Cisco PIX ASDM Guide Day Two: Installing Cisco PIX ASDM

Simplify the process of configuring the PIX firewall for your customers with the help of Cisco's Adaptive Security Device Manager (ASDM). Get installation and troubleshooting tips with this Step-by-Step Guide today.

Let's get started. Below are the commands we need to issue and the steps to get ASDM going:

Log in to the PIX and go to enable mode: "pix> enable"

Once in enable mode, enter the command "copy tftp flash". You will now be prompted for a few bits of information, as listed below:

"Address or name of remote host [x.x.x.x]? " Here you will need to enter the IP address of the TFTP server that holds the ASDM image. Press enter to continue.

"Source file name [cdisk]? " Enter the filename of the ASDM image, for example: asdm502.bin for ASDM version 5.0(2). Press enter to continue.

"Destination file name [asdm502.bin]?" There's nothing to do here unless you want to rename the image you are transferring, so press enter.

We need to tell the PIX where ASDM is, so we will issue the following command in config mode. At the CLI type "conf t," or "configure terminal" if you prefer the long way. Once in config mode, at the "pix(config)#" prompt, type "asdm image flash:asdm502.bin" and press enter.

Now that the PIX knows where ASDM is, issue the "write mem" or "write memory" command to the PIX. You will see a message that it is building configuration and then it will return to the "pix(config)#" prompt. At this point we have ASDM installed.

In order to access ASDM we need to do a few things; otherwise, the PIX will deny the traffic and tear down the connection. In order to allow the connection we need to issue the following commands from config mode:

  • http server enable: This command is issued first and enables the http/https server to start.
  • http 0 0 inside: This enables all traffic from any host/network configured on the inside interface of the PIX. If you wanted to allow only, say, your workstation, and its IP was, then it would look like "http inside." You can allow a single subnet or multiple subnets to connect as well. If at any time you need to remove an entry, simply use the command "no http x.x.x.x z.z.z.z inside" where x is the IP and z is the subnet.

Now you can try and connect to ASDM using https://x.x.x.x/admin, where x.x.x.x is the IP address of the inside interface on the PIX.

Please note that ASDM can be accessed from the outside interface as well. When you add the "http x.x.x.x z.z.z.z" command, you need to make sure that you specify the interface as outside and that ASDM is being accessed from a secure computer. This is not recommended, however, due to the power of ASDM; putting it on a publicly accessible network isn't the best idea.
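One way to review the "http" access entries described above before relying on them, as an added example that is not part of the original guide: this Python sketch reads a saved configuration and flags entries that allow any source address or that sit on an interface other than inside. The function name, the sample configuration and its addresses are constructed for illustration.

```python
import ipaddress
import re

# Matches "http <address> <netmask> <interface>" access entries.
HTTP_RULE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _expand(value):
    # The PIX accepts "0" as shorthand for 0.0.0.0, as in "http 0 0 inside".
    return "0.0.0.0" if value == "0" else value


def audit_http_rules(config_text, trusted_interfaces=("inside",)):
    """Return (server_enabled, findings) for the ASDM management entries.

    Hypothetical helper: findings is a list of (config line, reason) tuples.
    """
    server_enabled = False
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "http server enable":
            server_enabled = True
            continue
        match = HTTP_RULE.match(line)
        if not match:
            continue
        addr, mask = _expand(match.group(1)), _expand(match.group(2))
        iface = match.group(3)
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # not an address/mask pair, so not an access entry
        if iface not in trusted_interfaces:
            findings.append((line, f"management allowed on interface '{iface}'"))
        if net.prefixlen == 0:
            findings.append((line, "any source address allowed"))
    return server_enabled, findings


# Constructed sample configuration (addresses are documentation ranges).
SAMPLE_CONFIG = """\
http server enable
http 0 0 inside
http 192.168.1.0 255.255.255.0 inside
http 203.0.113.10 255.255.255.255 outside
"""

if __name__ == "__main__":
    enabled, issues = audit_http_rules(SAMPLE_CONFIG)
    print("http server enabled:", enabled)
    for rule, reason in issues:
        print(f"{rule}: {reason}")
```

Entries it flags are candidates for removal with the "no http x.x.x.x z.z.z.z" form shown above, followed by a narrower replacement.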

ASDM should be complete and working. Log in with your PIX enable password and it's off to the races -- unless you have a problem. In the next step, we'll look at troubleshooting ASDM. I'll also provide sample output for your reference.

Tomorrow: Troubleshooting Cisco PIX ASDM
