Cisco ASA ASDM Configuration


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(Thomas K) #2

Rene,
Hi. I assume that it is just syntax on the ASA, but does the "http server enable" command enable HTTP and HTTPS access or only HTTPS access?

Many thanks,
Thomas


(Rene Molenaar) #3

Hi Thomas,

It only enables HTTPS.

Rene


(sims) #4

Hi Rene,

"username ADMIN password PASSWORD"

Why does the "Admin" account not require privilege 15?

Thanks


(Rene Molenaar) #5

I’ll change this, it should be a privilege level 15 account.


(asi m) #6

Hi Rene,

I am pretty new to the ASA world. Just wondering, would this work to allow only two IPs (.10 and .11) to access HTTPS:

http 192.168.10.10 255.255.255.254, like a wildcard mask, or will it be just one line for every IP to connect via HTTP?


(Rene Molenaar) #7

Hi Asi,

This should work but in this case, I think I would prefer two separate lines since it’s easier to read.

Rene


(asi m) #8

Thanks Rene,

I think I will be a pain through the course. Apologies in advance, some of my questions might be silly.


(Rene Molenaar) #9

Hi Asi,

That’s no problem, let me know if you have difficulty understanding some of the topics.

Rene


(asi m) #10

Hi Rene,

My idea was to allow only the Mgmt VLAN to have access to HTTP and SSH.

The moment I type in

config t

ssh 192.168.10.0 255.255.255.0 => it logs back "Inconsistent mask".

But when I apply

config t

ssh 192.168.10.1 255.255.255.255 -> the ASA likes it.

My understanding of using the subnet mask for defining the condition for various purposes: on access-lists (like 0.0.0.255, where 0 means the bit has to be the same and 255 means it can be any value) and in routing protocols (router rip, network 192.168.10.1 0.0.0.0, where 0.0.0.0 specifies send/receive hellos and advertise the network from this interface only).

How is it possible to use 255.255.255.255 to indicate that a single host IP can only access SSH or HTTP…

Please advise.


(Rene Molenaar) #11

Hi Asi,

That is strange as it’s a valid network and subnet mask. You sure you didn’t make any typos? :slight_smile:

ASA(config)# ssh 192.168.1.0 255.255.255.0 INSIDE

This allows the entire 192.168.1.0/24 network to access the ASA on the inside, if you want a single host you can use this:

ASA(config)# ssh 192.168.1.1 255.255.255.255 INSIDE

The difference between the ASA and a Cisco IOS router is that the ASA uses subnet masks everywhere. On the Cisco IOS routers, we use wildcard bits for access-lists and for network statements in EIGRP/OSPF.

Rene
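An added example (not from the thread) that models the two points made in #6/#7 and #10/#11 above: how the ASA's `ssh`/`http` entries match a client address with a subnet mask, how that differs from an IOS wildcard mask, and which client addresses a `255.255.255.254` entry covers. The `asa_mask_consistent` check assumes that "Inconsistent mask" means the address has host bits set outside the mask (or the mask is non-contiguous); that interpretation is an assumption, not taken from the page.

```python
import ipaddress

# Added example, not the ASA's own code: a small model of the matching rules
# behind "ssh <ip> <mask> <interface>" and "http <ip> <mask> <interface>".


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def asa_mask_consistent(ip: str, mask: str) -> bool:
    """Assumed meaning of the ASA's 'Inconsistent mask' complaint: the mask must
    be contiguous ones-then-zeros and the address must not set any host bit."""
    m = ip_to_int(mask)
    host_bits = (~m) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):      # non-contiguous mask, e.g. 255.255.0.255
        return False
    return ip_to_int(ip) & host_bits == 0


def asa_permits(entry_ip: str, entry_mask: str, client_ip: str) -> bool:
    """ASA style: the 1 bits of the SUBNET mask must match."""
    m = ip_to_int(entry_mask)
    return ip_to_int(entry_ip) & m == ip_to_int(client_ip) & m


def ios_wildcard_permits(entry_ip: str, wildcard: str, client_ip: str) -> bool:
    """IOS ACL / network-statement style: the 0 bits of the WILDCARD must match."""
    keep = (~ip_to_int(wildcard)) & 0xFFFFFFFF
    return ip_to_int(entry_ip) & keep == ip_to_int(client_ip) & keep


def hosts_allowed(entries, candidates):
    """Candidate client addresses that at least one ASA ssh/http entry permits.
    entries: list of (ip, mask) tuples as typed on the ASA."""
    return [c for c in candidates
            if any(asa_permits(ip, mask, c) for ip, mask in entries)]


if __name__ == "__main__":
    # Constructed management VLAN addresses around the entry from post #6.
    clients = ["192.168.10.9", "192.168.10.10", "192.168.10.11", "192.168.10.12"]
    print(hosts_allowed([("192.168.10.10", "255.255.255.254")], clients))
    # A wildcard typed on an ASA is read as a subnet mask and matches almost nothing:
    print(asa_permits("192.168.10.0", "0.0.0.255", "192.168.10.77"))
```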


(ruby p) #12

I am assuming this course on the firewall requires physical access to an ASA 5505? I only have Packet Tracer and I think this will not work, will it?


(Rene Molenaar) #13

Hi Ruby,

I did most of these examples on an ASA 5510 but a 5505 could also work.

I can recommend giving the virtual ASAv image a try; it works very well.

Rene


(PALANIAPPAN M) #14

Hi Rene

Here the ASDM is accessed using 192.168.1.254, but in the previous chapter I see that you have used 192.168.1.1 as the management IP.
Apologies if these two are not connected.

As always thanks,
Palani


(Rene Molenaar) #15

Hi Palani,

I usually try to use the same IP addresses. Sometimes I use 192.168.1.1 or 192.168.1.254 on the ASA.

Rene


(Joseph H) #16

Hi Rene,

I happen to have a 5510 they let me take home from work. I'm following along with your instructions and everything seems OK to a point. However, not to my surprise, I am having Java issues it seems. When I launch the ASDM (asdm-603.bin) I get a message that the Java runtime is not on my PC and it kills the launch. I had older versions on it and they didn't work. I upgraded to the newest Java recommended, jre1.8.0_101, and that's not working. Is there a trick to this?

PS. If I try to run it as a Java Web Start (the other option) I don't have Web Start and don't see where to get it on the Java site. I had a 5510 and this Java crap drove me crazy then too. Ugh…


(Joseph H) #17

Sorry, meant to say I had a 5505


(Rene Molenaar) #18

Hi Joseph,

ASDM and Java can be an issue.

First of all, ASDM 603 is ancient by now. I would start by upgrading it to the latest version, see what happens then.

Rene


(christopher w) #19

Hi,

I’ve got a Cisco ASA 5510 with the asa917-12-k8.bin image and the asdm-762-150.bin ASDM version on the firewall. I wanted to lab this up physically and not thru gns. I followed the steps but wasn’t able to get thru. I tried the Chrome and Edge browsers. I am consoled up to the ASA from my PC, but I’m thinking that I need a layer 3 connection. Can you help steer me in the right direction? I went thru the forum and didn’t see my unique issue.

Thanks in advance


(Lazaros Agapides) #20

Hello Christopher

When you say you weren’t able to “get thru” do you mean that you were unable to connect via a web GUI to the firewall? In order to use the ASDM to configure the ASA, you must have layer 3 access. The console connection will not allow you to work with ASDM. Take a look at this Cisco documentation on how to prep an ASA to function using ASDM 7.6.

I hope this has been helpful!

Laz