ASDM Cipher Settings?
I was just checking out the SSL settings on our 5515X and set the TLSv1.2 to HIGH....and I was unable to connect to the ASA with ASDM after I committed that change.
ASDM just kept saying it couldn't launch....but looking at the logs in the ASA I saw the following:
Apr 08 2015 15:51:52: %ASA-6-725001: Starting SSL handshake with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 for TLS session
Apr 08 2015 15:51:52: %ASA-7-725010: Device supports the following 2 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 24 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[3] : AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[18] : DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-RC4-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[22] : ECDHE-RSA-RC4-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[23] : RC4-SHA
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[24] : RC4-MD5
Apr 08 2015 15:51:52: %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
So my ASA is running v9.3.2(200) and ASDM 7.3.1
Why would ASDM on my computer (latest version 1.6(0)) not support these higher encryption ciphers?
Is there something I can set on my client side to enable the better encryption?
When I connect with TLSv1.2 set to medium....this is what I see in the ASA log:
Apr 08 2015 16:10:41: %ASA-6-725001: Starting SSL handshake with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 for TLS session
Apr 08 2015 16:10:41: %ASA-7-725010: Device supports the following 9 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[5] : DHE-RSA-AES256-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[6] : AES256-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[7] : DHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[9] : DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 24 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[18] : DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-RC4-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[22] : ECDHE-RSA-RC4-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[23] : RC4-SHA
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[24] : RC4-MD5
Apr 08 2015 16:10:41: %ASA-7-725012: Device chooses cipher DHE-RSA-AES128-SHA256 for the SSL session with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443
Apr 08 2015 16:10:41: %ASA-6-725016: Device selects trust-point ASA-self-signed for client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443
This is my IE11 Supported Cipher Suites according to SSLLABS:
Cipher Suites (in order of preference; the number at the end of each line is the key strength in bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a) Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40) Forward Secrecy 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) Forward Secrecy 112
And this is what Chrome returns:
Cipher Suites (in order of preference; the number at the end of each line is the key strength in bits)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13) Forward Secrecy 256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) WEAK 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)
Similar Messages
-
Unable to Decrypt the data properly using javax.crypto class and SunJCE
Hello all,
I am not new to Java but new to this forum and to JCE, and I wanted to write a program that encrypts a file and another program that decrypts it. As far as encryption is concerned I have been successful, but when it comes to decryption things aren't looking bright; I have some problem or other with it. Please help me out.
Here is the Code for my Programs
Encryption
Code:
import java.io.*;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
import java.security.*;
import javax.swing.*;

class MyJCE {
    public static void main(String args[]) throws Exception {
        Provider sunjce = new com.sun.crypto.provider.SunJCE();
        Security.addProvider(sunjce);
        JFileChooser jfc = new JFileChooser();
        int selection = jfc.showOpenDialog(null);
        if (selection == JFileChooser.APPROVE_OPTION) {
            FileInputStream fis = new FileInputStream(jfc.getSelectedFile());
            System.out.println("Selected file " + jfc.getSelectedFile());
            try {
                KeyGenerator kg = KeyGenerator.getInstance("DESede");
                SecretKey key = kg.generateKey();
                byte[] mkey = key.getEncoded();
                System.out.println(key);
                SecretKeySpec skey = new SecretKeySpec(mkey, "DESede");
                // NoPadding: update() only returns whole 8-byte blocks, and doFinal() is never called
                Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
                cipher.init(Cipher.ENCRYPT_MODE, skey);
                byte[] data = new byte[fis.available()];
                //reading the file into data byte array
                // (no read() call follows, so data is still all zero bytes when it is encrypted)
                byte[] result = cipher.update(data);
                // reads the file into result (overwriting the ciphertext) and allocates enc as a
                // zero-filled array of the number of bytes read
                byte[] enc = new byte[fis.read(result)];
                System.out.println("Encrypted =" + result);
                File fi = new File("/home/srikar/Encrypted");
                FileOutputStream fos = new FileOutputStream(fi);
                fos.write(enc); // writes the zero-filled array, not the ciphertext
                fos.close();
                byte[] encodedSpeckey = skey.getEncoded();
                FileOutputStream ks = new FileOutputStream("./key.txt");
                ks.write(encodedSpeckey);
                System.out.println("Key written to a file");
            } //try
            catch (Exception ex) {
                ex.printStackTrace();
            } //catch
        } //if
    } //main
} //class
This creates an Encrypted file and an Encrypted key.txt.
Code:
import java.io.*;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
import java.security.*;
import javax.swing.*;

class Decrypt {
    public static void main(String[] args) {
        try {
            JFileChooser jfc = new JFileChooser();
            int selection = jfc.showOpenDialog(null);
            if (selection == JFileChooser.APPROVE_OPTION) {
                FileInputStream fis = new FileInputStream(jfc.getSelectedFile());
                System.out.println("Selected file " + jfc.getSelectedFile());
                //Read from the Encrypted Data
                int ll = (int) jfc.getSelectedFile().length();
                byte[] buffer = new byte[ll];
                int bytesRead = fis.read(buffer);
                byte[] data = new byte[bytesRead];
                System.arraycopy(buffer, 0, data, 0, bytesRead);
                //Read the Cipher Settings (the raw DESede key bytes that MyJCE wrote to key.txt)
                FileInputStream rkey = new FileInputStream("./key.txt");
                bytesRead = rkey.read(buffer); // reuses the file-sized buffer, so at most ll bytes of key are read
                byte[] encodedKeySpec = new byte[bytesRead];
                System.arraycopy(buffer, 0, encodedKeySpec, 0, bytesRead);
                //Recreate the Secret Symmetric Key
                SecretKeySpec skeySpec = new SecretKeySpec(encodedKeySpec, "DESede");
                //create the cipher for Decrypting
                Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
                cipher.init(Cipher.DECRYPT_MODE, skeySpec);
                // update() returns only whole 8-byte blocks; doFinal() is never called
                byte[] decrypted = cipher.update(data);
                FileOutputStream fos = new FileOutputStream("/home/srikar/Decrypted");
                fos.write(decrypted);
            } //if
        } //try
        catch (Exception e) {
            e.printStackTrace();
        } //catch
    } //main
} //class
This Decrypt.java is expected to decrypt the above encrypted file, but it simply creates a plaintext file of the same size as the Encrypted file whose contents are unreadable.
Or I end up with exceptions like BadPaddingException or IllegalBlockSizeException if I use any other algorithm.
Please help out
Thanx in advance
Srikar2871 wrote:
Well thanx for ur reply but
As I said there are no issues with ENCRYPTION and I am getting an Encrypted file exactly of the same size as that of the original file and NOT as null bytes, and I am even able to get a Decrypted file of again the same size as the Encrypted file, but this time the data inside is in an unreadable format.
I ran your code EXACTLY* as posted and the contents of the file when viewed in a Hex editor was
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
So unless you are running different code to what you have posted, your file will look the same.
Cheers,
Shane -
SSL/TLS ciphers of an SMA (M-series) appliance
So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling me that I must download the config file from SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work in an SMA appliance? I think I might be interested in the cipher set
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? I am not interested in STARTTLS SMTP ciphers at this point. As a default, those SSL ciphers are set as:
<ssl>
<ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
<ssl_gui_method>sslv3tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
</ssl>
After fixing a locally downloaded config file and loading it back to SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.
Testing an SMA spam quarantine https service with the Qualys Inc. SSL Labs test service opened my eyes on this case:
https://www.ssllabs.com/ssltest/analyze.html
I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
[]> FIPS:-aNULL
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
-Robert -
WPA2 on 1220-B with MS IAS (2003 server)
All -
I have a Win2003 server running IAS. I have a 1220-B AP running 12.3(8)JA2.
I am trying to create two VLANs/SSIDs; one for guest mode - fully open without encryption, and one for secure mode WPA2.
The two segments will be firewalled using an ASA-5510.
I have followed the guidelines provided in the WPA2 sample configuration (though AES is not available to me in the encryption Cipher settings - only TKIP), and the using VLANs on wireless access points.
However - the clients (Intel Pro Set 3945 ABG running 10.1.0.3 client) are not able to associate to the secured segment as expected - even when using the AP's local radius server (to eliminate IAS as a source of problems).
Anyone have any suggestions - or known working configs they would care to share?
Scott -
The radio units for use in production include the G radio module. The test environment does not (my bad!). I'll have to see about taking one of the upgraded units out of production to further test WPA2. This concerns me though because we have a cache of 350 PCMCIA adapters - and this suggests that they will never be able to do WPA2 because they cannot associate as G devices. I've got to come up with a workable solution for basic B devices (both Cisco and non) and our newer A/B/G devices.
I've used both the ProSet Utilities and WZC to attempt this on the test environment laptop.
Authentication will be testing/proven in two sequences.
The first sequence for authentication will be against the AP's local user database using LEAP.
The second sequence (and ultimately final) will require authentication against the Win2003 IAS AD domain due to multiple APs in the production environment, likely using PEAP.
If I can successfully go directly to the second sequence, that would be nice, but I'm concerned about the simplicity of troubleshooting - in the event something is wrong with the IAS configuration.
For the record, I'm a router/switch head - with only moderate skills with wireless, and virtually no experience with Win 2003 Server. I may need some hand-holding. -
Going from 128-bit to 256-bit encryption
Hello all,
This is my first post here so please be gentle.
I'm a tech manager who inherited an undocumented environment and have a question regarding upgrading the encryption on our 6.1 iPlanet instances from 128-bit to 256-bit.
I've searched through the documentation and I can't seem to get a clear answer.
1. To upgrade to 256-bit do I just need to update the following line in my obj.conf file:
PathCheck fn="ssl-check" secret-keysize="128"
to
PathCheck fn="ssl-check" secret-keysize="256"
2. Are there any dependencies for making this change such as generating a new SSL cert?
Thanks in advance - Bill
Here is some documentation about ssl-check:
http://docs.sun.com/app/docs/doc/820-2203/abujv?l=en&a=view&q=ssl-check
The ssl-check function is used along with a Client tag to limit
access of certain directories to non-exportable browsers. If a
restriction is selected that is not consistent with the current cipher
settings, this function displays a warning that ciphers with larger
secretkeysizes must be enabled.
secret-keysize (Optional) Minimum number of bits required in the secret key.
Which version of 6.1 Server are you using?
$cd <web-server-install-dir>/<web-server-instance-dir>/
$start -version
Can you send your server.xml settings?
Assuming your machine is foo.bar.test.com
$cd alias
$../bin/https/admin/bin/certutil -L -d . -p https-foo.bar.test.com-foo-
displays the server's certificate nickname; let's say it is Server-Cert.
Then try to get the certificate details in ASCII format:
$../bin/https/admin/bin/certutil -n Server-Cert -p https-foo.bar.test.com-foo-
It will show something like:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: .... (0x...)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=..."
Validity:
Not Before: .... 2008
Not After : .... 2018
Subject: "CN=..."
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
bd:10:c2:e0:bc:ad:fd:e6:75:ce:86:82:51:de:bf:37:
51:05:06:89:db:c2:6d:0c:31:f4:19:32:90:59:77:c1:
a0:6c:ef:88:54:ed:f8:d3:d2:6a:f7:22:f4:c6:95:60:
06:3a:64:f3:e4:0c:09:f4:37:c6:44:e7:d4:37:5a:4d
Exponent: 65537 (0x10001)
...
Each line in the Modulus section corresponds to 128 bits. In my case I have 4 lines, so my certificate's key size is 4*128 = 512 bits.
Can you send your modulus info, i.e. the key size with which your certificates were created?
Edited by: mv on Feb 8, 2008 9:28 AM -
Hi.
I'm setting up the remote site side of a VPN and can only find the IKE Phase 1 settings in ASDM. Can someone tell me where I can find the Phase 2 settings? Thanks.
Which ASDM version are you using? If you are using 6.4 or above, you can use the link below to configure it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml#hq-asa
If you have an older version of ASDM you can use the link below:
http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/sitvpn_p.html -
Hi.
I can't connect to ASDM. The ASA closes the connection because the browser doesn't support SSL with DES-CBC-SHA.
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609001: Built local-host inside:10.1.11.77
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609001: Built local-host identity:10.1.11.10
<166>:Nov 16 15:52:41 GST: %ASA-session-6-302013: Built inbound TCP connection 59 for inside:10.1.11.77/1257 (10.1.11.77/1257) to identity:10.1.11.10/443 (10.1.11.10/443)
<166>:Nov 16 15:52:41 GST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.1.11.77/1257 for TLSv1 session.
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725010: Device supports the following 1 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725008: SSL client inside:10.1.11.77/1257 proposes the following 11 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[2] : DHE-DSS-AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[3] : AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[6] : RC4-MD5
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[7] : RC4-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[8] : AES128-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[11] : DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
<166>:Nov 16 15:52:41 GST: %ASA-session-6-302014: Teardown TCP connection 59 for inside:10.1.11.77/1257 to identity:10.1.11.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609002: Teardown local-host inside:10.1.11.77 duration 0:00:00
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609002: Teardown local-host identity:10.1.11.10 duration 0:00:00
On https://supportforums.cisco.com/docs/DOC-15016 it is written that I must install the 3DES/AES license. But that is impossible for me because of the law.
How can I use ASDM without strong encryption?
If you are unable to upgrade your ASA to the 3DES/AES license, then you must downgrade your browser (or its settings).
I don't have a weak key ASA to test against, but I believe if you go into the advanced settings of your browser and DESELECT SSL 3.0 (and possibly 2.0 and TLS as well) that your client will then accept the low security SSL settings offered by your ASA.
Here is a listing of typical locations for those settings on browsers:
http://www2.westlaw.com/CustomerSupport/KnowledgeBase/Technical/WestlawCreditCard/WebHelp/Browser_Security_Requirements.htm
Change these settings with care and take into account changing them back for other uses. -
I'm new to the forum/discussions so forgive me if this is already posted. I read through several other posts and have followed the troubleshooting procedures in them, but I still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52 which shows compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. FW is passing traffic and everything else works just fine. Please advise. Thank you.
JEREMY-ASA# show ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 7.1(1)52
JEREMY-ASA# show run asdm
asdm image disk0:/asdm-711-52.bin
no asdm history enable
JEREMY-ASA# show run http
http server enable
http 192.168.1.0 255.255.255.0 inside
JEREMY-ASA# show run
: Saved
ASA Version 8.2(1)
hostname JEREMY-ASA
enable password OMIT encrypted
passwd OMIT encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 134.121.11.153 255.255.248.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner exec
OMIT BANNER STATEMENTS
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 250
logging trap informational
logging asdm informational
logging device-id ipaddress outside
logging host outside OMIT
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip audit attack action drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 134.121.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server OMIT
ssl encryption des-sha1
webvpn
username OMIT password OMIT encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
crashinfo console disable
Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21
: end
It's most likely the string:
ssl encryption des-sha1
That weak cipher is not compatible with most modern browsers and current releases of Java, which ASDM depends on. Try adding a strong cipher, e.g.:
ssl encryption des-sha1 aes256-sha1
Make sure you have 3DES-AES activation first ("show version" or "show activation-key" will confirm that feature license is active). -
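Added example, not code from any of the posts above: a Python replay of the ASA's cipher selection from its 725010/725011/725008 syslog lines, covering the "no shared cipher" handshakes in the first thread (HIGH vs. MEDIUM) and in the DES-CBC-SHA thread, and the "ssl encryption des-sha1 aes256-sha1" fix suggested just above. The server-preference rule is taken from the MEDIUM log (the ASA chose DHE-RSA-AES128-SHA256 although the client listed AES128-SHA256 ahead of it); the keyword-to-OpenSSL-name table and the abbreviated sample logs are assumptions built from what the page shows, not from Cisco documentation.

```python
import re
from typing import Dict, List, Optional

# One regex per syslog id; "(?:ssl-)?" also matches the older "%ASA-ssl-7-..." form.
SUPPORTS_RE = re.compile(r"%ASA-(?:ssl-)?7-725010: Device supports the following (\d+) cipher")
PROPOSES_RE = re.compile(r"%ASA-(?:ssl-)?7-725008: SSL client .*proposes the following (\d+) cipher")
CIPHER_RE = re.compile(r"%ASA-(?:ssl-)?7-725011: Cipher\[(\d+)\] : (\S+)")
CHOOSES_RE = re.compile(r"%ASA-(?:ssl-)?7-725012: Device chooses cipher (\S+)")

# ASA 8.x "ssl encryption" keywords -> the OpenSSL names the 725011 lines log.
# Assumed from the keyword spelling; the page itself only shows des-sha1 and aes256-sha1.
SSL_ENCRYPTION_KEYWORDS = {
    "des-sha1": "DES-CBC-SHA", "3des-sha1": "DES-CBC3-SHA",
    "aes128-sha1": "AES128-SHA", "aes256-sha1": "AES256-SHA",
    "rc4-md5": "RC4-MD5", "rc4-sha1": "RC4-SHA",
}


def parse_handshake(log_text: str) -> Dict[str, object]:
    """Collect each side's cipher list (in logged order) and the ASA's own 725012 choice."""
    sides: Dict[str, List[str]] = {"server": [], "client": []}
    announced: Dict[str, int] = {}
    current: Optional[str] = None
    logged_choice: Optional[str] = None
    for line in log_text.splitlines():
        if m := SUPPORTS_RE.search(line):
            current, announced["server"] = "server", int(m.group(1))
        elif m := PROPOSES_RE.search(line):
            current, announced["client"] = "client", int(m.group(1))
        elif m := CHOOSES_RE.search(line):
            logged_choice = m.group(1)
        elif (m := CIPHER_RE.search(line)) and current:
            # Cipher[n] is 1-based and contiguous; a gap means the collector dropped a line.
            if int(m.group(1)) != len(sides[current]) + 1:
                raise ValueError(f"missing Cipher[{len(sides[current]) + 1}] before: {line}")
            sides[current].append(m.group(2))
    for side, count in announced.items():
        if len(sides[side]) != count:
            raise ValueError(f"{side} announced {count} cipher(s) but {len(sides[side])} were logged")
    return {**sides, "logged_choice": logged_choice}


def negotiate(server: List[str], client: List[str]) -> Optional[str]:
    """Server-preference selection: the first *server* cipher the client also offered,
    not the client's favourite. None is exactly the "no shared cipher" case."""
    offered = set(client)
    return next((c for c in server if c in offered), None)


def server_ciphers_from_config(line: str) -> List[str]:
    """Translate an 'ssl encryption <kw> ...' line into the names the handshake log uses."""
    tokens = line.split()
    if tokens[:2] != ["ssl", "encryption"]:
        raise ValueError("expected an 'ssl encryption' line")
    return [SSL_ENCRYPTION_KEYWORDS[t] for t in tokens[2:]]


def diagnose(log_text: str) -> Dict[str, object]:
    """Replay the handshake; if the log carries the ASA's choice, it must match the replay."""
    hs = parse_handshake(log_text)
    chosen = negotiate(hs["server"], hs["client"])
    if hs["logged_choice"] is not None and hs["logged_choice"] != chosen:
        raise ValueError(f"ASA chose {hs['logged_choice']} but replay gives {chosen}")
    return {**hs, "chosen": chosen}


# Constructed samples, abbreviated from the page's logs (client lists cut to three entries).
HIGH_LOG = """\
Apr 08 2015 15:51:52: %ASA-7-725010: Device supports the following 2 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 15:51:52: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 3 cipher(s)
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[1] : ECDHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[2] : AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 15:51:52: %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""
MEDIUM_LOG = """\
Apr 08 2015 16:10:41: %ASA-7-725010: Device supports the following 4 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : AES256-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[4] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725008: SSL client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443 proposes the following 3 cipher(s)
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[1] : ECDHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[2] : AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA256
Apr 08 2015 16:10:41: %ASA-7-725012: Device chooses cipher DHE-RSA-AES128-SHA256 for the SSL session with client INSIDE:10.XX.XX.X/56251 to 10.XXX.X.XX/443
"""
DES_ONLY_LOG = """\
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725010: Device supports the following 1 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725008: SSL client inside:10.1.11.77/1257 proposes the following 2 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[2] : DES-CBC3-SHA
"""

if __name__ == "__main__":
    for name, log in (("HIGH", HIGH_LOG), ("MEDIUM", MEDIUM_LOG), ("DES-only", DES_ONLY_LOG)):
        print(f"{name}: chosen={diagnose(log)['chosen']}")
    # The fix proposed in the des-sha1 thread: add a cipher the client actually offers.
    widened = server_ciphers_from_config("ssl encryption des-sha1 aes256-sha1")
    print("des-sha1 aes256-sha1 ->", negotiate(widened, parse_handshake(DES_ONLY_LOG)["client"]))
```

The contiguity and announced-count checks make the replay refuse a log with dropped lines rather than report a wrong intersection, which matters when the lines come from a syslog collector instead of the ASA buffer.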
ASA 5505 ASDM username / password
Hello everyone,
I completed the PIX 515 to ASA 5505 migration today with no problems - ok one problem with the logon for ASDM.
I'm trying no username and password - then using username and password from the 515 Pix with no success.
Anyone know how to reset the username and password for the ASDM GUI website.
Thank you
Ummm,
Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system. -
Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues
Hey all,
I am really new to Cisco and am trying to get this Cisco ASA 5505 that I bought recently configured properly.
Things I have successfully been able to do:
1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
2. Create static routes to point to all of my VLANs that are currently being routed through my layer 3 SG-300
3. Install and run ASDM 7.3(2)
4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I configured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy.
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Attached is a copy of my running-config and version. Any help with this would be greatly appreciated.
Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well. -
ASDM will no longer load configuration
Hi Everyone,
I have an issue with an ASDM that will no longer pull the configuration. Originally I couldn't even log in via CLI, but after consoling in I was able to restart SSH and HTTP services and that seemed to work for being able to log in. However I'm stuck with ASDM not being able to pull the configuration from the device. It gets about 52% of the way and then stops. Here is the sh ver for starters:
(scrubbed)# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(7)
Compiled on Mon 31-Jan-11 02:11 by builders
System image file is "disk0:/asa841-k8.bin"
Config file at boot was "startup-config"
(scrubbed) up 247 days 0 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 0023.044b.6484, irq 9
1: Ext: GigabitEthernet0/1 : address is 0023.044b.6485, irq 9
2: Ext: GigabitEthernet0/2 : address is 0023.044b.6486, irq 9
3: Ext: GigabitEthernet0/3 : address is 0023.044b.6487, irq 9
4: Ext: Management0/0 : address is 0023.044b.6483, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: (scrubbed)
Running Permanent Activation Key: (scrubbed)
Configuration register is 0x1
Configuration last modified by enable_15 at 17:54:32.790 time Thu Feb 19 2015
Go to Control Panel > Add or Remove Programs (Win XP) or Programs and Features (later)
Remove all of these items in the following order:
iTunes
Apple Software Update
Apple Mobile Device Support (if this won't uninstall move on to the next item)
Bonjour
Apple Application Support
Reboot, download iTunes, then reinstall, either using an account with administrative rights, or right-clicking the downloaded installer and selecting Run as Administrator.
The uninstall and reinstall process will preserve your iTunes library and settings, but ideally you would back up the library and your other important personal documents and data on a regular basis. See this user tip for a suggested technique.
Please note:
Some users may need to follow all the steps in whichever of the following support documents applies to their system. These include some additional manual file and folder deletions not mentioned above.
HT1925: Removing and Reinstalling iTunes for Windows XP
HT1923: Removing and reinstalling iTunes for Windows Vista, Windows 7, or Windows 8
tt2 -
"Anyconnect client profile" option missing in ASDM
Hello,
I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
I don't have either of those options in ASDM. Here's what mine shows:
I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!
Thanks for the response Marvin,
It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
Result of the command: "sh version"
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Result of the command: "sh act | i Ess"
AnyConnect Essentials : Enabled
I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again. -
I need to revert the security settings back to the way they were BEFORE the update because now I am unable to access my secured work website (that I was on yesterday) to actually do work. When I attempt to go to my log-in page I get the following message:
Secure Connection Failed
The connection to corect.ct.gov:10000 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
It doesn't even give me the option to allow the site (it is my computer after all, it should be my choice). I NEED TO GET TO THIS WEBSITE.
The website may try to fall back to TLS 1.0 in a way that is no longer allowed in current releases or may be using a deprecated cipher suite.
You can open the about:config page via the location/address bar and use its search bar to locate this pref:
*security.tls.insecure_fallback_hosts
You can double-click the line to modify the pref and add the domain (corect.ct.gov) to this pref.
If there are already websites (domains) in this list then add a comma and the new domain (no spaces).
You should only see domains separated by a comma in the value column.
*https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#Security
*https://developer.mozilla.org/en-US/Firefox/Releases/37/Site_Compatibility#Security -
ASDM and privilege level (using TACACS)
Hi experts,
Initial question: How can I force ASDM to ask for the enable password when the user clicks on Apply?
Environment description:
I have an ASA 5510 connected to an ACS 5.0.
Security policy:
I want the users defined on my ACS to be able to gain privilege level 15, but only after using their enable password. By default the user must be in non-privileged mode (<15).
An SNMP alert is sent when the ASA catches a "User priv level changed" syslog message (logging customization).
ACS configuration:
Maybe I misunderstand the TACACS privilege level parameters on ACS.
I set a Shell Profile which gives the user the following privilege levels:
Default Privilege Level = 7
Maximum Privilege Level = 15
1st config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
! no authorization set
Results:
On CLI: perfect
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 15 directly
It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
So OK for CLI, but NOK for ASDM
2nd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
! no authorization command set
Results:
On CLI: lose enable access
I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
So NOK for CLI and ASDM
Question: Why do I have more access rights with ASDM than on CLI with the same settings?
3rd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! specific authorization command set for ASDM applied
Results:
On CLI: lose enable access (same as config 2)
On ASDM: unable to gain privilege level 15 --> acceptable
When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
So NOK for CLI and Acceptable for ASDM
Question: Is there no possibility to move to enable mode on ASDM?
4th config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! no aaa authentication for 'enable access', using local enable_15 account
! specific authorization command set for ASDM applied
Results:
On CLI: acceptable
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
On ASDM: unable to gain privilege level 15 --> acceptable (same as config 3)
So Acceptable for CLI and ASDM
Questions review:
1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
2 - Why do I have different access rights using ASDM than on CLI with the same settings?
3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15?
4 - How should I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level?
Thanks for your help.
Thanks for your answer jedubois.
In fact, my security policy is like this:
A) Authentication has to be nominative with password enforcement policy
--> I'm using CS ACS v5.1 appliance with local user database on it
B) Every "network" user can be granted privilege level 15
--> max user privilege level is set to 15 in my authentication mechanism on ACS
C) A "network" user can log onto the network equipment (RTR, SW and FW) but with monitor access only at first.
D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
--> SNMP trap sent to supervision server
E) The user password and enable password have to be personal.
So, I need only 2 privilege levels:
- monitor (any level from 1 to 14. I set 7)
- admin (level 15)
For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
The ASDM interface is requested by the customer.
For ASDM, as I was not able to satisfy the security policy, I applied this:
1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
--> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
--> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
--> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
(ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
3- I removed "aaa authorization enable console TACACS" to use the local enable password
--> now I can't get admin access on ASDM: OK
--> and I can get admin access on CLI by entering the local enable password
In the end, I satisfy my security policy points A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
Thanks -
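The policy above relies on the ASA's "User priv level changed" syslog message to raise an SNMP trap when a user moves from the monitor level (7) to admin (15). The following is an added example, not code from the thread or from Cisco: it parses constructed ASA syslog lines for that event and keeps only the transitions that cross the admin boundary, which is what the trap should fire on. The message ID 502103 and the "Uname/From/To" field layout are assumptions about the ASA format, and every sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example, not from the thread: parse ASA syslog for the "User priv level
# changed" event the poster alerts on and report which events cross the
# monitor/admin boundary (level 7 -> 15 in the thread's policy).
# ASSUMPTION: message ID 502103 and the Uname/From/To layout are recalled from
# ASA's format, not taken from the thread; all sample lines are constructed.
SAMPLE_LOG = """\
Feb 19 2015 17:54:20: %ASA-6-725001: Starting SSL handshake with client INSIDE:10.10.12.5/51234 to 10.10.1.2/443 for TLS session
Feb 19 2015 17:54:32: %ASA-5-502103: User priv level changed: Uname: alice From: 7 To: 15
Feb 19 2015 17:55:10: %ASA-5-502103: User priv level changed: Uname: bob From: 7 To: 7
Feb 19 2015 17:56:02: %ASA-5-502103: User priv level changed: Uname: carol From: 1 To: 15
Feb 19 2015 17:57:45: %ASA-5-502103: User priv level changed: Uname: alice From: 15 To: 7
"""

PRIV_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-\d+: "
    r"User priv level changed: Uname: (?P<user>\S+) From: (?P<frm>\d+) To: (?P<to>\d+)$"
)

@dataclass(frozen=True)
class PrivChange:
    ts: str
    user: str
    frm: int
    to: int

def parse_priv_changes(log: str) -> List[PrivChange]:
    """Every privilege-change event in the log; unrelated messages are skipped."""
    events = []
    for line in log.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            events.append(PrivChange(m["ts"], m["user"], int(m["frm"]), int(m["to"])))
    return events

def escalations(log: str, admin_level: int = 15) -> List[PrivChange]:
    """Only transitions from below admin_level to admin_level or above: these are
    the events that should raise the trap. Same-level and downgrade events drop out."""
    return [e for e in parse_priv_changes(log) if e.frm < admin_level <= e.to]

if __name__ == "__main__":
    for e in escalations(SAMPLE_LOG):
        print(f"{e.ts} user {e.user} escalated from level {e.frm} to {e.to}")
```

Note that the ASDM behaviour described in configs 1 and 2 (level 15 granted without an enable step) would not produce this message at all, so a missing trap is not evidence that no admin change happened; the command-authorization setting in config 3/4 is what closes that gap.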
ASA5505 Loading a template config doesn't allow me to connect via ASDM & SSH
Hi All,
I have built a base template for the ASA5505. I log in via the ASDM and back up the configuration. Once I have backed it up and got the next customer, I configure the ASA so I can gain ASDM access, then reload the config using "Merge".
I then sent this out with the engineer; we plugged it all in and I'm unable to log in to the device via ASDM or SSH. I get to the login but it's as if it doesn't accept the username and password.
Does anybody have any ideas?
Thanks
Nathan
Just to add more detail, DNS settings are fine for both PTR (numeric / reverse) and A/CNAME (address) record lookups. All resolve perfectly fine and confirmed against another system which is working fine (sadly not running Snow Leopard).
On my MBP running Snow Leopard with the 'Network Diagnostics' application running, the "Internet" connection shows "up" (green) for 2 seconds, then "down" (red) for 4 seconds and cycling continuously between these two states. The application itself fails to complete the test, constantly alerting of "Network Change Detected" suggesting the network configuration has changed.
Being a UNIX systems engineer, I thought running a dtrace on both the 'Network Diagnostic' app and Safari would show up something but sadly highlighted nothing (I'm assuming Apple have disabled dtrace's ability to snoop system calls from these apps and others for whatever reason). I also wondered if the network interface (en0) was changing whilst the state is toggling between failed and passed in the 'Network Diagnostic' app but ifconfig constantly shows the interface in an "UP" state... I just did an unscientific "while true; do ifconfig en0 | grep mtu ; sleep 1 ; done" to display the interface state in a Terminal window on a regular basis.
I think the biggest irony is, it all works fine when browsing to the www.apple.com website - it's never "Safari can't find the server" on me yet! Ah well, I'll have another look at this tomorrow if I get time