Re: How do I download ASDM without a contract - Page 2

rmiller · ‎11-14-2017

My understanding is that ASDM is available free without a current contract but when I try to download the program I am advised I need a contract. Is there any way to get the current ASDM without a current license?

rmiller · ‎11-15-2017

@Georg Pauwen wrote:

Hello,

on which interface do you have 10.10.1.1 configured ?

Without seeing your running configuration it is just guesswork. Which ASA version are you running ? I'll try and find a sample configuration.

Post the output of 'show version'...

: Saved
: Written by enable_15 at 04:45:52.498 AZ Mon May 19 2003
!
ASA Version 8.0(3)6
!
hostname XXXX
domain-name xxxxxxx
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name xx.xx.xx.xx RTS description RTS SERVER
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.224
!
interface GigabitEthernet0/1
duplex full
nameif inside
security-level 100
ip address 10.25.62.1 255.0.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.25.99.1 255.255.255.0
!
ftp mode passive
clock timezone AZ -7
dns server-group DefaultDNS
domain-name xxxxxxxxxx
access-list outside_cryptomap_dyn_40 extended permit ip any 10.25.62.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.200.0 255.255.255.0
access-list split extended permit ip 10.25.62.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list split extended permit ip 10.25.62.0 255.255.255.0 10.25.10.0 255.255.255.0
access-list inbound extended permit tcp any host RTS
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 208.177.51.0 255.255.255.0 10.25.62.90 255.255.255.254
access-list inside_nat0_outbound extended permit ip 10.25.62.0 255.255.255.0 10.25.62.90 255.255.255.254
access-list Outside_nat0_outbound extended permit ip 208.177.51.0 255.255.255.0 10.25.62.90 255.255.255.254
access-list VPN_splitTunnelAcl standard permit 208.177.51.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.25.62.0 255.255.255.0
access-list RA_splitTunnel standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn1 10.25.62.90-10.25.62.91 mask 255.255.255.0
ip local pool VPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,Outside) RTS 10.25.62.232 netmask 255.255.255.255 dns
access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 208.177.51.193 1
route inside 208.177.51.0 255.255.255.0 10.25.62.1 1
route Outside xx.xx.xx.xx 255.255.255.224 208.177.51.195 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol radius
eou clientless username berge
eou clientless password blueford1
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.10.0.0 255.255.255.0 inside
http 10.25.62.254 255.255.255.255 inside
http 10.25.62.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 1
telnet 0.0.0.0 255.0.0.0 inside
telnet 10.25.62.0 255.255.255.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.224 Outside
ssh 0.0.0.0 0.0.0.0 Outside
ssh 10.25.62.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd auto_config inside
!
dhcpd option 3 ip 10.25.62.254 interface Outside
!
dhcpd address 10.25.62.90-10.25.62.91 inside
dhcpd dns 65.106.1.196 65.106.7.196 interface inside
dhcpd lease 1800 interface inside
dhcpd domain xxxxxxxxxx interface inside
dhcpd auto_config Outside vpnclient-wins-override interface inside
dhcpd option 3 ip 10.25.62.254 interface inside
dhcpd enable inside
!
vpn load-balancing
interface lbpublic Outside
threat-detection basic-threat
threat-detection statistics

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:73347462ad5b989d5631d4243973f3a4
: end

rmiller · ‎11-15-2017

@Georg Pauwen wrote:

Hello,

sorry for the late response. I am in the Central European Time Zone...

Either way, copy the file you downloaded to disk0 with TFTP.

Once the file is on disk 0, add the command:

asdm image dosk0:/asdm782-151.bin

Make sure you have, as previously mentioned:

http server enable 443
http 10.10.0.0 255.255.255.0 inside

configured.

You should then be able to access ASDM by typing https://10.10.1.1

IP addressing is of course up to you, you might be using different addresses...

What would the command be if I wanted to access through https on my management VLAN (99)? I tried http 10.25.99.0 255.255.255.0 inside but I get a warning that says there's a configuration mismatch.

Georg Pauwen · ‎11-15-2017

Hello,

here is an excerpt from the 8.x configuration guide:

Enabling HTTPS Access

To configure ASDM access, follow these steps:

Step 1 To identify the IP addresses from which the security appliance accepts HTTPS connections, enter the
following command for each address or subnet:
hostname(config)# http source_IP_address mask source_interface

Step 2 To enable the HTTPS server, enter the following command:
hostname(config)# http server enable [port]
By default, the port is 443. If you change the port number, be sure to include the new port in the ASDM
access URL. For example, if you change it to port 444, enter:
https://10.1.1.1:444

Step 3 To specify the location of the ASDM image, enter the following command:
hostname(config)# asdm image disk0:/asdmfile
For example, to enable the HTTPS server and let a host on the inside interface with an address of
192.168.1.2 access ASDM, enter the following commands:
hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write mem
hostname(config)# http server enable
hostname(config)# http 192.168.1.2 255.255.255.255 inside
To allow all users on the 192.168.3.0 network to access ASDM on the inside interface, enter the
following command:
hostname(config)# http 192.168.3.0 255.255.255.0 inside

Accessing ASDM from Your PC

From a supported web browser on the security appliance network, enter the following URL:
https://interface_ip_address[:port]
In transparent firewall mode, enter the management IP address.

Georg Pauwen · ‎11-15-2017

Hello,

your management interface is in the 10.25.99.0/24 range, so you need to add this:

http 10.25.99.0 255.255.255.0 inside

rmiller · ‎11-15-2017

@Georg Pauwen wrote:

Hello,

your management interface is in the 10.25.99.0/24 range, so you need to add this:

http 10.25.99.0 255.255.255.0 inside

So do I need to connect through the console port or something? I still get nothing through the browser from my laptop.

rmiller · ‎11-15-2017

I can access this interface but the page that appears is for the VPN service. The one that's labeled management is the console port.
interface GigabitEthernet0/1
duplex full
nameif inside
security-level 100
ip address 10.25.62.1 255.0.0.0

Georg Pauwen · ‎11-15-2017

Hello,

is the firewall in transparent mode ? If not, change the mode:

firewall transparent

ASA5520(config)# firewall transparent

rmiller · ‎11-24-2017

Okay, so I see that the ASA is in Router mode, but if I change it to transparent my understanding is that it will lose all of its configurations, right?

Georg Pauwen · ‎11-24-2017

Hello,

that is correct, the 'firewall transparent' command clears the running config. Make sure you save it before applying that command. It is (obviously) a good idea to do that after hours with scheduled downtime...

rmiller · ‎11-24-2017

So after you change it to transparent mode you just reload the config from the saved file?

Georg Pauwen · ‎11-24-2017

Hello,

transparent mode is only so that you can access ASDM by entering the management interface. The original problem was that you couldn't access ASDM, right ?

rmiller · ‎11-24-2017

Right -- I'd like to be able to manage the firewall using the GUI.

erp.shs10 · ‎11-27-2019

how to convert jpeg to bin

kaushalparab · ‎01-22-2021

after rename to .bin still shows file type as a jpg.

elvishassan21 · ‎05-12-2022

I am having a hard time renaming this file. I dont know which program to use. Can you help?