Cisco ASA ASDM Configuration


(sims) #4

Hi Rene,

"username ADMIN password PASSWORD"

Why does the "Admin" account not require privilege 15?

Thanks


(Rene Molenaar) #5

I’ll change this, it should be a privilege level 15 account.


(asi m) #6

Hi Rene,

I am pretty new to the ASA world. Just wondering, would this work to allow only two IPs (10 & 11) to access HTTPS:

http 192.168.10.10 255.255.255.254, like a wildcard mask, or will it be just one line for every IP to connect via HTTP?


(Rene Molenaar) #7

Hi Asi,

This should work but in this case, I think I would prefer two separate lines since it’s easier to read.

Rene


(asi m) #8

Thanks Rene,

I think I will be a pain through the course. Apologies in advance, some of my questions might be silly.


(Rene Molenaar) #9

Hi Asi,

That’s no problem, let me know if you have difficulty understanding some of the topics.

Rene


(asi m) #10

Hi Rene,

My idea was to allow only the management VLAN to have access to HTTP and SSH.

The moment I type in

config t

ssh 192.168.10.0 255.255.255.0 => it logs back "Inconsistent mask".

But when I apply

config t

ssh 192.168.10.1 255.255.255.255 -> the ASA likes it.

My understanding of using the subnet mask for defining the condition for various purposes comes from access-lists (like 0.0.0.255, where 0 means it has to be the same and 255 can be any value) and from routing protocols (router rip, network 192.168.10.1 0.0.0.0, where 0.0.0.0 specifies send/receive hellos and advertise the network from this interface only).

How is it possible to use 255.255.255.255 to indicate that a single host IP can only access SSH or HTTP…

Please advise.


(Rene Molenaar) #11

Hi Asi,

That is strange as it’s a valid network and subnet mask. You sure you didn’t make any typos? :slight_smile:

ASA(config)# ssh 192.168.1.0 255.255.255.0 INSIDE

This allows the entire 192.168.1.0/24 network to access the ASA on the inside, if you want a single host you can use this:

ASA(config)# ssh 192.168.1.1 255.255.255.255 INSIDE

The difference between the ASA and a Cisco IOS router is that the ASA uses subnet masks everywhere. On the Cisco IOS routers, we use wildcard bits for access-lists and for network statements in EIGRP/OSPF.

Rene
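To make the mask semantics in the reply above concrete, here is an added Python check (not part of the thread or the course) that evaluates an ASA address/mask pair the way the ASA reads it: the mask is a subnet mask, it must be contiguous, and the address may not have bits set outside it. It also gives the equivalent IOS wildcard and lists the hosts a line would admit, which covers the 255.255.255.254 question from post #6 as well.

```python
import ipaddress

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def asa_mask_check(address: str, mask: str) -> dict:
    """Evaluate an ASA '<address> <mask>' pair with ASA (subnet-mask) semantics.

    ipaddress.IPv4Network is deliberately not used for the check: it quietly
    accepts an IOS wildcard such as 0.0.0.255 as a host mask, while the ASA
    reads every mask as a subnet mask and rejects a non-contiguous one.
    """
    a, m = _to_int(address), _to_int(mask)
    inv = m ^ 0xFFFFFFFF                 # bit pattern of the IOS wildcard form
    contiguous = (inv & (inv + 1)) == 0  # mask is a run of 1s followed by 0s
    host_bits_set = (a & inv) != 0       # address bits outside the mask
    return {
        "contiguous": contiguous,
        # False corresponds to the "Inconsistent mask" error quoted in the thread
        "accepted": contiguous and not host_bits_set,
        "prefix_len": bin(m).count("1") if contiguous else None,
        "ios_wildcard": str(ipaddress.IPv4Address(inv)),
    }

def permitted_hosts(address: str, mask: str, limit: int = 8) -> list:
    """First `limit` addresses an 'ssh/http <address> <mask> <nameif>' line admits."""
    r = asa_mask_check(address, mask)
    if not r["accepted"]:
        raise ValueError(f"Inconsistent mask: {address} {mask}")
    base = _to_int(address)
    count = min(limit, 1 << (32 - r["prefix_len"]))
    return [str(ipaddress.IPv4Address(base + i)) for i in range(count)]

if __name__ == "__main__":
    # The cases from the thread: a /31 covering hosts .10 and .11, a single
    # host (/32, wildcard 0.0.0.0 on IOS), and an address with host bits set.
    print(permitted_hosts("192.168.10.10", "255.255.255.254"))
    print(permitted_hosts("192.168.1.1", "255.255.255.255"))
    print(asa_mask_check("192.168.10.1", "255.255.255.0"))
```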


(ruby p) #12

I am assuming this course on the firewall requires physical access to an ASA 5505? I only have Packet Tracer and I think this will not work, will it?


(Rene Molenaar) #13

Hi Ruby,

I did most of these examples on an ASA 5510 but a 5505 could also work.

I can recommend giving the virtual ASAv image a try, it works very well.

Rene


(PALANIAPPAN M) #14

Hi Rene

Here the ASDM is accessed using 192.168.1.254 but in the previous chapter I see that you have used 192.168.1.1 as the management IP.
Apologies if these two are not connected.

As always thanks,
Palani


(Rene Molenaar) #15

Hi Palani,

I usually try to use the same IP addresses. Sometimes I use 192.168.1.1 or 192.168.1.254 on the ASA.

Rene


(Joseph H) #16

Hi Rene,

I happen to have a 5510 they let me take home from work. I'm following along with your instructions and everything seems OK to a point. However, not to my surprise, I am having Java issues it seems. When I launch the ASDM (asdm-603.bin) I get a message that the Java runtime is not on my PC and it kills the launch. I had older versions on it and they didn't work. I upgraded to the newest Java recommended, jre1.8.0_101, and that's not working. Is there a trick to this?

PS. If I try to run it as Java Web Start (the other option) I don't have Web Start and don't see where to get it on the Java site. I had a 5510 and this Java crap drove me crazy then too. Ugh…


(Joseph H) #17

Sorry, meant to say I had a 5505


(Rene Molenaar) #18

Hi Joseph,

ASDM and Java can be an issue.

First of all, ASDM 603 is ancient by now. I would start by upgrading it to the latest version, see what happens then.

Rene


(christopher w) #19

Hi,

I've got a Cisco ASA 5510 with the asa917-12-k8.bin image and the asdm-762-150.bin ASDM version on the firewall. I wanted to lab this up physically and not through GNS. I followed the steps but wasn't able to get through. I tried the Chrome and Edge browsers. I am consoled up to the ASA from my PC, but I'm thinking that I need a layer 3 connection. Can you help steer me in the right direction? I went through the forum and didn't see my unique issue.

Thanks in advance


(Lazaros Agapides) #20

Hello Christopher

When you say you weren’t able to “get thru” do you mean that you were unable to connect via a web GUI to the firewall? In order to use the ASDM to configure the ASA, you must have layer 3 access. The console connection will not allow you to work with ASDM. Take a look at this Cisco documentation on how to prep an ASA to function using ASDM 7.6.

I hope this has been helpful!

Laz


(christopher w) #21

Hi,
Thank you for the link. I'm still kind of stuck and wondered if you can point me in the right direction please. I have a Cisco 2821 router with a Gig0/0 interface plugged into the Cisco ASA 5510 Ethernet 0/0 port. I have pasted in the ASA config in hopes that you might see what might be wrong. I cannot ping from the router to the ASA. Both are in the 192.168.2.0 subnet. I tried both straight-through and crossover after hearing that ASA interfaces don't have the auto-sensing MDIX stuff. Could you let me know what my issue is please.

ciscoasa# sh running-config
: Saved
:
: Serial Number: xxxxx
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)12
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 no nameif
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ADMIN password WpmDdjXRzvy3bJoo encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:20f9079b68e70577a4883cc406ee836d
: end
ciscoasa#

(Lazaros Agapides) #22

Hello Christopher

I'm not sure why you are unable to ping. However, you can turn on debugging on the ASA and see if the ping actually reaches the device and, if so, why it doesn't respond. If there is no debug output, the ping doesn't actually reach the device. If it does, it will tell you why/if it doesn't respond.

As far as MDIX support, the ASA supports both crossover and straight-through cables.

Let us know your results. I hope this helps.

Laz


(Muhammad W) #23

As far as I can see in your configuration, you have enabled the HTTP server for 192.168.1.0, but in the description you said both subnets are in 192.168.2.0.
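The observation above can be made mechanical. The following is an added Python check (not from the course or from anyone in the thread) that parses an excerpt of the configuration pasted in post #21, maps each http/ssh access line to the interface it names, and reports for a given peer address which interface subnet it falls in, which access lines admit it, and which interfaces have no nameif (an ASA interface is not operational until it has one). The excerpt is constructed from that post with only the interface and management-access lines kept.

```python
import ipaddress
import re

# Excerpt of the running-config pasted in post #21 (constructed from that post;
# only the interface definitions and the management-access lines are kept).
ASA_CONFIG = """\
interface Ethernet0/0
 no nameif
 ip address 192.168.2.2 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 management
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface to its nameif (None if missing) and its subnet."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            cur = ifaces.setdefault(tok[1], {"nameif": None, "network": None})
        elif cur is None or not line.startswith(" "):
            cur = None   # '!' or a global command ends the interface block
        elif tok[0] == "nameif":
            cur["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"]:
            cur["network"] = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
    return ifaces

def parse_access_lines(config: str) -> list:
    """Collect (service, permitted network, nameif) from 'http'/'ssh' lines."""
    pat = re.compile(r"(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")
    return [(m.group(1), ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}"), m.group(4))
            for m in map(pat.match, config.splitlines()) if m]

def check_peer(config: str, peer: str) -> dict:
    """For a peer address: interfaces whose subnet contains it, the access
    lines that admit it, and interfaces that have no nameif at all."""
    ip = ipaddress.IPv4Address(peer)
    ifaces = parse_interfaces(config)
    return {
        "on_interface": [n for n, d in ifaces.items() if d["network"] and ip in d["network"]],
        "allowed_by": [(s, i) for s, net, i in parse_access_lines(config) if ip in net],
        "no_nameif": [n for n, d in ifaces.items() if d["nameif"] is None],
    }
```

Running check_peer(ASA_CONFIG, "192.168.2.1") for the router's subnet shows the peer lands on Ethernet0/0, is admitted by no http/ssh line, and that Ethernet0/0 has no nameif.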