Cisco ASA ASDM Configuration

Hi,
Thank you for the link. I’m still kind of stuck and wondered if you can point me in the right direction, please. I have a Cisco 2821 router with a gig0/0 interface plugged into the Cisco ASA 5510 Ethernet 0/0 port. I have pasted in the ASA config in hopes that you might see what might be wrong. I cannot ping from the router to the ASA. Both are in the 192.168.2.0 subnet. I tried both straight and crossover after hearing that ASA interfaces don’t have the auto-sensing MDIX stuff. Could you let me know what my issue is, please?

ciscoasa# sh running-config
: Saved
:
: Serial Number: xxxxx
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)12
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 no nameif
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ADMIN password WpmDdjXRzvy3bJoo encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:20f9079b68e70577a4883cc406ee836d
: end
ciscoasa#

Hello Christopher

I’m not sure why you are unable to ping. However, you can turn debugging on on the ASA and see if the ping actually reaches the device, and if so why it doesn’t respond. If there is no debug output, the ping doesn’t actually reach the device. If it does, it will tell you why/if it doesn’t respond.

As far as MDIX support, the ASA supports both crossover and straight-through cables.

Let us know your results. I hope this helps.

Laz

1 Like

As far as I can see in your configuration, you have enabled the HTTP server for 192.168.1.0, but in the description you said both subnets are in 192.168.2.0.

If you are using an older version of ASA and have errors regarding “Inside interface not recognized on Cisco ASA-5505”, refer to the reference below. Here are the commands:

ciscoasa# conf t
ciscoasa(config)# interface vlan X
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level Y
ciscoasa(config-if)# ip address Z 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end

Reference: https://networkengineering.stackexchange.com/questions/10461/inside-interface-not-recognized-on-cisco-asa-5505

1 Like
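
The checks raised in the replies above can be run offline against a saved running-config. The following Python sketch is an added example, not part of any forum post: it flags interfaces that have an IP address but no nameif (the ASA cannot use an interface until it is named) and reports whether an http permit statement covers a given client. The config excerpt and the client address 192.168.2.1 are constructed for illustration.

```python
import ipaddress

# Constructed excerpt, modelled on the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 no nameif
 ip address 192.168.2.2 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 management
"""

def parse(config):
    """Return ({port: {nameif, network}}, [(permitted network, nameif)], http_enabled)."""
    interfaces, permits, http_on, current = {}, [], False, None
    for line in config.splitlines():
        words = line.split() or ["!"]
        if line.startswith("interface "):
            current = interfaces.setdefault(words[1], {"nameif": None, "network": None})
        elif line.startswith(" ") and current is not None:
            if words[0] == "nameif":
                current["nameif"] = words[1]
            elif words[:2] == ["ip", "address"] and len(words) >= 4 and words[2][0].isdigit():
                current["network"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        else:
            current = None  # "!" or a global command ends the interface block
            if words[:3] == ["http", "server", "enable"]:
                http_on = True
            elif words[0] == "http" and len(words) == 4 and words[1][0].isdigit():
                permits.append((ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False), words[3]))
    return interfaces, permits, http_on

def audit(config, client_ip):
    """List the reasons client_ip cannot reach ASDM with this configuration."""
    interfaces, permits, http_on = parse(config)
    client = ipaddress.ip_address(client_ip)
    findings = [f"{port}: IP address configured but no nameif"
                for port, intf in interfaces.items() if intf["network"] and not intf["nameif"]]
    if not http_on:
        findings.append("http server enable is missing")
    named = {intf["nameif"] for intf in interfaces.values() if intf["nameif"]}
    if not any(client in net and name in named for net, name in permits):
        findings.append(f"no http permit statement covers {client_ip}")
    return findings
```

Calling `audit(SAMPLE_CONFIG, "192.168.2.1")` returns both findings; an empty list means the named interface and the http permit line both cover the client.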

Hello,
Scenario: I have a PC (10.29.229.38/25) and an ASA 5505 (10.29.229.124/25). They are connected via a switch and I can ping from the PC to the ASA.
I want to use ASDM but I am getting the following error message: “Unable to launch device manager from 10.29.229.124”. In the logs (from Java’s ASA Launcher) I see the following exception: “ValidatorException: Extended key usage does not permit use for TLS server authentication”
Any explanation?
Thank you :slight_smile:

Hello Fadi

This looks like a certificate issue. Take a look at this link that deals with the specific issue.

I hope this has been helpful!

Laz

Hi Rene, thank you for your help. I would like to work with the GUI (ASDM). Is it possible to get a full ASDM lesson like what we have done on the command line?
Thanks, Rene.
Ilyas nur

Hello Ilyas

In general, whatever can be configured with the command line on the ASA, can be configured using ASDM. If you know how to do it using the command line, it is usually easy to be able to figure it out using ASDM. The fundamental understanding of these features is much more clearly taught in the lessons using the CLI, and this is the reason why we focus so much on that. Once you understand how to implement it there, it is quite easy to open up the ASDM and understand intuitively how to implement the same things.

However, if you have difficulty in finding out how to implement specific features, you can always access Cisco documentation to help you along the way.

I hope this has been helpful!

Laz

Hi Rene and staff,
It is hard for me to start working with ASDM. I don’t understand very well how this software works with Java … I don’t like Java …
Well, this is my lab
[image]
Configuration management interface
[image]

ASDM .bin was uploaded to flash
[image]

HTTP is enabled on management0/0
DHCP is enabled on management0/0
Config in ASA
[image]

Now, the client
[image]
Client received a lease from DHCP: OK

Java installation
[image]

It seems OK

Let’s go with Firefox
[image]
Not working as I expected!

  • I don’t receive a request for root authentication
  • it seems that the Java installation is not OK on the client?; I cannot download the ASDM launcher from the ASA

Could you help me and clarify how ASDM works with Java for those who have “zero” knowledge of Java? (and hate Java :slight_smile: )
Regards

Hello Dominique

If you notice in the lesson, for a Windows-based device, you are given two options: to run ASDM as a local application, which would mean to install it on your computer and run it independently from a web browser, or to run it using Java Web Start application, which means you can run it directly from inside the web browser.

In your case, you are trying to run ASDM on a Linux-based client. I haven’t done this before, but I did a bit of research and found out the following:

For Linux-based devices, you only have the option of running it in the browser via Java. Over the years I have found that such implementations of Cisco java-based interfaces (not only for ASDM, but particularly for Call Manager VoIP solutions) are very buggy. They usually require a particular java version, and you may need to downgrade to get it to work.

You’ve configured things correctly from the look of things, having installed the run time environment. It seems that it can’t detect that it has indeed been installed.

There are a couple of things I can suggest. For ASDM, the release notes linked below state that you need Java JRE 8.0 or OpenJRE 1.8.x. You may want to try to install one of these to ensure that you are completely compliant.

Secondly, because of the bugginess of Java/Cisco interaction, you still might not be able to get it to work. Doing some searching, I have found that you may need to force the Index.html to execute without checking if the JRE is installed. This is done by modifying a display attribute within the html file which causes the page to be displayed as if the browser recognized that JRE is installed on the system. Then you will have the Run ASDM button to run it normally. If you want to find out more info about this, you can search for “How to run Cisco ASDM as a Java Web Start application” in your favorite search engine.

This is by no means a good solution, but it is a solution. Keep in mind that the Cisco documentation linked above does say that ASDM is not tested on Linux.

I hope this has been helpful!

Laz

1 Like

Hi Laz,
Thank you for your reply.
Using GNS3, it is not easy to install and launch ASDM on a Windows client, but I succeeded using Windows 10 as a QEMU device.

The easy way to start with ASDM in GNS3 is using the Docker container built by BERNHARD EHLERS, thank you to him.

https://www.b-ehlers.de/blog/posts/2017-10-23-gns3-configure-asa-asdm/

The Docker image (ehlers/web_java) is pulled onto your GNS3 server in a few seconds and you can use ASDM easily.

That is an easy way to play with ASDM, but struggling with the install on a Windows client is a way to learn more things about how it works.
Regards

1 Like

Hello Dominique

Thanks for sharing your experience with us! This is useful stuff for everyone on the forum and for us as well!

Laz

1 Like

Hello Rene,

I thought you are enabling HTTP (80) for ASDM on the CLI, why are you accessing the application via HTTPS (443)?

Hi @ravko19 ,

I understand the confusion. On the ASA however, the http server command enables HTTPS.

You can verify this by looking at the listening ports:

ASA1# show asp table socket

Protocol   Socket    State      Local Address                                Foreign Address
SSL        0001a388  LISTEN     10.65.190.1:443                              0.0.0.0:*  

Hi Rene.
Could you kindly advise the easiest way to download and install ASDM with CML2?
I’m having difficulty getting it to work with CML2.
I have downloaded the image of ASDM but can’t get it to upload and use with CML2.
I would appreciate it if you can share the steps. Or is there any simulator out there to practice with?
Thanks

Hello Ade

Take a look at these threads from the Cisco Community. They will aid you in the necessary process.

https://learningnetwork.cisco.com/s/article/how-to-configure-asav-for-asdm-connectivity

Also, there are quite a few ready-made tutorials that show you how to achieve this using step by step instructions, including videos. If you do a search you should be able to readily find several such resources.

As you get along, if you get stuck anywhere, let us know and we’ll do our best to help out!

I hope this has been helpful!

Laz

Hi Rene ,

I need your help. We have had ASDM for a pretty long time, but suddenly it has stopped working … it says “ASDM Read time out”.

I have checked the configs, everything looks great. CLI works without any interruption, only ASDM does not.

Hello Pooja

Some others have faced similar problems, but there is no definitive cause for this behavior. Some of the most common solutions to this include:

  1. Sometimes it’s as simple as a reboot of the ASA.
  2. Sometimes it’s an issue that has to do with the Java version that’s running on your web browser.
  3. Updating the ASDM version.
  4. Reinstalling ASDM on the PC.

More info can be found here:

Let us know how you get along.

I hope this has been helpful!

Laz

Hi, I have a problem with ASDM on a Cisco 5505.
I used to use IE to access it, but now Microsoft Edge shows that it doesn’t support TLS1.0.
Is there any other way to access ASDM?

Hello TE-EN LIN

You should be able to reenable TLS1.0 on the Microsoft Edge browser. Take a look at this Microsoft post that shows you how to do this:

Now I’m not sure if this will resolve your particular problem with this solution, but try it out and let us know your results.

I hope this has been helpful!

Laz