Tuesday 8 May 2012

Using Cisco ASDM in Cisco ASA

Cisco ASDM provides a GUI that you can use to administer, configure, and monitor an
ASA. Although ASDM does not use a regular web browser, it does use the HTTPS protocol
to communicate with the ASA.


To access ASDM, you need a PC-based launcher utility. The launcher allows you to select
an ASA and enter administrator credentials. The launcher will then connect to the ASA,
download the ASDM application (if it has not already been installed on the PC), and automatically launch it on the PC.


Before you can use ASDM, you need to enter an initial “bootstrap” configuration in the
ASA using the following steps:


Step 1. Copy an ASDM image file into ASA flash memory.
Use a file transfer method such as TFTP to copy an ASDM image file from
your PC to the ASA’s flash memory. Be aware that a specific ASDM image
release might work with only a specific release of the ASA operating system.


You can verify that the ASDM image is ready to use by using the dir disk0:/
command to display the flash file system contents, as shown here:


ciscoasa# dir disk0:/
Directory of disk0:/
93 -rwx 14503836 14:46:38 Sep 17 2010 asdm-634.bin
94 -rwx 15243264 14:44:02 Sep 17 2010 asa823-k8.bin
3 drwx 8192 14:04:34 Apr 27 2007 log
13 drwx 8192 14:05:02 Apr 27 2007 crypto_archive
255426560 bytes total (225050624 bytes free)
ciscoasa#


Step 2. Specify the ASDM image file to use.
Use the asdm image configuration command to specify which ASDM image
file to use. For example, the following command tells the ASA to use ASDM
release 6.3(4), contained in file disk0:/asdm-634.bin:


ciscoasa(config)# asdm image disk0:/asdm-634.bin


Once the ASDM image file has been specified, you can use the show asdm
image command to display the file location and name.


Step 3. Enable the HTTP server process.
Use the following command to enable the HTTP server on the ASA. Both
HTTP and HTTPS are supported, although ASDM uses only HTTPS.


ciscoasa(config)# http server enable




Step 4. Specify IP addresses that are permitted to access ASDM.
Because ASDM uses the HTTP server process, you can enter the following
command to specify which IP addresses are permitted to access ASDM
through a specified interface:


ciscoasa(config)# http ip-address subnet-mask interface


For example, you can use the following commands to permit clients in the
192.168.100.0/24 subnet on the outside interface and 192.168.2.0/24 on the
inside interface to access ASDM:


ciscoasa(config)# http 192.168.100.0 255.255.255.0 outside
ciscoasa(config)# http 192.168.2.0 255.255.255.0 inside


You can also use the http 0.0.0.0 0.0.0.0 outside command to permit ASDM
access from any host on the outside interface.
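
A configuration check for the bootstrap lines from Steps 2 through 4, as an added example that is not part of the original post: it parses saved running-config text and reports which source networks each http command permits, flagging any-source entries such as http 0.0.0.0 0.0.0.0 outside. The function name, the max_addresses threshold and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the bootstrap commands from Steps 2-4 as they would
# appear in saved "show running-config" output (prompts removed).
SAMPLE_CONFIG = """\
asdm image disk0:/asdm-634.bin
http server enable
http 192.168.100.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

# "http ip-address subnet-mask interface" (Step 4)
HTTP_PERMIT = re.compile(r"^http\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")


def audit_asdm_access(config, max_addresses=256):
    """Summarize ASDM bootstrap lines and flag overly broad 'http' permits.

    max_addresses is an assumed local policy threshold, not a Cisco default.
    """
    report = {"asdm_image": None, "http_server": False, "permits": [], "findings": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("asdm image "):
            report["asdm_image"] = line.split(None, 2)[2]
        elif line.startswith("http server enable"):
            report["http_server"] = True
        elif (m := HTTP_PERMIT.match(line)):
            addr, mask, ifname = m.groups()
            try:
                # strict=False tolerates host bits set in the address field
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:  # bad octet or non-contiguous mask
                report["findings"].append(("invalid", ifname, line))
                continue
            report["permits"].append((str(net), ifname))
            if net.prefixlen == 0:
                report["findings"].append(("any-source", ifname, str(net)))
            elif net.num_addresses > max_addresses:
                report["findings"].append(("broad", ifname, str(net)))
    if report["permits"] and not report["http_server"]:
        report["findings"].append(("server-disabled", None, "http server enable missing"))
    return report


if __name__ == "__main__":
    for finding in audit_asdm_access(SAMPLE_CONFIG)["findings"]:
        print(finding)
```
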


Next, you will need to access ASDM for the first time. Open a web browser to the ASA
interface that you have configured to permit HTTP connections. In Figure 2-1, the web
browser has been opened to https://192.168.100.10—the outside interface of an ASA.
