Cisco Adaptive Security Device Manager

Cisco ASDM Release Notes Version 5.2(1)


August 2006

This document contains release information for Cisco ASDM Version 5.2(1) on Cisco PIX 500 series and Cisco ASA 5500 series security appliances Version 7.2(1). It includes the following sections:

Introduction

New Device Manager Features

New Security Appliance Features

Client PC Operating System and Browser Requirements

Caveats

Upgrading ASDM

Getting Started with ASDM

ASDM Limitations

ASDM and SSM Compatibility

Caveats

Related Documentation

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

Cisco Adaptive Security Device Manager (ASDM) delivers world-class security management and monitoring services for Cisco PIX 500 and ASA 5500 series security appliances through an intuitive, easy-to-use, web-based management interface. Bundled with supported security appliances, the device manager accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced security and networking features offered by Cisco PIX 500 and ASA 5500 series security appliance software Version 7.2(1). Its secure, web-based design enables anytime, anywhere access to security appliances.

New Device Manager Features

The following list highlights the new device manager features in this release:

Support for the ASA 5505 and ASA 5550.

Supports IPS Version 6.0 and later.

Packet Tracer—The new patent-pending Packet Tracer tool lets you easily trace the life span of a packet through the security appliance in an animated packet flow model to see if it is behaving as expected and simplify troubleshooting no matter how complex the network design. The tool provides the attributes of a packet such as source and destination IP addresses with a visual representation of the different phases of the packet and the relevant configuration, which is accessible with a single click. For each phase, it displays whether the packet is dropped or allowed.

The traceroute tool lets you trace the route of a packet to its destination.

Enhanced ASDM rules table—The ASDM rule tables have been redesigned to streamline policy creation. In addition to simplified rule creation that maps more closely with CLI, the rule tables support most configuration scenarios including super-netting and using an object group that is associated with more than one interface. The use of ASDM location and ASDM group was removed to simplify the creation of rules. You now have the ability to:

Create objects, object-groups and rules from a single panel

Filter on interfaces, source, destination or services

Policy query in the rule table for advanced filtering using multiple conditions

Show logs for a particular access rule in the real time log viewer

Select a rule and packet trace with a single click which will populate with appropriate packet attributes

Easily organize and move up and down in the table to change the order of access list entries

Expand and display elements in an object group

See attributes of an object or members of a group via tooltips

The High Availability and Scalability Wizard is used to simplify configuration of Active/Active, Active/Standby failover and VPN Load balancing. The wizard also intelligently configures the peer device.

Enhancements to the syslog features include:

Syslog parsing to display source IP, destination IP, syslog ID, date and time into different columns

Integrated syslog references with explanations and recommended actions for each syslog with a single click

Syslog coloring based on severity level

A brief explanation of the syslogs as a tool tip in the log viewer

The creation of NAT rules is simplified.

There is now full ASDM support of network, service, protocol and ICMP-type object groups.

The ability to create a name to be associated with an IP Address now exists.

The new ASDM Assistant provides task-oriented guidance to configuring features such as AAA server, logging filters, SSL VPN Client, and other features. You can also upload new guides.

Context management is improved, including context caching and better scalability.

Enhancements to Application Inspection include the following:

Support for DNS, ESMTP, H.323, IM, SCCP (Skinny) and other protocols.

Predefined low, medium and high security settings simplify creation and management of inspection maps.

RADIUS Accounting inspection maps allow inspection of management traffic to the device.

New Security Appliance Features

The following lists some of the new features supported by the security appliance.

The Cisco ASA 5505 Easy VPN supports hardware client feature parity with the Cisco VPN 3002 and Cisco PIX501/506.

The Cisco ASA 5505 has Power over Ethernet (PoE) switch ports that can be used for PoE devices, such as IP phones. However, these ports are not restricted to that use. They can also be used as Ethernet switch ports.

The Cisco ASA 5505 includes the ability to detect and prevent the use of non-Cisco memory, SSM modules, SSC cards, or other modules in the security appliance. It also detects the presence of obsolete and prototype hardware. It authenticates all modules, starting with the host (itself). It disables or reboots any module that fails authentication.

Enhanced Application Inspection and Control. Many enhancements for the Application Inspection and Control are supported in ASA Version 7.2(1). For a complete list, see the Cisco ASA 5500 Series Release Notes Version 7.2(1).

Online Certificate Status Protocol (OCSP), which provides an alternative to CRL for obtaining the revocation status of X.509 digital certificates, is supported.

The security appliance supports RIP Version 1 and RIP Version 2.

Layer 2 Tunneling Protocol (L2TP) over IPSec is supported.

The security appliance supports Network Access Control (NAC) with a configured ACS.

You can establish a VPN using a handheld Nokia 92xx Communicator series cellular device for remote access.

You can include the security appliance in a network that deploys the Zone Labs Integrity System for enforcement of security policies on remote VPN clients.

You can configure hybrid authentication to enhance the IKE security between the security appliance and remote users.

You can monitor additional IPSec fragmentation and reassembly statistics that are helpful in debugging IPSec-related fragmentation and reassembly issues.

PPPoE clients are supported.

You can create dynamic DNS (DDNS) update methods and configure them to update the Resource Records (RRs) on the DNS server at whatever frequency you need.

The multicast routing enhancements let you define multicast boundaries so that domains with RPs that have the same IP address do not leak into each other, filter PIM neighbors to better control the PIM process, and filter PIM bidir neighbors to support mixed bidirectional and sparse-mode networks.

You can assign a private MAC address (both active and standby for failover) for each interface. For multiple context mode, you can automatically generate unique MAC addresses for shared context interfaces, which makes classifying packets into contexts more reliable.

Failover now responds to a failure in less than a second.

This feature lets you configure a standby ISP link in case the link to your primary ISP fails. It uses static routing and object tracking to determine the availability of the primary route and to activate the secondary route when the primary fails.

You can use DNS domain names, such as www.example.com, when configuring AAA servers and also with the ping and traceroute features.

RTP and RTCP inspection monitors call signaling traffic and performs message validation for VoIP. It also NATs embedded IP addresses and opens pinholes for RTP and RTCP traffic.

Generic input rate limiting is introduced to prevent Denial of Service attacks on a firewall or on certain inspection engines on a firewall.

Long URL filtering, HTTPS filtering, and FTP filtering are enabled using both Websense (the current vendor) and N2H2 (a vendor that has been purchased by Secure Computing).

The Auto Update feature now includes the ability to poll multiple Auto Update servers, and the ability to configure the security appliance to poll Auto Update servers on a single day, or any combination of days and times of day. You can also randomize the time of polling for any configured day, or combination of days.

Dead Connection Detection (DCD) allows the adaptive security appliance to automatically detect and expire dead connections.

You can now save all context configurations at once from the system execution space.

You can now allow any traffic to enter and exit the same interface, and not just VPN traffic.

You can now define a Layer 3/4 class map for to-the-security-appliance traffic, so you can perform special actions on management traffic. For this version, you can inspect RADIUS accounting traffic.

The packet tracer tool lets you trace the life span of a packet through the security appliance to see if it is behaving as expected. The traceroute tool lets you trace the route of a packet to its destination.

The Web Cache Communication Protocol (WCCP) feature lets you specify WCCP service groups and redirect web cache traffic.

You can configure the security appliance to require that IPv6 addresses for directly connected hosts use the Modified-EUI format for the interface identifier portion of the address.

Gatekeeper Routed Control Signaling (GKRCS), and Direct Call Signaling (DCS) control signaling methods are supported.

SCCP version 4.1.2 messages and CCM 4.0.1 messages are supported.

SIP IP address privacy is supported.

Inspection, IPS, and Trend Micro for WebVPN traffic in clientless mode and port forwarding mode is supported.

For additional information see the online help for particular features. For improvements to the Cisco 5500 series ASA security appliance software, see the Cisco ASA 5500 Series Release Notes Version 7.2(1).

Client PC Operating System and Browser Requirements

Table 1 lists the supported and recommended PC operating systems and browsers for Version 5.2(1).

Table 1 Operating System and Browser Requirements

| | Operating System | Browser | Other Requirements |
|---|---|---|---|
| Windows [1] | Windows 2000 (Service Pack 4) or Windows XP operating systems (English or Japanese versions) | Internet Explorer 6.0 with Sun Java [2] Plug-in 1.4.2 or 5.0 (1.5.0) -or- Firefox 1.5 with Java Plug-in 1.4.2 or 5.0 (1.5.0) | Note: HTTP 1.1—Settings for Internet Options > Advanced > HTTP 1.1 should use HTTP 1.1 for both proxy and non-proxy connections. SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences. |
| Sun Solaris | Sun Solaris 8 or 9 running CDE window manager | Mozilla 1.7.3 with Sun Java Plug-in 1.4.2 or 1.5.0 | |
| Linux | Red Hat Desktop, Red Hat Enterprise Linux WS version 3 running GNOME or KDE | Firefox 1.5 with Java Plug-in 1.4.2 or 5.0 (1.5.0) [3] | |

1 ASDM is not supported on Windows 3.1, 95, 98, ME or Windows NT4.

2 Get Sun Java from java.sun.com

3 On Windows and Linux, Firefox 1.5 replaces Mozilla 1.7.3, which was used in previous ASDM releases.


Memory Errors in Firefox

Firefox may stop responding or give an out of memory error message on Linux and Windows if multiple instances of ASDM are running. You can use the following steps to increase the Java memory and work around the behavior.

This section describes how to increase the memory for Java on the following platforms:

Java Plug-In for Windows

Java Plug-In on Linux and Solaris

Java Plug-In for Windows

To change the memory settings of the Java Plug-in on Windows for Java Plug-in versions 1.4.2 and 1.5, perform the following steps:


Step 1 Close all instances of Internet Explorer or Netscape.

Step 2 Click Start > Settings > Control Panel.

Step 3 If you have Java Plug-in 1.4.2 installed:

a. Click Java Plug-in. The Java Plug-in Control Panel appears.

b. Click the Advanced tab.

c. Type -Xmx256m in the Java RunTime Parameters field.

d. Click Apply and exit the Java Control Panel.

Step 4 If you have Java Plug-in 1.5 installed:

a. Click Java. The Java Control Panel appears.

b. Click the Java tab.

c. Click View under Java Applet Runtime Settings. The Java Runtime Settings Panel appears.

d. Type -Xmx256m in the Java Runtime Parameters field and then click OK.

e. Click OK and exit the Java Control Panel.


Java Plug-In on Linux and Solaris

To change the settings of Java Plug-in 1.4.2 or 1.5 on Linux and Solaris, perform the following steps:


Step 1 Close all instances of Netscape or Mozilla.

Step 2 Bring up Java Plug-in Control Panel by launching the ControlPanel executable file.


Note In the Java 2 SDK, this file is located in <SDK installation directory>/jre/bin/ControlPanel. For example, if your Java 2 SDK is installed at /usr/j2se, the full path is /usr/j2se/jre/bin/ControlPanel. In a Java 2 Runtime Environment installation, the file is located at <JRE installation directory>/bin/ControlPanel.


Step 3 If you have Java Plug-in 1.4.2 installed:

a. Click the Advanced tab.

b. Type -Xmx256m in the Java RunTime Parameters field.

c. Click Apply and close the Java Control Panel.

Step 4 If you have Java Plug-in 1.5 installed:

a. Click the Java tab.

b. Click View under Java Applet Runtime Settings.

c. Type -Xmx256m in the Java Runtime Parameters field and then click OK.

d. Click OK and exit the Java Control Panel.


Supported Platforms and Feature Licenses

This software version supports the following platforms; see the associated tables for the feature support for each model:

ASA 5505, Table 2

ASA 5510, Table 3

ASA 5520, Table 4

ASA 5540, Table 5

ASA 5550, Table 6

PIX 515/515E, Table 7

PIX 525, Table 8

PIX 535, Table 9


Note Items that are in italics are separate, optional licenses that can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.


Table 2 ASA 5505 Adaptive Security Appliance License Features

| ASA 5505 | Base License | Security Plus |
|---|---|---|
| Users, concurrent [1] | 10; Optional Licenses: 50, Unlimited | 10; Optional Licenses: 50, Unlimited |
| Security Contexts | No support | No support |
| VPN Sessions [2] | 10 combined IPSec and WebVPN | 25 combined IPSec and WebVPN |
| Max. IPSec Sessions | 10 | 25 |
| Max. WebVPN Sessions | 2; Optional License: 10 | 2; Optional License: 10 |
| VPN Load Balancing | No support | No support |
| Failover | None | Active/Standby (no stateful failover) |
| GTP/GPRS | No support | No support |
| Maximum VLANs/Zones | 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) | 5 (3 zones, 1 failover link, and 1 backup ISP link) |
| Concurrent Firewall Conns [3] | 10 K | 25 K |
| Max. Physical Interfaces | Unlimited, assigned to VLANs/zones | Unlimited, assigned to VLANs/zones |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) | Base (DES); Optional license: Strong (3DES/AES) |
| Minimum RAM | 128 MB | 128 MB |

1 In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

2 Although the maximum IPSec and WebVPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

3 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.


Table 3 ASA 5510 Adaptive Security Appliance License Features

| ASA 5510 | Base License | Security Plus |
|---|---|---|
| Users, concurrent | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional Licenses: 5 |
| VPN Sessions [1] | 250 combined IPSec and WebVPN | 250 combined IPSec and WebVPN |
| Max. IPSec Sessions | 250 | 250 |
| Max. WebVPN Sessions | 2; Optional Licenses: 10, 25, 50, 100, 250 | 2; Optional Licenses: 10, 25, 50, 100, 250 |
| VPN Load Balancing | No support | No support |
| Failover | None | Active/Standby or Active/Active |
| GTP/GPRS | No support | No support |
| Max. VLANs | 10 | 25 |
| Concurrent Firewall Conns [2] | 50 K | 130 K |
| Max. Physical Interfaces | 3 at 10/100 plus the Management interface for management traffic only | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 256 MB | 256 MB |

1 Although the maximum IPSec and WebVPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 4 ASA 5520 Adaptive Security Appliance License Features

| ASA 5520 | Base License |
|---|---|
| Users, concurrent | Unlimited |
| Security Contexts | 2; Optional Licenses: 5, 10, 20 |
| VPN Sessions [1] | 750 combined IPSec and WebVPN |
| Max. IPSec Sessions | 750 |
| Max. WebVPN Sessions | 2; Optional Licenses: 10, 25, 50, 100, 250, 500, 750 |
| VPN Load Balancing | Supported |
| Failover | Active/Standby or Active/Active |
| GTP/GPRS | None; Optional license: Enabled |
| Max. VLANs | 100 |
| Concurrent Firewall Conns [2] | 280 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 512 MB |

1 Although the maximum IPSec and WebVPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 5 ASA 5540 Adaptive Security Appliance License Features

| ASA 5540 | Base License |
|---|---|
| Users, concurrent | Unlimited |
| Security Contexts | 2; Optional licenses: 5, 10, 20, 50 |
| VPN Sessions [1] | 5000 combined IPSec and WebVPN |
| Max. IPSec Sessions | 5000 |
| Max. WebVPN Sessions | 2; Optional Licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500 |
| VPN Load Balancing | Supported |
| Failover | Active/Standby or Active/Active |
| GTP/GPRS | None; Optional license: Enabled |
| Max. VLANs | 200 |
| Concurrent Firewall Conns [2] | 400 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 1 GB |

1 Although the maximum IPSec and WebVPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 6 ASA 5550 Adaptive Security Appliance License Features

| ASA 5550 | Base License |
|---|---|
| Users, concurrent | Unlimited |
| Security Contexts | 2; Optional licenses: 5, 10, 20, 50 |
| VPN Sessions [1] | 5000 combined IPSec and WebVPN |
| Max. IPSec Sessions | 5000 |
| Max. WebVPN Sessions | 2; Optional Licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000 |
| VPN Load Balancing | Supported |
| Failover | Active/Standby or Active/Active |
| GTP/GPRS | None; Optional license: Enabled |
| Max. VLANs | 200 |
| Concurrent Firewall Conns [2] | 650 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 4 GB |

1 Although the maximum IPSec and WebVPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 7 PIX 515/515E Security Appliance License Features

| PIX 515/515E | R (Restricted) | UR (Unrestricted) | FO (Failover) [1] | FO-AA (Failover Active/Active) [1] |
|---|---|---|---|---|
| Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional license: 5 | 2; Optional license: 5 | 2; Optional license: 5 |
| IPSec Sessions | 2000 | 2000 | 2000 | 2000 |
| WebVPN Sessions | No support | No support | No support | No support |
| VPN Load Balancing | No support | No support | No support | No support |
| Failover | No support | Active/Standby, Active/Active | Active/Standby | Active/Standby, Active/Active |
| GTP/GPRS | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled |
| Max. VLANs | 10 | 25 | 25 | 25 |
| Concurrent Firewall Conns [2] | 48 K | 130 K | 130 K | 130 K |
| Max. Physical Interfaces | 3 | 6 | 6 | 6 |
| Encryption | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) |
| Min. RAM | 64 MB | 128 MB | 128 MB | 128 MB |

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 8 PIX 525 Security Appliance License Features

| PIX 525 | R (Restricted) | UR (Unrestricted) | FO (Failover) [1] | FO-AA (Failover Active/Active) [1] |
|---|---|---|---|---|
| Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 |
| IPSec Sessions | 2000 | 2000 | 2000 | 2000 |
| WebVPN Sessions | No support | No support | No support | No support |
| VPN Load Balancing | No support | No support | No support | No support |
| Failover | No support | Active/Standby, Active/Active | Active/Standby | Active/Standby, Active/Active |
| GTP/GPRS | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled |
| Max. VLANs | 25 | 100 | 100 | 100 |
| Concurrent Firewall Conns [2] | 140 K | 280 K | 280 K | 280 K |
| Max. Physical Interfaces | 6 | 10 | 10 | 10 |
| Encryption | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) |
| Min. RAM | 128 MB | 256 MB | 256 MB | 256 MB |

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 9 PIX 535 Security Appliance License Features

| PIX 535 | R (Restricted) | UR (Unrestricted) | FO (Failover) [1] | FO-AA (Failover Active/Active) [1] |
|---|---|---|---|---|
| Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 |
| IPSec Sessions | 2000 | 2000 | 2000 | 2000 |
| WebVPN Sessions | No support | No support | No support | No support |
| VPN Load Balancing | No support | No support | No support | No support |
| Failover | No support | Active/Standby, Active/Active | Active/Standby | Active/Standby, Active/Active |
| GTP/GPRS | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled |
| Max. VLANs | 50 | 150 | 150 | 150 |
| Concurrent Firewall Conns [2] | 250 K | 500 K | 500 K | 500 K |
| Max. Physical Interfaces | 8 | 14 | 14 | 14 |
| Encryption | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) |
| Min. RAM | 512 MB | 1024 MB | 1024 MB | 1024 MB |

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


ASDM and SSM Compatibility

For a table showing ASDM compatibility with SSMs, see:

http://www.cisco.com/en/US/products/ps6120/products_device_support_table09186a0080682a78.html

Upgrading ASDM

This section describes how to upgrade ASDM to a new ASDM release. If you have a Cisco.com login, you can obtain ASDM from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

or

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix


Note If you are upgrading from PIX Version 6.3, first upgrade to Version 7.0 according to Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0. Then upgrade PDM to ASDM according to the ASDM 5.0 release notes.


If you have a previous release of ASDM on your security appliance and want to upgrade to the latest release, you can do so from within ASDM. We recommend that you upgrade the ASDM image before the platform image. ASDM is backwards compatible, so you can upgrade the platform image using the new ASDM; you cannot use an old ASDM with a new platform image.

To upgrade ASDM, perform the following steps:


Step 1 Download the new ASDM image to your PC.

Step 2 Launch ASDM.

Step 3 From the Tools menu:

In ASDM 5.0 and 5.1, click Upload Image from Local PC.

In ASDM 5.2, click Upgrade Software.

Step 4 With ASDM selected, click the Browse Local button to select the new ASDM image.

Step 5 To specify the location in Flash memory where you want to install the new image, enter the directory path in the field or click the Browse Flash button.

If your security appliance does not have enough memory to hold two ASDM images, overwrite the old image with the new one by specifying the same destination filename. You can rename the image after it is uploaded using the Tools > File Management tool.

If you have enough memory for both versions, you can specify a different name for the new version. If you need to revert to the old version, it is still in your Flash memory.

Step 6 Click Upload Image.

When ASDM is finished uploading, you see the following message:

"ASDM Image is Uploaded to Flash Successfully."

Step 7 If the new ASDM image has a different name than the old image, then you must configure the security appliance to load the new image in the Configuration > Properties > Device Administration > Boot System/Configuration pane.

Step 8 To run the new ASDM image, you must quit out of ASDM and reconnect.

Step 9 Download the new platform image using the Tools > Upgrade Software tool.

To reload the new image, reload the security appliance using the Tools > System Reload tool.


Getting Started with ASDM

This section describes how to connect to ASDM and start your configuration. If you are using the security appliance for the first time, your security appliance might include a default configuration. You can connect to a default IP address with ASDM so that you can immediately start to configure the security appliance from ASDM. If your platform does not support a default configuration, you can log in to the CLI and run the setup command to establish connectivity. See Before You Begin for more detailed information about networking.

This section includes the following topics:

Before You Begin

Downloading the ASDM Launcher

Starting ASDM from the ASDM Launcher

Using ASDM in Demo Mode

Starting ASDM from a Web Browser

Using the Startup Wizard

Using the VPN Wizard

Configuring Stateful Failover

Printing from ASDM

Before You Begin

If your security appliance includes a factory default configuration, you can connect to the default management address of 192.168.1.1 with ASDM. On the ASA 5500 series adaptive security appliance, the interface to which you connect with ASDM is Management 0/0. For the PIX 500 series security appliance, the interface to which you connect with ASDM is Ethernet 1. To restore the default configuration, enter the configure factory-default command at the security appliance CLI.

Make sure the PC is on the same network as the security appliance. You can use DHCP on the client to obtain an IP address from the security appliance, or you can set the IP address to a 192.168.1.0/24 network address.

If your platform does not support the factory default configuration, or you want to add to an existing configuration to make it accessible for ASDM, access the security appliance CLI according to the Cisco Security Appliance Command Line Configuration Guide, and enter the setup command. The setup command prompts you for a minimal configuration to connect to the security appliance using ASDM.


Note You must have an inside interface already configured to use the setup command. The Cisco PIX security appliance default configuration includes an inside interface, but the Cisco ASA adaptive security appliance default configuration does not. Before using the setup command, enter the interface gigabitethernet slot/port command, and then the nameif inside command. The slot for interfaces that are built in to the chassis is 0. For example, enter interface gigabitethernet 0/1. The Cisco PIX 500 series and the ASA 5510 adaptive security appliance have an Ethernet-type interface.


Downloading the ASDM Launcher

The ASDM Launcher is for Windows only. The ASDM Launcher is an improvement over running ASDM in a Java Applet. The ASDM Launcher avoids double authentication and certificate dialog boxes, launches faster, and caches previously-entered IP addresses and usernames.

To download the ASDM launcher, perform the following steps:


Step 1 From a supported web browser on the security appliance network, enter the following URL:

https://interface_ip_address

In transparent firewall mode, enter the management IP address.


Note Be sure to enter https, not http.