Can you install ASDM on Windows 11? Yes, but as usual there are some prerequisites. Someone asked this question on EE today, so I thought I’d check.
ASDM on Windows 11 Solution
ASDM requires Java. There’s an open Java version, but to be honest, most people (and certainly most older firewalls) are using the Oracle JRE, so make sure you have that installed before you do anything.
Note: Some older versions of ASDM may require older versions of Java. I like to keep my ASDM images up to date, so this never trips me up. Consider updating your firewall’s OS and ASDM images (I’ll put instructions at the bottom of the page, if you’re unsure how to do that).
Browse to the interface on the firewall you have ASDM working on, and add /admin to the end of the URL, i.e. https://192.168.1.1/admin or https://10.1.1.1:444/admin (if you have ASDM on a non standard port). From there select Install ASDM Launcher.
Note: If you DON’T know how to enable ASDM then read this article.
The installer (.msi) will download to your default browser’s download directory.
Run the installer.
Accept all the defaults.
Open the shortcut
Note: At this point if you get an error that says “This app can’t run on your PC” then see this article.
All being well, your ASDM will open.
Related Articles, References, Credits, or External Links
When attempting to connect to an iLO 3 remote console on an HP Server;
General Exception Name: com.hp.ilo2.intgapp.intgapp
ExitException: Unable to load resource
https://{Server}/html/intgapp3_231.jar
Solution
Having added the URL of the iLO to the trusted sites in the Java Preferences, I thought this was all I had to do. Turns out I was wrong. Navigate to Administration > Security > Encryption > Encryption Enforcement Settings > Enforce AES/DES Encryption > Change to ‘Enabled’ > Apply > Wait for the iLO to reset, and try again.
Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java, so make sure the machine has Java installed.
Note: If you are using Java version 7 Update 51 see the following article.
10, 8 (8.1), 7, Server 2012 R2, Server 2012, 2008 Server, XP | Yes | Yes | No support | Yes | 8.0
Apple Macintosh OS X: 10.6, 10.5, 10.4 | No support | Yes | Yes | Yes (64 bit only) | 8.0
Ubuntu Linux 14.04, Debian Linux 7 | N/A | Yes | N/A | Yes | 8.0 (Oracle only)
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is “allowed” access
2. Log into the firewall, go to enable mode > Enter the enable password
[box]
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#
[/box]
3. The ASDM is enabled with the command “http server enable”. To make sure that’s there, issue a “show run http” command.
[box]
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
[/box]
Note: if the command is NOT there, you need to issue the following three commands:
[box]
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:
6. The ASA needs to be told what file to use for the ASDM. To make sure it’s been told, issue the following command (if there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewall).
[box]
PetesASA# show run asdm
asdm image disk0:/asdm-739.bin
Note: on a Cisco PIX the results will look like..
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
[/box]
7. Write down the file that it has been told to use (in the example above asdm-739.bin). Then make sure that file is actually in the firewall’s memory with a “show flash” command.
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).
[box]
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
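The checks in steps 3 to 7 can be run in one pass over saved command output. The script below is an added example, not part of the original article or any Cisco tool; the sample output is constructed to match the listings above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample output modelled on the listings above; not from a real device.
SHOW_RUN_HTTP = """\
http server enable 2456
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
"""
SHOW_RUN_ASDM = "asdm image disk0:/asdm-739.bin\n"
SHOW_FLASH = """\
--#--  --length--  -----date/time------  path
  105  27113472    Jan 05 2016 10:12:04  asa924-k8.bin
  106  26350916    Jan 05 2016 10:14:31  asdm-739.bin
"""


def parse_http(text):
    """Return (enabled, port, [(network, interface), ...]) from 'show run http'."""
    enabled, port, allowed = False, 443, []   # 443 is the HTTPS default
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["http", "server", "enable"]:
            enabled = True
            if len(words) > 3 and words[3].isdigit():
                port = int(words[3])          # e.g. "http server enable 2456"
        elif len(words) == 4 and words[0] == "http":
            try:
                net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            except ValueError:
                continue                      # not an "http <net> <mask> <if>" line
            allowed.append((net, words[3]))
    return enabled, port, allowed


def asdm_image(text):
    """Return the file name from an 'asdm image <device>:/<file>' line, or None."""
    match = re.search(r"^asdm image \S+?:/(\S+)$", text, re.M)
    return match.group(1) if match else None


def in_flash(filename, show_flash):
    """True if a 'show flash' row ends with the given file name."""
    return any(row.split()[-1:] == [filename] for row in show_flash.splitlines())


def diagnose(client_ip, http_text, asdm_text, flash_text):
    """Return (port, problems) for a management PC at client_ip."""
    problems = []
    enabled, port, allowed = parse_http(http_text)
    if not enabled:
        problems.append("http server is not enabled")
    address = ipaddress.ip_address(client_ip)
    if not any(address in net for net, _ in allowed):
        problems.append(f"{client_ip} is not in a permitted http network")
    image = asdm_image(asdm_text)
    if image is None:
        problems.append("no asdm image is configured")
    elif not in_flash(image, flash_text):
        problems.append(f"{image} is referenced but not in flash")
    return port, problems


if __name__ == "__main__":
    for pc in ("10.254.254.20", "192.168.1.50"):
        print(pc, diagnose(pc, SHOW_RUN_HTTP, SHOW_RUN_ASDM, SHOW_FLASH))
```

The same parsed list of permitted networks is also a quick way to review how widely management access has been opened on each interface.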
A colleague of mine was trying to connect to a firewall via ASDM last week, and was greeted by an error like this.
Now this is a pretty standard error, and usually means you haven’t been allowed access, or there isn’t a firewall at that address, but in this case I knew that a) he did have access, b) that was the correct IP address, and c) it worked fine on my machine, so it was set up correctly.
As I said above, this is a pretty generic error, so make sure your ASDM is configured correctly. If no one else can access it then run through the article below.
I saw this very problem again today, while hardening a firewall I had disabled some SSL encryption ciphers, I had left aes256-sha1 active, and removed the others. Took me a while to realise, but if you only have one (or both), of the following ciphers enabled, ASDM won’t load;
aes256-sha1
dhe-aes256-sha1
If you have any of the following ASDM should load normally;
aes128-sha1
dhe-aes128-sha1
rc4-sha1
3des-sha1
At this point I would consider the problem ‘fixed’ and move on, but the client I’m installing the firewall for wanted some clarification as to why it would not work. “Was it a bug?” So I opened a TAC call, and did some Googling. I came across an excellent article. And found I could replicate it exactly;
Note: the Client (My machine running ASDM) offers 14 cipher sets and there’s no match.
By this time I had a reply from TAC
————————————–
“The ciphers depend on the client, which in this case is ASDM launcher. ASDM launcher depends on ASDM version installed, latest available launcher is 1.5(73) – ASDM 7.4.1.
I did some tests with the latest software (ciphers741.png) but AES256 was still not proposed by the launcher.
I found a bug opened back in 2012 for exactly same issue, which was closed due to inactivity. Developers mentioned there that launcher is using all the ciphers supported by Java installed on client PC.
https://tools.cisco.com/bugsearch/bug/CSCtx78540/
Please refer to:
https://en.wikipedia.org/wiki/Java_Cryptography_Extension
JCE adds additional ciphers support for a Java client.
I downloaded the JCE for Java 7
Then I copied local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security (these jars were already there so I had to overwrite them).
After that I tried once again and it worked.
————————————–
OK, that seems fair enough, and Kudos to the TAC engineer who had really gone the extra mile. So I thought I’d try and replicate it on the test bench.
Then it worked fine, so I logged the results once again;
Note: We now have 23 cipher proposals from the client.
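A small model of the mismatch described above, as an added example rather than code from this article or from Cisco: it shows why a client limited to 128-bit AES has nothing in common with an ASA that only allows the two AES-256 ciphers. The `ssl encryption` line format and the candidate suite list are assumptions (the list is constructed, not the 14 or 23 captured proposals), and the 128-bit cap reflects the default Java 7 policy files.

```python
import re

# ASA "ssl encryption" keywords from the lists above, mapped to IANA suite names.
ASA_TO_SUITE = {
    "aes256-sha1":     "TLS_RSA_WITH_AES_256_CBC_SHA",
    "dhe-aes256-sha1": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "aes128-sha1":     "TLS_RSA_WITH_AES_128_CBC_SHA",
    "dhe-aes128-sha1": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "rc4-sha1":        "TLS_RSA_WITH_RC4_128_SHA",
    "3des-sha1":       "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed candidate list for a Java client; NOT the 14 or 23 suites seen in
# the captures described above.
JAVA_CANDIDATES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

LIMITED_POLICY_MAX_BITS = 128   # AES key cap without the unlimited JCE policy jars


def java_offer(candidates, unlimited_policy):
    """Suites the client proposes in its ClientHello under the given JCE policy."""
    if unlimited_policy:
        return list(candidates)
    offer = []
    for suite in candidates:
        bits = re.search(r"_AES_(\d+)_", suite)
        if bits and int(bits.group(1)) > LIMITED_POLICY_MAX_BITS:
            continue            # AES-256 is unavailable, so it is never proposed
        offer.append(suite)
    return offer


def asa_suites(config_line):
    """Parse an 'ssl encryption ...' line into suite names, in configured order."""
    words = config_line.split()
    if words[:2] != ["ssl", "encryption"]:
        raise ValueError("expected an 'ssl encryption' line")
    unknown = [w for w in words[2:] if w not in ASA_TO_SUITE]
    if unknown:
        raise ValueError(f"unmapped cipher keyword(s): {unknown}")
    return [ASA_TO_SUITE[w] for w in words[2:]]


def common_suites(config_line, client_offer):
    """Suites both ends support; an empty list means the handshake fails."""
    return [s for s in asa_suites(config_line) if s in client_offer]


if __name__ == "__main__":
    hardened = "ssl encryption aes256-sha1 dhe-aes256-sha1"
    for unlimited in (False, True):
        offer = java_offer(JAVA_CANDIDATES, unlimited)
        print("unlimited JCE:", unlimited, "->", common_suites(hardened, offer))
```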
Solution 3
Java 7 Update 51
Java Version 7 update 51 (Released Jan 2014) does not play nice with the Cisco ASDM.
Note: This is NOT the case if the ASDM presents a known, trusted, (not self signed) digital certificate.
Option 1
The easiest option is simply to remove Java and downgrade to Java Version 7 Update 45
OR
You can also upgrade your ASDM to version 7.1(5.100) or later, and use the Java Web Start Option.
OR
Create a Java site exception. Note: This DID NOT WORK for me with Java version 7 update 51 to both ASDM Versions 7.1(1) and 7.1(5.100). I only put it here for completeness, because Cisco say it’s a solution.
Related Articles, References, Credits, or External Links
Original Article Written 11/02/14
Kudos and thanks to Michal Kunikowski from Cisco TAC for his assistance.
Unless your firewall is brand new (in which case the passwords will either be {blank} or cisco), to access a Cisco firewall you will need a password, (this stands to reason it is a security device after all!).
Cisco Firewall Usernames
As for usernames, with a few exceptions, you do not USUALLY need a username. Those exceptions being;
Access via SSH needs a username (before version 8.4 you could use the username pix, and the Telnet password, this no longer works).
If you have set up authentication to be done by AAA.
Cisco Firewall Forgotten Password Recovery
If you do not know the password then you need to perform some password recovery.
Cisco ASA – Methods of Access.
1. Console Cable: This uses the rollover cable that came with the firewall. They are usually pale blue in colour, and the more modern ones have a moulded serial socket on them. The older ones have a grey network to serial converter that plugs on the end. Access is via some Terminal Emulation Software, e.g. PuTTy or HyperTerminal. This method of access is enabled by default, but requires physical access to the device’s console port.
2. Telnet: This simply allows connection via a telnet client, all versions of Windows have one, though Microsoft have done a good job of hiding it in Windows 7. You can also use PuTTy, HyperTerminal, or another third party telnet client. This is considered the LEAST SECURE method of connection, (as passwords are sent in clear text). On a new firewall the telnet password is usually set to cisco (all lower case).
3. Web Browser: (How the vast majority of people access the firewall). The age and version of the firewall dictates what “Web Server” you are connecting to: devices running Version 7 and above use the “Adaptive Security Device Manager”. Cisco firewalls running an operating system of version 6 and below use the “PIX Device Manager”. Both the ASDM and the PDM have a similar look and feel, and both require you to have Java installed and working.
4. SSH: Secure Sockets Handshake: This is sometimes called “secure telnet” as it does not send passwords and user names in clear text. It requires you supply a username and a password. Firewalls running an OS older than 8.4 can use the username of pix and the telnet password. After version 8.4 you need to enable AAA authentication and have a username and password setup for SSH access.
5. ASDM Client software: (Version 7 firewalls and above). You will need to have the software installed on your PC for this to work (you can download it from the firewall’s web interface, or install from the CD that came with the firewall).
Cisco ASA Remote Management via VPN
Even if you allow traffic for a remote subnet, there are additional steps you need to take to allow either a remote client VPN session, or a machine at another site that’s connected via VPN. Click here for details.
Solution
Connecting to a Cisco Firewall Using a Console Cable
Obviously before you start you will need a console cable, you CAN NOT use a normal network cable, OR a crossover cable as they are wired differently! They are wired the opposite way round at each end, for this reason some people (and some documentation) refer to them as rollover cables. They are usually Pale blue (or black). Note if you find your console cable is too short you can extend it with a normal network cable coupler and a standard straight through network cable.
On each end of the console cable the wiring is reversed.
Old (Top) and New (Bottom) versions of the Console Cable.
Note: If you don’t have a serial socket on your PC or Laptop you will need a USB to Serial converter (this will need a driver installing to add another COM Port to the PC).
Option 1 Using PuTTY for Serial Access.
1. Connect your console cable, then download and run PuTTy. (I’m assuming you are using the COM1 socket on your machine, if you have multiple serial sockets then change accordingly).
2. By default PuTTy will connect with the correct port settings, if you want to change the settings see the option I’ve indicated below. Simply select Serial and then ‘Open’.
3. You will be connected. (Note: The password you see me entering below is the enable password).
Option 2 Using HyperTerminal for Serial Access
1. Connect your console cable, then download, install and run HyperTerminal. (Note: With Windows XP and older it’s included with Windows, look in > All Programs > Communications). Give your connection a name > OK.
2. Change the ‘Connect Using’ option to COM1 > OK.
3. Set the connection port settings from top to bottom, they are, 9600, 8, None, 1, None > Apply > OK.
4. You will be connected. (Note: The password you see me entering below is the enable password).
Connecting to a Cisco Firewall via Telnet
To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via a console cable. Note Windows 7/2008/Vista needs to have telnet added.
Option 1 Use Windows Telnet Client for Firewall Access
1. Ensure you have a network connection to the firewall and you know its IP address > Start.
2. In the search/run box type cmd {enter}.
3. Execute the telnet command followed by the IP address of the firewall.
Also to access via this method you need to know the firewall’s “Enable Password”. If you use a proxy server then you will need to remove it from the browser settings while you carry out the following. Ensure also that you have Java installed and working.
1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.
2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.
3. Click “Run ASDM” (older versions say ‘Run ASDM Applet’). (Note: for information on the other option ‘Install ASDM launcher…’ see connecting via ASDM).
The Startup Wizard is for setting up a new firewall, I don’t recommend you ever use this unless you follow this guide.
4. You might receive a few Java warning messages, answer them in the affirmative.
Note: After version 8.4 you can only access the Cisco ASA using AAA authentication, see here. Prior to version 8.4 you can use the username of ‘pix’ and the firewall’s telnet password.
1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.
2. Tick SSH > enter the IP address of the firewall > Open.
3. The first time you connect you will be asked to accept the certificate > Yes.
4. You will be connected, supply the username and password configured for AAA access (or username pix and the telnet password if you are older than version 8.4).
Connecting to a Cisco Firewall via ASDM Client Software
1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.
2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.
3. Select ‘Install ASDM Launcher and Run ASDM’.
4. The username is usually blank (unless you are using AAA), and you will need to enter the enable password.
5. Run (or save if you want to install manually later).
6. Accept all the defaults.
7. The ASDM, will once again ask for the password. (By default it will place a shortcut on the desktop for the next time you need to access the firewall).
8. The ASDM will launch and you will be connected.
Connecting to a Cisco Firewall via Pix Device Manager
1. Open your web browser and navigate to the following,
https://{inside IP address of the firewall}
Note if you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”.
IE6 Users will see this instead
2. If Prompted leave the username blank, and the password is the firewall’s enable password.
Note if you are using AAA you might need to enter a username and password.
3. You will see this.
4. You might receive a few Java warning messages, answer them in the affirmative, on some newer versions of Java you may also need to enter the password a second time.
5. The PDM opens. You are successfully connected.
I used to use Dreamweaver all the time, it was used to design and build the site and handle all the uploads etc. Since I moved to WordPress I don’t use it as much. But it’s still a great code editor so I still fire it up on occasion. At least I did until this started happening;
To open “dreamweaver” you need to install the legacy Java SE 6 runtime.
Click “More info…” to visit the legacy Java SE 6 download website.
Solution
I’m a bit twitchy about Java, I need to tread a fine line between keeping updated, and still having a version that works with my clients’ firewalls. The amount of times things have ‘smashed’ because Java has updated for me are numerous. Java can turn a 25 second job into a two hour job.
So the thought of ‘downgrading’ to version 6 was not one I relished. But thankfully, if you avoid the Sun Java site and install the Apple Legacy Java package everything continues to work.
If you’re still having problems, see this article.
Most of the time I’m on my Mac for work, but sometimes when the ASDM fails, I switch to a Windows VM (in VMware Fusion). I recently upgraded to Windows 10, and for the most part that’s been a painless process.
I did notice though, that when I try to run the ASDM, it will let me install the software, then sit there doing nothing.
Install the ASDM if you have not previously done so, then navigate to C:\Program Files (x86)\Cisco Systems\ASDM > Locate the asdm-launcher.jar file and create a shortcut to it on the desktop.
Now use that to launch the ASDM and, (after a few seconds, it is Java) it should load.
And for those of you muggles who don’t work at command line, your life can be filled with GUI goodness.
Next to the rise of Nazism, war, hunger, and pestilence Java is the worst thing to happen to humankind! But because people keep using it for management consoles and things we are stuck with it.
I’m particularly a big fan of the way they (Oracle) upgrade it because it’s got some huge security flaw in it, then all my remote iLO, DRAC and Cisco ASDM sessions don’t work anymore. It’s even better when the device that launches Java is old and not supported so I can’t upgrade that either, so I have to maintain a VM with an old version of Java just to do my job.
So this week after I stupidly hit the ‘update’ button I had to downgrade Java ‘again’. Seriously just put in a button that says, “You need to click this button for things to work but tough luck if it all breaks”, and was on the brink of being able to get back to work, when Safari decided to download the java file and not run it, (which is not normally the end of the world, but was the straw that broke the camel’s back!)
Solution
When the .jnlp file has downloaded once, go and find it > Right click (or cmd click) > Open With > Other.
Navigate to System/Library/CoreServices > Locate and select Java Web Start > Always Open With > Open.
ThinApp is an “Odd” VMware product, insofar as it’s got nothing to do with virtual machines or virtual technology. It’s a product that turns applications into “Stand alone” thin applications, that can be sent to a user and run without the need for that user to have administrative access, or the need to install anything.
ThinApp was a product called Thinstall that VMware purchased and “re-badged”, you get a free copy with VMware View 5 (Premier Edition). And it ships with a copy of VMware workstation. (Not because it needs a copy, but VMware recommends you use a clean virtual machine to create your ThinApps on).
If you’ve ever used sysdiff in the past or Novell Zenworks for Desktops, you will be familiar with the process, take a ‘scan’ of a clean machine, then install application(s), then carry out another ‘scan’. The software then works out the ‘difference’ and uses that information to build a software package.
In the example below I’m going to create a stand alone version of Google Chrome, that is pre configured, and has Java already installed, and finally deploy that as a single executable file.
Solution
1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.
2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).
3. Installing ThinApp is pretty straightforward: simply run the executable and follow the on-screen prompts. The only thing to note is that when you enter your licence key, the name you enter will display on the “splash screen” as your ThinApp loads (as shown).
4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).
5. Run the ThinApp Setup Capture > Next > Prescan > This will take a few minutes > When finished simply minimise the window, you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.
6. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.
7. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.
Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).
8. Make sure only the executable you require is ticked as an entry point > Next > At the Horizon App Manage Page > Next.
9. In a domain environment you can restrict ThinApp access to particular users or groups > Next.
10. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.
11. Select the option to store the sandbox in the user profile > Next > Select whether you want to provide statistics to VMware > Next.
12. You will see this screen ONLY if you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox etc., so that only when URLs listed here are accessed (either directly or from a hyperlink) the ThinApp browser will open them; all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.
13. Give your ThinApp a name > Next.
14. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.
Note: You can use this page to create an MSI file to deploy via group policy if you wish.
15. After ThinApp generates the files it needs > Build.
16. Finish
17. Here’s my ThinApp executable file.
18. To test I’ve copied it to a Windows 7 machine.
19. While it’s loading this is what you will see.
20. And here is my ThinApp version of Google Chrome running and pre configured.