ASA-PIX/FWSM: Unable to manage the unit via ssh/telnet/asdm

Documentation

This document is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

PIX: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1047288

ASA: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html

FWSM:http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html

Unable to asdm

make sure vpn 3-des is enabled

Issue “sh ver” and make sure the unit has 3-des license.

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

.

.

Failover                     : Active/Active
VPN-DES                  : Enabled
VPN-3DES-AES        : Enabled

If 3DES is not enabled, it is easy and free to the activaton key to enable that. Please go to http://www.cisco.com/go/license

and loging with your CCO ID and

please click  here for available licenses.

and then choose Cisco ASA 3DES/AES License

Fill out all the information including the serial number of the firewall and you should see a message that says you will receive the activation key via

e-mail within 1 hour.

Once you receive the activation key via e-mail please add it to the unit via CLI

ASA#conf t

ASA(config)#activation-key <copy and paste the 4-tuple or 5-tuple>

ASA(config)#wri mem

ASA(config)#exit

Make sure to issue “sh ver” and make sure 3DES shows enabled.

make sure asdm image is loaded

Issure “sh ver” and make sure asdm image is loaded.

ASA# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

If not make sure to tftp the appropriate bin fil to flash and configure “asdm image disk0:/asdm-621.bin”.

Make sure you are running a matching asdm version for the ASA.

ASA code: http://tools.cisco.com/squish/10C815

ASDM image: http://tools.cisco.com/squish/a5338C

FWSM code: http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

http server is enabled

Issure “sh run http” and make sure http server is enabled.

http server enable
http 172.18.124.0 255.255.255.0 inside ——> all hosts in this subnet are allowed to asdm
http 10.10.10.10 255.255.255.255 dmz —-> only one host 10.10.10.10 is the subnet is allowed to asdm

sh asp table socket

Make sure that the “sh asp table socket” shows that the unit is listening on port 443 on the interface that you are trying to asdm to. This command is not supported on the FWSM.

ASA# sh asp table socket

Protocol  Socket    Local Address               Foreign Address         State
SSL       0000e5bf  172.18.124.254:443          0.0.0.0:*               LISTEN
SSL       00019c6f  10.10.10.1:443              0.0.0.0:*               LISTEN

If you do not see the unit listening on port 443 then try to remove the “http server enable” line and add it back to the config.

ASA#conf t

ASA(config)#no http server enable

ASA(config)#http server enable

http access is allowed

Issue the command “sh run http” and make sure the IP address that you are trying to asdm from is allowed.

ASA# sh run http

http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.2.180.32 255.255.255.248 inside

webvpn enabled on the port 443

Issue the command “sh run webvpn” and see if it is enabled and has configuration section under webvpn, then change the port that asdm

listens to something else other than 443.

ASA#conf t

ASA(config)#http server enable 4443

Once done try to lauch asdm by going to https://10.10.10.1:4443 where 10.10.10.1 is the interface IP address of the firewall that is closer to the client.

sh run all ssl

Issue the command “sh run all ssl” and make sure you see the following line highlighted in red in the output. If not add it in the config.

ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

make sure to run the latest java

Download the latest java available http://www.java.com/en/download/index.jsp and install it on the client and try to launch asdm.

check the logs

Enable logging with the following command if not already enabled and check the logs.

ASA#conf t

ASA(config)#logging on

ASA(config)#logging buffered debug

ASA(config)#end

ASA#sh logg | i x.x.x.x where x.x.x.x is the client’s IP address from which you are trying to asdm.

collect captures

If you are running ASA /PIX 7.2 or above code you can issue the “match” keyword in the capture. In the below command

capin – is the name of the capture

10.10.10.1 – is the IP address of the ASA that is listening on port 443

inside – is the name of the interface to which we are trying to asdm

cap capin int inside match tcp any host 10.10.10.1 eq 443

sh cap capin

Once done troubleshooting you can remove the cature by issuing “no cap capin”. In case of FWSM the “match” keyword does not work please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222

Unable to telnet

make sure telnet is allowed

Issue the command “sh run telnet” and make sure telnet is allowed. Bear in mind that you cannot telnet to the lowest security interface on the firewall.

ASA# sh run telnet
telnet 0.0.0.0 0.0.0.0 dmz1
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5

sh asp table socket

Issue the command “sh asp table socket” and make sure the firewall is listening on tcp port 23. This command is not supported on the FWSM.

ASA# sh asp table socket

Protocol  Socket    Local Address               Foreign Address         State
TCP       00024a1f  172.18.124.254:23           0.0.0.0:*               LISTEN
TCP       0002ea9f  10.10.10.1:23               0.0.0.0:*               LISTEN

If you do not see it listening then, remove the telnet lines from the config and add them back in.

check the logs

Enable logging with the following command if not already enabled and check the logs.

ASA#conf t

ASA(config)#logging on

ASA(config)#logging buffered debug

ASA(config)#end

ASA#sh logg | i x.x.x.x where x.x.x.x is the client’s IP address from which you are trying to telnet

collect captures

If you are running ASA /PIX 7.2 or above code you can issue the “match” keyword in the capture. In the below command

capin – is the name of the capture

10.10.10.1 – is the IP address of the ASA that is listening on port 23

inside – is the name of the interface to which we are trying to asdm

cap capin int inside match tcp any host 10.10.10.1 eq 23

sh cap capin

Once done troubleshooting you can remove the cature by issuing “no cap capin”. In case of FWSM the “match” keyword does not work please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222

Unable to ssh

make sure ssh is enabled and allowed

Issue the command “sh run ssh” and make sure ssh is enabled for the client IP or subnet. If not add the subnet or IP address that is allowed to ssh with the corresponding inteface.

ASA# sh run ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dmz1
ssh 10.10.10.0 255.255.255.0 inside

ssh timeout 60

Is there an rsa key-pair

Issue the command “sh cry key mypubkey rsa” and make sure the “Default-RSA-Key” is present. If not create the rsa key-pair with the command “cry key generate rsa modulus 1024”

ASA# sh cry key mypubkey rsa
Key pair was generated at: 22:52:03 CEDT Aug 22 2007
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b41d91
.

.

effb9f5c 50a2ed60 290cdc4b ab1e0cc7 d334afdf e9850be4 c00faa18 47020301 0001
Key pair was generated at: 03:04:55 CEDT Sep 15 2010
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:

  307c300d 06092a86 4886f70d 01010105 00036b00 30680261 008eba15 2281909f
.

.
82db59d0 c3633648 6334ca6b ff531605 48ec82ce e9977506 97020301 0001

sh asp table socket

Issue the command “sh asp table socket” and make sure the firewall is listening on tcp 22. This command is not supported on the FWSM.

ASA# sh asp table socket
Protocol  Socket    Local Address               Foreign Address         State
TCP       0003dc4f  172.18.124.254:22           0.0.0.0:*               LISTEN
TCP       00043c7f  10.10.10.1:22               0.0.0.0:*               LISTEN
TCP       005de0a8  172.18.124.254:22           10.117.14.67:64892      ESTAB

check the logs

Enable logging with the following command if not already enabled and check the logs.

ASA#conf t

ASA(config)#logging on

ASA(config)#logging buffered debug

ASA(config)#end

ASA#sh logg | i x.x.x.x where x.x.x.x is the client’s IP address from which you are trying to ssh.

collect captures

If you are running ASA /PIX 7.2 or above code you can issue the “match” keyword in the capture. In the below command

capin – is the name of the capture

10.10.10.1 – is the IP address of the ASA that is listening on port 22

inside – is the name of the interface to which we are trying to asdm

cap capin int inside match tcp any host 10.10.10.1 eq 22

sh cap capin

Once done troubleshooting you can remove the cature by issuing “no cap capin”. In case of FWSM the “match” keyword does not work please follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222