There are two types of ASA firewalls: K8 and K9. The difference between them is that K8 supports only DES encryption, while K9 supports encryption up to AES.
ASDM requires a minimum of 3DES capability, so if you have a K8 ASA, go to http://www.cisco.com/go/license to get an upgrade license key.
Apply the key on the device to turn it into a K9 by entering the following command in global config mode:
activation-key <copy and paste the 4-tuple or 5-tuple>
If you are not sure which encryption types are supported, issue sh ver and make sure the unit has the VPN-3DES-AES license:
sh ver
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
In the same output, check that an ASDM image is loaded on the Cisco ASA:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Make sure the HTTP server is up and running:
sh run http
http server enable
http 172.18.124.0 255.255.255.0 inside ------> all hosts in this subnet are allowed to use ASDM
http 10.10.10.10 255.255.255.255 dmz ----> only the single host 10.10.10.10 is allowed to use ASDM
Make sure that the ASA is listening on port 443:
sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
SSL 00019c6f 10.10.10.1:443 0.0.0.0:* LISTEN
If it is not listening, removing and re-entering the http server enable command could help with the issue.
Also make sure that the SSL protocol is active by typing the following command:
ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
// You must see 3DES in the output. If it is not there, upgrade your ASA to K9.
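The checks above can be run in one pass over saved CLI output. The script below is an added example, not part of the original page: it parses pasted output of sh ver, sh run http, sh asp table socket and sh run all ssl and lists which ASDM prerequisites are missing. The function name and failure messages are hypothetical, and the sample text is constructed from the output shown on this page.

```python
import re

# Constructed sample: the command output shown on this page, pasted together.
SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
VPN-DES : Enabled
VPN-3DES-AES : Enabled
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.10.10.10 255.255.255.255 dmz
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
SSL 00019c6f 10.10.10.1:443 0.0.0.0:* LISTEN
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

def asdm_prereq_failures(text):
    """Return the ASDM prerequisites from this page that the pasted output fails."""
    lines = [ln.strip() for ln in text.splitlines()]
    failures = []

    def has(pattern):
        # True if any whole line matches the pattern.
        return any(re.fullmatch(pattern, ln) for ln in lines)

    # sh ver: the K9 license must be present (ASDM needs at least 3DES).
    if not has(r"VPN-3DES-AES\s*:\s*Enabled"):
        failures.append("license: VPN-3DES-AES not enabled")
    # sh ver: a loaded ASDM image is reported as "Device Manager Version".
    if not has(r"Device Manager Version\s+\S+"):
        failures.append("asdm: no Device Manager Version line")
    # sh run http: server enabled and at least one permitted source network.
    if not has(r"http server enable"):
        failures.append("http: server not enabled")
    if not has(r"http\s+\d+(\.\d+){3}\s+\d+(\.\d+){3}\s+\S+"):
        failures.append("http: no permitted management hosts")
    # sh asp table socket: an SSL socket in LISTEN state on port 443.
    if not has(r"SSL\s+\S+\s+\S+:443\s+\S+\s+LISTEN"):
        failures.append("socket: nothing listening on 443")
    # sh run all ssl: the cipher list must include a 3DES suite.
    ciphers = next((ln.split()[2:] for ln in lines
                    if ln.startswith("ssl encryption ")), [])
    if not any(c.startswith("3des") for c in ciphers):
        failures.append("ssl: 3DES missing from ssl encryption")
    return failures

if __name__ == "__main__":
    for problem in asdm_prereq_failures(SAMPLE) or ["all ASDM prerequisites met"]:
        print(problem)
```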