09-14-2010 02:41 PM - edited 03-08-2019 06:36 PM
This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
PIX: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1047288
ASA: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html
FWSM: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html
Issue "sh ver" and make sure the unit has a 3DES license.
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
.
.
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
If 3DES is not enabled, it is easy and free to obtain the activation key that enables it. Go to http://www.cisco.com/go/license,
log in with your CCO ID,
open the list of available licenses,
and then choose Cisco ASA 3DES/AES License.
Fill out all the information, including the serial number of the firewall, and you should see a message saying that you will receive the activation key via e-mail within 1 hour.
Once you receive the activation key via e-mail, add it to the unit via the CLI:
ASA#conf t
ASA(config)#activation-key <copy and paste the 4-tuple or 5-tuple>
ASA(config)#wri mem
ASA(config)#exit
Issue "sh ver" again and confirm that 3DES now shows Enabled.
Issue "sh ver" and make sure the ASDM image is loaded.
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
If not, TFTP the appropriate .bin file to flash and configure "asdm image disk0:/asdm-621.bin".
Make sure the ASDM version you are running matches the ASA code version.
ASA code: http://tools.cisco.com/squish/10C815
ASDM image: http://tools.cisco.com/squish/a5338C
FWSM code: http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
Issue "sh run http" and make sure the http server is enabled.
http server enable
http 172.18.124.0 255.255.255.0 inside ------> all hosts in this subnet are allowed to ASDM
http 10.10.10.10 255.255.255.255 dmz ----> only the single host 10.10.10.10 on the dmz is allowed to ASDM
Make sure that "sh asp table socket" shows the unit listening on port 443 on the interface that you are trying to ASDM to. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
SSL 00019c6f 10.10.10.1:443 0.0.0.0:* LISTEN
If you do not see the unit listening on port 443 then try to remove the "http server enable" line and add it back to the config.
ASA#conf t
ASA(config)#no http server enable
ASA(config)#http server enable
Issue the command "sh run http" and make sure the IP address that you are trying to asdm from is allowed.
ASA# sh run http
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.2.180.32 255.255.255.248 inside
Issue the command "sh run webvpn" and see whether WebVPN is enabled and has a configuration section under webvpn. If it does (WebVPN also uses port 443), change the port that ASDM listens on to something other than 443.
ASA#conf t
ASA(config)#http server enable 4443
Once done, try to launch ASDM by going to https://10.10.10.1:4443, where 10.10.10.1 is the IP address of the firewall interface closest to the client.
Issue the command "sh run all ssl" and make sure the following lines appear in the output. If one is missing, add it to the config.
ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Download the latest Java from http://www.java.com/en/download/index.jsp, install it on the client and try to launch ASDM.
If IE (Internet Explorer) doesn't work, try a different browser such as Firefox, Safari or Chrome.
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x
where x.x.x.x is the client's IP address from which you are trying to ASDM.
If you are running ASA/PIX 7.2 or later code you can use the "match" keyword in the capture. In the command below:
capin - is the name of the capture
10.10.10.1 - is the IP address of the ASA that is listening on port 443
inside - is the name of the interface to which we are trying to ASDM
cap capin int inside match tcp any host 10.10.10.1 eq 443
sh cap capin
Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Issue the command "sh run telnet" and make sure telnet is allowed. Bear in mind that you cannot telnet to the lowest-security interface on the firewall.
ASA# sh run telnet
telnet 0.0.0.0 0.0.0.0 dmz1
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
Issue the command "sh asp table socket" and make sure the firewall is listening on tcp port 23. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
TCP 00024a1f 172.18.124.254:23 0.0.0.0:* LISTEN
TCP 0002ea9f 10.10.10.1:23 0.0.0.0:* LISTEN
If you do not see it listening, remove the telnet lines from the config and add them back in.
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x
where x.x.x.x is the client's IP address from which you are trying to telnet.
If you are running ASA/PIX 7.2 or later code you can use the "match" keyword in the capture. In the command below:
capin - is the name of the capture
10.10.10.1 - is the IP address of the ASA that is listening on port 23
inside - is the name of the interface to which we are trying to telnet
cap capin int inside match tcp any host 10.10.10.1 eq 23
sh cap capin
Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Issue the command "sh run ssh" and make sure SSH is enabled for the client IP or subnet. If not, add the subnet or IP address that is allowed to SSH, together with the corresponding interface.
ASA# sh run ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dmz1
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
Issue the command "sh cry key mypubkey rsa" and make sure the "Default-RSA-Key" is present. If not, create the RSA key pair with the command "cry key generate rsa modulus 1024".
ASA# sh cry key mypubkey rsa
Key pair was generated at: 22:52:03 CEDT Aug 22 2007
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b41d91
.
.
effb9f5c 50a2ed60 290cdc4b ab1e0cc7 d334afdf e9850be4 c00faa18 47020301 0001
Key pair was generated at: 03:04:55 CEDT Sep 15 2010
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 008eba15 2281909f
.
.
82db59d0 c3633648 6334ca6b ff531605 48ec82ce e9977506 97020301 0001
Issue the command "sh asp table socket" and make sure the firewall is listening on tcp 22. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
TCP 0003dc4f 172.18.124.254:22 0.0.0.0:* LISTEN
TCP 00043c7f 10.10.10.1:22 0.0.0.0:* LISTEN
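As an added check (example code written for this page, not from the original post or from Cisco), the following Python script applies the "sh run http/ssh/telnet" and "sh asp table socket" checks from the ASDM, telnet and SSH sections above to pasted CLI output: it reports whether a client IP is covered by an access line on the named interface and whether the unit shows a LISTEN socket for that interface IP and service port. The sample output embedded below is constructed from the listings in this document, not captured from a real unit.

```python
import ipaddress
import re

# Constructed sample output modelled on the listings above; not from a real unit.
SAMPLE_RUN = """\
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.10.10.10 255.255.255.255 dmz
ssh 10.10.10.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""
SAMPLE_SOCKETS = """\
Protocol Socket Local Address Foreign Address State
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
TCP 0003dc4f 172.18.124.254:22 0.0.0.0:* LISTEN
TCP 005de0a8 172.18.124.254:22 10.117.14.67:64892 ESTAB
"""
SERVICE_PORT = {"http": 443, "ssh": 22, "telnet": 23}

def parse_access_lines(run_output, service):
    """Yield (network, interface) from '<service> <ip> <mask> <iface>' lines.
    Lines like 'http server enable' or 'ssh timeout 60' have a different shape and are skipped."""
    pat = re.compile(rf"^{service}\s+(\S+)\s+(\S+)\s+(\S+)$")
    for line in run_output.splitlines():
        m = pat.match(line.strip())
        if m:
            yield ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3)

def client_allowed(run_output, service, client_ip, interface):
    """True if an access line for this service covers the client on the named interface."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and iface == interface
               for net, iface in parse_access_lines(run_output, service))

def listening_on(socket_output, local_ip, port):
    """True if 'sh asp table socket' shows a LISTEN socket bound to local_ip:port."""
    want = f"{local_ip}:{port}"
    return any(len(p) >= 5 and p[2] == want and p[4] == "LISTEN"
               for p in (line.split() for line in socket_output.splitlines()))

def diagnose(run_output, socket_output, service, client_ip, interface, interface_ip):
    """Run both checks in the order the document does and return a short verdict."""
    port = SERVICE_PORT[service]
    if not client_allowed(run_output, service, client_ip, interface):
        return f"{service}: {client_ip} is not permitted on {interface}"
    if not listening_on(socket_output, interface_ip, port):
        return f"{service}: not listening on {interface_ip}:{port}"
    return f"{service}: ok"
```

Paste your own "sh run http" (or ssh/telnet) and "sh asp table socket" output in place of the samples and call diagnose() with the client IP, interface name and interface IP you are trying to reach.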
TCP 005de0a8 172.18.124.254:22 10.117.14.67:64892 ESTAB
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x
where x.x.x.x is the client's IP address from which you are trying to SSH.
If you are running ASA/PIX 7.2 or later code you can use the "match" keyword in the capture. In the command below:
capin - is the name of the capture
10.10.10.1 - is the IP address of the ASA that is listening on port 22
inside - is the name of the interface to which we are trying to SSH
cap capin int inside match tcp any host 10.10.10.1 eq 22
sh cap capin
Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Thank you very much, Poonguzhali Sankar.
It's a great post. Even though I am a beginner with firewalls, I resolved the issue.
Thanks again.
This was very helpful. I had to allow HTTP from the private IP range I was coming from to the Inside interface.