ASDM-IDM Launcher Password Issue

Answered Question
Dec 28th, 2010

Hello All,

Recently I have determined that one of my neighbor's teenagers has decided to refine his hacking skills on my home network. So I thought it might be a good time to make an investment into a Cisco ASA 5505 Appliance.

Here is my issue: when I enter the management IP address (https://192.168.1.1/admin), a webpage appears asking to "continue to the website", so I select this option. The Cisco ASDM 6.2(1) appears. There are three options to select: Install ASDM Launcher and Run ASDM, Run ASDM, and Run Startup wizard. If I select "Install ASDM Launcher" I receive an error when entering the password. Eventually I'll cancel after several attempts and get an "Authorization error" from IE. I am receiving the same response for the other two options. I have set the firewall to the factory default. I am running Java version 6 update 23 (build 1.6.0_23-b05) 32 & 64 bit for IE browsers since I have both versions.

What am I doing wrong? I have been at this all day. I need the expertise of someone who obviously understands this better than I do. I have already had one bad experience by purchasing a used PIX 501. Never got it to work. This time I decided to purchase something new with more features.

mrwithrow@comca... Tue, 12/28/2010 - 19:04

Thank you for your response. I have already tried that.

I am wondering if I may need to reset the config-registry. Question: if I were to do this, will I lose my licensing for the appliance?

mrwithrow@comca... Tue, 12/28/2010 - 19:14

I can access the ASA from the console but would prefer to setup the ASA using the ASDM. Here is the current config

ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!

hostname ciscoasa

enable password TGC9Z8acq7BhAjhu encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100

ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0

ip address dhcp setroute
!
interface Ethernet0/0

switchport access vlan 2
!
interface Ethernet0/1

!
interface Ethernet0/2
!
interface Ethernet0/3
!

interface Ethernet0/4
!
interface Ethernet0/5

!
interface Ethernet0/6
!

interface Ethernet0/7
!
ftp mode passive

pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable

arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location

no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5

ssh timeout 5

console timeout 0
dhcpd auto_config outside

!
dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh
  inspect rtsp
  inspect esmtp

  inspect sqlnet
  inspect skinny 
  inspect sunrpc

  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:94d7c2efc42635bd6d9037afeba1cc88
: end

ciscoasa#

Poonguzhali Sankar Tue, 12/28/2010 - 20:44

Add the following commands via console and see if you can login via asdm using the ID cisco and password cisco123 when you go to https://192.168.1.1 on the browser. No need for "admin" after the IP address.

conf t

username cisco password cisco123 priv 15

aaa authentication http console LOCAL

-KS
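The two console commands in the reply above add a privilege 15 local user and per-user LOCAL authentication for ASDM. The following is an added example, not part of the original thread or Cisco code: a small checker that reads `sh run` style text and reports how the ASDM/HTTPS management plane is configured. The sample configs, the hash placeholder and the function name `audit_asdm_access` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of the "sh run" output posted in this thread.
BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
http server enable
http 192.168.1.0 255.255.255.0 inside
"""
# Same config after the two console commands; the hash is a placeholder.
AFTER = BEFORE + """\
username cisco password HASH-PLACEHOLDER encrypted privilege 15
aaa authentication http console LOCAL
"""

def audit_asdm_access(config):
    """Return (allowed_sources, findings) for the ASDM/HTTPS management plane."""
    levels, nameif = {}, None
    sources, admins = [], []
    server = aaa_local = False
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m[1]                      # remember the interface name
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m[1])
        elif line.startswith("http server enable"):
            server = True
        elif m := re.fullmatch(r"http ([\d.]+) ([\d.]+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            sources.append((str(net), m[3]))   # (allowed network, interface)
        elif m := re.match(r"username (\S+) .*\bpriv(?:ilege)? 15\b", line):
            admins.append(m[1])
        elif line == "aaa authentication http console LOCAL":
            aaa_local = True
    findings = []
    if server and not aaa_local:
        findings.append("http server enabled without per-user LOCAL authentication")
    if aaa_local and not admins:
        findings.append("LOCAL authentication configured but no privilege 15 user")
    for net, ifname in sources:
        # Interfaces with no known security-level are treated as level 0.
        if net == "0.0.0.0/0" or levels.get(ifname, 0) == 0:
            findings.append(f"ASDM source {net} on {ifname} is any-source or on a level 0 interface")
    return sources, findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_asdm_access(cfg))
```
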

mrwithrow@comca... Wed, 12/29/2010 - 11:20

One other quick question: I am trying to access the internet through the firewall. Not working.

I added a default route statement hoping that would resolve my routing issue. Any ideas based on the configuration I sent you?

Thanks

Correct Answer
Poonguzhali Sankar Wed, 12/29/2010 - 11:46

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

That is all you need for internet access from the inside in addition to permission and route. You said you already added the route. Make sure you do not have any typos. No permission is needed to go from high sec to low sec.

1. Ping the router upstream from the ASA and make sure it works.

2. What DNS servers are you using?

3. Do you get name resolution?

4. Can u load pages using IP address on the browser? http://74.125.39.99 work?

5. Can u ping the ASA's inside interface from the PC?

If layer 3 doesn't work then we have to fall back to layer 2 and issue "debug arp" and see what is going on.

The thread should also be marked as solved as the original problem is resolved.

-KS

mrwithrow@comca... Wed, 12/29/2010 - 13:17

That is all you need for internet access from the inside in addition to permission and route. You said you already added the route. Make sure you do not have any typos. No permission is needed to go from high sec to low sec.

1. Ping the router upstream from the ASA and make sure it works. Able to Ping Router (Internal 192.168.1.1). ASDM does not show an IP for the outgoing e0/0 interface.

2. What DNS servers are you using? Comcast

3. Do you get name resolution? Yes

4. Can u load pages using IP address on the browser? http://74.125.39.99 work? No

5. Can u ping the ASA's inside interface from the PC? Yes

If layer 3 doesn't work then we have to fall back to layer 2 and issue "debug arp" and see what is going on.

The thread should also be marked as solved as the original problem is resolved. Do I need to open another thread for this issue?

-KS

Poonguzhali Sankar Wed, 12/29/2010 - 16:56

If you could spin up a new thread that would be great. This is simply for the benefit of our other readers. They will search on ASDM launching issue and find this thread and choose to read the response that is marked as solved the issue.

If we start troubleshooting nat, route and dhcp issues in this thread that will just confuse the readers.

Get on CLI (console) and do the following:

1. sh ip (make sure the outside interface shows an IP address)

2. enable logging

conf t

logging enable

logging buffered 7

exit

sh logg | i x.x.x.x where x.x.x.x is your client IP address when it tried to go out to the interface.

3. From the ASA ping the upstream ISP router

Let me know the results in another thread if you decide to spin one up. It is very easy to do.

-KS
