Cisco Support Community

ASA5520 - Unit not accessible on network for initial configuration

We received an ASA5520-K8 through Cisco's Loan program so we could demo it as a replacement for our aging Cisco 3005 VPN appliances.  Given that we are a non-Cisco shop (except for specific appliances like concentrators and wireless access points), I don't have a great deal of experience with Cisco gear.

I started to set up the appliance this morning but immediately ran into issues.  The 5520 doesn't seem to be acting as a DHCP server, and worse yet, I can't access the unit even if I hard code the IP on the PC being used for configuration.  I have to say that I feel kinda stupid having to post this, since I actually followed the documentation available for this menial task and I fully expect the problem to be a simple one.  Namely, I am using two specific sources of info for connections:

1.  http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/inst5500.html#wpxref77381

2.  Cisco ASA 5500 Series Getting Started Guide

I've tried a few things so far:

1. PC and 5520 Management Port on dedicated switch, Internet plugged into Ether0

2. PC connected directly to Management Port

3. PC plugged into Ether3, Internet plugged into Port0

4. Multiple cables and laptops to confirm non-issue.

Am I missing something?  Please tell me so, point at me, then have a hearty laugh.

(FYI, unit did boot OS, confirmed with console connection)


ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

Ok so when you connected to the management port, you did not get an IP address via DHCP from the management port, right?

By default you should get it, then you should be able to access the ASDM (https://192.168.1.1) or the CLI using the console port.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA5520 - Unit not accessible on network for initial configuration

No, I don't get an IP address, and attempting a DHCP renewal via ipconfig release/renew brings back an error stating the DHCP server is not available.  Hard-coding the IP doesn't seem to help either (no access to the ASDM).

CLI was available via console (I got to the ciscoasa prompt).

ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

Is this a brand new unit??

Okay, so if you have access to the CLI prompt I can help you. (As soon as you need to enter a password, please enter cisco or leave it blank.)

Let's configure DHCP and check whether there is an ASDM image on your ASA.

Please follow these steps:

enable
config te
interface ethernet 0/1
nameif inside
ip address 192.168.2.1 255.255.255.0
no shut
exit
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside

Then connect the laptop to interface ethernet 0/1 and you should get the IP address.

Then, in order to check if you have an ASDM image, please provide us the output of the following command:

show flash:

Please rate helpful posts,

Regards,


ASA5520 - Unit not accessible on network for initial configuration

Hi Julio:

I solved the problem of getting the IP by using the config factory-default command.  Output follows:

ciscoasa(config)# config factory-default
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.
Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed

At this point, I can ping the 5520, but am not able to access the ASDM via either https://192.168.1.1 or https://192.168.1.1/admin.  Per your request, show flash results:

ciscoasa(config)# show flash
--#--  --length--  -----date/time------  path
   21  15390720    Nov 09 2011 16:39:22  asa825-k8.bin
   22  11862220    Nov 09 2011 16:31:50  asdm-625.bin
   23  4686889     Nov 09 2011 16:40:48  anyconnect-win-2.5.2019-k9.pkg
   24  12105313    Nov 09 2011 16:41:24  csd_3.5.841-k9.pkg
    2  2048        Nov 09 2011 16:51:20  log
   12  2048        Nov 09 2011 16:51:32  crypto_archive
   13  2048        Nov 09 2011 16:51:34  coredumpinfo
   14  43          Nov 09 2011 16:51:34  coredumpinfo/coredump.cfg

This unit is not a new unit, it was supplied to us by Cisco as a loaner for evaluation.

Thanks,

-Darrin

Re: ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

Ok, maybe it came with some configuration on it, and that one did not have the DHCP service enabled.

ASDM Issue:

You do have the asdm image on the flash, that is good.

Please add the following commands:

-asdm image flash:/asdm-625.bin
-http server enable
-http 0 0 management

Please try it again (you should be missing the HTTP service).

Please rate helpful posts.

Regards,

Julio


ASA5520 - Unit not accessible on network for initial configuration

Hi Julio:

Thanks for all your help with this, but it doesn't appear solved at this point.  I tried your recommended commands and the device is still not serving the page.  Doing a bit more digging (and using a different browser), Chrome reports the following error when attempting to access:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

Some online have suggested that the following command might remedy the issue:

fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

but I don't have the VPN-3DES-AES feature installed, and can't grab the license for it as I don't have a CCO login.

Any suggestions on how to proceed?

ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

So you have the image on the ASA.

You have applied the command asdm image flash:/asdm-625.bin

You have the command http server enable

You have the command http 0 0 management

That is strange. What version of Java have you installed on your laptop?

Can you provide the following output:

debug http

and then try to connect via ASDM (https://192.168.1.1).

What if you provide an IP address to another interface, let's say interface ethernet 0/1:

interface ethernet 0/1
nameif inside
ip add 192.168.2.1 255.255.255.0
no shut
exit
http 0 0 inside

and then https://192.168.2.1

Regards,

Julio


ASA5520 - Unit not accessible on network for initial configuration

Looks like the default ssl encryption is set to des-sha1. Do a #sh run | i ssl encryption. DES has been broken for ages now. Looks like Chrome won't connect unless you use a good encryption. I did the following to resolve.

I was connecting my laptops ethernet port to the management port on the ASA.

My IP address settings were set to obtain. The ASA gave me an IP address.

I connected to the ASA with the console cable

#conf t
#ssl encryption aes128-sha1  (you can use higher if you want)
#wr mem

Now open Chrome and go to https://192.168.1.1/admin

Hope that helps


ASA5520 - Unit not accessible on network for initial configuration

Darrin, here is a simple configuration to allow you access to the ASDM:

First, configure your internal interface.  For instance, gi0/1...

ASA5520>en
ASA5520#conf t
ASA5520(config)#int gi0/1
ASA5520(config-if)#no shut
ASA5520(config-if)#ip add 192.168.0.1 255.255.255.0
ASA5520(config-if)#security-level 100
ASA5520(config-if)#exit
ASA5520(config)#http server enable
ASA5520(config)#http 192.168.0.10 inside  <---this will be the address of your PC

This will allow you to open your browser and access the firewall to download the ASDM to your PC.  Once the ASDM is downloaded, you can run the ASDM program to get access to the firewall GUI.

Please let me know if I can be any more help.


Re: ASA5520 - Unit not accessible on network for initial configuration

Julio and Adam:

Sorry for the delay in response, I am just returning to work after being out with the flu.

Julio: FYI I am running Java 6, Update 30.

Adam: All your commands worked except the last one, I suspect that will render the solution unviable.  Please see text below:

ciscoasa# conf t
ciscoasa(config)# int gi0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip add 192.168.0.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.0.10
ERROR: % Incomplete command
ciscoasa(config)# http 192.168.0.10 inside
                                    ^
ERROR: % Invalid input detected at '^' marker.

Note that I did make the adjustment to the IP of the laptop (to 192.168.0.10) as listed above, switched the cabling from the management port to gi0/1, and am now getting a site unavailable message, likely because that last statement didn't take.

Thanks again for the suggestions.

Re: ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

Please add the command and give it a try.

http 192.168.0.0 255.255.255.0 inside

Please do rate helpful posts.

Julio


Re: ASA5520 - Unit not accessible on network for initial configuration

Both the 'http 192.168.0.10 inside' and 'http 192.168.0.0 255.255.255.0 inside' commands yield the same invalid input error.  Should these be done at the config level or the interface level?  Neither seems to work.

Is it possible that something is mucked up in the existing config on the unit?  I've tried applying these settings on a fresh boot up and after a factory-default, neither seems to help.

Re: ASA5520 - Unit not accessible on network for initial configuration (Accepted Solution)

Hello Darrin.

I saw the issue in the previously shared configuration you provided.

Here is what you sent us:

ciscoasa# conf t
ciscoasa(config)# int gi0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip add 192.168.0.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit
ciscoasa(config)# http server enable

Where is the nameif for the interface?

In order to get an interface up and running on an ASA you need:

1-IP address
2-No shut
3-Nameif
4-Security level

So please add the following commands:

ciscoasa(config)# int gi0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# exit
ciscoasa(config)# http 192.168.0.0 255.255.255.0 inside

That should do it.

Regards,

Julio


Re: ASA5520 - Unit not accessible on network for initial configuration

Hi Julio:

That did indeed provide access to that interface, but I am now where I was when attempting to access the 5520 via the management port.  Per the 16 Dec 7:09pm post in this thread:

"Thanks for all your help with this, but it doesn't appear solved at this point.  I tried your recommended commands and the device is still not serving the page.  Doing a bit more digging (and using a different browser), Chrome reports the following error when attempting to access:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error."

The site appears to be serving the page, but there doesn't appear to be any common SSL encryption method.  Any suggestions on how to proceed?  Is there any way to disable the initial use of SSL for serving the ASDM client?

Re: ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

Please add the following command and let me know the result:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Regards,

Julio


Re: ASA5520 - Unit not accessible on network for initial configuration

ciscoasa(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key.

As I explained above, I don't appear to have a valid CCO login (given this is a loaner), so I can't grab the free license to activate this feature.  If you can provide me with the proper place to log in, I can confirm whether or not I can grab the appropriate license.


Re: ASA5520 - Unit not accessible on network for initial configuration

Solved.

FYI, I used the following procedure:

5520 Initial Commands - using gigabit port 0/1

enable
conf t
int gi0/1
no shut
ip add 192.168.0.1 255.255.255.0
security-level 100
exit
http server enable
int gi0/1
nameif inside
exit
http 192.168.0.0 255.255.255.0 inside

Applied VPN-3DES key (obtained from Cisco TAC)

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Not sure if this encryption issue is something unique to me or a common occurrence, in that I don't know if most of the 5520s ship with the VPN-3DES key preinstalled, but that issue turned what should have been a 30 min install into an epic.  Thanks Julio and Adam for the help.
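Added example, not from this thread, Cisco or the ASA itself: a small Python lint over an ASA running-config fragment that checks the four things Julio's accepted answer lists for an interface (IP address, no shutdown, nameif, security-level), that every `http` rule names an interface that actually has that nameif (the "Invalid input" error Darrin hit), and that `ssl encryption` no longer allows the DES-only cipher that Chrome rejected. The running-config layout it parses (indented interface sub-commands), the sample fragment and the set of ciphers it treats as weak are my own assumptions.

```python
# Constructed sample modelled on the thread: gi0/1 has an address and a security
# level but no nameif, the http rule names "inside" anyway, and ssl encryption
# is still the DES-only setting the browser rejected.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
ssl encryption des-sha1
"""

def parse(config):
    """Split an ASA running-config into interface sub-commands, http rules and ssl ciphers."""
    ifaces, http_rules, ssl, current = {}, [], [], None
    for raw in filter(str.split, config.splitlines()):  # skip blank lines
        cmd = raw.split()
        if cmd[0] == "interface":
            current = " ".join(cmd[1:])
            ifaces[current] = {}
        elif raw.startswith(" ") and current is not None:  # ASA indents sub-commands
            if cmd[0] != "no":  # "no nameif" / "no ip address" mean not configured
                ifaces[current][" ".join(cmd[:2]) if cmd[0] == "ip" else cmd[0]] = cmd[1:]
        else:
            current = None  # back at global config level
            if cmd[0] == "http" and len(cmd) == 4:
                http_rules.append(tuple(cmd[1:]))
            elif cmd[:2] == ["ssl", "encryption"]:
                ssl = cmd[2:]
    return ifaces, http_rules, ssl

def lint(config):
    """Return findings as strings; an empty list means the fragment is clean."""
    ifaces, http_rules, ssl = parse(config)
    findings, names = [], {}
    for iface, cmds in ifaces.items():
        if "shutdown" in cmds:
            findings.append(f"{iface}: administratively down (needs 'no shutdown')")
        findings += [f"{iface}: missing '{k}'" for k in ("ip address", "nameif", "security-level") if k not in cmds]
        if "nameif" in cmds:
            names[cmds["nameif"][0]] = iface
    for addr, mask, nameif in http_rules:
        if nameif not in names:
            findings.append(f"http {addr} {mask} {nameif}: no interface has nameif '{nameif}'")
    if weak := [c for c in ssl if c in {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}]:  # assumed weak set
        findings.append("ssl encryption allows weak cipher(s): " + ", ".join(weak))
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the three findings; adding `nameif inside` under gi0/1 and replacing the ssl line with the thread's `aes256-sha1 aes128-sha1 3des-sha1` clears all of them.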

Re: ASA5520 - Unit not accessible on network for initial configuration

Hello Darrin,

My pleasure, glad you found the problem.

Please mark the question as answered for future purposes.

Regards,

Julio


ASA5520 - Unit not accessible on network for initial configuration

Bah,

Sorry I forgot the "nameif inside" command under the interface.

I'm not sure how the 3des encryption plays a part in the initial config, but that's interesting to say the least.  I may have to do a little bit of research on that just for my own personal knowledge.


ASA5520 - Unit not accessible on network for initial configuration

Adam said:

"I'm not sure how the 3des encryption plays a part in the initial config, but that's interesting to say the least.  I may have to do a little bit of research on that just for my own personal knowledge."

At least on my loaner 5520, the unit did not ship with the 3DES-AES key enabled.  As a result (as I understand it), there was no common SSL protocol between the 5520 and the browsers being used, therefore making the encrypted 5520 web page inaccessible.  IMO, there should be a way (if there isn't already) to turn off the SSL via CLI so this can be avoided.

Anyways, thanks again for the help
