07-21-2009 06:31 PM - edited 03-06-2019 06:53 AM
I cleared the config on my pix 515e and 525 and it now comes up with this error in firefox:
ssl error no cipher overlap
I think I did something with the SSL key so now it won't load the PDM.
Any suggestions?
07-22-2009 05:24 AM
You need to enable http, permit an IP that can connect to http, and tell the firewall where the ASDM image is.
http server enable
http server idle-timeout 10
http 10.1.2.17 255.255.255.255 inside
asdm image disk0:/asdm-621.bin
To recreate your SSH keys:
https://packetpros.com/cisco_kb/ASA_SSH.html
Hope that helps.
07-22-2009 06:02 PM
I'm trying this now.
07-22-2009 06:51 PM
Didn't work. Same message when trying to access PDM from the correct IP address.
07-23-2009 05:10 AM
What does IE say?
07-23-2009 05:56 AM
Hi,
Probably you have a certificate problem.
Did you try to remove the certificate in Firefox?
HtH
Michel
07-24-2009 03:06 PM
IE gives a page cannot be displayed error.
It isn't a problem with the browser. I'm using three different machines. None work.
07-25-2009 10:57 AM
Michael
I am guessing that there is some issue with what you put into the config of the PIXes. Can you post the config?
HTH
Rick
07-26-2009 03:29 PM
I'll get it posted in a bit; however, they are all default settings with only the HTTP server enabled for 192.168.1.0 for access.
I can get as far as waiting for the PDM to load if I disable SSL3 but it still hangs.
Yes, I have an earlier version of Java, not update 14.
07-26-2009 03:56 PM
: Saved
: Written by enable_15 at 19:46:14.673 UTC Sun Jul 26 2009
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name network.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:f470fb4cd139237cac907debf736a86d
07-26-2009 05:05 PM
Michael
Thanks for posting the config. I believe that if you take a close look at the fourth octet of your permit for http you will see what your problem is:
http 192.168.1.0 255.255.255.255 inside
Your permit is for a host-specific address (and there is almost certainly not a host in the network with address 192.168.1.0). If you change the mask to 255.255.255.0, then I believe that your access via PDM will work.
HTH
Rick
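The mask point Rick makes above can be checked mechanically. The following is an added example (not code from the thread or from Cisco): it parses the `http <ip> <mask> <interface>` lines out of a PIX-style config with Python's standard `ipaddress` module and reports which client addresses each entry actually permits, using the permit line from the posted config and the /24 mask suggested as the fix as constructed sample input. The `CONFIG_AS_POSTED`, `CONFIG_FIXED`, `parse_http_permits` and `is_permitted` names are this example's own.

```python
"""
Added example, not from the thread: show which client addresses a PIX
'http <ip> <mask> <interface>' entry permits.  The PIX matches the client's
source address against <ip> under a normal (non-wildcard) subnet mask, so a
255.255.255.255 mask permits exactly one host.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the 'http' lines from the config posted in the thread.
CONFIG_AS_POSTED = """\
http server enable
http 192.168.1.0 255.255.255.255 inside
"""

# Constructed sample: the same lines with the /24 mask suggested as the fix.
CONFIG_FIXED = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# 'http' followed by exactly three tokens: ip, mask, interface name.
HTTP_LINE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_http_permits(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (network, interface) pairs for every 'http <ip> <mask> <ifname>' line.

    Lines such as 'http server enable' or 'http server idle-timeout 10'
    either fail the token-count regex or fail address parsing and are skipped.
    """
    permits = []
    for line in config.splitlines():
        m = HTTP_LINE.match(line.strip())
        if not m:
            continue
        ip, mask, ifname = m.groups()
        try:
            # strict=False accepts a host address with a wide mask, e.g. 192.168.1.1/24
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            continue  # not an address/mask pair (e.g. 'http server idle-timeout 10')
        permits.append((net, ifname))
    return permits


def is_permitted(config: str, client_ip: str, interface: str) -> bool:
    """True if a client at client_ip arriving on `interface` matches some http permit."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net and interface == ifname
               for net, ifname in parse_http_permits(config))


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        for net, ifname in parse_http_permits(cfg):
            print(f"{label}: {net} on {ifname} covers {net.num_addresses} address(es)")
        for client in ("192.168.1.0", "192.168.1.15"):
            print(f"  {client} via inside permitted: {is_permitted(cfg, client, 'inside')}")
```

Run as a script it shows that the posted entry covers a single address (192.168.1.0, the network address itself, which no workstation will carry), while the /24 entry covers the whole LAN; a client on a different interface name still fails even with the wider mask, since the permit is tied to the interface it names.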
07-26-2009 05:32 PM
Changed it. Still nothing. Keeps giving me the cipher overlap problem.
08-01-2009 03:10 PM
Surely someone here knows what the issue is?
If not, do they still sell support for the PIX line? If so, where can I purchase a contract?
08-05-2009 11:06 AM
Anyone? I'm getting very, very worried.
08-05-2009 12:03 PM
I have never worked with a PIX or similar product, but I found this on the web:
When you attempt to access PDM, the message "the page cannot be displayed" appears in Internet Explorer or the message "network connection was refused by the server" appears in Netscape Communicator.
1. Check that you are using "https" in your connection to "https://pix_inside_interface_ip_address" and not "http." The connection cannot be made using "http," it must be "https."
2. If you cannot connect, enter the show version command to check that you have the proper activation key to use DES or 3DES. If you do not, obtain an activation key that supports this requirement before continuing. If, after confirming that your activation key supports using DES or 3DES
http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm30CH5.html