To simplify the PIX firewall configuration, Cisco has provided Adaptive Security Device Manager (ASDM). ASDM provides a powerful, easy-to-use interface for the configuration of selected PIX firewalls (see Cisco's documentation or Website for the PIX models that support ADSM.)
Installing ASDM is normally a painless process; however, many of us buy equipment from failed ISPs, Hosting providers, or equipment that has been refurbished. It's cheaper; however, the lack of documentation and support is a big pain. With that said, this article covers some of the ASDM issues and workarounds as well as the actual installation of ASDM.
I am basing this article on PIX software version 7.0(2) and ASDM 5.0. You will likely need to upgrade your PIX to 7.0 before installing ASDM. Previous versions of the PIX software worked with Cisco's PDM such as PIX 6.2, & 6.3(4). Please note that if you are currently using a PIX 515 or 515e appliance you will need a memory upgrade to install PIX 7.0. You can issue the show version command from the CLI to check the software version and model of your PIX.
The PIX 515/515e series total memory should be 32MB. You will need 64MB for PIX 7.0 & ASDM. For reference, the Cisco part number for this upgrade, at the time of this writing, is PIX-515-MEM-32=.
Please refer to Cisco's documentation to upgrade the PIX. Downgrading the PIX after the installation of 7.0 is supported. You can downgrade back to 6.x; however, you will need to remove ASDM if this happens. ASDM is not supported on Cisco PIX 6.x software.
Please note also that upgrading a PIX appliance in a failover set from 6.x to 7.x is a major upgrade and cannot be done without downtime. Upgrading to 7.x in a failover set is documented by Cisco, and this documentation can be found on Cisco's Website.
After the upgrade to 7.x is complete, we can start the process of installing ASDM. Be sure to have your ASDM image from Cisco's Website. You can download it on the same page where you normally obtain Cisco's PIX software.
Let's get started. Below are the commands we need to issue and the steps to get ASDM going:
- Login to the PIX and go to enable mode: "pix> enable"
- Once in enable mode, enter the command "copy tftp flash" You will now be prompted for a few bits of information as listed below:
- "Address or name of remote host [x.x.x.x]? <tftp_server_ip>" Here you will need to enter the IP address of the TFTP server that holds the ASDM image. Press enter to continue.
- "Source file name [cdisk]? <filename>" Enter the filename of the ASDM image, for example: asdm502.bin for ASDM version 5.0(2) . Press enter to continue.
- "Destination file name [asdm502.bin]?" There's really nothing to do here unless you really want to rename the image you are transferring. So press enter here.
- We need to tell the PIX where ASDM is.so we will issue the following command in config mode. At the CLI type "conf t" or "configure terminal" if you prefer the long way. Once in config mode "pix(config)#" then type "asdm image flash:asdm502.bin" and press enter.
- Now that we have our PIX knowing where ASDM is, issue the "write mem" or "write memory" command to the PIX. You will see a message that it is building configuration and then it will return to the "pix(config)#". At this point we have asdm installed.
In order to access ASDM we need to do a few things; otherwise, the PIX will deny the traffic and tear down the connection. In order to allow the connection we need to issue the following commands from config mode:
http server enable: This command is issued first and enables the http/https server to start.
http 0 0 inside: This enables all traffic from any host/network configured on the inside interface of the PIX. If you wanted to allow only, say, your workstation, and its IP was 192.168.89.44, then it would look like "http 192.168.89.44 255.255.255.255 inside." You can allow a single subnet or multiple subnets to connect as well. If at any time you need to remove an entry, simply use the command "no http x.x.x.x z.z.z.z inside" where x is the ip and z is the subnet.
Now you can try and connect to ASDM using https://x.x.x.x/admin, where x.x.x.x is the IP address of the inside interface on the PIX.
Please note that ASDM can be accessed from the outside interface as well. You need to make sure that when you add the "http x.x.x.x z.z.z.z <interface>" command that you specify the interface as outside and that it is being accessed from a secure computer. This is not recommended, however, due to the power of ASDM; putting it on a publicly accessible network isn't the best idea.
ASDM should be complete and working. Log in with your PIX enable password and it's off to the races -- unless you have a problem. In the second half of this tip, we'll look at troubleshooting ASDM. I'll also provide sample output for your reference.