Cisco ASA ASDM Configuration

Hi Asi,

That’s no problem, let me know if you have difficulty understanding some of the topics.

Rene

Hi Rene,

My idea was to allow the Mgmt VLAN only to have access to HTTP and SSH.

The moment I type in

config t

ssh 192.168.10.0 255.255.255.0 => it logs back "Inconsistent mask".

But when I apply

config t

ssh 192.168.10.1 255.255.255.255 -> the ASA likes it.

My understanding of using the subnet mask for defining the condition for various purposes on an access-list (like 0.0.0.255, where 0 means it has to be the same and 255 can be any value), and in a routing protocol, router rip network 192.168.10.1 0.0.0.0 (where 0.0.0.0 specifies send/receive hello/advertise the network from this interface only).

How is it possible to use 255.255.255.255 to indicate that a single host IP can only access SSH or HTTP…

Please advise.

Hi Asi,

That is strange as it’s a valid network and subnet mask. You sure you didn’t make any typos? :slight_smile:

ASA(config)# ssh 192.168.1.0 255.255.255.0 INSIDE

This allows the entire 192.168.1.0/24 network to access the ASA on the inside, if you want a single host you can use this:

ASA(config)# ssh 192.168.1.1 255.255.255.255 INSIDE

The difference between the ASA and a Cisco IOS router is that the ASA uses subnet masks everywhere. On the Cisco IOS routers, we use wildcard bits for access-lists and for network statements in EIGRP/OSPF.

Rene
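Rene's point about subnet masks versus wildcard bits, as an added Python example that is not part of the thread or of any Cisco tool: it validates an address/mask pair the way the ASA expects it and converts IOS wildcards to ASA masks. The check assumes that the "Inconsistent mask" error Asi saw refers to host bits set under the mask; the function names are my own.

```python
import ipaddress

MAX32 = 0xFFFFFFFF

def is_contiguous_mask(mask):
    """True if mask is a run of 1 bits followed by 0 bits (a valid subnet mask)."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & MAX32                # invert: 0.0.0.255 for 255.255.255.0
    return (inv & (inv + 1)) == 0   # 2^n - 1 shares no bit with 2^n

def check_asa_network(address, mask):
    """Validate an ASA-style 'address subnet-mask' pair as used by ssh/http.

    Returns "ok", "non-contiguous mask" or "inconsistent mask" (host bits set
    under the mask; assumed here to be what the ASA's error message refers to).
    """
    if not is_contiguous_mask(mask):
        return "non-contiguous mask"
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return "ok" if (a & ~m & MAX32) == 0 else "inconsistent mask"

def mask_to_wildcard(mask):
    """ASA subnet mask -> IOS wildcard (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & MAX32))

def wildcard_to_mask(wildcard):
    """IOS wildcard -> ASA subnet mask; only contiguous wildcards have an equivalent."""
    mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & MAX32))
    if not is_contiguous_mask(mask):
        raise ValueError(f"wildcard {wildcard} has no ASA subnet-mask equivalent")
    return mask

def ios_to_asa(address, wildcard):
    """Rewrite an IOS 'network wildcard' pair in the ASA 'address mask' form."""
    return f"{address} {wildcard_to_mask(wildcard)}"

if __name__ == "__main__":
    for addr, mask in [("192.168.10.0", "255.255.255.0"),
                       ("192.168.10.1", "255.255.255.0"),
                       ("192.168.10.1", "255.255.255.255")]:
        print(f"ssh {addr} {mask} INSIDE -> {check_asa_network(addr, mask)}")
    print(ios_to_asa("192.168.10.1", "0.0.0.0"))  # RIP host statement -> ASA single host
```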

I am assuming this course on the firewall requires physical access to an ASA 5505? I only have Packet Tracer and I think this will not work, will it?

Hi Ruby,

I did most of these examples on an ASA 5510 but a 5505 could also work.

I can recommend giving the virtual ASAv image a try; it works very well.

Rene

Hi Rene

Here the ASDM is accessed using 192.168.1.254, but in the previous chapter I see that you have used 192.168.1.1 as the management IP.
Apologies if these two are not connected.

As always thanks,
Palani

Hi Palani,

I usually try to use the same IP addresses. Sometimes I use 192.168.1.1 or 192.168.1.254 on the ASA.

Rene

Hi Rene,

I happen to have a 5510 they let me take home from work. I'm following along with your instructions and everything seems OK to a point. However, not to my surprise, I am having Java issues it seems. When I launch the ASDM (asdm-603.bin) I get a message that the Java runtime is not on my PC and it kills the launch. I had older versions on it and they didn't work. I upgraded to the newest Java recommended, jre1.8.0_101, and that's not working. Is there a trick to this?

PS. If I try to run it as Java Web Start (the other option) I don't have Web Start and don't see where to get it on the Java site. I had a 5510 and this Java crap drove me crazy then too. Ugh…

Sorry, meant to say I had a 5505

Hi Joseph,

ASDM and Java can be an issue.

First of all, ASDM 603 is ancient by now. I would start by upgrading it to the latest version, see what happens then.

Rene

Hi,

I’ve got a Cisco ASA 5510 with the asa917-12-k8.bin image and the asdm-762-150.bin ASDM version on the firewall. I wanted to lab this up physically and not through GNS. I followed the steps but wasn’t able to get through. I tried the Chrome and Edge browsers. I am consoled up to the ASA from my PC, but I’m thinking that I need a layer 3 connection. Can you help steer me in the right direction? I went through the forum and didn’t see my unique issue.

Thanks in advance

Hello Christopher

When you say you weren’t able to “get thru” do you mean that you were unable to connect via a web GUI to the firewall? In order to use the ASDM to configure the ASA, you must have layer 3 access. The console connection will not allow you to work with ASDM. Take a look at this Cisco documentation on how to prep an ASA to function using ASDM 7.6.

I hope this has been helpful!

Laz

Hi,
Thank you for the link. I'm still kind of stuck and wondered if you can point me in the right direction please. I have a Cisco 2821 router with a gig0/0 interface plugged into the Cisco ASA 5510 Ethernet 0/0 port. I have pasted in the ASA config in hopes that you might see what might be wrong. I cannot ping from the router to the ASA; both are in the 192.168.2.0 subnet. I tried both straight and crossover cables after hearing that ASA interfaces don't have the auto-sensing MDIX stuff. Could you let me know what my issue is please?

ciscoasa# sh running-config
: Saved
:
: Serial Number: xxxxx
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)12
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 no nameif
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ADMIN password WpmDdjXRzvy3bJoo encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:20f9079b68e70577a4883cc406ee836d
: end
ciscoasa#
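An added Python audit of the configuration posted above (my own example, not part of the thread): it parses ASA interface blocks and the http/ssh access statements and flags an interface that carries an IP address but no nameif, an http/ssh statement that names an unknown nameif, and an allowed subnet that does not overlap the subnet of the interface it is bound to. The sample is an abbreviated excerpt of the posted config; the finding labels are my own.

```python
import ipaddress
import re
# Constructed, abbreviated excerpt of the running-config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 no nameif
 ip address 192.168.2.2 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
http 192.168.1.0 255.255.255.0 management
"""

def parse_interfaces(config):
    """Map each interface to its nameif and IPv4Interface (None when unset)."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"nameif": None, "ip": None}
        elif cur and line.startswith(" ") and line.strip():
            p = line.split()
            if p[0] == "nameif":
                ifaces[cur]["nameif"] = p[1]
            elif p[:2] == ["ip", "address"]:
                ifaces[cur]["ip"] = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
        else:
            cur = None  # '!' or a global command ends the interface block
    return ifaces

def audit(config):
    """Return (finding, subject) pairs for common ASDM-reachability mistakes."""
    findings, ifaces = [], parse_interfaces(config)
    for name, i in ifaces.items():
        if i["ip"] and not i["nameif"]:  # an ASA interface without a nameif passes no traffic
            findings.append(("no-nameif", name))
    by_nameif = {i["nameif"]: i for i in ifaces.values() if i["nameif"]}
    for m in re.finditer(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", config, re.M):
        proto, net, mask, nameif = m.groups()
        allowed = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        iface = by_nameif.get(nameif)
        if iface is None:
            findings.append((f"{proto}-unknown-nameif", nameif))
        elif iface["ip"] and not allowed.overlaps(iface["ip"].network):
            findings.append((f"{proto}-off-subnet", f"{allowed} on {nameif}"))
    return findings
```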

Hello Christopher

I’m not sure why you are unable to ping. However, you can turn on debugging on the ASA and see if the ping actually reaches the device, and if so, why it doesn’t respond. If there is no debug output, the ping doesn’t actually reach the device. If it does, it will tell you why/if it doesn’t respond.

As far as MDIX support, the ASA supports both crossover and straight-through cables.

Let us know your results. I hope this helps.

Laz

As far as I can see in your configuration, you have enabled the HTTP server for 192.168.1.0, but in the description you said both subnets are in 192.168.2.0.

If you are using an older version of the ASA and have errors regarding
“Inside interface not recognized on Cisco ASA-5505”, refer to the reference below. Here are the commands:

ciscoasa# conf t
ciscoasa(config)# interface vlan X
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level Y
ciscoasa(config-if)# ip address Z 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end

Reference: https://networkengineering.stackexchange.com/questions/10461/inside-interface-not-recognized-on-cisco-asa-5505

Hello,
Scenario: I have a PC (10.29.229.38/25) and an ASA 5505 (10.29.229.124/25); they are connected via a switch and I can ping from the PC to the ASA.
I want to use ASDM but I am getting the following error message: “Unable to launch device manager from 10.29.229.124”. In the logs (from Java’s ASA Launcher) I see the following exception: “ValidatorException: Extended key usage does not permit use for TLS server authentication”.
Any explanation?
Thank you :slight_smile:

Hello Fadi

This looks like a certificate issue. Take a look at this link that deals with the specific issue.

I hope this has been helpful!

Laz

Hi Rene, thank you for your help. I would like to work with the GUI (ASDM). Is it possible to get a full ASDM lesson like what we have done on the command line?
Thanks, Rene.
Ilyas nur

Hello Ilyas

In general, whatever can be configured with the command line on the ASA can be configured using ASDM. If you know how to do it using the command line, it is usually easy to figure it out using ASDM. The fundamental understanding of these features is much more clearly taught in the lessons using the CLI, and this is the reason why we focus so much on that. Once you understand how to implement it there, it is quite easy to open up ASDM and intuitively understand how to implement the same things.

However, if you have difficulty in finding out how to implement specific features, you can always access Cisco documentation to help you along the way.

I hope this has been helpful!

Laz