Evil_TTL> show | s



There are two types of ASA firewalls: K8 and K9. The difference between them is that K8 supports only DES encryption, while K9 supports encryption up to AES.

ASDM requires at least 3DES capability, so if you have a K8 type of ASA, go to http://www.cisco.com/go/license to get an upgrade license key.

Apply the key on the device and turn it into a K9 by typing the following command in global config mode:

activation-key <copy and paste the 4-tuple or 5-tuple

If you are not sure which types of encryption are supported, issue sh ver and make sure the unit has the VPN-3DES-AES license:

sh ver

ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080

VPN-DES : Enabled
VPN-3DES-AES : Enabled

In the same output, check that an ASDM image is loaded on the Cisco ASA:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1

Make sure the HTTP server is up and running:

sh run http

http server enable
http inside ------> all hosts in this subnet are allowed to use ASDM
http dmz ----> only one host in the subnet is allowed to use ASDM

Make sure that the ASA is listening on port 443:

sh asp table socket

Protocol  Socket    Local Address  Foreign Address  State
SSL       0000e5bf  :443           *                LISTEN
SSL       00019c6f  :443           *                LISTEN

If it is not listening, canceling and retyping the http server enable command could help with the issue.

Also make sure that the SSL protocol is active by typing the following command:

ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

// You must see 3DES in the output. If it is not there, upgrade your ASA to K9. 
By privilege15
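
The checks in this write-up can be run in one pass over saved CLI output. The following is an added example, not part of the original post: it assumes the output of sh ver, sh run http, sh asp table socket and sh run all ssl has been saved untruncated into one text capture. The function names, check names and both sample captures (with documentation-range addresses) are constructed for illustration.

```python
import re

# Constructed sample: the four show commands saved to one capture.
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE_OK = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
http server enable
http 192.0.2.0 255.255.255.0 inside
Protocol  Socket    Local Address    Foreign Address  State
SSL       0000e5bf  192.0.2.1:443    0.0.0.0:*        LISTEN
ssl server-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

# Constructed sample: a K8 unit with the HTTP server not enabled.
SAMPLE_K8 = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
ssl encryption des-sha1
"""

CHECKS = [  # (name, regex that must match some line of the capture)
    ("3des_license", r"^\s*VPN-3DES-AES\s*:\s*Enabled\b"),
    ("asdm_image", r"^\s*Device Manager Version \S+"),
    ("http_server", r"^\s*http server enable\b"),
    ("http_allow", r"^\s*http \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+"),
    ("ssl_listen_443", r"^\s*SSL\s+\S+\s+\S*:443\s+\S+\s+LISTEN\b"),
    ("ssl_3des", r"^\s*ssl encryption\b.*\b3des-sha1\b"),
]

def asdm_prereqs(capture):
    """Return {check_name: bool} for each ASDM prerequisite from the post."""
    return {name: bool(re.search(rx, capture, re.MULTILINE))
            for name, rx in CHECKS}

def failed(capture):
    """Names of the prerequisites that are missing, in checking order."""
    return [name for name, ok in asdm_prereqs(capture).items() if not ok]

if __name__ == "__main__":
    for label, cap in (("ok", SAMPLE_OK), ("k8", SAMPLE_K8)):
        print(label, failed(cap) or "all ASDM prerequisites present")
```
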