ASA 5505 ASDM Startup Wizard - does it work at all?

Discussion in 'Cisco' started by Tilman Schmidt, Sep 17, 2007.

  1. I got a Cisco ASA 5505 with Cisco Adaptive Security Appliance Software
    Version 7.2(2). Normally I always configure my equipment through CLI,
    but since it is my first ASA I thought I would give the advertised
    Startup Wizard a try.

    First thing I tried was setting the internal and external IP addresses.
    Guess what: it didn't work! My settings had no effect at all. They were
    completely and utterly ignored.
    - Try 1: entered 192.168.14.1 as IP address for inside, fixed public
    IP address for outside, proceeded to the DHCP page, tried to enter
    a matching DHCP range - up pops the error message: "Your DHCP range
    must fit within your internal address range 192.168.1.1-192.168.1.254".
    Went back in the Wizard, and sure enough, the inside and outside
    interfaces had reverted to 192.168.1.1 and DHCP, respectively.
    - Try 2: entered 192.168.14.1 as IP address for inside, pushed "Finish"
    immediately to force the change into the device. No joy, the thing
    responded with a message: "no changes made".

    Is it just me, or is this so-called Wizard really unable to make the most
    elementary of configuration changes, namely setting the IP address of an
    interface?

    Oh yes, and then the final straw:

    - Try 3: changed the IP address through the ASDM main page. This actually
    succeeded - in locking me out of the device, because it changed the
    interface address immediately, disconnecting me, but left the
    "administrative access" setting at the old value 192.168.1.0/24 so I
    couldn't get back in after changing my admin PC to the new IP range.
    Had to get the old console cable out.

    Back to CLI. ASDM is too difficult for me.

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Sep 17, 2007
    #1

  2. Tilman Schmidt

    Guest

    On Sep 17, 9:57 am, Tilman Schmidt <> wrote:
    > I got a Cisco ASA 5505 with Cisco Adaptive Security Appliance Software
    > Version 7.2(2). Normally I always configure my equipment through CLI,
    > but since it is my first ASA I thought I would give the advertised
    > Startup Wizard a try.
    >
    > First thing I tried was setting the internal and external IP addresses.
    > Guess what: it didn't work! My settings had no effect at all. They were
    > completely and utterly ignored.
    > - Try 1: entered 192.168.14.1 as IP address for inside, fixed public
    > IP address for outside, proceeded to the DHCP page, tried to enter
    > a matching DHCP range - up pops the error message: "Your DHCP range
    > must fit within your internal address range 192.168.1.1-192.168.1.254".
    > Went back in the Wizard, and sure enough, the inside and outside
    > interfaces had reverted to 192.168.1.1 and DHCP, respectively.
    > - Try 2: entered 192.168.14.1 as IP address for inside, pushed "Finish"
    > immediately to force the change into the device. No joy, the thing
    > responded with a message: "no changes made".
    >
    > Is it just me, or is this so-called Wizard really unable to make the most
    > elementary of configuration changes, namely setting the IP address of an
    > interface?
    >
    > Oh yes, and then the final straw:
    >
    > - Try 3: changed the IP address through the ASDM main page. This actually
    > succeeded - in locking me out of the device, because it changed the
    > interface address immediately, disconnecting me, but left the
    > "administrative access" setting at the old value 192.168.1.0/24 so I
    > couldn't get back in after changing my admin PC to the new IP range.
    > Had to get the old console cable out.
    >
    > Back to CLI. ASDM is too difficult for me.
    >
    > --
    > Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...


    I can see you are totally frustrated. I can understand as I have done
    a few of these. First off I would suggest that you go to vers 7.23
    code. It fixes some minor issues. Do not use 8.02 as it has some bug
    and it is too early to use. Also, are you using ASDM ver 6.02? That
    vers can only be used with the 8.02 code. Please use the ASDM ver 5.23
    as it works with 7.2 code. That would be the first part I would look
    at. Then we can see what and how you are doing it in the ASDM......

    Stephen
     
    , Sep 18, 2007
    #2

  3. Pentreed@... wrote:
    > On Sep 17, 9:57 am, Tilman Schmidt <> wrote:
    >> I got a Cisco ASA 5505 with Cisco Adaptive Security Appliance Software
    >> Version 7.2(2). [...] I thought I would give the advertised
    >> Startup Wizard a try.
    >>
    >> First thing I tried was setting the internal and external IP addresses.
    >> Guess what: it didn't work! My settings had no effect at all. [...]
    >> Back to CLI. ASDM is too difficult for me.


    > I can see you are totally frustrated. I can understand as I have done
    > a few of these. First off I would suggest that you go to vers 7.23
    > code. It fixes some minor issues, [...] Please use the ASDM ver 5.23
    > as it works with 7.2 code. That would be the first part I would look
    > at. Then we can see what and how you are doing it in the ASDM......


    Thanks for your advice. I have upgraded to ASA 7.2.3 and ASDM 5.2.3
    now. (Quite an exercise in itself when you cannot connect a PC to the
    Pix and to the network at the same time because the Pix' IP address
    doesn't fit and can't be changed.) This didn't solve the problem, but
    at least it very clearly showed the nature of this ASDM bug.

    This is what I do:
    - Start ASDM Launcher, connect to 192.168.1.1, no username, no password.
    - Select from the menu: Wizards - Startup Wizard
    - On the first screen, select "Modify existing configuration"
    - Follow the wizard through its fourteen steps, specifying
      + outside vlan2 with a fixed address within our public range
      + inside vlan1 with fixed address 192.168.14.1/24
      + dmz vlan3 (which I don't want or need, but ASDM insists I create),
        deactivated and without an IP address
      + a static route, a single ssh management host, and the entire (new)
        internal address range as ASDM management hosts
      + a DHCP address pool of 192.168.14.101-.120 to match the internal
        interface

    The result: a window titled "Error in sending command" and showing:

    --------8<--------8<--------8<--------8<--------8<--------8<--------8<
    [OK] hostname pix-example
    [OK] domain-name example.org
    [OK] Interface vlan1
    Interface vlan1
    [ERROR] ip address 192.168.14.1 255.255.255.0
    Interface address is not on same subnet as DHCP pool
    ip address command failed

    [OK] Interface vlan3
    Interface vlan3
    [OK] shutdown
    [OK] no forward interface vlan1
    [OK] nameif dmz
    [OK] security-level 50
    [OK] Interface vlan2
    Interface vlan2
    [OK] ip address <fixedaddr> 255.255.255.128
    [ERROR] dhcpd address 192.168.14.101-192.168.14.120 inside
    Address range subnet 192.168.14.101 or 192.168.14.120 is not the same as inside interface subnet 192.168.1.1

    [OK] dhcpd dns <nameserver> interface inside
    [OK] dhcpd domain example.org interface inside
    [OK] no http 192.168.1.0 255.255.255.0 inside
    [OK] http 192.168.14.0 255.255.255.0 inside
    [OK] ssh 10.0.0.29 255.255.255.255 outside
    [OK] route outside 10.0.0.0 255.255.0.0 <gateway> 1
    [OK] enable password <password>
    --------8<--------8<--------8<--------8<--------8<--------8<--------8<

    followed by an error message "ASDM is unable to contact the ASA" and
    impossibility to reconnect under either old or new addresses. The only
    way out is to pull the power plug - back to square one.

    So what's happening is that the "wizard" makes the classic beginner's
    mistake of trying to change the IP address while a DHCP pool is active
    on the current one - and then blindly plods on in the face of the
    resulting error messages, sending the new DHCP pool after it (which
    now of course fails because the old IP address is still active) and
    finally changing the http client range to the new address range even
    though it hasn't been successfully set up, thereby locking me out.

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Sep 18, 2007
    #3
  4. Tilman Schmidt

    JimK

    ASA 5505 Wizard Workaround

    I had the exact same issue you described trying to change the default network from 192.168.1.x to 10.10.10.x. I found that the wizard can do it, but it takes two passes.

    On the first pass thru the wizard do not change any settings, except disable the DHCP server and BLANK the DHCP IP Ranges.

    On the second pass thru the wizard, make all necessary changes to implement the new network (change the interface and the DHCP settings.) As a safety measure include both the new network and the default (192.168.1.0) with permission to use the ASDM\HTTP administration interface.

    ***Many Bothans died to bring us this information***
     
    JimK, May 12, 2010
    #4
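
The failure analysed in post #3 and the safety measure from post #4 can be checked mechanically before reconnecting. The following is an added example, not code from any poster or from Cisco: it replays only the commands the ASA accepted in an ASDM result window and reports whether any host on the effective inside subnet may still reach ASDM. The function names are hypothetical, and the starting state (inside at 192.168.1.1/24, ASDM access from 192.168.1.0/24) is assumed from the posts.

```python
import ipaddress
import re

# Excerpt of the ASDM result window quoted in post #3 above.
TRANSCRIPT = """\
[OK] Interface vlan1
[ERROR] ip address 192.168.14.1 255.255.255.0
[ERROR] dhcpd address 192.168.14.101-192.168.14.120 inside
[OK] no http 192.168.1.0 255.255.255.0 inside
[OK] http 192.168.14.0 255.255.255.0 inside
"""

LINE = re.compile(r"^\[(OK|ERROR)\]\s+(.*)$")

def parse(transcript):
    """Yield (applied, command) for every status-tagged line."""
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1) == "OK", m.group(2).strip()

def replay(transcript, inside_if, inside_addr, http_allowed):
    """Apply only accepted commands; return (address, http networks, rejected)."""
    addr = ipaddress.ip_interface(inside_addr)
    allowed = {ipaddress.ip_network(n) for n in http_allowed}
    current_if = None
    rejected = []
    for applied, cmd in parse(transcript):
        words = cmd.split()
        if not applied:
            rejected.append(cmd)          # the device state is unchanged
            continue
        if words[0].lower() == "interface":
            current_if = words[1]         # following commands apply to this VLAN
        elif words[:2] == ["ip", "address"] and current_if == inside_if:
            addr = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[0] == "http" and words[-1] == "inside":
            allowed.add(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif words[:2] == ["no", "http"] and words[-1] == "inside":
            allowed.discard(ipaddress.ip_network(f"{words[2]}/{words[3]}"))
    return addr, allowed, rejected

def locked_out(addr, allowed):
    """True if no permitted ASDM network overlaps the inside subnet."""
    return not any(addr.network.overlaps(net) for net in allowed)

if __name__ == "__main__":
    addr, allowed, rejected = replay(TRANSCRIPT, "vlan1", "192.168.1.1/24", ["192.168.1.0/24"])
    print("inside:", addr, "ASDM allowed from:", sorted(map(str, allowed)))
    print("rejected:", rejected, "locked out:", locked_out(addr, allowed))
```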