Can you install ASDM on Windows 11? Yes, but as usual there are some prerequisites. Someone asked this question on EE today, so I thought I'd check.
ASDM on Windows 11 Solution
ASDM requires Java. There's an open-source Java version, but to be honest most people (and certainly most older firewalls) are using the Oracle JRE, so make sure you have that installed before you do anything.
Note: Some older versions of ASDM may require older versions of Java. I like to keep my ASDM images up to date, so this never trips me up. Consider updating your firewall's OS and ASDM images (I'll put instructions at the bottom of the page if you're unsure how to do that).
Browse to the interface on the firewall you have ASDM working on, and add /admin to the end of the URL, i.e. https://192.168.1.1/admin or https://10.1.1.1:444/admin (if you have ASDM on a non-standard port). From there select Install ASDM Launcher.
Note: If you DON'T know how to enable ASDM then read this article.
The installer (.msi) will download to your default browser's download directory.
Run the installer.
Accept all the defaults.
Open the shortcut.
Note: At this point if you get an error that says “This app can’t run on your PC” then see this article.
All being well, your ASDM will open.
Related Articles, References, Credits, or External Links
If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors;
VPN establishment capability for a remote user is disabled. A VPN connection will not be established
VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established
This behaviour is the default, and despite trawling the internet for a solution (most posts say to change the local AnyConnectProfile.tmpl file), that file does not exist in version 3 (I was using v3.0.4235).
Update: With early versions of AnyConnect version 4 it does not tell you what's wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following;
Profile settings do not allow VPN initiation from a remote desktop.
Note: This is fixed in version 4.8, and you will see the error shown at the top of the page.
Solution
To solve this problem we need to create an AnyConnect profile, load the profile onto the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).
Edit AnyConnect Profile With ASDM
Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
Give the profile a name > Select a group policy to apply it to > OK.
AllowRemoteUsers: Lets a user who is logged on remotely (e.g. over RDP) bring up the VPN; if bringing up the VPN changes the routing so that the remote session is cut off, the client terminates the VPN automatically.
SingleLocalLogon: Allows any number of remote logons, but only one local (console) logon, for the duration of the VPN.
OR (older versions)
Apply the changes, and then save to the running configuration.
Edit AnyConnect Profile With Stand-Alone Profile Editor
1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).
Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created you can skip straight to step 3.
If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.
2. Once you have installed the profile editor, launch the “VPN Profile Editor”.
3. The setting we want is listed under Windows VPN Establishment and needs setting to "AllowRemoteUsers". In addition I'm going to set Windows Logon Enforcement to "SingleLocalLogon".
AllowRemoteUsers: Lets a user who is logged on remotely (e.g. over RDP) bring up the VPN; if bringing up the VPN changes the routing so that the remote session is cut off, the client terminates the VPN automatically.
SingleLocalLogon: Allows any number of remote logons, but only one local (console) logon, for the duration of the VPN.
4. Save the profile somewhere you can locate it quickly.
6. Browse your local PC for the profile you created earlier > Hit the "Right Arrow" to upload it > This can take a few minutes, depending on your link to the firewall.
7. Make sure the file uploads correctly > Close.
8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the "Client Profile to Download" section and uncheck the Inherit box.
9. Click New > Browse Flash > Locate the profile you uploaded earlier.
10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.
11. Then reconnect with your AnyConnect Mobility Client software.
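The two settings above are XML elements in the AnyConnect profile the editor writes (WindowsVPNEstablishment and WindowsLogonEnforcement, under ClientInitialization). As an added example that is not Cisco's code and not from the original article, the Python below reads a profile, reports the effective value (the client treats a missing element as LocalUsersOnly, which is why a freshly created profile, or no profile at all, still refuses a VPN from an RDP session and logs "Profile settings do not allow VPN initiation from a remote desktop"), and writes both settings into it. The sample profile, its host name and address are constructed for the example.

```python
"""Check and fix the AnyConnect profile settings that control VPN from an RDP session.

Added example (not Cisco's code). It parses the AnyConnectProfile XML that the
profile editor writes, reports the effective WindowsVPNEstablishment value (a
missing element means the client default, LocalUsersOnly) and sets the two
elements the article sets. The sample profile below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal profile with neither setting present, which is
# what a freshly created profile looks like. Host name/address are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.invalid</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

DEFAULT_ESTABLISHMENT = "LocalUsersOnly"   # what the client applies when the element is absent
BLOCKING_VALUES = {"LocalUsersOnly"}


def _ns(root):
    """Namespace URI of the root element ('' if the profile has none)."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _q(ns, name):
    return f"{{{ns}}}{name}" if ns else name


def _setting(profile_xml, name):
    root = ET.fromstring(profile_xml)
    ns = _ns(root)
    node = root.find(f"{_q(ns, 'ClientInitialization')}/{_q(ns, name)}")
    return (node.text or "").strip() if node is not None else ""


def vpn_establishment(profile_xml):
    """Effective WindowsVPNEstablishment value, applying the client default."""
    return _setting(profile_xml, "WindowsVPNEstablishment") or DEFAULT_ESTABLISHMENT


def logon_enforcement(profile_xml):
    return _setting(profile_xml, "WindowsLogonEnforcement")


def blocks_remote_desktop(profile_xml):
    """True when a user in an RDP session would be refused a VPN by this profile."""
    return vpn_establishment(profile_xml) in BLOCKING_VALUES


def fix_profile(profile_xml, logon="SingleLocalLogon"):
    """Return the profile with AllowRemoteUsers and the chosen logon enforcement set.

    Existing elements are updated in place; missing ones are created, including
    the ClientInitialization container if the profile lacks it.
    """
    root = ET.fromstring(profile_xml)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns)   # keep the default namespace, no ns0: prefixes
    ci = root.find(_q(ns, "ClientInitialization"))
    if ci is None:
        ci = ET.Element(_q(ns, "ClientInitialization"))
        root.insert(0, ci)
    for name, value in (("WindowsLogonEnforcement", logon),
                        ("WindowsVPNEstablishment", "AllowRemoteUsers")):
        node = ci.find(_q(ns, name))
        if node is None:
            node = ET.SubElement(ci, _q(ns, name))
        node.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", vpn_establishment(SAMPLE_PROFILE), "blocks RDP:", blocks_remote_desktop(SAMPLE_PROFILE))
    fixed = fix_profile(SAMPLE_PROFILE)
    print("after: ", vpn_establishment(fixed), "blocks RDP:", blocks_remote_desktop(fixed))
    print(fixed)
```

Point it at the .xml the profile editor saved (or the copy you pull back off the firewall's flash) before uploading; a profile that reports LocalUsersOnly is the one that produces the errors at the top of this section.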
Related Articles, References, Credits, or External Links
When trying to connect to a Firepower 1010 ASDM I was met with this;
“Cisco ASDM-IDM.app” cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware.
Solution
If you've spent much time using macOS then this is quite common. Open System Preferences > Security & Privacy > General tab > You will see a warning about Cisco ASDM-IDM > Click 'Open Anyway'.
If you are prompted again simply click ‘Open‘.
Related Articles, References, Credits, or External Links
I recently did a post on adding extra licences to AnyConnect, (with the current surge of people working from home). I exclusively work at command line, so when I was asked how to do the same in the ASDM I had to go and check 🙂
Solution
Connect to your firewall's ASDM console, then navigate to Configuration > Device Management > Licensing > Activation Key > Enter your new Activation Key > Update Activation Key.
Before I'm asked: your activation key lives in the flash memory of your firewall, so you should not need to save the config (unless you have made other changes, or are prompted to do so by the ASDM, which will know if there are any pending changes).
Related Articles, References, Credits, or External Links
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
Note2: If your firewall is running a version older than 8.3 you will need to scroll down the page.
Port forwarding on Cisco firewalls can be a little difficult to get your head around. To better understand what is going on, remember that in the "World of Cisco" there are two things to keep straight:
1. NAT means translate MANY addresses to FEW addresses.
2. PAT means translate MANY addresses to ONE address.
Why is that important, you ask? Well, most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything, e.g. the first connection outbound might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049, so when the traffic comes back the firewall knows where to send it.
Fair enough, but what has that got to do with port forwarding? Well, you can use the exact same system to lock a port to an IP address, so if only one port can go to one IP address then that's going to give you port forwarding 🙂
To make matters more confusing (sorry) you configure PAT in the NAT settings; for this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding (the ASDM is better than the old PIX PDM), but most people (me included) prefer to use the command line to do port forwarding.
Note: This option uses ASDM Version 7.9(2). If yours is older, see below;
Connect to the ASDM, Configuration > Firewall > NAT Rules > Right click 'Network Object NAT Rules' > Add 'Network Object' NAT Rule.
Name = Give the internal server/host a sensible name > Type = Host > IP Address = The internal / private IP address > Type = Static > Translated Address = Outside > Advanced > Source Interface = Inside > Destination Interface = Outside > Protocol = TCP > Real Port = http > Mapped Port = http > OK > OK > Apply.
Note: This assumes your outside interface is called outside, your inside interface is called inside, and you want to forward TCP port 80 (http).
Now add an access rule to let the traffic in (Configuration > Firewall > Access Rules > Add): Interface = Outside > Action = Permit > Source = Any > Destination {Browse} > Locate the object you created earlier > Add to Destination > OK. Note that the destination is the object (the real, private address), not the public address; on 8.3 and later code access lists match the pre-translated address.
Service {Browse} > Select the Port you require (i.e. http) > OK.
OK > Apply > When you have tested it works, save the changes.
Using Older ASDM (PIX v7 and ASA 5500): 1 Port to 1 IP Address
1. As above you will need to know the port and the IP to forward it to. Launch the ASDM, select Configuration > Security Policy > Then either Rules > Add, or right click the incoming rules and select "Add Access Rule".
2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination: Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port = smtp (for example) > OK > Apply.
3. Back at the main screen select Configuration > NAT > Add, or right click an existing mapping and click "Add Static NAT Rule".
4. Real Address: Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation: Interface = outside > IP Address = (Interface IP) > Tick "Enable Port Translation (PAT)" > Protocol = TCP > Original Port = smtp > Translated Port = smtp (for example) > OK > Apply.
5. File > “Save Running Configuration to Flash.”
Option 2: Use the Command Line to Port Forward (Post Version 8.3)
Note: Port forwarding changed on PIX/ASA devices running OS 8.3 and above; there is no longer a global command. For a full run-down of the changes click here.
If you issue a global command after version 8.3 you will see this error;
ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.
1. First things first, you will need to know what port you want to forward and where you want to forward it. For this example we will assume I've got a server at 10.254.254.5 and it's a web server, so I want to forward all TCP port 80 traffic (HTTP) to it. Connect to the firewall via console or SSH (Telnet works too, but it sends the password in clear text).
[box]
Warning Notice
User Access Verification
Password:********
Type help or '?' for a list of available commands.
Petes-ASA>
[/box]
2. Enter enable mode, and enter the enable mode password.
[box]
Petes-ASA> enable
Password:********
Petes-ASA#
[/box]
3. Now we need to go to configuration mode.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
4. Create an object for the web server that the traffic is going to be forwarded to, then (5.) add the static PAT to that object, mapping TCP port 80 on the outside interface to it (both commands are in the complete listing at the end of this section).
6. Now you need to allow the HTTP traffic in. Before you add an ACL entry you need to see if you already have an ACL applied. We are applying an ACL to the outside interface for traffic going in (I call this 'inbound' for obvious reasons). To see if you already have an ACL applied, issue the following command;
[box]
Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside
[/box]
Note: In the example above we have an ACL called inbound that we MUST use (if you apply a new one, all the access list entries for the old one get 'un-applied'). If yours has a different name (e.g. outside_access_in) then use that instead of the ACL name I'm using here. If you DON'T have an access-group entry for inbound traffic then we will do that at the end!
[box]
Petes-ASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http
[/box]
7. Then: only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.
[box]
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#
[/box]
8. Don't forget to save your hard work (write memory).
The complete set of commands from steps 4 to 8:
[box]
object network Internal_Web_Server
host 10.254.254.5
nat (inside,outside) static interface service tcp http http
access-list inbound permit tcp any object Internal_Web_Server eq http
access-group inbound in interface outside
write memory
[/box]
Use the Command Line to Port Forward (Pre Version 8.3): 1 Port to 1 IP Address
1. First things first, you will need to know what port you want to forward and where you want to forward it. For this example we will assume I've got a server at 10.254.254.1 and it's a mail server, so I want to forward all TCP port 25 traffic to it. Connect to the firewall via console or SSH (Telnet works too, but it sends the password in clear text).
[box]
Warning Notice
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
Petes-ASA>
[/box]
2. Enter enable mode, and enter the enable mode password.
[box]
Petes-ASA> enable
Password: ********
Petes-ASA#
[/box]
3. Now we need to go to configuration mode.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
4. Now you need to allow the SMTP traffic in. Before you add an ACL entry you need to see if you already have an ACL applied. We are applying an ACL to the outside interface for traffic going in (I call this 'inbound' for obvious reasons). To see if you already have an ACL applied, issue the following command;
[box]
Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside
[/box]
Note: In the example above we have an ACL called inbound that we MUST use (if you apply a new one, all the access list entries for the old one get 'un-applied'). If yours has a different name (e.g. outside_access_in) then use that instead of the ACL name I'm using here. If you DON'T have an access-group entry for inbound traffic then we will do that at the end!
5. Then: only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.
[box]
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#
[/box]
6. Lastly, the command that actually does the port forwarding (the static command), and the access list entry that allows the traffic in.
Option 3: Use the PIX Device Manager (PIX Version 6 Only): 1 Port to 1 IP Address
1. As above you will need to know the port and the IP to forward it to. Launch the PIX Device Manager, select Configuration > Access Rules > Then either click Rules > Add, or right click an incoming rule and select "Insert Before" or "Insert After".
2. Under "Action" select "Permit". Under Source Host/Network select "Outside" and all the zeros; under Destination Host/Network select "Inside" and all the zeros; then set the "Destination Port" to smtp > OK > Apply.
3. Now select the "Translation Rules" tab > Rules > Add, or right click a rule and select "Insert Before" or "Insert After".
4. In this example I've set it to forward all TCP port 25 traffic to 10.254.254.10 (NOTE: I've blurred out the public IP address; you will need to add this also) > OK > Apply.
5. Finally save your work > File > “Save Running Configuration to Flash.” > Exit.
Related Articles, References, Credits, or External Links
Below is a walk-through for setting up one end of a site-to-site VPN tunnel using a Cisco ASA appliance, via the ASDM console. Though if (like me) you prefer using the command line interface, I've put the commands at the end.
Solution
VPN Setup Procedure carried out on ASDM 6.4
Note: The video above uses IKEv1 and IKEv2; in reality you would choose one or the other, and for IKEv2 both ASA 5500 firewalls need to be running OS 8.4(1) or above.
VPN Setup Procedure carried out on ASDM 5.2
1. Open up the ASDM console > Click Wizards > VPN Wizard.
2. Select “Site-to-Site VPN” > Next.
3. Enter the peer IP address (the IP of the other end of the VPN tunnel; I've blurred it out to protect the innocent) > Select "Pre-Shared Key" and enter the key (this needs to be identical to the key at the other end) > Give the tunnel group a name or accept the default entry of its IP address > Next.
4. Choose the encryption protocol (DES, 3DES, AES-128, AES-192 or AES-256), the authentication method (SHA or MD5) and the Diffie-Hellman group (1, 2, 5 or 7). Note the other end must match; this establishes phase 1 of the tunnel. Of the options this old wizard offers, only AES, SHA and DH group 5 are still acceptable; DES, 3DES, MD5 and DH groups 1, 2 and 7 are obsolete. Newer code offers stronger DH groups (14 and above), so use those where both ends support them. > Next.
5. Now select the encryption protocols (DES, 3DES, AES-128, AES-192 or AES-256) and the authentication method (SHA, MD5 or None). Note this is for phase 2 and will protect the encrypted traffic "in flight", so the same advice applies: AES and SHA, and never None. > Next.
6. Now you need to specify what traffic to encrypt: on the left hand side enter the network or host details (of what's behind the ASA you are working on), and on the right hand side the IP address of the network or host that's behind the other VPN endpoint. Note the other end should be a mirror image. > Next.
7. Review the Settings (Note I’ve blurred the IP address out again) > Next.
8. Back at the ASDM console commit the settings to the ASA memory, Click File > “Save Running Configuration to Flash.”
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).
This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X.
Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.
In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).
Create a Static NAT and allow web traffic via ASDM
3. Give the 'object' a name (I usually prefix them with obj-{name}) > It's a Host > Type in its PRIVATE IP address > Tick the NAT section (press the drop-down if it's hidden) > Static > Enter its PUBLIC IP address > Advanced > Source = Inside > Destination = Outside > Protocol = TCP. Note: You could set this to IP, but I'm going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.
4. Now navigate to Firewall > Access Rules > Add > Add Access Rule.
5. Interface = outside > Permit > Source = any > Destination = PRIVATE IP of the host > Service > Press the 'more' button > Locate TCP/HTTP > OK > OK > Apply.
6. Then save your work with a File > Save Running Configuration to Flash.
Create a Static NAT and allow web traffic via Command Line
2. Log In > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: *******
PetesASA# conf t
PetesASA(config)#
[/box]
3. First I'm going to allow the traffic to the host (Note: after version 8.3 we allow traffic to the private, pre-translated IP address). This assumes you don't have an inbound access list; if you are unsure, execute a "show run access-group" and if you have one applied substitute that name for the word 'inbound'.
Warning: before applying the 'access-group' command, see the following article;
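Both this static NAT procedure and the port-forwarding one earlier on this page hinge on the same post-8.3 rule: the inbound access list has to name the real (private) address or its object, not the public address. The Python below is an added example (not Cisco's code, and not from the original article) that checks a show run excerpt for exactly that: it pairs every static object NAT with the access list applied inbound on its mapped interface and reports whether the traffic would actually be permitted. It also points out one-to-one translations, where every port of the host is translated and the ACL is the only thing limiting exposure. The sample config, object names and interface names are constructed for the example.

```python
"""Audit post-8.3 object NAT against the inbound ACL (added example, not Cisco code).

For every static translation in a show run excerpt, checks that the ACL applied
inbound on the mapped interface permits the REAL (pre-translated) address and port.
Codes: ok | no-inbound-acl | no-acl-entry | acl-uses-mapped-address (the ACE names
the public address, the pre-8.3 habit) | all-ports-translated (1:1 NAT, the ACL is
the only port limit). Sample config, interface and object names are constructed.
"""
import ipaddress

SAMPLE_CONFIG = """\
object network Internal_Web_Server
 host 10.254.254.5
 nat (inside,outside) static interface service tcp http http
object network obj-WebServer
 host 172.16.254.1
 nat (inside,outside) static 81.81.81.82
object network obj-Mail
 host 10.254.254.1
 nat (inside,outside) static interface service tcp smtp smtp
access-list inbound extended permit tcp any object Internal_Web_Server eq http
access-list inbound extended permit tcp any host 81.81.81.82 eq www
access-group inbound in interface outside
"""
PORTS = {"http": 80, "www": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21, "domain": 53}

def port_number(tok):
    return int(tok) if tok.isdigit() else PORTS.get(tok)

def _take_addr(toks, i):
    """Consume one address spec: any | host X | object X | interface X | ADDR MASK."""
    if toks[i] in ("any", "any4", "any6"):
        return ("any", None), i + 1
    if toks[i] in ("host", "object", "object-group", "interface"):
        return (toks[i], toks[i + 1]), i + 2
    return ("net", (toks[i], toks[i + 1])), i + 2

def parse_ace(toks):
    i = 3 if toks[2] == "extended" else 2               # access-list NAME [extended] ...
    action, proto, i = toks[i], toks[i + 1], i + 2
    src, i = _take_addr(toks, i)
    if i < len(toks) and toks[i] == "eq":                # source-port qualifier: skip it
        i += 2
    dst, i = _take_addr(toks, i)
    ports = ("eq", port_number(toks[i + 1])) if toks[i:i + 1] == ["eq"] else ("any",)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def parse_nat(toks):
    # nat (real_if,mapped_if) static MAPPED [service PROTO REAL_PORT MAPPED_PORT]
    if toks[2] != "static":
        return None                                      # dynamic NAT/PAT is not a forward
    real_if, mapped_if = toks[1].strip("()").split(",")
    s = toks.index("service") if "service" in toks else None
    return {"real_if": real_if, "mapped_if": mapped_if, "mapped": toks[3],
            "proto": toks[s + 1] if s else None, "port": port_number(toks[s + 2]) if s else None}

def parse_config(text):
    objects, acls, groups, cur = {}, {}, {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "!":
            continue
        if not raw[0].isspace():
            cur = None                                   # an unindented line ends the object block
        if toks[:2] == ["object", "network"]:
            cur = objects.setdefault(toks[2], {"name": toks[2], "host": None, "nat": None})
        elif cur is not None and toks[0] in ("host", "nat"):
            cur[toks[0]] = toks[1] if toks[0] == "host" else parse_nat(toks)
        elif toks[0] == "access-list" and toks[2] in ("extended", "permit", "deny"):
            acls.setdefault(toks[1], []).append(parse_ace(toks))
        elif toks[0] == "access-group":                  # access-group NAME in interface IFACE
            groups[(toks[4], toks[2])] = toks[1]
    return objects, acls, groups

def _ace_permits(a, obj, nat):
    """True when this ACE permits the translation's REAL address on its real port."""
    kind, val = a["dst"]
    hit = (ipaddress.ip_address(obj["host"]) in ipaddress.ip_network("%s/%s" % val, strict=False)
           if kind == "net" else kind == "any" or (kind, val) in (("object", obj["name"]), ("host", obj["host"])))
    port_ok = nat["port"] is None or a["ports"][0] == "any" or a["ports"][1] == nat["port"]
    return a["action"] == "permit" and a["proto"] in ("ip", nat["proto"] or a["proto"]) and hit and port_ok

def audit(text):
    """Return a list of (object name, finding code) for every static translation."""
    objects, acls, groups = parse_config(text)
    findings = []
    for obj in objects.values():
        nat = obj["nat"]
        if nat is None or obj["host"] is None:
            continue
        acl_name = groups.get((nat["mapped_if"], "in"))
        aces = acls.get(acl_name, [])
        if nat["proto"] is None:                         # 1:1 NAT: every port of the host is reachable
            findings.append((obj["name"], "all-ports-translated"))
        permitted = any(_ace_permits(a, obj, nat) for a in aces)
        legacy = any(a["dst"] == ("host", nat["mapped"]) or (nat["mapped"] == "interface"
                     and a["dst"] == ("interface", nat["mapped_if"])) for a in aces)
        code = ("no-inbound-acl" if acl_name is None else "ok" if permitted
                else "acl-uses-mapped-address" if legacy else "no-acl-entry")
        findings.append((obj["name"], code))
    return findings
```

Run audit() over the output of show run; in the constructed sample the HTTP forward is fine, the one-to-one NAT is flagged because its ACE names 81.81.81.82 rather than 172.16.254.1, and the SMTP forward has no ACE at all. The parser deliberately understands only the object-NAT, host and simple ACE forms used on this page; anything fancier (object-groups, twice NAT, port ranges) needs extending before you trust its "ok".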
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
Below is a walk-through for setting up a client-to-gateway VPN tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).
Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).
The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure at the end just in case 🙂
Note: The ASDM cannot be used on the normal port (https) on the outside interface when using AnyConnect, because HTTPS (TCP port 443) needs to be free (and, IMPORTANTLY, NOT 'port-forwarded' to a web server / Exchange server etc.) for this to work. To fix that, either change the port that AnyConnect is using (not the best solution!) or, a much better solution, change the port ASDM is using.
Solution
Setup AnyConnect From ASDM (Local Authentication)
In case you don't want to watch a video: Launch the ASDM > Wizards > VPN Wizards > AnyConnect VPN Wizard > Next.
Give the AnyConnect profile a name, i.e. PF-ANYCONNECT (I capitalise any config that I enter, so it stands out when I'm looking at the firewall configuration) > Next > Untick IPsec > Next.
Note: You can use IPsec if you want, but you will need a certificate pre-installed to do so!
Now you need to upload the AnyConnect client packages for each operating system that is going to want to connect.
Once the package (with a .pkg extension) is located, you can upload it directly into the firewall's flash memory.
Repeat the process for each OS that will be connecting (PLEASE! Don't forget to add the macOS package, or your users will see THIS ERROR) > Next > As mentioned above I'm using LOCAL (on the ASA) authentication. I always set this up first, then test it, then if required change the authentication method > If you don't already have a LOCAL user created then add a username and password for testing > Next.
Next (unless you want to set up SAML) > Here I'll create a new 'Pool' of IP addresses for my remote clients to use. You can also use an internal DHCP server for remote clients; again, I normally set up and test with a pool from the ASA, then if I need to use a DHCP server I swap it over once I've tested AnyConnect. If that's a requirement, see the following article;
Enter the DNS server(s) details for your remote clients > WINS? Who is still using WINS! > Domain name > Next > Tick 'Exempt VPN traffic from network address translation' > Next.
Next > Finish
DON’T FORGET TO SAVE THE CHANGES!! (File > Save Running Configuration to Flash)
Now any remote client attempting to connect to AnyConnect can install the client software directly from the firewall, (This is assuming you have not already installed it for them beforehand).
For Older Versions of the ASA/ASDM
Note: The information below is OBSOLETE; I only leave it here in case someone is running some VERY old versions of the ASDM and AnyConnect.
1. Open up the ASDM console > Click Wizards > SSL VPN Wizard.
2. Select “Both Options”. > Next.
3. Enter a connection name > If you have a certificate already, select it here, or simply leave it on "-None-" and the ASA will generate an untrusted (self-signed) one > Next.
4. For this example we are going to use the ASA's local database to hold our user database; however, if you want to use RADIUS/Windows IAS select those options accordingly and follow the instructions. Note: To set up IAS read my notes HERE > Enter a username and password.
5. Add. > Next
6. We are going to create a new policy in this case called SSL Users > Next.
7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.
8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.
9. Add > OK.
10. OK.
11. Next.
12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, IP addresses, and the subnet mask > OK.
13. Point the ASA to the AnyConnect client you want to use (Note: you can upload a software image from your PC here as well) > Next > Accept the warning about NAT exemptions (Note: if you do get a warning to add a NAT exemption see the note at the end).
14. Finish.
15. Before it will work you need to Select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section i.e. AnyConnect > OK. > Tick the box that says “Allow user to select connection profile by its alias………” > Apply.
16. File > Save running configuration to flash.
17. Connect externally to https://{public_IP} (Note: this has to be in the browser's trusted site list) > Enter a username and password > Login.
18. You are now on the “Portal” site any bookmarks created above will be visible > Click the AnyConnect Tab.
19. Double click to launch AnyConnect.
20. The AnyConnect client will install if not used previously (the user needs to be a local admin) and connects.
NAT Exemptions: Note if you received a warning about needing to add the remote VPN pool as a NAT exemption (after step 13) you will need to add the following lines to the ASA (this is the pre-8.3 "nat 0" syntax that matches the old ASDM version used here):
Syntax;
[box]
access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}
nat (inside) 0 access-list {name}
Working example
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0
nat (inside) 0 access-list nonat
[/box]
WARNING: Make sure the name matches any existing no-NAT ACLs or your IPsec VPNs will fail!
Related Articles, References, Credits, or External Links
But if you want to use the native Windows VPN client you can still use L2TP over IPsec. I had a look around the net to work out how to do this, and most decent articles are written using older versions of the ASDM, and the CLI information I found on Cisco's site didn't help either.
What I’m using
1. Cisco ASA 5525 version 9.2(4) and ASDM version 7.6(1).
2. Network behind the ASA 192.168.110.0/24.
3. IP addresses of the remote clients 192.168.198.1 to 254 (DNS 192.168.110.10).
Configure the ASA 5500 for L2TP IPSEC VPNs from ASDM
1. From within the ASDM > Wizards > VPN Wizards > IPsec (IKEv1) Remote Access VPN Wizard.
2. Next.
3. Tick Microsoft Windows Client using L2TP over IPSEC > Tick MS-CHAP-V2 ONLY > Next.
4. Type in a pre-shared key (make it long and random; every L2TP client shares this one key) > Next.
5. Select LOCAL authentication > Next.
6. Enter a username/password to use for connection to the VPN > Next.
7. Create a ‘VPN Pool‘ for the remote clients to use as a DHCP pool > OK > Next.
8. Enter your internal DNS server(s) and domain name > Next.
9. Set your internal network(s) > Tick "Enable Split Tunnelling…" > Untick PFS > Next.
10. Finish.
11. Save the changes.
Configure the ASA 5500 for L2TP IPSEC VPNs from CLI
1. Connect to the ASA, go to "enable mode", then to "configure terminal" mode.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. First we need to create a “Pool” of IP addresses for the remote client to use.
[box]
PetesASA(config)# ip local pool L2TP-Pool 192.168.198.1-192.168.198.10
[/box]
3. Now to make sure the traffic that's going to travel over our VPN is not NATted.
Note: This assumes that 192.168.198.0/24 is the remote VPN clients' subnet, and 192.168.110.0/24 is the subnet BEHIND the ASA (the networks listed under "What I'm using" above).
4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected; to stop this you need to enable "Split Tunnelling". You will refer to this later, but for now we just need to create an ACL.
[box]
PetesASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.110.0 255.255.255.0
[/box]
5. We need a "Transform Set" that will be used for "Phase 2" of the tunnel. I'm going to use AES encryption and SHA hashing, then set the transform type to "Transport" (L2TP over IPsec requires transport mode).
6. Remote VPNs usually use a "Dynamic Crypto Map"; the following will create one that uses our transform set, then apply it to the firewall's outside interface.
7. Then enable IKE (version 1) on the outside interface, and create a policy that will handle "Phase 1" of the tunnel, in this case 3DES for encryption, SHA for hashing, and Diffie-Hellman group 2 for the secure key exchange. (3DES and DH group 2 are weak by today's standards; prefer AES and a stronger group if the client OS versions you support will negotiate them.)
8. Create a group policy that holds the following: the DNS server IP(s) that will be leased to the remote clients, the tunnel type (L2TP/IPsec), split tunnelling enabled using the ACL we created in step 4, and the domain name that will be given to the remote clients. The "intercept-dhcp enable" looks after a Windows client problem. And finally create a user and password.
Note: In this example I’m using the ASA’s local database of users for authentication.
9. Every tunnel needs a "Tunnel Group". You HAVE TO use the DefaultRAGroup (unless you are securing things with certificates, which we are not). This pulls in the IP pool we created in step 2 and the policy we created in step 8.
10. For the tunnel group, set up a shared key, and the authentication method for our clients.
Note: We are disabling CHAP and enabling MS-CHAP v2.
[box]
PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)# no authentication chap
PetesASA(config-ppp)# authentication ms-chap-v2
[/box]
11. Finally save the new config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
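The phase 1 policy this section uses (3DES, SHA, DH group 2) and the weaker choices the site-to-site wizard earlier on this page still offers (DES, MD5, DH group 1) are obsolete by current standards. As an added example, not Cisco's code and not from the original article, the Python below reads the crypto policy, transform-set and proposal blocks out of a show run and grades every algorithm, so you can see at a glance what needs upgrading before you confirm that the clients or peers you support will negotiate the stronger settings. The sample config is constructed; its ikev1 block mirrors the one described above.

```python
"""Grade the IKE/IPsec algorithms in an ASA config (added example, not Cisco code).

Reads 'crypto ... policy', 'transform-set' and 'ipsec-proposal' blocks from show
run output and flags DES/3DES, MD5 and DH groups 1/2/7 as weak, and SHA-1 / DH
group 5 as legacy (acceptable but due for upgrade). The sample is constructed; its
ikev1 block is the 3DES / SHA / group 2 phase 1 policy this article uses for L2TP.
"""
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set L2TP-IPSEC-TS esp-aes esp-sha-hmac
 mode transport
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
"""
RANK = {"ok": 0, "legacy": 1, "weak": 2}
KEYWORDS = {"policy", "transform-set", "ipsec-proposal"}


def grade_attr(kind, value):
    """'weak' = replace now, 'legacy' = acceptable but upgrade, 'ok' otherwise."""
    v = value.lower()
    v = v[4:] if v.startswith("esp-") else v          # esp-3des -> 3des, esp-sha-hmac -> sha-hmac
    if kind == "encryption":
        return "weak" if v in ("des", "3des", "null") else "ok"
    if kind in ("hash", "integrity"):
        if v.startswith("md5"):
            return "weak"
        return "legacy" if v in ("sha", "sha1", "sha-1", "sha-hmac") else "ok"
    if kind == "group":
        return "weak" if v in ("1", "2", "7") else "legacy" if v == "5" else "ok"
    return "ok"


def parse_crypto(text):
    """Map block name -> list of (kind, value) algorithm attributes."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if not raw[0].isspace():                       # unindented: a header line
            cur = None
            if (toks[:1] != ["crypto"] or len(toks) < 3
                    or toks[1] not in ("ikev1", "ikev2", "ipsec", "isakmp") or not KEYWORDS & set(toks)):
                continue                               # crypto map / enable / other lines
            if "transform-set" in toks:                # algorithms sit on the header itself
                n = toks.index("transform-set") + 2
                cur = blocks.setdefault(" ".join(toks[:n]), [])
                cur.extend(("integrity" if "hmac" in t else "encryption", t) for t in toks[n:])
            else:
                cur = blocks.setdefault(" ".join(toks), [])
        elif cur is not None:
            if toks[:2] == ["protocol", "esp"]:        # ikev2 proposal: protocol esp encryption X
                toks = toks[2:]
            if toks[0] in ("encryption", "hash", "integrity", "group"):
                cur.extend((toks[0], t) for t in toks[1:])
    return blocks


def grade(text):
    """Per block: {'worst': grade, 'issues': [(kind, value, grade), ...]} (non-ok only)."""
    report = {}
    for name, attrs in parse_crypto(text).items():
        issues = [(k, v, grade_attr(k, v)) for k, v in attrs if grade_attr(k, v) != "ok"]
        worst = max((g for _, _, g in issues), key=RANK.get, default="ok")
        report[name] = {"worst": worst, "issues": issues}
    return report


if __name__ == "__main__":
    for name, r in grade(SAMPLE_CONFIG).items():
        print(f"{r['worst']:7} {name}  {r['issues']}")
```

In the constructed sample the ikev1 policy grades weak (3DES, group 2), the L2TP transform set grades legacy (SHA-1 HMAC), and the ikev2 policy and proposal grade ok. Whether a given peer will still connect after you raise a policy is a separate question: check the peer's or client's supported proposals before removing the old ones.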
Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500
Note: Windows 10 Enterprise used.
1. Start > Settings > Network and Internet.
2. VPN > Add a VPN Connection.
3. VPN Provider = Windows (Built-in) > Connection Name = (A Sensible name) > Server name or Address = Public IP/Hostname of the ASA > Scroll Down.
4. VPN Type = L2TP/IPSEC with pre-shared key > Pre Shared Key = {the one you set on the firewall in our example 1234567890} > Type of sign-in information = Username and Password.
Note: You may want to untick "Remember my sign-in information" so that a username and password must be supplied each time.
5. Start > ncpa.cpl {Enter} > Right click your VPN connection profile > Properties.
6. Security Tab > Allow These Protocols > Tick “Microsoft CHAP version 2 (MS-CHAP v2)” > OK.
7. You can now connect your VPN.
Related Articles, References, Credits, or External Links
Out of the box, Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and there are also a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java; make sure the machine has Java installed.
Note: If you are using Java version 7 Update 51 see the following article.
2. Make sure your operating system, browser and Java version are supported (this is the client requirements table from Cisco's ASDM release notes):

Operating System                                    Internet Explorer   Firefox   Safari       Chrome              Java SE plug-in
Windows 10, 8 (8.1), 7, Server 2012 R2,
  Server 2012, 2008 Server, XP                      Yes                 Yes       No support   Yes                 8.0
Apple Macintosh OS X 10.6, 10.5, 10.4               No support          Yes       Yes          Yes (64-bit only)   8.0
Ubuntu Linux 14.04, Debian Linux 7                  N/A                 Yes       N/A          Yes                 8.0 (Oracle only)
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, then do the following: File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the Running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is “allowed” access
2. Log into the firewall, go to enable mode > Enter the enable password.
[box]
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#
[/box]
3. The ASDM is enabled with the command "http server enable"; to make sure that's there, issue a "show run http" command.
[box]
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
[/box]
Note: if the command is NOT there, you need to issue the following three commands:
[box]
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Note: If you see a number after the command, e.g. "http server enable 2456", then you need to access the ASDM on that port, like so: {IP address/Name of ASA}:2456 (this is common if you're port forwarding HTTPS but you still want to access the ASDM externally).
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access; if yours is NOT listed you can add it with an "http {address} {mask} {interface}" line of the same form. Keep the entries on the outside interface as narrow as you can (a single host with a 255.255.255.255 mask, as in the example above); an "http 0.0.0.0 0.0.0.0 outside" entry exposes the management interface to the whole internet.
6. The ASA needs to be told what file to use for the ASDM. To make sure it's been told, issue the following command (if there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewall).
[box]
PetesASA# show run asdm
asdm image disk0:/asdm-739.bin
[/box]
Note: on a Cisco PIX the results will look like..
[box]
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
[/box]
7. Write down the file that it has been told to use (in the example above asdm-739.bin). Then make sure that file is actually in the firewall's memory with a "show flash" command.
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).
[box]
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
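The "http" lines in steps 3 and 4 are the whole of the ASDM access control, so they are worth checking for more than "is my address listed". As an added example (not Cisco's code and not from the original article), the Python below parses show run http output, builds the launcher URL for whatever port is configured, answers whether a given client on a given interface would be allowed in, and flags entries on the outside interface that are wider than a single host. The interface names and the sample output are constructed for the example.

```python
"""Check who can reach ASDM from 'show run http' output (added example, not Cisco code).

Interface names (inside/outside) and the sample output are constructed; the 'http'
line format (address, mask, interface) is the one the troubleshooting steps show.
"""
import ipaddress

SAMPLE_HTTP = """\
http server enable 8443
http 10.254.254.0 255.255.255.0 inside
http 203.0.113.7 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
"""


def parse_http(text):
    """Return {'enabled': bool, 'port': int, 'allowed': [(network, interface), ...]}."""
    cfg = {"enabled": False, "port": 443, "allowed": []}
    for line in text.splitlines():
        toks = line.split()
        if toks[:3] == ["http", "server", "enable"]:
            cfg["enabled"] = True
            if len(toks) > 3:                        # 'http server enable 2456' style
                cfg["port"] = int(toks[3])
        elif len(toks) == 4 and toks[0] == "http":   # http ADDRESS MASK INTERFACE
            net = ipaddress.ip_network(f"{toks[1]}/{toks[2]}", strict=False)
            cfg["allowed"].append((net, toks[3]))
    return cfg


def asdm_url(host, port=443):
    """The launcher URL used at the top of this page, with the port only when non-standard."""
    return f"https://{host}/admin" if port == 443 else f"https://{host}:{port}/admin"


def client_allowed(text, client_ip, interface):
    """Would a client at client_ip, arriving on this interface, be allowed to talk to ASDM?"""
    cfg = parse_http(text)
    return cfg["enabled"] and any(ipaddress.ip_address(client_ip) in net and iface == interface
                                  for net, iface in cfg["allowed"])


def exposure_findings(text, untrusted=("outside",)):
    """Flag management entries on untrusted interfaces that are wider than one host."""
    out = []
    for net, iface in parse_http(text)["allowed"]:
        if iface in untrusted and net.prefixlen < net.max_prefixlen:
            level = "open-to-internet" if net.prefixlen == 0 else "wide-range"
            out.append(f"{level}: http {net} {iface}")
    return out


if __name__ == "__main__":
    cfg = parse_http(SAMPLE_HTTP)
    print("ASDM URL:", asdm_url("192.168.1.1", cfg["port"]))
    print("findings:", exposure_findings(SAMPLE_HTTP))
```

The constructed sample includes the single-host outside entry the article shows and a catch-all "0.0.0.0 0.0.0.0 outside" line, which the check reports as open to the internet; the inside subnet entry is not flagged because the default untrusted list only names outside.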
Related Articles, References, Credits, or External Links