In the first part of this tip, we discussed installation of Adaptive Security Device Manager (ASDM) to simplify Cisco PIX firewall configuration. Now, let's take a look at some common problems that arise with ASDM installation.
The most common issue I've run into is ASDM not working or not starting at all. If it works, it works, and if it doesn't -- well, then we end up reading this part of the article. Here's what to do when ASDM won't start (see the sample output at the end of this article for reference):
- The first thing to check is whether ASDM is installed correctly. To do this, issue the "show flash:" command, which displays the contents of the PIX's flash memory. Look for the ASDM image that we pointed to with the "asdm image" command earlier.
- Next, type "show ru" to display the running configuration. Look for a line that says "asdm image flash: xxxx.bin".
- Does the image name in running config match the image name in flash? If not, use the "asdm image flash: <imagename>" command again with the correct filename from the "show flash:" command. Then issue the command "write mem" to write the config.
- Now, what if you don't even see the "asdm image flash:" line in running configuration? Did you issue the "write mem" command after installing ASDM? If not, that's one reason why you would not see it in the running configuration output.
- Issue the "write mem" command and then "show ru" to see if the line "asdm image flash: xxxx.bin" is there. If all else fails here, try issuing the "reload" command -- but keep in mind that this command will restart your PIX.
After all of the above troubleshooting steps are taken, try to access ASDM once more at https://x.x.x.x/admin.
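The checks above can be scripted against captured CLI output. The following is an added example, not code from the original tip: it parses constructed "show run" and "show flash:" text modelled on the sample output at the end of this article and reports whether the "asdm image" line, the flash file, "http server enable" and the "http" access entry line up (the function names and the over-broad-ACL warning are this example's own).

```python
import re
# Constructed sample output modelled on the "show run" and "show flash:" excerpts at the end of this article.
SHOW_RUN = """\
asdm image flash:/asdm-502.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
"""
SHOW_FLASH = """\
Directory of flash:/
4    -rw-  1483     14:35:45 Oct 05 2005  downgrade.cfg
7    -rw-  5107768  14:36:49 Oct 05 2005  image.bin
11   -rw-  5967052  14:39:06 Oct 05 2005  asdm-502.bin
16128000 bytes total (5044224 bytes free)
"""
# One directory entry of "show flash:": index, perms, size, time, date, file name.
FLASH_ENTRY = re.compile(r"^\s*\d+\s+-rw-\s+\d+\s+\S+\s+\w+ \d+ \d{4}\s+(\S+)\s*$")
HTTP_ENTRY = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", re.M)

def flash_files(show_flash):
    """File names listed by 'show flash:'."""
    names = set()
    for line in show_flash.splitlines():
        m = FLASH_ENTRY.match(line)
        if m:
            names.add(m.group(1))
    return names

def asdm_image(show_run):
    """File name from the 'asdm image flash:/...' line, or None if the line is absent."""
    m = re.search(r"^asdm image flash:\s*/?(\S+)", show_run, re.M)
    return m.group(1) if m else None

def check_asdm(show_run, show_flash):
    """Apply the article's checks: 'errors' stop ASDM loading, 'warnings' are hardening hints."""
    errors, warnings = [], []
    image = asdm_image(show_run)
    if image is None:
        errors.append("no 'asdm image' line in running config (was 'write mem' issued?)")
    elif image not in flash_files(show_flash):
        errors.append(f"asdm image '{image}' is not present in flash")
    if not re.search(r"^http server enable\s*$", show_run, re.M):
        errors.append("'http server enable' is missing, so the PIX will not serve ASDM")
    acls = HTTP_ENTRY.findall(show_run)
    if not acls:
        errors.append("no 'http <addr> <mask> <ifname>' entry, so no host may reach ASDM")
    for addr, mask, ifname in acls:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            warnings.append(f"http entry on '{ifname}' permits any source; restrict it to management hosts")
    return {"errors": errors, "warnings": warnings}
```

Paste the real "show run" and "show flash:" output into the two strings; an empty "errors" list means the image and HTTP settings match what the steps above require.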
If the ASDM configuration checks out so far but ASDM still will not load, this can be for a number of reasons. Here are more causes and workarounds. First, clear the certificate authority state and generate a new RSA key pair:
pix(config)# ca zeroise
pix(config)# crypto key gen rsa modulus 1024
WARNING: You already have RSA keys defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
If that still doesn't work, follow the DES license steps below:
- Navigate to https://www.cisco.com/public/sw-center/sw-ciscosecure.shtml
- Click on "Cisco PIX Firewall License Registration"
- Find the 56-bit DES license. (You may need a CCO login to continue; register for one if needed. The license is free.)
- Follow the steps listed on Cisco's website. You will need your serial number to register the PIX for a DES license. This can be found by issuing the "show version" command at the CLI.
- You will receive an e-mail with the license key. Copy the license key and enter it at the CLI with the "activation-key" command, i.e. "activation-key xxxxxxxxxxxx", where the x's are the DES license key you received.
- Issue the "write mem" command and try to access ASDM at https://x.x.x.x/admin. ASDM should load; if not, go through the troubleshooting steps above once more to double-check everything. If all else fails, you may need to contact Cisco.
Sample Output

Running Configuration:
PIX Version 7.0(2)   <- PIX software version
!
interface Ethernet0   # Ignore this interface.
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
boot system flash:/image.bin   <- PIX software image location
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
-> asdm image flash:/asdm-502.bin   <- ASDM image location
asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
-> http server enable   <- HTTP server is enabled.
-> http 0.0.0.0 0.0.0.0 inside   <- We allow all hosts from all subnets connected to the interface "inside"
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:e60c275dedddfde831eb68c72656d46c
: end

Flash Contents:
pix(config)# show flash:
Directory of flash:/
4    -rw-  1483     14:35:45 Oct 05 2005  downgrade.cfg
7    -rw-  5107768  14:36:49 Oct 05 2005  image.bin
11   -rw-  5967052  14:39:06 Oct 05 2005  asdm-502.bin   <- ASDM as it appears in flash. This should match the ASDM location in running config.

16128000 bytes total (5044224 bytes free)

Interface States:
pix(config)# show int
Interface Ethernet0 "outside", is administratively down, line protocol is down   # Ignore this interface
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex, Auto-Speed
        MAC address 0004.dd7c.17f8, MTU 1500
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
  Received 0 VLAN untagged packets, 0 bytes
  Transmitted 0 VLAN untagged packets, 0 bytes
  Dropped 0 VLAN untagged packets
Interface Ethernet1 "inside", is up, line protocol is up   # Interface is up and configured properly.
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0004.dd7c.17f9, MTU 1500
        IP address 192.168.0.1, subnet mask 255.255.255.0
        557 packets input, 59130 bytes, 0 no buffer
        Received 421 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        79 packets output, 5096 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
  Received 557 VLAN untagged packets, 50900 bytes
  Transmitted 79 VLAN untagged packets, 3348 bytes
  Dropped 434 VLAN untagged packets

Zeroize the CA:
pix(config)# ca zeroise
pix(config)# crypto key gen rsa modulus 1024
WARNING: You already have RSA keys defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
# After this I had the same result with ASDM.

HTTP Server & Server Access List:
pix(config)# show run http
http server enable   # HTTP server is enabled
http 0.0.0.0 0.0.0.0 inside   # Basic access list allowing any IP from any subnet to the 'inside' interface Ethernet1.