Introduction
I’ll keep this short but sweet, and hopefully it will save somebody out there a lot of head scratching. I unwrapped a couple of brand new ASA 5512-X firewalls but found that ASDM was inaccessible from my browser.
ASDM inaccessible
All the standard configuration was in place, entered in global configuration mode:
ASA(config)#http server enable
ASA(config)#http 192.168.1.10 255.255.255.255 management
ASA(config)#aaa authentication http console LOCAL
ASA(config)#username mrsecurity password prfsxXRRbLqiz7yj encrypted privilege 15
I had enabled the HTTP server, told the ASA which host address to accept connections from (a single jump box on the management interface), enabled local authentication and created a privilege-15 user. When I connected with Chrome, all I got was a “This webpage is not available” message.
After some sniffing around, I found the one line of config that is critical:
ssl encryption des-sha1
This was the default on both ASA devices I received. A security device, shipping with single DES (a 56-bit key, broken in practice for well over a decade) as its only TLS cipher. Not very good, Cisco. Not only is it weak encryption, it stops Chrome connecting to ASDM at all: Chrome no longer offers any DES cipher suite, so the TLS handshake fails before the ASDM page is even requested, which is why the browser reports a generic “not available” error rather than a certificate or login problem. Funnily enough, IE8, the other browser on the jump box I was using, still negotiates DES and connected fine, but I missed this until after I had fixed it, having been a Chrome convert for quite some time. So one option is to use an older, less secure browser. Or…
Resolution
The right fix is to change the SSL cipher list rather than downgrade the browser:
ASA(config)#ssl encryption aes128-sha1
This allows current (and more secure) browsers to connect to ASDM. In version 9.1(1) the ssl encryption line is shown in the default running configuration, so a plain show run is enough to spot it. In older versions it is a hidden default, so you would need to include defaults in the output to see it:
ASA#sh run all | include ssl encryption
One caveat: the ASA only offers 3DES and AES suites when the 3DES/AES license is active, so if the ssl encryption aes128-sha1 command is rejected, check that show version lists Encryption-3DES-AES as Enabled before going any further. Once the change is made, show ssl confirms which ciphers the device is actually offering.
I also believe the default in older versions was to enable pretty much every cipher the ASA supports, weak ones included:
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
With a list like that, a modern browser simply picks one of the AES suites and the weak entries never get used, which is why the problem never showed up before; the 9.1(1) factory config leaves nothing acceptable to pick.
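To make the check above repeatable across a pile of new boxes, here is an added example (written for this post, not Cisco code) that audits the ssl encryption line from a show run all dump, flags suites a current browser will refuse, builds the replacement command, and emits an openssl s_client one-liner to confirm the result from the jump box. The cipher keyword table is the pre-9.3 ssl encryption syntax shown on this page, the OpenSSL names are the standard equivalents, and the config text at the bottom is constructed rather than captured from a device.

```python
"""Audit an ASA 'ssl encryption' line and suggest the fix from the post.

Added example for this post, not Cisco code. The keywords are the ones
'ssl encryption' accepts on ASA 8.x/9.1 (pre-9.3 syntax); the config
text at the bottom is constructed, not captured from a real device.
"""
import re

# How a current browser treats each ASA cipher keyword.
# "weak" suites are no longer offered by Chrome/Firefox, so a box that
# lists only those is unreachable from them; "legacy" still negotiates
# but is deprecated; "ok" is what you want to keep.
CIPHER_STRENGTH = {
    "null-sha1": "weak",         # no confidentiality at all
    "des-sha1": "weak",          # 56-bit DES, the 9.1(1) factory default
    "rc4-md5": "weak",
    "rc4-sha1": "weak",
    "3des-sha1": "legacy",
    "aes128-sha1": "ok",
    "aes256-sha1": "ok",
    "dhe-aes128-sha1": "ok",     # DHE variants add forward secrecy
    "dhe-aes256-sha1": "ok",
}

# OpenSSL names for the same suites, so the result can be confirmed from
# the jump box with 'openssl s_client -cipher <name>'.
OPENSSL_NAME = {
    "null-sha1": "NULL-SHA",
    "des-sha1": "DES-CBC-SHA",
    "rc4-md5": "RC4-MD5",
    "rc4-sha1": "RC4-SHA",
    "3des-sha1": "DES-CBC3-SHA",
    "aes128-sha1": "AES128-SHA",
    "aes256-sha1": "AES256-SHA",
    "dhe-aes128-sha1": "DHE-RSA-AES128-SHA",
    "dhe-aes256-sha1": "DHE-RSA-AES256-SHA",
}

SSL_ENC_RE = re.compile(r"^\s*ssl encryption\s+(.+?)\s*$", re.MULTILINE)


def parse_ssl_encryption(config_text):
    """Return the keywords on the 'ssl encryption' line, or [] if the line is absent."""
    m = SSL_ENC_RE.search(config_text)
    return m.group(1).split() if m else []


def classify(ciphers):
    """Map each keyword to weak/legacy/ok ('unknown' for anything not in the table)."""
    return {c: CIPHER_STRENGTH.get(c, "unknown") for c in ciphers}


def browser_can_connect(ciphers):
    """True if at least one suite a current browser still offers is enabled."""
    return any(CIPHER_STRENGTH.get(c) == "ok" for c in ciphers)


def recommended_line(ciphers):
    """Replacement command keeping only acceptable suites; falls back to the
    post's fix (aes128-sha1) when nothing acceptable is enabled."""
    keep = [c for c in ciphers if CIPHER_STRENGTH.get(c) == "ok"]
    return "ssl encryption " + " ".join(keep or ["aes128-sha1"])


def openssl_probe_command(host, asa_cipher, port=443):
    """Shell command to test from the jump box whether the ASA accepts one suite.
    A handshake failure for DES-CBC-SHA after the fix is the expected result."""
    return "openssl s_client -connect %s:%d -cipher %s" % (host, port, OPENSSL_NAME[asa_cipher])


def audit(config_text):
    """Summarise the cipher posture of one config dump."""
    ciphers = parse_ssl_encryption(config_text)
    strength = classify(ciphers)
    browser_ok = browser_can_connect(ciphers)
    needs_fix = bool(ciphers) and (not browser_ok or any(s != "ok" for s in strength.values()))
    return {
        "ciphers": ciphers,
        "strength": strength,
        "browser_ok": browser_ok,
        "fix": recommended_line(ciphers) if needs_fix else None,
        # On older code the line is a hidden default and only 'show run all' prints it.
        "note": None if ciphers else "no 'ssl encryption' line; run 'show run all | include ssl encryption'",
    }


# Constructed sample: the factory line that broke ASDM in Chrome.
FACTORY_CONFIG = """\
hostname ASA
ssl encryption des-sha1
http server enable
"""

# Constructed sample: the wide-open older default, weak suites included.
OLD_DEFAULT_CONFIG = "ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1\n"

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("old default", OLD_DEFAULT_CONFIG)):
        result = audit(cfg)
        print(name, result)
        if result["fix"]:
            print("  apply:", result["fix"])
            print("  verify:", openssl_probe_command("192.168.1.1", "des-sha1"))
```

Run it against the output of show run all | include ssl encryption saved from each box; a factory 9.1(1) dump yields the single aes128-sha1 fix from this post, while the older wide-open default yields a trimmed list with rc4-sha1 and 3des-sha1 dropped. The openssl probe is the quickest way to prove the change took effect without touching a browser: after the fix, -cipher DES-CBC-SHA should fail the handshake and -cipher AES128-SHA should succeed.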
Summary
The key point to remember here is: when you move to a new version of software you have become familiar with, find out what the differences are! I’ve not checked at which point this change was made, and whilst it’s not a show stopper, it is annoying.
By the way, you may have noticed I set the encryption to AES-128, and some of you may be aware that AES-256 is an option. The reason I currently choose AES-128 over the 192- or 256-bit versions is that I’ve read about vulnerabilities (albeit non-critical) with those key lengths. I’d be interested in anybody else’s take on this. (Editor’s note: the published results on AES-192 and AES-256 are related-key attacks, which require the attacker to control relationships between keys; they do not apply to the independently generated session keys TLS uses, so aes256-sha1 is an equally sound choice for ASDM.)
Till the next time.
Thank you!
Hahah, I literally just got caught by this! I usually ‘wr er’ a new ASA and set it up fresh and in this case the customer “primed” the unit for me and kept the factory config. Couldn’t figure out why the ASDM wouldn’t load. This was the issue. Thanks again!
Yay, my first “this solved my problem” comment! 😉
Thanks Bob