Access to my ASDM ASA5505

Unanswered Question
Oct 4th, 2013

Hi, I have been using an ASA5505 firewall for a few days. It is completely new, running ASA version 8.4(2) and ASDM version 6.4(9). I loaded the basic config with the commands "conf t" and "Factory default-config".



Now I want to connect to this firewall, but it does not work: it always says it is unable to connect to the firewall. My IP settings are the following: IP address 192.168.1.6, subnet 255.255.255.0, gateway 192.168.1.1. How can I connect, or what am I doing wrong?



Executing command: interface Ethernet 0/0

Executing command: switchport access vlan 2

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/1

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/2

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/3

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/4

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/5

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/6

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/7

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface vlan2

Executing command: nameif outside

INFO: Security level for "outside" set to 0 by default.

Executing command: no shutdown

Executing command: ip address dhcp setroute

Executing command: exit

Executing command: interface vlan1

Executing command: nameif inside

INFO: Security level for "inside" set to 100 by default.

Executing command: ip address 192.168.1.1 255.255.255.0

Executing command: security-level 100

Executing command: allow-ssc-mgmt

ERROR: SSC card is not available

Executing command: no shutdown

Executing command: exit

Executing command: object network obj_any

Executing command: subnet 0.0.0.0 0.0.0.0

Executing command: nat (inside,outside) dynamic interface

Executing command: exit

Executing command: http server enable

Executing command: http 192.168.1.0 255.255.255.0 inside

Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside

Executing command: dhcpd auto_config outside

Executing command: dhcpd enable inside

Executing command: logging asdm informational

Factory-default configuration is completed

ciscoasa(config)#  wr

Building configuration...

Cryptochecksum: ee2b2e47 c2886bf3 b45f3afb bccbfb1e

Marvin Rhoads Fri, 10/04/2013 - 07:55
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Please provide output of "show ssl". You may need to add strong cipher support.


Reference.

Marvin Rhoads Fri, 10/04/2013 - 14:29

Newer browsers do not allow you to connect to SSL servers running weak encryption algorithms (e.g. des).


Last year Cisco started turning off the strong algorithms (aes and 3des) by default on ASAs.


You can check using the command I suggested above.

When I run that I get the following.

ciscoasa# show ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: des-sha1

Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled


What should I change?


Thanks.

Marvin Rhoads Fri, 10/04/2013 - 14:50

Yep - note the section that says the only enabled cipher is des-sha1.


Fix it by:


conf t
     ssl encryption aes128-sha1 aes256-sha1 3des-sha1
     exit
wr mem

Then re-check ASDM.

Marvin Rhoads Fri, 10/04/2013 - 14:54

Ah yes, as you note the (free) 3DES-AES license needs to be active to use strong encryption.
