Friday, May 17, 2013

Working with Cisco Adaptive Security Device Manager (ASDM)

The Cisco ASDM is a graphical user interface (GUI) that a networking professional can use to configure and monitor an ASA firewall. It uses HTTPS protocol (TCP port 443) to communicate with the ASA device.

ASDM needs an initial configuration on the ASA before it can connect. The following steps set it up:

Step 1: Copy an ASDM image file into ASA flash memory.

Use TFTP to copy an ASDM image file from your PC to the ASA's flash memory. You can verify that the ASDM image was copied by using the dir disk0:/ command to display the flash file system contents.

ciscoasa# dir disk0:/

Directory of disk0:/

136    -rwx  27260928     13:53:20 Nov 24 2012  asa901-k8.bin
137    -rwx  4181246      07:32:20 Jun 05 2010  securedesktop-asa-3.2.1.103-k9.pkg
138    -rwx  398305       07:32:38 Jun 05 2010  sslclient-win-1.1.0.154.pkg
139    -rwx  17449432     13:23:38 Nov 24 2012  asdm-701.bin
140    -rwx  14240396     15:53:48 Mar 11 2010  asdm-631.bin
17     drwx  4096         07:36:28 Jun 05 2010  crypto_archive
10     drwx  4096         22:12:48 Dec 04 2010  log
107    -rwx  1530         03:37:59 May 16 2013  7_2_4_0_startup_cfg.sav
18     drwx  4096         22:13:20 Dec 04 2010  coredumpinfo
142    -rwx  4096         03:00:06 Apr 14 2013  ._asa901-k8.bin
143    -rwx  4096         03:00:10 Apr 14 2013  ._asdm-701.bin
144    drwx  4096         12:01:08 Apr 14 2013  .fseventsd
145    -rwx  4096         23:38:12 Dec 04 2010  ._.Trashes
146    drwx  4096         23:38:12 Dec 04 2010  .Trashes
147    drwx  4096         23:38:14 Dec 04 2010  .Spotlight-V100
148    -rwx  15943680     15:51:14 Mar 11 2010  asa831-k8.bin
149    -rwx  28119320     13:23:52 Nov 24 2012  asdm-demo-701.msi
150    -rwx  4096         03:00:16 Apr 14 2013  ._asdm-demo-701.msi

127111168 bytes total (17145856 bytes free)


Step 2: Specify the ASDM image file to use.

Use the asdm image command to specify which ASDM image file to use. The IOS and ASDM image versions must be compatible with each other before ASDM can be used.

You can use the show asdm image command to display the file location and name.

ciscoasa# show asdm ?

  history       Show contents of Device Manager history buffer
  image         Show current Device Manager image file
  log_sessions  Show current Device Manager logging sessions
  sessions      Show current Device Manager sessions
ciscoasa# show asdm image
Device Manager image file not set

ciscoasa# configure terminal
ciscoasa(config)# asdm ?

configure mode commands/options:
  group     Associate object group names with interfaces.  Warning: This option
            is designed for use solely by ASDM.  Do not manually configure this
            option.
  history   Enable/Disable Device Manager data sampling
  image     Specify Device Manager image file path
  location  Associate an external network object with an interface.  Warning:
            This option is designed for use solely by ASDM.  Do not manually
            configure this option.

exec mode commands/options:
  disconnect  Specify ASDM session id to be disconnected after this keyword
ciscoasa(config)# asdm image ?

configure mode commands/options:
  disk0:  Device Manager image file path
  flash:  Device Manager image file path
ciscoasa(config)# asdm image disk0:/asdm-701.bin
ciscoasa(config)# show asdm image
Device Manager image file, disk0:/asdm-701.bin


Step 3: Enable the HTTP server process.

Both HTTP and HTTPS are supported, although ASDM uses only HTTPS.

ciscoasa(config)# http ?

configure mode commands/options:
  Hostname or A.B.C.D         The IP address of the host and/or network
                              authorized to access the HTTP server
  X:X:X:X::X/<0-128>          IPv6 address/prefix authorized to access the HTTP
                              server
  authentication-certificate  Request a certificate from the HTTPS client when
                              a management connection is being established
  redirect                    Redirect HTTP connections to the security gateway
                              to use HTTPS
  server                      Enable the http server required to run Device
                              Manager
ciscoasa(config)# http server ?

configure mode commands/options:
  enable           Enable the http server required to run Device Manager
  idle-timeout     Idle timeout in minutes (single routed mode only)
  session-timeout  Session timeout in minutes (single routed mode only)
ciscoasa(config)# http server enable


Step 4: Specify the IP addresses that are allowed to access ASDM.

In the example, we permit clients on the 192.168.1.0/24 subnet on the "inside" interface.

ciscoasa(config)# http 192.168.1.0 ?

configure mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ciscoasa(config)# http 192.168.1.0 255.255.255.0 ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
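Steps 1 through 4 above produce a handful of lines in the running configuration. As an added example that is not part of the original post, the Python script below reads a constructed running-config excerpt (not taken from the device shown above) and audits the ASDM-related lines: it checks that an asdm image is set, that the HTTP server is enabled, and that every http access rule is restricted to a specific source network on the management interface rather than permitting any host on the outside. The management interface name ("inside") and the sample config lines are assumptions made for this example.

```python
import ipaddress

# Constructed sample running-config excerpt (not the page's device). The last
# "http" line is deliberately overly permissive so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname ciscoasa
asdm image disk0:/asdm-701.bin
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""


def parse_http_rules(config):
    """Return (network, interface) tuples for each http access rule.

    Handles both the IPv4 form  'http <addr> <mask> <iface>'
    and the IPv6 form           'http <prefix>/<len> <iface>'.
    Other http sub-commands (server enable, redirect, ...) are skipped.
    """
    rules = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "http":
            continue
        try:
            if len(tokens) == 3 and "/" in tokens[1]:        # IPv6 prefix form
                net = ipaddress.ip_network(tokens[1], strict=False)
                iface = tokens[2]
            elif len(tokens) == 4:                            # IPv4 address + netmask form
                net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
                iface = tokens[3]
            else:
                continue
        except ValueError:      # e.g. "http redirect outside 80": not an address
            continue
        rules.append((net, iface))
    return rules


def audit_asdm_config(config, management_interface="inside"):
    """Return a list of findings; an empty list means the ASDM setup looks sane."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    # Step 2: an ASDM image must be selected.
    if not any(line.startswith("asdm image ") for line in lines):
        findings.append("asdm image not set")

    # Step 3: the HTTP server process must be enabled.
    if "http server enable" not in lines:
        findings.append("http server not enabled")

    # Step 4: access must be limited to specific sources on the management interface.
    rules = parse_http_rules(config)
    if not rules:
        findings.append("no http access rules")
    for net, iface in rules:
        if net.prefixlen == 0:
            findings.append(f"http rule on {iface} permits any source ({net})")
        if iface != management_interface:
            findings.append(f"http rule permits ASDM on non-management interface {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit_asdm_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample above, the script reports two findings, both for the 0.0.0.0/0 rule on the outside interface; removing that line leaves the configuration with no findings. Checking the parsed network's prefix length rather than string-matching "0.0.0.0" also catches near-equivalent mistakes such as a mask of 0.0.0.0 applied to a non-zero address.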

2 comments:

  1. Hi John,
    May I know how you simulated ASA in GNS3? How to get the free license too? Many thanks.

    1. I use ASAv. You don't need to license the ASAv and it has "limited" features which you just need for a lab.
      https://ccnpsecuritywannabe.blogspot.com/2018/04/asav-in-gns3-20.html
