ASDM Cipher Settings?

I was just checking out the SSL settings on our 5515X and set TLSv1.2 to HIGH, and I was unable to connect to the ASA with ASDM after I committed that change.
ASDM just kept saying it couldn't launch, but looking at the logs on the ASA I saw the following:
Apr 08 2015 15:51:52: %ASA-6-725001: Starting SSL handshake with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 for TLS session
Apr 08 2015 15:51:52: %ASA-7-725010: Device supports the following 2 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 24 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[3] : AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[18] : DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-RC4-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[22] : ECDHE-RSA-RC4-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[23] : RC4-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[24] : RC4-MD5
Apr 08 2015 15:51:52: %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
So my ASA is running v9.3.2(200) and ASDM 7.3.1.
Why would ASDM on my computer (latest version 1.6(0)) not support these higher-encryption ciphers?
Is there something I can set on the client side to enable the better encryption?
When I connect with TLSv1.2 set to medium, this is what I see in the ASA log:
Apr 08 2015 16:10:41: %ASA-6-725001: Starting SSL handshake with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 for TLS session
Apr 08 2015 16:10:41: %ASA-7-725010: Device supports the following 9 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[5] : DHE-RSA-AES256-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[6] : AES256-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[7] : DHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[9] : DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 24 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[18] : DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-RC4-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[22] : ECDHE-RSA-RC4-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[23] : RC4-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[24] : RC4-MD5
Apr 08 2015 16:10:41: %ASA-7-725012: Device chooses cipher DHE-RSA-AES128-SHA256 for the SSL session with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443
Apr 08 2015 16:10:41: %ASA-6-725016: Device selects trust-point ASA-self-signed for client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443

These are the cipher suites my IE11 supports according to SSL Labs:
Cipher Suites (in order of preference): suite (id)  key bits  notes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  256 bits  Forward Secrecy
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)  256 bits  Forward Secrecy
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  128 bits  Forward Secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  256 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  128 bits
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)  128 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)  128 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  128 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  256 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  128 bits  Forward Secrecy
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  256 bits
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  128 bits
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  256 bits
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  128 bits
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)  256 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)  256 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)  256 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)  128 bits  Forward Secrecy
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a)  256 bits  Forward Secrecy²
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40)  128 bits  Forward Secrecy²
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)  256 bits  Forward Secrecy²
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)  128 bits  Forward Secrecy²
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  112 bits
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)  112 bits  Forward Secrecy²
And this is what Chrome returns:
Cipher Suites (in order of preference): suite (id)  key bits  notes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)  128 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  128 bits  Forward Secrecy
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  128 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)  256 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)  256 bits  Forward Secrecy
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)  256 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)  256 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  256 bits  Forward Secrecy
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)  256 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)  128 bits  Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  128 bits  Forward Secrecy
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)  128 bits  Forward Secrecy
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)  128 bits  WEAK
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  128 bits  WEAK
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  128 bits
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  256 bits
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  128 bits
TLS_RSA_WITH_RC4_128_SHA (0x5)  128 bits  WEAK
TLS_RSA_WITH_RC4_128_MD5 (0x4)  128 bits  WEAK
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  112 bits
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)
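The two handshakes above are a plain cipher-suite mismatch. With TLSv1.2 set to HIGH the ASA offers only its two AES-256 suites, and every AES suite in the client's 24-entry proposal is AES-128, so OpenSSL reports `no shared cipher`; at medium the ASA also offers AES-128 suites and picks the first suite in its own preference order that the client proposed (DHE-RSA-AES128-SHA256, the third in its list, ahead of AES128-SHA256 which the client ranked higher). The SSL Labs browser lists are not what is being compared here: the proposal the ASA logs comes from the Java runtime that launches ASDM, not from IE11 or Chrome (IE11's list even contains TLS_RSA_WITH_AES_256_CBC_SHA256, which is OpenSSL's AES256-SHA256), and Oracle JREs of that era shipped with the limited JCE policy that caps AES at 128 bits unless the Unlimited Strength Jurisdiction Policy Files are installed. The following script is an added example, not code from this thread or from Cisco: it parses the 725010/725008/725011/725012/725014 messages, predicts the negotiation result, and reports the AES key sizes each side offers. The embedded log is an abridged copy of the lines above (client proposal cut to four suites); the regexes also accept the `%ASA-ssl-7-725011` form shown in the "Can't connect to ASDM" thread below.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: the ASA syslog lines from this thread, with the client's
# 24-suite proposal cut down to four representative suites; addresses stay masked
# exactly as the original poster masked them.
LOG_HIGH = """\
Apr 08 2015 15:51:52: %ASA-7-725010: Device supports the following 2 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 4 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[4] : RC4-MD5
Apr 08 2015 15:51:52: %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""
LOG_MEDIUM = """\
Apr 08 2015 16:10:41: %ASA-7-725010: Device supports the following 9 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[5] : DHE-RSA-AES256-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[6] : AES256-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[7] : DHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[9] : DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 4 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : RC4-MD5
Apr 08 2015 16:10:41: %ASA-7-725012: Device chooses cipher DHE-RSA-AES128-SHA256 for the SSL session with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443
"""

# The message class is optional: this thread's release logs %ASA-7-725011, while the
# "Can't connect to ASDM" thread below shows the older %ASA-ssl-7-725011 form.
_ID = r"%ASA-(?:\w+-)?\d-"
SERVER_HDR = re.compile(_ID + r"725010: Device supports the following (\d+) cipher")
CLIENT_HDR = re.compile(_ID + r"725008: SSL client .* proposes the following (\d+) cipher")
CIPHER = re.compile(_ID + r"725011: Cipher\[\d+\] : (\S+)")
CHOSEN = re.compile(_ID + r"725012: Device chooses cipher (\S+)")
NO_SHARED = re.compile(_ID + r"725014: .*Reason: no shared cipher")
AES_BITS = re.compile(r"AES(\d+)")

@dataclass
class Handshake:
    server: List[str] = field(default_factory=list)  # suites the ASA offers (725010 + 725011)
    client: List[str] = field(default_factory=list)  # suites in the ClientHello (725008 + 725011)
    chosen: Optional[str] = None                      # suite named in a 725012 line, if any
    failed: bool = False                              # a 725014 "no shared cipher" was logged

def parse_handshake(log: str) -> Handshake:
    """Collect both sides' suite lists from the log lines of one handshake."""
    hs = Handshake()
    target: Optional[List[str]] = None  # list that subsequent 725011 lines belong to
    for line in log.splitlines():
        if SERVER_HDR.search(line):
            target = hs.server
        elif CLIENT_HDR.search(line):
            target = hs.client
        elif m := CIPHER.search(line):
            if target is None:
                raise ValueError("725011 line before any 725010/725008 header: " + line)
            target.append(m.group(1))
        elif m := CHOSEN.search(line):
            hs.chosen = m.group(1)
        elif NO_SHARED.search(line):
            hs.failed = True
    return hs

def negotiate(server: List[str], client: List[str], server_preference: bool = True) -> Optional[str]:
    """First suite both sides offer, walking the preferring side's list in order.
    The 725012 line in the thread matches the server-preference result."""
    first, second = (server, client) if server_preference else (client, server)
    other = set(second)
    return next((suite for suite in first if suite in other), None)

def aes_key_bits(suites: List[str]) -> Set[int]:
    """AES key sizes present in a list of OpenSSL-style suite names."""
    return {int(m.group(1)) for m in map(AES_BITS.search, suites) if m}

def explain(hs: Handshake) -> str:
    """One-line diagnosis that names the mismatch instead of just repeating the error."""
    predicted = negotiate(hs.server, hs.client)
    if predicted is None:
        return (f"no shared cipher: ASA offers {hs.server}; the client's {len(hs.client)} suites "
                f"use AES key sizes {sorted(aes_key_bits(hs.client)) or 'none'}")
    note = "" if hs.chosen == predicted else f" (log says {hs.chosen})"
    return f"shared cipher {predicted} by ASA preference{note}"

if __name__ == "__main__":
    for label, log in (("TLSv1.2 HIGH", LOG_HIGH), ("TLSv1.2 MEDIUM", LOG_MEDIUM)):
        print(f"{label}: {explain(parse_handshake(log))}")
```

Run it against a full `debug`-level capture of one handshake (the 725010 header through the 725012 or 725014 line). `negotiate(..., server_preference=False)` shows what a client-preference server would have picked, which is how you confirm from a 725012 line that the ASA honours its own order.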

Similar Messages

  • Unable to Decrypt the data properly using javax.crypto class and SunJCE

    Hello all,
    I am not new to Java but I am new to these forums and to JCE, and I wanted to write a program that encrypts a file and another program that decrypts it. As far as encryption is concerned I have been successful, but when it comes to decryption things aren't looking bright; I have some problem or other with it. Please help me out.
    Here is the code for my programs.
    Encryption
    Code:
    import java.io.*;
    import javax.crypto.*;
    import javax.crypto.spec.SecretKeySpec;
    import java.security.*;
    import javax.swing.*;

    class MyJCE {
        public static void main(String args[]) throws Exception {
            Provider sunjce = new com.sun.crypto.provider.SunJCE();
            Security.addProvider(sunjce);
            JFileChooser jfc = new JFileChooser();
            int selection = jfc.showOpenDialog(null);
            if (selection == JFileChooser.APPROVE_OPTION) {
                FileInputStream fis = new FileInputStream(jfc.getSelectedFile());
                System.out.println("Selected file " + jfc.getSelectedFile());
                try {
                    KeyGenerator kg = KeyGenerator.getInstance("DESede");
                    SecretKey key = kg.generateKey();
                    byte[] mkey = key.getEncoded();
                    System.out.println(key);
                    SecretKeySpec skey = new SecretKeySpec(mkey, "DESede");
                    Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
                    cipher.init(Cipher.ENCRYPT_MODE, skey);
                    byte[] data = new byte[fis.available()];
                    // reading the file into data byte array
                    // (nothing here actually reads fis into data, so data stays all zeros)
                    byte[] result = cipher.update(data);
                    // fis.read(result) overwrites result with the file contents and returns the
                    // byte count, so enc is a zero-filled array of that length
                    byte[] enc = new byte[fis.read(result)];
                    System.out.println("Encrypted =" + result);
                    File fi = new File("/home/srikar/Encrypted");
                    FileOutputStream fos = new FileOutputStream(fi);
                    fos.write(enc);
                    fos.close();
                    byte[] encodedSpeckey = skey.getEncoded();
                    FileOutputStream ks = new FileOutputStream("./key.txt");
                    ks.write(encodedSpeckey);
                    System.out.println("Key written to a file");
                } // try
                catch (Exception ex) {
                    ex.printStackTrace();
                } // catch
            } // if
        } // main
    } // class
    This creates an Encrypted file and an Encrypted key.txt.
    Code:
    import java.io.*;
    import javax.crypto.*;
    import javax.crypto.spec.SecretKeySpec;
    import java.security.*;
    import javax.swing.*;

    class Decrypt {
        public static void main(String[] args) {
            try {
                JFileChooser jfc = new JFileChooser();
                int selection = jfc.showOpenDialog(null);
                if (selection == JFileChooser.APPROVE_OPTION) {
                    FileInputStream fis = new FileInputStream(jfc.getSelectedFile());
                    System.out.println("Selected file " + jfc.getSelectedFile());
                    // Read from the Encrypted Data
                    int ll = (int) jfc.getSelectedFile().length();
                    byte[] buffer = new byte[ll];
                    int bytesRead = fis.read(buffer);
                    byte[] data = new byte[bytesRead];
                    System.arraycopy(buffer, 0, data, 0, bytesRead);
                    // Read the Cipher Settings (the raw key bytes; buffer is reused)
                    FileInputStream rkey = new FileInputStream("./key.txt");
                    bytesRead = rkey.read(buffer);
                    byte[] encodedKeySpec = new byte[bytesRead];
                    System.arraycopy(buffer, 0, encodedKeySpec, 0, bytesRead);
                    // Recreate the Secret Symmetric Key
                    SecretKeySpec skeySpec = new SecretKeySpec(encodedKeySpec, "DESede");
                    // create the cipher for Decrypting
                    Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
                    cipher.init(Cipher.DECRYPT_MODE, skeySpec);
                    byte[] decrypted = cipher.update(data);
                    FileOutputStream fos = new FileOutputStream("/home/srikar/Decrypted");
                    fos.write(decrypted);
                } // if
            } // try
            catch (Exception e) {
                e.printStackTrace();
            } // catch
        } // main
    } // class
    This Decrypt.java is expected to decrypt the above encrypted file, but it simply creates a plaintext file of the same size as the Encrypted file whose contents are unreadable.
    Or I end up with exceptions like BadPadding or IllegalBlockSize if I use any other algorithm.
    Please help out.
    Thanks in advance

    Srikar2871 wrote:
        Well thanks for your reply but
        As I said there are No issues with ENCRYPTION and I am getting an Encrypted file exactly of the same size as that of the original file and NOT as null bytes, and even I am able to get a Decrypted file of again the same size as the Encrypted File, but this time the data inside is in an unreadable format.
    I ran your code EXACTLY* as posted and the contents of the file when viewed in a Hex editor was
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    So unless you are running different code to what you have posted, your file will look the same.
    Cheers,
    Shane

  • SSL/TLS ciphers of an SMA (M-series) appliance

    So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling me that I must download the config file from SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
    If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work on an SMA appliance? I think I might be interested in the cipher set
    MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. As a default, those SSL ciphers are set as:
      <ssl>
        <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
        <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
        <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
        <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
        <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
        <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
      </ssl>
    After fixing a locally downloaded config file and loading it back to SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.
    Testing a SMA spam quarantine https service with Qualys Inc. SSL labs test service opened my eyes on this case:
    https://www.ssllabs.com/ssltest/analyze.html

    I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
    []> FIPS:-aNULL
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    -Robert
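The cipher strings in this thread, the `RC4-SHA:RC4-MD5:ALL` default and the planned `MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH`, are OpenSSL cipher-list syntax, so the expansion that `sslconfig > verify` prints can be previewed on any workstation with OpenSSL before the edited configuration is uploaded. The following script is an added example, not code from this thread or from Cisco; it expands a string through the local OpenSSL via Python's `ssl` module, prints each suite in the same `Kx=... Au=... Enc=... Mac=...` form as the verify output, confirms that `-aNULL` removed every unauthenticated suite and that `@STRENGTH` ordered the result, and flags legacy suites. The local OpenSSL build is almost certainly newer than the one on an AsyncOS 8.x appliance (it will have dropped RC4 and may apply a security level), so treat the result as a syntax and intent check and the appliance's own verify output as the final word.

```python
import ssl
from typing import Dict, List

# Cipher strings quoted in the thread above (OpenSSL cipher-list syntax).
DEFAULT_CIPHERS = "RC4-SHA:RC4-MD5:ALL"                  # appliance default per the poster
PLANNED_CIPHERS = "MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"  # the set the poster is considering

# Name fragments that mark suites a current assessment (such as the SSL Labs test
# the poster ran) reports as weak or obsolete. "DES" also catches 3DES (DES-CBC3-SHA).
LEGACY_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP")

def expand(cipher_string: str) -> List[Dict]:
    """Expand an OpenSSL cipher string into the TLS 1.2-and-earlier suites it selects,
    in negotiation order. TLS 1.3 suites are filtered out: OpenSSL configures them
    separately and they did not exist on the AsyncOS releases discussed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string selects nothing
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def legacy_suites(suites: List[Dict]) -> List[str]:
    """Names of suites in the list that carry a legacy marker."""
    return [c["name"] for c in suites
            if any(marker in c["name"] for marker in LEGACY_MARKERS)]

def anonymous_suites(suites: List[Dict]) -> List[str]:
    """Suites with no server authentication, which is what -aNULL is meant to remove."""
    return [c["name"] for c in suites if "Au=None" in c["description"]]

def sorted_by_strength(suites: List[Dict]) -> bool:
    """True when the list is in non-increasing key-strength order, the effect of @STRENGTH."""
    bits = [c["strength_bits"] for c in suites]
    return all(a >= b for a, b in zip(bits, bits[1:]))

def verify_report(cipher_string: str) -> str:
    """Text report in the spirit of the appliance's `sslconfig > verify` output."""
    suites = expand(cipher_string)
    lines = [f"[]> {cipher_string}"]
    lines += ["  " + c["description"].strip() for c in suites]
    lines.append(f"  {len(suites)} suites; legacy: {legacy_suites(suites) or 'none'}; "
                 f"anonymous: {anonymous_suites(suites) or 'none'}; "
                 f"strength-ordered: {sorted_by_strength(suites)}")
    return "\n".join(lines)

if __name__ == "__main__":
    for cipher_string in (DEFAULT_CIPHERS, PLANNED_CIPHERS):
        print(verify_report(cipher_string))
        print()
```

The default string is instructive in its own right: `ALL` excludes only eNULL, so on an OpenSSL build that still has them it admits anonymous DH suites and every RC4 and 3DES suite, which is exactly what a scanner grades down; the planned string's `-aNULL` and `@STRENGTH` are what fix that.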

  • WPA2 on 1220-B with MS IAS (2003 server)

    All -
    I have a Win2003 server running IAS. I have a 1220-B AP running 12.3(8)JA2.
    I am trying to create two VLANs/SSIDs; one for guest mode - fully open without encryption, and one for secure mode WPA2.
    The two segments will be firewalled using an ASA-5510.
    I have followed the guidelines provided in the WPA2 sample configuration (though AES is not available to me in the encryption cipher settings - only TKIP) and in the guide on using VLANs on wireless access points.
    However - the clients (Intel Pro Set 3945 ABG running 10.1.0.3 client) are not able to associate to the secured segment as expected - even when using the AP's local radius server (to eliminate IAS as a source of problems).
    Anyone have any suggestions - or known working configs they would care to share?

    Scott -
    The radio units for use in production include the G radio module. The test environment does not (my bad!). I'll have to see about taking one of the upgraded units out of production to further test WPA2. This concerns me though because we have a cache of 350 PCMCIA adapters - and this suggests that they will never be able to do WPA2 because they cannot associate as G devices. I've got to come up with a workable solution for basic B devices (both Cisco and non) and our newer A/B/G devices.
    I've used both the ProSet Utilities and WZC to attempt this on the test environment laptop.
    Authentication will be testing/proven in two sequences.
    The first sequence for authentication will be against the AP's local user database using LEAP.
    The second sequence (and ultimately final) will require authentication against the Win2003 IAS AD domain due to multiple APs in the production environment, likely using PEAP.
    If I can successfully go directly to the second sequence, that would be nice, but I'm concerned about the simplicity of troubleshooting - in the event something is wrong with the IAS configuration.
    For the record, I'm a router/switch head - with only moderate skills with wireless, and virtually no experience with Win 2003 Server. I may need some hand-holding.

  • Going from 128-bit to 256-bit encryption

    Hello all,
    This is my first post here so please be gentle.
    I'm a tech manager who inherited an undocumented environment and have a question regarding upgrading the encryption on our 6.1 iPlanet instances from 128-bit to 256-bit.
    I've searched through the documentation and I can't seem to get a clear answer.
    1. To upgrade to 256-bit do I just need to update the following line in my obj.conf file:
    PathCheck fn="ssl-check" secret-keysize="128"
    to
    PathCheck fn="ssl-check" secret-keysize="256"
    2. Are there any dependencies for making this change such as generating a new SSL cert?
    Thanks in advance - Bill

    Here is some documentation about ssl-check :
    http://docs.sun.com/app/docs/doc/820-2203/abujv?l=en&a=view&q=ssl-check
    The ssl-check function is used along with a Client tag to limit
    access of certain directories to non-exportable browsers. If a
    restriction is selected that is not consistent with the current cipher
    settings, this function displays a warning that ciphers with larger
    secretkeysizes must be enabled.
    secret-keysize (Optional) Minimum number of bits required in the secret key.
    Which version of 6.1 Server are you using?
    $cd <web-server-install-dir>/<web-server-instance-dir>/
    $start -version
    Can you send your server.xml settings?
    Assuming your machine is foo.bar.test.com
    $cd alias
    $../bin/https/admin/bin/certutil -L -d . -p https-foo.bar.test.com-foo-
    This displays the server's certificate nickname; let's say it is Server-Cert.
    Then try to get the certificate details in ascii format
    $../bin/https/admin/bin/certutil -n Server-Cert -p https-foo.bar.test.com-foo-
    It will show something like :
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: .... (0x...)
            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
            Issuer: "CN=..."
            Validity:
                Not Before: .... 2008
                Not After : .... 2018
            Subject: "CN=..."
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        bd:10:c2:e0:bc:ad:fd:e6:75:ce:86:82:51:de:bf:37:
                        51:05:06:89:db:c2:6d:0c:31:f4:19:32:90:59:77:c1:
                        a0:6c:ef:88:54:ed:f8:d3:d2:6a:f7:22:f4:c6:95:60:
                        06:3a:64:f3:e4:0c:09:f4:37:c6:44:e7:d4:37:5a:4d
                    Exponent: 65537 (0x10001)
    ...
    Each line in the Modulus section corresponds to 128 bits. In my case I have 4 lines, so my certificate's key size is 4*128 = 512 bits.
    Can you send your modulus info, i.e. the key size with which your certificates were created?
    Edited by: mv on Feb 8, 2008 9:28 AM

  • ASDM IKE Phase 2 settings

    Hi. 
    I'm setting up the remote site side of a vpn and can only find the IKE Phase 1 settings in ASDM.  Can someone tell me where I can find the phase 2 settings?  Thanks.

    Which ASDM version are you using? If you are using 6.4 or above, you can use the link below to configure it:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml#hq-asa
    If you have an older version of ASDM you can use the link below:
    http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/sitvpn_p.html

  • Can't connect to ASDM

    Hi.
    I can't connect to ASDM. The ASA closes the connection because the browser doesn't support SSL with DES-CBC-SHA:
    <167>:Nov 16 15:52:41 GST: %ASA-session-7-609001: Built local-host inside:10.1.11.77
    <167>:Nov 16 15:52:41 GST: %ASA-session-7-609001: Built local-host identity:10.1.11.10
    <166>:Nov 16 15:52:41 GST: %ASA-session-6-302013: Built inbound TCP connection 59 for inside:10.1.11.77/1257 (10.1.11.77/1257) to identity:10.1.11.10/443 (10.1.11.10/443)
    <166>:Nov 16 15:52:41 GST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.1.11.77/1257 for TLSv1 session.
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725010: Device supports the following 1 cipher(s).
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725008: SSL client inside:10.1.11.77/1257 proposes the following 11 cipher(s).
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[2] : DHE-DSS-AES256-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[3] : AES256-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[6] : RC4-MD5
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[7] : RC4-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[8] : AES128-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[11] : DES-CBC3-SHA
    <167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
    <166>:Nov 16 15:52:41 GST: %ASA-session-6-302014: Teardown TCP connection 59 for inside:10.1.11.77/1257 to identity:10.1.11.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
    <167>:Nov 16 15:52:41 GST: %ASA-session-7-609002: Teardown local-host inside:10.1.11.77 duration 0:00:00
    <167>:Nov 16 15:52:41 GST: %ASA-session-7-609002: Teardown local-host identity:10.1.11.10 duration 0:00:00
    On https://supportforums.cisco.com/docs/DOC-15016 it is written that I must install the 3DES/AES license. But that is impossible for me because of the law.
    How can I use ASDM without strong encryption?

    If you are unable to upgrade your ASA to 3DES/AES license, then you must downgrade your browser (or its settings).
    I don't have a weak key ASA to test against, but I believe if you go into the advanced settings of your browser and DESELECT SSL 3.0 (and possibly 2.0 and TLS as well) that your client will then accept the low security SSL settings offered by your ASA.
    Here is a listing of typical locations for those settings on browsers:
    http://www2.westlaw.com/CustomerSupport/KnowledgeBase/Technical/WestlawCreditCard/WebHelp/Browser_Security_Requirements.htm
    Change these settings with care and take into account changing them back for other uses.

  • Unable to access ASDM on 5505

    I'm new to the forum/discussions so forgive me if this is already posted. I read through several other posts and have followed the troubleshooting procedures in them, but I still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52 which shows compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. FW is passing traffic and everything else works just fine. Please advise. Thank you.
    JEREMY-ASA# show ver
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 7.1(1)52
    JEREMY-ASA# show run asdm
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    JEREMY-ASA# show run http
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    JEREMY-ASA# show run
    : Saved
    ASA Version 8.2(1)
    hostname JEREMY-ASA
    enable password OMIT encrypted
    passwd OMIT encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 134.121.11.153 255.255.248.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec
    OMIT BANNER STATEMENTS
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit intra-interface
    access-list outside_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging asdm-buffer-size 250
    logging trap informational
    logging asdm informational
    logging device-id ipaddress outside
    logging host outside OMIT
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip audit attack action drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.1.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 134.121.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 10
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server OMIT
    ssl encryption des-sha1
    webvpn
    username OMIT password OMIT encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    crashinfo console disable
    Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21
    : end

    It's most likely the string:
         ssl encryption des-sha1
    That weak cipher is not compatible with most modern browsers and current releases of Java, which ASDM depends on. Try adding a strong cipher, e.g.:
         ssl encryption des-sha1 aes256-sha1
    Make sure you have 3DES-AES activation first ("show version" or "show activation-key" will confirm that feature license is active).

  • ASA 5505 ASDM username / password

    Hello everyone,
    I completed the PIX 515 to ASA 5505 migration today with no problems - ok one problem with the logon for ASDM.
    I'm trying no username and password - then using username and password from the 515 Pix with no success.
    Anyone know how to reset the username and password for the ASDM GUI website?
    Thank you

    Ummm,
    Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system.

  • Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues

    Hey all,
    I am really new to Cisco and am trying to get this Cisco ASA 5505 that I bought recently configured properly.
    Things I have successfully been able to do:
    1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
    2. Create static routes to point to all of my VLANs that are currently being routed through my layer 3 SG-300
    3. Install and run ASDM 7.3(2)
    4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses, so I configured my device with NAT and put in the range of the first usable IP addresses outside of the one I configured for the directly connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
    The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy. 
    http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
    Attached is a copy of my running-config and version. Any help with this would be greatly appreciated. 

    Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
    So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
    I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well.
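    The configuration the reply describes, written out as an added example (it is not the poster's running-config and not from the linked tutorial). It uses the ASA 8.3+/9.x object NAT syntax that applies to the 9.2(1) image in the thread title, keeps the thread's anonymized addressing (inside gateway 10.10.1.1, ASA inside 10.10.1.2, public range 10.24.56.99-102), and assumes the Exchange host address 10.10.12.25, the interface names inside/outside, and that the inside VLAN on the 5505 is VLAN 1; those are placeholders, not values from the post.

```cisco
! Added example, not the poster's config. Assumed: Exchange host 10.10.12.25,
! interface names inside/outside, inside VLAN 1 on the 5505.

! Per the reply: Ethernet0/1 is a plain access port into the inside VLAN, because
! the ASA has no SVIs for the internal subnets and routes to them via the SG-300.
interface Ethernet0/1
 switchport mode access
 switchport access vlan 1

! Reach the server subnet through the internal gateway, not through a trunk.
route inside 10.10.12.0 255.255.255.0 10.10.1.1 1

! One-to-one static NAT: the public .99 address maps to the Exchange host.
object network OBJ-EXCHANGE
 host 10.10.12.25
 nat (inside,outside) static 10.24.56.99

! In 8.3+/9.x the inbound ACL references the real (inside) address, not the
! mapped one. Admit only the mail-related ports instead of "permit ip any".
access-list OUTSIDE-IN extended permit tcp any object OBJ-EXCHANGE eq smtp
access-list OUTSIDE-IN extended permit tcp any object OBJ-EXCHANGE eq https
access-group OUTSIDE-IN in interface outside

! Verification: the translation should be listed, and a simulated inbound
! connection to the public address on 443 should end with Action: allow.
! (198.51.100.10 is a documentation-range placeholder for an Internet client.)
show nat
show route
packet-tracer input outside tcp 198.51.100.10 12345 10.24.56.99 443
```

If packet-tracer stops at the ROUTE-LOOKUP or NAT phase, the route toward 10.10.12.0/24 or the object NAT is the first thing to recheck; if it stops at ACCESS-LIST, the ACL is still written against the public address, which is the most common leftover from pre-8.3 tutorials.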

  • ASDM will no longer load configuration

    Hi Everyone,
    I have an issue with an ASDM that will no longer pull the configuration. Originally I couldn't even log in via CLI, but after consoling in I was able to restart SSH and HTTP services and that seemed to work for being able to log in. However I'm stuck with ASDM not being able to pull the configuration from the device. It gets about 52% of the way and then stops. Here is the sh ver for starters:
    (scrubbed)# sh ver
    Cisco Adaptive Security Appliance Software Version 8.4(1) 
    Device Manager Version 6.4(7)
    Compiled on Mon 31-Jan-11 02:11 by builders
    System image file is "disk0:/asa841-k8.bin"
    Config file at boot was "startup-config"
    (scrubbed) up 247 days 0 hours
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00 
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
     0: Ext: GigabitEthernet0/0  : address is 0023.044b.6484, irq 9
     1: Ext: GigabitEthernet0/1  : address is 0023.044b.6485, irq 9
     2: Ext: GigabitEthernet0/2  : address is 0023.044b.6486, irq 9
     3: Ext: GigabitEthernet0/3  : address is 0023.044b.6487, irq 9
     4: Ext: Management0/0       : address is 0023.044b.6483, irq 11
     5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
     6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 150            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 50             perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 750            perpetual
    Total VPN Peers                   : 750            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Enabled        perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: (scrubbed)
    Running Permanent Activation Key:  (scrubbed)
    Configuration register is 0x1
    Configuration last modified by enable_15 at 17:54:32.790 time Thu Feb 19 2015

    Go to Control Panel > Add or Remove Programs (Win XP) or Programs and Features (later)
    Remove all of these items in the following order:
    iTunes
    Apple Software Update
    Apple Mobile Device Support (if this won't uninstall move on to the next item)
    Bonjour
    Apple Application Support
    Reboot, download iTunes, then reinstall, either using an account with administrative rights, or right-clicking the downloaded installer and selecting Run as Administrator.
    The uninstall and reinstall process will preserve your iTunes library and settings, but ideally you would back up the library and your other important personal documents and data on a regular basis. See this user tip for a suggested technique.
    Please note:
    Some users may need to follow all the steps in whichever of the following support documents applies to their system. These include some additional manual file and folder deletions not mentioned above.
    HT1925: Removing and Reinstalling iTunes for Windows XP
    HT1923: Removing and reinstalling iTunes for Windows Vista, Windows 7, or Windows 8
    tt2

  • "Anyconnect client profile" option missing in ASDM

    Hello,
    I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
    It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
    I don't have either of those options in ASDM. Here's what mine shows:
    I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
    Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

    Thanks for the response Marvin,
    It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
    Result of the command: "sh version"
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Result of the command: "sh act | i Ess"
    AnyConnect Essentials        : Enabled 
    I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.

  • With this latest update (on 4/10/15) I am unable to access a secured work website due to the TLS. How do I revert back to the previous settings?

    I need to revert the security settings back to the way they were BEFORE the update because now I am unable to access my secured work website (that I was on yesterday) to actually do work. When I attempt to go to my log-in page I get the following message:
    Secure Connection Failed
    The connection to corect.ct.gov:10000 was interrupted while the page was loading.
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
    It doesn't even give me the option to allow the site (it is my computer after all, it should be my choice). I NEED TO GET TO THIS WEBSITE.

    The website may try to fallback to TLS 1.0 in a way that is no longer allowed in current releases or may be using a deprecated cipher suite.
    You can open the about:config page via the location/address bar and use its search bar to locate this pref:
    *security.tls.insecure_fallback_hosts
    You can double-click the line to modify the pref and add the domain (corect.ct.gov) to this pref.
    If there are already websites (domains) in this list then add a comma and the new domain (no spaces).
    You should only see domains separated by a comma in the value column.
    *https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#Security
    *https://developer.mozilla.org/en-US/Firefox/Releases/37/Site_Compatibility#Security

  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question:     How can I force ASDM to ask for the enable password when the user clicks on Apply?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
    A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI:     perfect
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 15 directly
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
    So OK for CLI, but NOK for ASDM
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI:     lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM
    Question:    Why do I have more access rights with ASDM than on the CLI with the same settings?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     lose enable access (same as config 2)
         On ASDM:     unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
    So NOK for CLI and Acceptable for ASDM
    Question:     Is there no possibility to move to enable mode on ASDM?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
         On ASDM:     unable to gain privilege level 15 --> acceptable (same as config 3)
    So Acceptable for CLI and ASDM
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
    2 - Why do I have different access rights using ASDM than on the CLI with the same settings?
    3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15?
    4 - How should I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level?
    Thanks for your help.

    Thanks for your answer jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with password enforcement policy
         --> I'm using CS ACS v5.1 appliance with local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14. I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
    ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I applied this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I remove "aaa authorization enable console TACACS" to use local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI entering the local enable password
    At the end, I satisfy my security policy items A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
    Thanks

  • ASA5505 Loading a template config doesn't allow me to connect via ASDM & SSH

    Hi All,
    I have built a base template for the ASA5505. I log in via the ASDM and back up the configuration. Once I have backed it up and got the next customer, I configure the ASA so I can gain ASDM access, then reload the config using "Merge".
    I then have sent this out with the engineer; we have plugged it all in and I'm unable to log in to the device via ASDM or SSH. I get to the login but it's as if it doesn't accept the username and password.
    Does anybody have any ideas?
    Thanks
    Nathan

    Just to add more detail, DNS settings are fine for both PTR (numeric / reverse) or A/CNAME (address) record lookups. All resolve perfectly fine and confirmed against another system which is working fine (sadly not running Snow Leopard).
    On my MBP running Snow Leopard with the 'Network Diagnostics' application running, the "Internet" connection shows "up" (green) for 2 seconds, then "down" (red) for 4 seconds and cycling continuously between these two states. The application itself fails to complete the test, constantly alerting of "Network Change Detected" suggesting the network configuration has changed.
    Being a UNIX systems engineer, I thought running a dtrace on both the 'Network Diagnostic' app and Safari would show up something but sadly highlighted nothing (I'm assuming Apple have disabled dtrace's ability to snoop system calls from these apps and others for whatever reason). I also wondered if the network interface (en0) was changing whilst the state is toggling between failed and passed in the 'Network Diagnostic' app but ifconfig constantly shows the interface in an "UP" state... I just did an unscientific "while true; do ifconfig en0 | grep mtu ; sleep 1 ; done" to display the interface state in a Terminal window on a regular basis.
    I think the biggest irony is, it all works fine when browsing to the www.apple.com website - it's never "Safari can't find the server" on me yet! Ah well, I'll have another look at this tomorrow if I get time
