« Managing the Cisco ASA Adaptive Security Appliance Boot Process | Main | CCNA Routing & Switching Standard Bundle »

Saturday, 15 November 2014

Preparing the Cisco ASA to Use Cisco ASDM

All Cisco Security Appliances ship with a factory built-in configuration that enables quick startup. This configuration contains an interface for management, which enables you to use Cisco ASDM to connect to the appliance. For the ASA 5505 Adaptive Security Appliance, the factory built-in configuration configures interfaces and NAT, so that the Security Appliance is immediately ready to use in your network. The HTTP Server is enabled in the factory built-in configurations for all security appliance models and is accessible to users on the 192.168.1.0 inside network. With the factory built-in configuration, you can connect to the default management address by entering https://192.168.1.1 in your browser. Alternatively, you can use the Cisco ASDM Launcher (if it is already installed on a PC) to connect to Cisco ASDM.

For ASA 5505 Adaptive Security Appliances, you can use any switch port to connect to the Cisco ASDM, except Ethernet 0/0, which is the Outside Interface. For ASA 5510 Adaptive Security Appliances and later models, use the Management 0/0 Interface to connect to the Cisco ASDM. The factory built-in configuration is available only for Routed Firewall mode and Single Context mode.

If you do not have a factory built-in configuration, you can use one of the following methods to configure the minimum parameters for accessing Cisco ASDM from an ASA 5510 Adaptive Security Appliance and higher:

  • Assign a name to the Management 0/0 Interface or assign a name and the management-only parameter to any interface
  • Run the Interactive Setup Dialog using the Setup command
  • Optionally, specify which Cisco ASDM image file to use. If you do not include this in your startup configuration, the Security Appliance uses the first Cisco ASDM image that it finds at startup

Configuring the Cisco ASA for Cisco ASDM Access

The following summarizes the configuration of the Cisco ASA Security Appliance for Cisco ASDM access from a PC on a management-only network. Access to the Cisco ASDM when a management-only network is not available will also be configured.

Assign a Name to an Interface

For Cisco ASA Software Version 8.4 and later, to use the Interactive Setup script, you must have an interface that is designated as "Management-only" and you must give a name to that interface.

To provide a name for an interface, use the nameif command in Interface Configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the appliance instead of the Interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.

In this example, the name "Management" will be configured on the Management0/0 Interface.

Note : Cisco ASA Software Versions 8.2 and earlier did not require the use of a Management-only Interface for the Interactive Setup script. Earlier Cisco ASA Software versions used an interface named "inside" as the match criteria for the setup script.

Run Interactive Setup Dialog

When you assign a name to a Management-only Interface, you can access the Interactive Setup dialog by entering setup at the Global Configuration mode prompt. The dialog asks for several responses, including the management IP address, network mask, hostname, domain name, and Cisco ASDM host. The hostname and domain name are used to generate the default certificate for the SSL Connection. Pressing Enter instead of entering a value at the prompt accepts the default value within the brackets. You must fill in any fields that show no default values and change default values as necessary. After the configuration is written to Flash memory, the Security Appliance is ready to start Cisco ASDM.

Note : The clock must be set for Cisco ASDM to generate a valid certificate. Set the Security Appliance clock to Coordinated Universal Time (UTC) (also known as Greenwich Mean Time [GMT]).

You can use the configure factory-default command to restore the default configuration, which also gives you access to the Management0/0 Interface, but with the default 192.168.1.1 IP address.

Specify Which Cisco ASDM File to Use

If more than one Cisco ASDM image is stored in the Flash memory of your Security Appliance, you must specify the Cisco ASDM image to be used. You can use the asdm image filename command to specify the image that you want to use and its location in Flash memory. If you do not include this command in your startup configuration, the Security Appliance uses the first Cisco ASDM image that it finds at startup. It searches the root directory of Internal Flash memory and then External Flash memory. If it discovers an image, the Security Appliance inserts the asdm image command into the running configuration.

In this example, the Cisco ASA Security Appliance is configured to use the asdm-641.bin file to load Cisco ASDM.

To remove the image location, use the no form of the asdm image command.

CLI Commands

You can use individual commands to prepare the Security Appliance for configuration via Cisco ASDM. You need this configuration if you do not have a Management-only Network to use for the initial Cisco ASDM access.

To set the system clock on the Security Appliance, use the clock set Privileged EXEC mode command, followed by the actual time, month, day, and year. To assign the hostname to the appliance, use the hostname command. To assign the domain name, use the domain -name command. To configure the Privileged mode password, use the enable password command.

To configure an interface, enter the Interface Configuration mode. To assign a name to the interface, use the nameif command. If the inside name is assigned to the interface, security level 100 is automatically assigned to the interface. To set the IP Address on the interface, use the ip address command, followed by the IP address and network mask. To enable the interface, use the no shutdown command.

To enable Cisco ASDM access, you must enable the HTTP Server on the Security Appliance. Use the command http server enable in Global Configuration mode. To specify hosts that can access the Security Appliance via HTTP, use the http IP-address mask interface-name command, where interface-name is the interface through which those hosts are accessible. Either you can specify one host using the 255.255.255.255 mask or you can specify an entire network of hosts using the network ID and appropriate mask. For example, to allow HTTP access from the entire 10.0.1.0/24 inside subnet, you would enter the http 10.0.1.0 255.255.255.0 inside command.

Note : When you configure HTTP access on a Security Appliance, you actually configure HTTPS access. HTTP-only access to the Security Appliance is not possible.

Starting Cisco ASDM

When you first access Cisco ASDM, you must enter https://interface_IP_address into the browser URL field providing three options:

Starting Cisco ASDM from the Cisco ASDM Launcher
To run Cisco ASDM from the Cisco ASDM Launcher, click Install ASDM Launcher and Run ASDM. By installing the Cisco ASDM Launcher, you can start Cisco ASDM from a desktop shortcut rather than from a browser. The desktop shortcut enables you to connect to multiple Security Appliances via SSL. The Cisco ASDM Launcher, which is available only for Windows platforms, avoids double authentication and certificate dialog boxes, launches more quickly, and caches previously entered IP addresses and usernames.
Starting Cisco ASDM from a web browser
To run Cisco ASDM as a Java Web Start application, click Run ASDM. Java Web Start downloads Cisco ASDM from the Security Appliance with the IP address that you entered in the browser to your local machine and starts executing it.
Using Cisco ASDM in demo mode
Cisco ASDM also features a demo mode, which is a separately installed application that allows you to run Cisco ASDM without having a live device available. In demo mode, which you access from the Cisco ASDM launcher login window, you can do the following:
  • Demonstrate Cisco ASDM or Security Appliance features using the Cisco ASDM interface.
  • Perform configuration and monitoring tasks with the Cisco ASA 5500 Series Adaptive Security Appliances content Security and Control (CSC) Security Services Module (SSM).
  • Obtain simulated monitoring and logging data, including real-time system log messages. The data that is shown is randomly generated. However, the experience is identical to what you would see when you are connected to a real device.

When you start the Cisco ASDM launcher, you must know the IP address of the device you are managing and the login credentials for that device. In the example, the Cisco ASA Security Appliance IP Address is 10.0.1.1 and the login credential is the Configured Enable Password. If AAA is configured, you need a username and password combination, instead of only the Enable password.

Note : To use Cisco ASDM in demo mode, you must download the Cisco ASDM Demo Mode installer from http://www.cisco.com and install it. Then you run the Cisco ASDM launcher and check the Run in Demo Mode check box.

Certificates Used to Access Cisco ASDM

When you access the Cisco ASDM through the SSL connection, the Security Appliance creates a temporary self-signed identity certificate. You must trust this certificate on the management PC, but only when you access the Security Appliance over the secure network. The problems that can arise are as follows:

  • When you reload or power-cycle the Security Appliance, it creates a new self-signed certificate that you must trust again.
  • The subject name of the certificate is set to the IP address of the interface over which you access the Security Appliance. If you use the Domain Name System (DNS) in your network and you access the Cisco ASDM using the name of the Security Appliance, you will have a mismatch between a subject name in the certificate and the name in the browser URL field.

You should not trust the Cisco ASA Security Appliance certificate when you access the Cisco ASDM over an unsecured network because someone could impersonate the Cisco ASA Security Appliance and try to catch sensitive configuration information.

To overcome problems that you can encounter with the Cisco ASA Security Appliance identity certificate, you should follow these solutions:

  • Create a persistent self-signed identity certificate on a Cisco ASA Security Appliance. In this certificate, you can set the subject manually to the DNS name of the Security Appliance. The only problem that remains is to trust this certificate. However, you can transfer this certificate over a trusted network and trust the certificate once. Then, you can access the device over non-trusted networks because you already trust the certificate.
  • Enroll a Cisco ASA Security Appliance in an existing trusted Public Key Infrastructure (PKI) and obtain an identity certificate from a trusted Certificate Authority (CA). This is the safest solution.

Posted at 12:34 PM in CCNA Security |

| | | Pin It! |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)