One of the topics tested on the CCNA Security exam is the Adaptive Security Device Manager (ASDM) of the Cisco ASA. This article will walk you through “installing” the ASDM on a Cisco ASA through GNS3. This will be helpful to those who want to familiarize themselves with the ASDM interface (the way we have been doing in the CCP series).
We will need a TFTP server, the ASDM image file, and the ASA we want to install it on. Our lab setup will contain just one ASA and one host (my laptop), which will act as both the TFTP server and the computer we will use to launch the ASDM when finished. The GNS3 topology is shown below:
Notice that I have used a switch to connect the host and the ASA because GNS3 does not support connecting a cloud/host directly to an ASA. The switch is just an “Ethernet switch” and all the ports are in the same VLAN (although you can change that).
The first thing we want to do is to make sure that the host and the ASA can communicate. We will use the 192.168.10.0/24 subnet.
Notice that, even though in the GNS3 topology the ASA interfaces are identified with “e” (signifying Ethernet?), they are actually Gigabit Ethernet interfaces. The ping also reveals that I can communicate with my host PC (192.168.10.10).
Now that we have communication, the next thing we need to do is load the ASDM image onto the ASA. There are several options including HTTP, FTP, and TFTP, but we will stick with TFTP because of its simplicity. One of the best TFTP servers I have used is 3CDaemon and it can also act as an FTP or Syslog server. You can download free TFTP servers including 3CDaemon here. The 3CDaemon interface is shown below:
Notice that, when it starts up, 3CDaemon listens for requests on all of your active interfaces so you don’t have to do anything special to get it to listen for requests. However, we have to configure the location of our ASDM image by clicking on “Configure TFTP Server.”
Once you are done, you can click on the Apply button to save the changes you have made. We will now copy the ASDM image to the ASA using the copy tftp: flash: command.
Note: copy tftp: disk0: will also work.
Notice that, after issuing the copy command, I can then specify the options, such as the IP address of the TFTP server and file name. I could have specified all those options in the copy command, but I prefer this method because it is easier than having to remember syntax. Also, keep in mind that, when specifying the file name, you must also specify the extension, e.g., “.bin” or the TFTP server will not be able to locate the file you are requesting. While the file is being copied, you can view the status in 3CDaemon, as shown below:
When this process is finished, the ASA will write the ASDM image and you will be presented with the prompt where you left off.
At this point, even though the ASDM file has been copied to the ASA’s flash, we still have to specify that it was an ASDM file we copied (after all, it could have been any other file). We do this using the asdm image <file location> global configuration command. If you don’t know the name of the file, just use the show flash or show disk0: command to get the name.
If the command is successful, you can use the show version command to see the ASDM image installed. The show asdm image command is also helpful.
Just like Telnet or SSH, we need to specify what hosts can connect to the ASA through the ASDM. Remember that the ASDM is accessed via a web interface, i.e., HTTPS, so we must first enable the HTTPS server.
From the above screenshot, you can see that I have enabled the HTTPS server and configured the ASA to allow the 192.168.10.0/24 subnet on the inside interface.
I can now open a web browser and navigate to https://<ASA IP address>/. In our case, it will be https://192.168.10.1/. You will probably get a certificate error because your computer does not recognize the ASA’s digital certificate.
As you can see, we can either run ASDM as a local application (ASDM launcher installed on our computer) or as a Java Web Start application. Let us first attempt to install the ASDM launcher because, once it is installed, we will not need to connect using a web browser anymore. You will understand why I said “attempt” as you read on.
When I clicked on the “Install ASDM Launcher” button, I got an authentication dialog box as shown below:
I left the default configuration of my ASA as it was, meaning that I did not configure username or password. By leaving the username and password fields empty and clicking on the OK button, the prompt disappeared and I was able to “Run” the installation file. *shrugs*
When the installation is done, the ASDM launcher opens and you can specify the IP address, username, and password settings.
Now is a good time to configure the username/password on the ASA. By default, the ASA will use its local database for authenticating HTTP connections, so we don’t need to explicitly specify that.
When I click on the “OK” button, I get an error: Unable to launch device manager from <ASA IP address>.
I did a search on this error and found that it has to do with my Java version, which is version 7, update 51. There are a couple of workarounds for this, including downgrading your Java version (ouch) or running ASDM via the Java Web Start through the web browser. You can view this thread for the complete details on fixing this error. In this article, we will just fall back to the Java Web Start.
Clicking that link will trigger a download that, when opened, will bring up the ASDM Launcher similar to the one we saw above but without the device IP address field.
After we specify the correct username and password, the ASDM launcher will get the updated software as shown below:
Once that is complete, we are presented with the ASDM interface for that ASA.
Now you can play around with ASDM! :) Remember to save your configuration.
In this article, we have seen how to enable the ASDM on an ASA device running in GNS3. Let us recap the steps again: Make sure the ASA can access the TFTP server; specify the ASDM image file directory on the TFTP server; copy the ASDM image from the TFTP server to the ASA using the copy tftp: flash: command; enable the ASDM image on the ASA; enable the HTTP server; configure allowed host(s); configure username and password; open browser to ASA’s IP address using HTTPS.
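The recap above as one ASA CLI session. This is an added example, not the author's original screenshots; the interface number (GigabitEthernet0), the image filename placeholder asdm-<version>.bin, and the admin/<password> credentials are assumptions, and the aaa line is an addition that the article does not configure.

```cisco
! Constructed session. Assumptions: GigabitEthernet0 is the interface
! facing the host, asdm-<version>.bin stands for your image filename,
! and "admin" / <password> are placeholder credentials.
enable
configure terminal
 interface GigabitEthernet0
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  no shutdown
 exit
exit
! Confirm the TFTP server (the host PC) is reachable
ping 192.168.10.10
! One-line form of the copy; the .bin extension is required
copy tftp://192.168.10.10/asdm-<version>.bin flash:
! Check the exact filename that landed in flash
show flash
configure terminal
 ! Tell the ASA which file in flash is the ASDM image
 asdm image flash:/asdm-<version>.bin
 ! ASDM is served over HTTPS by this server
 http server enable
 ! Only this subnet, arriving on the inside interface, may connect
 http 192.168.10.0 255.255.255.0 inside
 ! Local account used to log in to ASDM
 username admin password <password> privilege 15
 ! Not in the article: send ASDM logins to the local user database
 aaa authentication http console LOCAL
exit
! Verify the image in use, then save the configuration
show asdm image
write memory
```

Outside a lab, narrow the http statement to the management host alone, for example `http 192.168.10.10 255.255.255.255 inside`, so the HTTPS server is not reachable from the whole subnet.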
This article prepares the way for the ASDM series that will follow. I hope you have found this article helpful.
Cisco Security Appliance Command Line Configuration Guide, Version 7.2: Managing System Access: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/mgaccess.html#wp1047288
Unable to launch Device Manager – ASDM issue: https://supportforums.cisco.com/discussion/12077481/unable-launch-device-manager-asdm-issue