Wednesday, June 11, 2014

Cisco ASA-SM: ASDM won't load

So I'm in the process of trying to migrate from the Cisco PIX Series Firewalls to the ASA Series, configured in roughly the same format and style until we can re-migrate to the Zone-Based firewalls. Well, today, I ran into an interesting issue that I couldn't find much support on.

So, these were Cisco ASA-SM (Adaptive Security Appliance Service Modules) loaded into a 6500-E Series chassis. After the device was configured to allow the appropriate connections, I wanted to load up the ASDM to see the differences in how NAT translations were done (bi-directional as opposed to unidirectional).

Except that I couldn't get the ASDM to load. In fact, it wasn't even listening on tcp/443.

As it turns out, for the ASDM to load, you need some additional components. But first, for the uninitiated, how do we set up the ASDM?

You'll find a million posts from Cisco or blog posts from other users showing how this is done, so this should be review. For a brief post on how to configure the ASDM, read here.

Since this is an ASA-SM, out of the box we can session into the blade and configure it from there. You could use telnet or SSH, but since I'm still in the process of building it, I haven't gotten that far yet.

YourRouter#session slot 6 processor 1

Since my routers are in a VSS pair, I use this command:

MyRouter#session switch 2 slot 6 processor 1

This command tells the router that we want to session into the blade as if we were at its console (session), which switch in the VSS pair I want (switch #, optional depending on your configuration), which slot the blade is loaded into (slot #), and which processor I want to use (processor #).

After you connect to the device, go to the enable mode, and then configure mode.

This, of course, assumes that you have built an interface on the ASA-SM. If you haven't, you'll need to do that first. To configure the device to allow you to connect over HTTP(S) from your management subnet:

yourasa(config)# http server enable
yourasa(config)# http your_subnet_number your_subnet_mask interface

And that's all there is to it! Right?

Except what happens when it doesn't work? Here's where I was, tearing my hair out.

Cisco has some available documentation on troubleshooting the ASDM:

And others. The first one gave me some good insight and commands, except for one that I couldn't run on the ASA:

show asp table socket

show asp table was present, but the socket option couldn't be found. When I ran an nmap scan against the device, it wasn't even listening on 443. So what gives?

As it turns out, for you to be able to access the ASDM, you have to download and install the free 3DES/AES license activation key from Cisco, which just requires a Cisco user account. You can download it here:


Under Security Products, you'll find the option for the Cisco ASA 3DES/AES License. Once you agree to the terms and conditions, they should send you an e-mail containing the license activation key.

How can you confirm that you don't already have the 3DES-AES license? Run show version, and look for this:

yourasa# show version
[...]
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Disabled       perpetual
Security Contexts                 : 2              perpetual
yourasa#

Once you input the activation key, you should see this:

yourasa# show version
[...]
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
Botnet Traffic Filter             : Disabled       perpetual

We had to enter one additional command to make sure the SSL configuration would actually use the 3DES-AES ciphers:

yourasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Once that command was entered, the web page loaded right away and allowed us to connect to the ASDM.
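To make the three checks above repeatable (3DES-AES license state in `show version`, `http server enable`, and an AES/3DES cipher in `ssl encryption`), here is an added example that is not from the original post: it parses the "Licensed features" table and the running config and reports which of those conditions would keep ASDM from loading. The sample output and config are constructed to match the post; the function names are my own.

```python
import re

# Constructed sample of the 'Licensed features' block as shown in this post
# (not captured from a real device).
SHOW_VERSION_BEFORE = """\
yourasa# show version
[...]
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Disabled       perpetual
Security Contexts                 : 2              perpetual
yourasa#
"""

# "<feature name>   : <value>   <term>" with at least two spaces before the colon.
FEATURE_RE = re.compile(r"^(?P<name>\S.*?)\s{2,}:\s+(?P<value>\S+)\s+(?P<term>\S+)\s*$")

def parse_licensed_features(text: str) -> dict:
    """Return {feature: value} from the 'Licensed features' table of show version."""
    features = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_table = True
            continue
        if not in_table:
            continue
        m = FEATURE_RE.match(line)
        if not m:
            break  # first non-table line (e.g. the trailing prompt) ends the block
        features[m.group("name").strip()] = m.group("value")
    return features

def diagnose_asdm(show_version: str, running_config: str) -> list:
    """List the reasons ASDM over HTTPS would fail, per the checks in this post."""
    problems = []
    feats = parse_licensed_features(show_version)
    if feats.get("3DES-AES") != "Enabled":
        problems.append("3DES-AES license not enabled: install the free 3DES/AES activation key")
    if not re.search(r"^http server enable$", running_config, re.M):
        problems.append("http server enable is missing")
    # Conservative: an absent 'ssl encryption' line is flagged too, as the post had to add it.
    ssl = re.search(r"^ssl encryption (.+)$", running_config, re.M)
    if not ssl or not any(c.startswith(("aes", "3des")) for c in ssl.group(1).split()):
        problems.append("ssl encryption lists no AES/3DES cipher")
    return problems
```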

So there you go; hopefully that helps you in your own configuration and troubleshooting of the ASDM on your ASA-SM.
