match" keyword in the capture. In the command below:

capin - is the name of the capture

10.10.10.1 - is the IP address of the ASA that is listening on port 23

inside - is the name of the interface to which we are trying to telnet

 

cap capin int inside match tcp any host 10.10.10.1 eq 23

sh cap capin

 

Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222

Unable to ssh

make sure ssh is enabled and allowed

Issue the command "sh run ssh" and make sure ssh is enabled for the client IP or subnet. If not, add the subnet or IP address that is allowed to ssh together with the corresponding interface.

 

ASA# sh run ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dmz1
ssh 10.10.10.0 255.255.255.0 inside

ssh timeout 60

Is there an rsa key-pair

Issue the command "sh cry key mypubkey rsa" and make sure the "Default-RSA-Key" is present. If not, create the rsa key-pair with the command "cry key generate rsa modulus 1024".

 

ASA# sh cry key mypubkey rsa
Key pair was generated at: 22:52:03 CEDT Aug 22 2007
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

 

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b41d91
  .

  .

  effb9f5c 50a2ed60 290cdc4b ab1e0cc7 d334afdf e9850be4 c00faa18 47020301 0001
Key pair was generated at: 03:04:55 CEDT Sep 15 2010
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:

 

  307c300d 06092a86 4886f70d 01010105 00036b00 30680261 008eba15 2281909f
  .

  .

  82db59d0 c3633648 6334ca6b ff531605 48ec82ce e9977506 97020301 0001

 

sh asp table socket

Issue the command "sh asp table socket" and make sure the firewall is listening on tcp 22. This command is not supported on the FWSM.

ASA# sh asp table socket


Protocol  Socket    Local Address               Foreign Address         State
TCP       0003dc4f  172.18.124.254:22           0.0.0.0:*               LISTEN
TCP       00043c7f  10.10.10.1:22               0.0.0.0:*               LISTEN
TCP       005de0a8  172.18.124.254:22           10.117.14.67:64892      ESTAB
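The http, telnet and ssh sections above all come down to the same two checks: is the client's address covered by an access line on the interface it arrives on, and does "sh asp table socket" show a LISTEN socket on that interface's IP and port. The following is an added example (not part of this document or of the ASA software) that automates both checks over constructed copies of that output; the sample config and socket table are made up for illustration.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of combined "sh run http" / "sh run telnet" / "sh run ssh"
# output (not taken from a real unit).
SAMPLE_RUN = """\
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.10.10.10 255.255.255.255 dmz
telnet 0.0.0.0 0.0.0.0 inside
ssh 10.10.10.0 255.255.255.0 inside
"""

# Constructed sample of "sh asp table socket" output.
SAMPLE_SOCKETS = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0000e5bf  172.18.124.254:443          0.0.0.0:*               LISTEN
TCP       0003dc4f  172.18.124.254:22           0.0.0.0:*               LISTEN
"""

# "<service> <address> <netmask> <interface>" lines; "http server enable" does not match.
ACCESS_LINE = re.compile(
    r"^(http|telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_access_lines(running_config: str) -> List[Tuple[str, ipaddress.IPv4Network, str]]:
    """Return (service, network, interface) for every http/telnet/ssh access line."""
    rules = []
    for line in running_config.splitlines():
        m = ACCESS_LINE.match(line.strip())
        if m:
            service, addr, mask, iface = m.groups()
            # "0.0.0.0 0.0.0.0" becomes 0.0.0.0/0 (any host); strict=False tolerates host bits.
            rules.append((service, ipaddress.IPv4Network((addr, mask), strict=False), iface))
    return rules


def client_allowed(running_config: str, service: str, client_ip: str, iface: str) -> bool:
    """True if some access line for `service` on `iface` covers client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(svc == service and i == iface and ip in net
               for svc, net, i in parse_access_lines(running_config))


def is_listening(socket_table: str, local_ip: str, port: int) -> bool:
    """True if the socket table shows a LISTEN entry on local_ip:port."""
    target = f"{local_ip}:{port}"
    for line in socket_table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) == 5 and cols[2] == target and cols[4] == "LISTEN":
            return True
    return False
```

Paste the real "sh run http|telnet|ssh" and "sh asp table socket" output in place of the constructed samples; a False from client_allowed points at the access lines, a False from is_listening at the server not being enabled on that interface.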

check the logs

Enable logging with the following commands if not already enabled and check the logs.

 

ASA#conf t

ASA(config)#logging on

ASA(config)#logging buffered debug

ASA(config)#end

 

ASA#sh logg | i x.x.x.x where x.x.x.x is the client's IP address from which you are trying to ssh.

collect captures

If you are running ASA/PIX 7.2 or above code you can use the "match" keyword in the capture. In the command below:

capin - is the name of the capture

10.10.10.1 - is the IP address of the ASA that is listening on port 22

inside - is the name of the interface to which we are trying to ssh

 

cap capin int inside match tcp any host 10.10.10.1 eq 22

sh cap capin

 

Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222

 

Known Issues with Management connections

Known issues with SSH on the ASA

Comments
emmanuel777
Level 1

Great stuff and very good advice.

Thanks

Kureli Sankar
Cisco Employee

Thanks.  You can write a great document and share with the community too.

Listen to http://cisco-podcast.streamguys.net/cdc/security/tac/TACSecurityShow_episode_17.mp3

-Kureli

vbuendia
Level 1

Great document. Thanks for posting this. I had the same issue and the command "ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1" fixed it for me.

Kureli Sankar
Cisco Employee

vbuendia,

very glad to hear.

-Kureli

shamax_1983
Level 3

Awesome article. Thanks so much for this. I had this issue with new 5515x v9.1.1 

"ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"  Worked for me as well.

Appreciate you taking time for this.

shabeebmohammed
Level 1

@Poonguzhali Sankar

YOU ARE AMAZING..

I spent some hours trying to figure out why my new ASA5505 could not connect to ASDM or https://IP/admin. I found that this line was missing after typing the command "sh run all ssl":

ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

After trying to enter it, I got a licensing error...  I realized my brand new device with Security Plus License (from a Cisco Reseller) has the 3DES/AES license disabled. Finally I found this tutorial on how to upgrade/enable your license for FREE. THIS SOLVED ALL MY PROBLEMS... hopefully yours too:

--------------------------

Your existing license has 3DES/AES disabled. Normal on replacement/new units. You can get the 3DES/AES activation-key from following link (for free):

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Just put the serial# and your name/email address in the next page and that is it.

You will get an email with a five tuple activation-key in your mailbox. Install it as follows:

ASA(config)# activation-key 'key_received_in_email'                                          - without quotes

Make sure you check your spam/junk folder in case you don't receive it in few minutes.

-----------------------

Hi.. I was wondering if we can use ASDM access using DES encryption ??

tamyotte
Level 1

Excellent.  I needed the "sh run all ssl" command to see my problem

ssl server-version any

ssl client-version any

ssl encryption des-sha1

No good.  Made the change and all is well with the world.   This does not show up on "show run"....so thanks again!

dfatetAMZ
Community Member

Hi,

Great to find this stuff,

I recently purchased a 5505-50-Bun-K8; I didn't notice it, but 3DES wasn't enabled...

When I follow your link to get the licence for 3DES, I enter the serial number of the 5505 but I'm not sure it's free; it's not in the "demo" part of the Product licence registration.

It brings me to an ASA5500-ENCR-K9 request..... I still prefer managing this ASA in the cli rather than being charged for the 3DES licence.

Do you know if the 5505-50-Bun-K8 can be upgraded with 3DES licence for free ?

many thanks for help!

Reynaldo Silva
Level 1

Sankar, you are just amazing!
thank you so much!

Kyujin Choi
Level 1

Great article. Thanks.

Great Stuff...

Thanks Alot.

mat000001
Level 1

Thanks for this article. I have a brand new ASA 5505 that out of the box won't allow me to connect via HTTPS nor Telnet. I was able to get in through the console cable and show ver does show VPN-3DES-AES as disabled. I tried using your links to get the activation key in order to enable it, but after going through the process it claims that my request has been denied and it gives the criteria on which I was denied, none of which apply to me. Any thoughts as to what to do from here? I have never had an issue with a Cisco device like this right out of the box.

eisenberg
Level 1

Great post that everyone should bookmark.

 

I couldn't get the ASDM to run - your step that asks to verify SSL with "sh run all ssl" got me going - thanks