Cisco ASA ASDM Configuration

Hi Ruby,

I did most of these examples on an ASA 5510 but a 5505 could also work.

I can recommend giving the virtual ASAv image a try, it works very well.

Rene

Hi Rene

Here the ASDM is accessed using 192.168.1.254 but in the previous chapter I see that you have used 192.168.1.1 as the management IP.
Apologies if these two are not connected.

As always thanks,
Palani

Hi Palani,

I usually try to use the same IP addresses. Sometimes I use 192.168.1.1 or 192.168.1.254 on the ASA.

Rene

Hi Rene,

I happen to have a 5510 they let me take home from work. I'm following along with your instructions and everything seems ok to a point. However, not to my surprise I am having JAVA issues it seems. When I launch the asdm (asdm-603.bin) I get a message that java runtime is not on my PC and it kills the launch. I had older versions on it and they didn't work. I upgraded to the newest Java recommended jre1.8.0_101 and that's not working. Is there a trick to this?

PS. If I try to run it as a JAVA webstart (the other option) I don't have webstart and don't see where to get it on the Java site. I had a 5510 and this Java crap drove me crazy then too. Ugh…

Sorry, meant to say I had a 5505

Hi Joseph,

ASDM and Java can be an issue.

First of all, ASDM 603 is ancient by now. I would start by upgrading it to the latest version, see what happens then.

Rene

Hi,

I’ve got a Cisco ASA 5510 with the asa917-12-k8.bin image and the asdm-762-150.bin ASDM version on the firewall. I wanted to lab this up physically and not thru GNS. I followed the steps but wasn’t able to get thru. I tried Chrome and Edge browsers. I am consoled up to the ASA from my PC. But I’m thinking that I need a layer 3 connection. Can you help steer me in the right direction? I went thru the forum and didn’t see my unique issue.

Thanks in advance

Hello Christopher

When you say you weren’t able to “get thru” do you mean that you were unable to connect via a web GUI to the firewall? In order to use the ASDM to configure the ASA, you must have layer 3 access. The console connection will not allow you to work with ASDM. Take a look at this Cisco documentation on how to prep an ASA to function using ASDM 7.6.

I hope this has been helpful!

Laz

Hi,
Thank you for the link. I'm still kind of stuck and wondered if you can point me in the right direction please. I have a Cisco 2821 router with a gig0/0 interface plugged into the Cisco ASA 5510 Ethernet 0/0 port. I have pasted in the ASA config in hopes that you might see what might be wrong. I cannot ping from the router to the ASA. Both are in the 192.168.2.0 subnet. I tried both straight and crossover after hearing that ASA interfaces don't have the auto-sensing MDIX stuff. Could you let me know what my issue is please.

ciscoasa# sh running-config
: Saved
:
: Serial Number: xxxxx
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)12
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 no nameif
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ADMIN password WpmDdjXRzvy3bJoo encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:20f9079b68e70577a4883cc406ee836d
: end
ciscoasa#

Hello Christopher

I’m not sure why you are unable to ping. However, you can turn debugging on on the ASA and see if the ping actually reaches the device, and if so why it doesn’t respond. If there is no debug output, the ping doesn’t actually reach the device. If it does, it will tell you why/if it doesn’t respond.

As far as MDIX support, the ASA supports both crossover and straight-through cables.

Let us know your results. I hope this helps.

Laz


As far as I can see in your configuration, you have enabled http server for 192.168.1.0 but in the description you said both subnets are in 192.168.2.0.

If you are using an older version of ASA and have errors regarding
“Inside interface not recognized on Cisco ASA-5505”, refer to the reference below. Here are the commands:

ciscoasa# conf t
ciscoasa(config)# interface vlan X
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level Y
ciscoasa(config-if)# ip address Z 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end

Reference: https://networkengineering.stackexchange.com/questions/10461/inside-interface-not-recognized-on-cisco-asa-5505

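As an added example (not from any poster in this thread or from Cisco), a small Python audit that applies the two points raised in this thread to a constructed excerpt modelled on the running-config pasted above: an interface with an IP address but no nameif is not active, and the client must be covered by an http statement that names an active interface.

```python
import ipaddress
import re
# Constructed excerpt modelled on the running-config posted in the thread (not the
# poster's file): Ethernet0/0 has an IP but no nameif; only the management subnet has http access.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 no nameif
 ip address 192.168.2.2 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 management
"""

def parse_interfaces(config):
    """Map each interface block to its nameif and IPv4 address (None if absent)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "ip": None}
        elif current and line.startswith(" "):
            words = line.split()
            if words[0] == "nameif":
                interfaces[current]["nameif"] = words[1]
            elif words[:2] == ["ip", "address"] and len(words) == 4:
                interfaces[current]["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config, client_ip):
    """List the reasons a client at client_ip could not reach ASDM on this ASA."""
    interfaces = parse_interfaces(config)
    named = {v["nameif"] for v in interfaces.values() if v["nameif"]}
    client = ipaddress.ip_address(client_ip)
    # An ASA interface with no nameif is inactive: it answers neither pings nor HTTPS.
    findings = [f"{name} has {d['ip']} but no nameif, so it is not active"
                for name, d in interfaces.items() if d["ip"] and not d["nameif"]]
    if "http server enable" not in config.splitlines():
        findings.append("http server is not enabled")
    # Each "http <net> <mask> <nameif>" line must name an active interface and cover the client.
    allowed = [(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3])
               for m in re.finditer(r"^http (\S+) (\S+) (\S+)$", config, re.M)]
    if not any(client in net and ifname in named for net, ifname in allowed):
        findings.append(f"{client_ip} is not permitted by any http statement on an active interface")
    return findings
```

Running `audit(SAMPLE_CONFIG, "192.168.2.10")` reports both problems for a host on the router's subnet, while a host on 192.168.1.0/24 only gets the inactive-interface finding.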

Hello,
Scenario: I have a PC (10.29.229.38/25) and an ASA 5505 (10.29.229.124/25) they are connected via Switch and I can ping from the PC to the ASA.
I want to use ASDM but I am getting the following error message: “Unable to launch device manager from 10.29.229.124” in the logs (from Java’s ASA Launcher) I see the following exception: “ValidatorException: Extended key usage does not permit use for TLS server authentication”
Any explanation?
Thank you :)

Hello Fadi

This looks like a certificate issue. Take a look at this link that deals with the specific issue.

I hope this has been helpful!

Laz

Hi Rene, thank you for your help. I would like to work with the GUI (ASDM). Is it possible to get a full ASDM lesson like what we have done with the command line?
Thanks, Rene.
Ilyas nur

Hello Ilyas

In general, whatever can be configured with the command line on the ASA, can be configured using ASDM. If you know how to do it using the command line, it is usually easy to be able to figure it out using ASDM. The fundamental understanding of these features is much more clearly taught in the lessons using the CLI, and this is the reason why we focus so much on that. Once you understand how to implement it there, it is quite easy to open up the ASDM and understand intuitively how to implement the same things.

However, if you have difficulty in finding out how to implement specific features, you can always access Cisco documentation to help you along the way.

I hope this has been helpful!

Laz

Hi Rene and staff,
It is hard for me to start working with ASDM. I don't understand very well how this software works with Java … I don't like Java …
Well, this is my lab
[image]
Configuration management interface
[image]

ASDM .bin was uploaded in flash
[image]

HTTP is enabled on management0/0
DHCP is enabled on management0/0
Config in ASA
[image]

Now, client
[image]
Client received a lease from DHCP: OK

Java installation
[image]

It seems OK

Let’s go with Firefox
[image]
Not working as I expected!

  • I don't receive a request for root authentication
  • it seems that the Java installation is not OK on the client?; I cannot download the ASDM launcher from the ASA

Could you help me and clarify how ASDM works with Java for those who have “zero” knowledge of Java? (and hate Java :) )
Regards

Hello Dominique

If you notice in the lesson, for a Windows-based device, you are given two options: to run ASDM as a local application, which would mean to install it on your computer and run it independently from a web browser, or to run it using Java Web Start application, which means you can run it directly from inside the web browser.

In your case, you are trying to run ASDM on a Linux-based client. I haven’t done this before, but I did a bit of research and found out the following:

For Linux-based devices, you only have the option of running it in the browser via Java. Over the years I have found that such implementations of Cisco java-based interfaces (not only for ASDM, but particularly for Call Manager VoIP solutions) are very buggy. They usually require a particular java version, and you may need to downgrade to get it to work.

You’ve configured things correctly from the look of things, having installed the run time environment. It seems that it can’t detect that it has indeed been installed.

There are a couple of things I can suggest. For ASDM, the release notes linked below, state that you need Java JRE 8.0 or OpenJRE 1.8.x. You may want to try to install one of these to ensure that you are completely compliant.

Secondly, because of the bugginess of Java/Cisco interaction, you still might not be able to get it to work. Doing some searching, I have found that you may need to force the Index.html to execute without checking if the JRE is installed. This is done by modifying a display attribute within the html file which causes the page to be displayed as if the browser recognized that JRE is installed on the system. Then you will have the Run ASDM button to run it normally. If you want to find out more info about this, you can search for “How to run Cisco ASDM as a Java Web Start application” in your favorite search engine.

This is by no means a good solution, but it is a solution. Keep in mind that the Cisco documentation linked above does say that ASDM is not tested on Linux.

I hope this has been helpful!

Laz

Hi Laz,
thank you for your reply
Using GNS3, it is not easy to install and launch ASDM on a Windows client, but I succeeded using Windows 10 as a QEMU device

The easy way to start with ASDM in GNS3 is using the Docker container built by Bernhard Ehlers, thank you to him

https://www.b-ehlers.de/blog/posts/2017-10-23-gns3-configure-asa-asdm/

The Docker image (ehlers/web_java) is pulled onto your GNS3 server in a few seconds and you can use ASDM easily

That is an easy way to play with ASDM, but struggling with the install on a Windows client is a way to learn more things about how it works
Regards

Hello Dominique

Thanks for sharing your experience with us! This is useful stuff for everyone on the forum and for us as well!

Laz