Wednesday, June 11, 2014

Cisco ASA-SM: ASDM won't load

So I'm in the process of trying to migrate from the Cisco PIX Series Firewalls to the ASA Series, configured in roughly the same format and style until we can re-migrate to the Zone-Based firewalls. Well, today, I ran into an interesting issue that I couldn't find much support on.

So, these were Cisco ASA-SM (Adaptive Security Appliance Service Modules) loaded into a 6500-E Series. After the device is configured for allowing the appropriate connections, I wanted to load up the ASDM to see the differences in how NAT translations were done (Bi-directional as opposed to Unidirectional).

Except that I couldn't get the ASDM to load. In fact, it wasn't even listening on tcp/443.

As it turns out, for the ASDM to load, you need some additional components. But first, for the uninitiated, how do we set up the ASDM?

You'll find a million posts from Cisco or blog posts from other users showing you how this is done, so this should be review. For a brief post on how to configure the ASDM, read here.

Since this is an ASA-SM, out of the box we can session into the blade from the chassis and configure it from there. You could use telnet or SSH, but since I'm still in the process of building it, I haven't gotten that far yet.

YourRouter#session slot 6 processor 1

Since my routers are in a VSS pair, I use this command:

MyRouter#session switch 2 slot 6 processor 1

This command tells the router that we want to session into the blade as if we were at its console (session), which switch in the VSS pair I want (switch #, optional depending on your configuration), which slot the blade is loaded into (slot #), and which processor I want to use (processor #).

After you connect to the device, go to the enable mode, and then configure mode.

This, of course, assumes that you have built an interface on the ASA-SM. If you haven't, you'll need to do that first. To enable the HTTPS server that ASDM uses and permit your management subnet to reach it (the http statement acts as an access list for the port, so keep it to the subnets your admins actually use rather than 0.0.0.0 0.0.0.0):

yourasa(config)# http server enable
yourasa(config)# http your_subnet_number your_subnet_mask interface

And that's all there is to it! Right?

Except what happens when it doesn't work? Here's where I was, tearing my hair out. 

Cisco has some available documentation on troubleshooting the ASDM:

And others. The first one gave me some good insight and commands, except for one that I couldn't run on the ASA:

show asp table socket

show asp table was present, but the socket option couldn't be found. When I ran an nmap scan against the device, it wasn't even listening on 443. So what gives?

As it turns out, for you to be able to access the ASDM, you have to download and install the free 3DES-AES (strong encryption) license from Cisco, which just requires a Cisco user account. You can download it here:

Under Security Products, you'll find the options for Cisco ASA 3DES/AES License. Once you agree to the terms and conditions, they should send you an e-mail containing the license activation key. 

How can you confirm that you don't already have the 3DES-AES license? Run show version, and look for this:

yourasa# show version
[...]
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Disabled       perpetual
Security Contexts                 : 2              perpetual
yourasa#

Once you enter the key in configuration mode with the activation-key command, show version should report:

yourasa# show version
[...]
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
Botnet Traffic Filter             : Disabled       perpetual

We also had to set the SSL cipher list explicitly so that the ASDM's HTTPS server would actually offer the newly licensed 3DES/AES suites:

yourasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Once that command was in place, the web page loaded right away and we could connect to the ASDM. Two caveats: rc4-sha1 and 3des-sha1 are legacy ciphers, so with the licence enabled an AES-only list (aes128-sha1 aes256-sha1) is the better choice; and the cipher list only decides what the port will negotiate, while the http access statement decides who may reach it at all.
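The checks walked through in this post, pulled together as a small audit script. This is an added example, not the post's own code and not a Cisco tool: it reads the text of show version and show running-config that you have already collected from the ASA and reports whether the HTTPS server is enabled, which networks the http statements admit (flagging 0.0.0.0 0.0.0.0), whether 3DES-AES is licensed, and which of the configured ssl encryption ciphers are legacy. The sample text is constructed from the output shown above; the interface names and the 10.20.30.0/24 subnet are hypothetical, and the "after fix" config pairs the licensed state with an AES-only cipher list beside the list from the post.

```python
import re
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `show version` licence table from the post.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Disabled       perpetual
Security Contexts                 : 2              perpetual
"""
# Same table after the activation key has been applied.
SHOW_VERSION_LICENSED = SHOW_VERSION.replace(": Disabled", ": Enabled")

# Constructed running-config fragments. The interface names and 10.20.30.0/24
# are hypothetical; the ssl encryption line is the one from the post.
RUNNING_CONFIG_WEAK = """\
http server enable
http 10.20.30.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""
RUNNING_CONFIG_HARDENED = """\
http server enable
http 10.20.30.0 255.255.255.0 management
ssl encryption aes256-sha1 aes128-sha1
"""

# RC4 is prohibited for TLS (RFC 7465) and single DES / 3DES are legacy, so flag
# them even when the licence makes them available.
LEGACY_CIPHERS = {"des-sha1", "rc4-md5", "rc4-sha1", "3des-sha1"}


def feature_state(show_version: str, feature: str) -> Optional[str]:
    """Licence state ('Enabled'/'Disabled') of one feature row, or None if absent."""
    m = re.search(rf"^{re.escape(feature)}\s*:\s*(\S+)", show_version, re.MULTILINE)
    return m.group(1) if m else None


def http_access(running_config: str) -> List[Tuple[IPv4Network, str]]:
    """Parse `http <net> <mask> <interface>` statements into (network, interface)."""
    pat = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)\s*$",
                     re.MULTILINE)
    return [(IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3))
            for m in pat.finditer(running_config)]


def ssl_ciphers(running_config: str) -> List[str]:
    """The configured `ssl encryption` cipher list, in order (empty if absent)."""
    m = re.search(r"^ssl encryption (.+)$", running_config, re.MULTILINE)
    return m.group(1).split() if m else []


def audit(show_version: str, running_config: str) -> Dict[str, object]:
    """Gather the management-plane facts and a list of human-readable findings."""
    findings: List[str] = []
    http_enabled = re.search(r"^http server enable\s*$", running_config,
                             re.MULTILINE) is not None
    if not http_enabled:
        findings.append("http server is not enabled: nothing will listen on tcp/443")
    access = http_access(running_config)
    if http_enabled and not access:
        findings.append("no 'http <net> <mask> <if>' statement: no host may reach ASDM")
    for net, ifname in access:
        if net.prefixlen == 0:
            findings.append(f"http access from any address on '{ifname}': "
                            "restrict it to your management subnets")
    strong = feature_state(show_version, "3DES-AES")
    if strong != "Enabled":
        findings.append(f"3DES-AES licence is {strong or 'not listed'}: AES/3DES SSL "
                        "ciphers are unavailable; request the free strong-encryption "
                        "licence and apply it with 'activation-key'")
    ciphers = ssl_ciphers(running_config)
    legacy = [c for c in ciphers if c in LEGACY_CIPHERS]
    if legacy:
        findings.append(f"legacy ciphers configured ({' '.join(legacy)}): "
                        "prefer an AES-only list")
    return {"http_enabled": http_enabled, "http_access": access,
            "strong_crypto": strong, "ciphers": ciphers, "findings": findings}


if __name__ == "__main__":
    for label, ver, cfg in (("as found", SHOW_VERSION, RUNNING_CONFIG_WEAK),
                            ("after fix", SHOW_VERSION_LICENSED, RUNNING_CONFIG_HARDENED)):
        result = audit(ver, cfg)
        print(f"[{label}] 3DES-AES={result['strong_crypto']} "
              f"ciphers={' '.join(result['ciphers'])}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the "as found" state it produces three findings (world-open http access on one interface, the missing licence, and the RC4/3DES suites); against the "after fix" state it produces none. Point it at real collected output by swapping the constructed strings for file contents.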

So there you go, hopefully that helps you in your own configurations and troubleshooting for the ASDM and your ASA-SM. 

Sunday, June 1, 2014

Writing More!

So I've finally been given the opportunity to write more.

Well, not quite.

I've finally given myself enough reason and motivation to write more.

That's better. 

So, this is my continued attempt at a technical blog. Here, I write down things that I know, learn, and experience for the general-knowledge and well-being that I share with others. As I experience problems, I want to write them down.

So, what am I talking about today?

A colleague of mine and I were talking the other day, and he mentioned to me Windows Azure. So, let's back up a moment before we dive in.

The company that I own (Shameless link) has an Ubuntu 12.04 Linux box hosted by Rackspace so that we can do development. It hosted Web Services (Apache), E-mail Services (Postfix, Courier, SASL Authentication/Encryption, SpamAssassin), Database Services (MySQL, PostgreSQL), and a Mumble server. And all-in-all, it worked fine. We had a Team Foundation Server rented from another company, and with added bandwidth, the two services were about $32 a month. We weren't using the TFS service as much as I wanted, so I had looked at killing it, but it wasn't until recently, when Visual Studio gained integration with Git, that I felt that we could change hosting.

Back to the present day.

A colleague of mine and I were talking the other day, and he mentioned Windows Azure to me. In our conversations, he explained what he used it for, how much database and web page space he uses, and basically mentioned that it was for pennies on the dollar. So, in conversation, I learned that he obtained Microsoft Windows services for pennies on the dollar every month. So, trying to be a reasonable businessman, I took a look into it.

Boy, was I impressed. And it's even better than that.

The general notion behind 'cloud' services is that you can host web sites, databases, virtual machines, and more, in a virtual environment. But Microsoft, being the large proprietor of software that they are, made available their resources.

If you sign up for Windows Azure, what can you get?

Free: 

  • 10 Web Sites per region. 
  • 10 Mobile Services with a 20MB SQL Database with up to 500k API calls.
  • An implementation of Active Directory* for up to 500k objects. 
  • 100k Notification pushes to active devices 

*It's not a full Active Directory environment as you would see in a normal infrastructure; it's more of a user directory, and you can't join hosts to it. 

So wow, for free, that's pretty impressive, especially for developers. I'm trying to cut costs, and they can run virtual machines, let's see what I can get for $32 a month with respect to my environment:

  • I could get two 'Extra Small' Windows VMs, with a 1 GHz CPU and 768 MB of RAM, for $26.79
  • Two 'Extra Small' Linux VMs, with the same specifications for the same price.

So, for the cost I'm already incurring, I could build two boxes, regardless of Operating System, and have them hosted. At this point, I was feeling pretty confident in this move, because we get the free resources on top of the purchased resources. 

So I talked to my business partner, because when you're co-owned you don't make decisions like this by yourself, and he agreed once I laid out the details for him.

So, we signed up, and started spawning new virtual machines; they were ready in minutes. They had a public IP address, a public DNS name, a public firewall with port translations available, and the resources I had above.

Boy, was I impressed. Don't get me wrong, there's nothing wrong with Rackspace. In fact, their management of DNS made it quite easy to get services going, and in general I had no problems with them. This was just better.

So where does it get even better than that?

Last year, the company applied to become a Microsoft BizSpark partner for software development. We have a few major applications that we want to write and sell, and it was difficult to do so because to create them, we needed licenses of things. And after explaining what we wanted to do, we were approved and joined the BizSpark community.

At first, BizSpark was great for us for licenses--Visual Studio, versions of Microsoft Windows for us to test our software on, and copies of different applications offered by Microsoft, which included, but were not limited to, Microsoft Exchange, SQL Server, Team Foundation Server, BizTalk Server, and so much more. I estimated it was well over $500,000 in software licensing.

But we had no hosts to run these things on.

Now we do.

Because we are a BizSpark partner, when we joined Microsoft Azure they gave us $150 in credits a month.

A virtual machine was ~$13.

I can now cut my hosting costs down, spin up new virtual machines, and get all of my hosted needs met so that we can actually code...without having to worry about counting pennies on things. When you have a finite budget...that matters.

This is where it was even better than that.

Because now I can spin up several extra-small virtual servers, host an internal Active Directory, IIS deployment, Exchange, and TFS...without being charged.

We can finally code the way we want to, without having to worry about the costs of doing so. This is exactly what BizSpark was designed to do, and because of Windows Azure we can do it.

This is where it was even better than that. 

So my next few blog posts will be covering the state of things as I install and configure Windows Server 2012, and the related content from there.

Damn, I'm more excited by this than I should be.