Mr. Brown: Let me tell you what ‘Like a Virgin’s about. It’s all about a girl who digs a guy with a big dick. The entire song. It’s a metaphor for big dicks.
Mr. Blonde: No, it ain’t. It’s about a girl who’s very vulnerable. She’s been fucked over a few times. And, uh, then she meets a guy who’s really sensitive…
Mr. Brown: Whoa, whoa, whoa, whoa, whoa, whoa… Time out, Green Bay. Tell that fucking bullshit to the tourists.
CLI vs. GUI
At a client site this afternoon, stuck within earshot of ye olde CLI vs. GUI pissing contest. UNIX geeks? Cisco geeks? No, this time it’s VMware geeks. I mentally flash to the opening scene of Reservoir Dogs, where the gang of crooks (all male) are in a diner arguing about the real meaning of Madonna’s “Like a Virgin”. It’s Tarantino’s usual verbal horseplay. Funny. Lots of pop culture references. But “What It Feels Like for a Girl” does not exist in the Reservoir Dogs universe.
Today’s CLI vs. GUI argument is the same feverish righteousness, and equally lacking in empirical data that comes from firsthand experience. The argument is a mental flatline because there’s only one way to win: Your method gets the job done safely and efficiently whereas the other method cannot. Everything else is personal preference or the need to personify that intangible quality which the ancients called “leetness”.
Anyway. The bickering comes to a standstill when the burly Avaya tech yells at them to get a room already. The vSphere guys grin and get back to their usual Friday afternoon workload: trolling Reddit.
Note to self: Bring earplugs next time.
Cisco Adaptive Security Device Manager (ASDM)
You can manage a Cisco ASA via several methods: a direct serial connection with a console cable, or remotely via Telnet, SSH or ASDM. And then there are those enterprise-level management tools where you push out policies and updates to multiple devices. These methods all have their advantages and limitations. Encrypted or plaintext communication; local or remote connection; command line or GUI.
The Cisco ASDM provides encryption because the management session runs over HTTPS. Unlike the console, Telnet or SSH, the ASDM gives you a GUI interface to manage the ASA. It’s fairly undemanding. You do not need anything other than a management workstation with a network connection, a web browser and Java.
I get why some of the command line jockeys have a beef with GUIs. Some GUIs are clunky and get in the way of administering the system. The earlier iterations of the ASDM (and the even older PDM) were not very user-friendly, but ASDM Version 6 and onwards is pretty stable and well-organized. This is partly because the ASDM is simply a GUI representation of the features and config available on the ASA boot image. An older ASDM version can only allow you to manage the cruder feature set of an older, clunkier version of the ASA image. Version 8.0 and later of the ASA is far superior to version 7.x and their compatible versions of ASDM duly reflect that fact.
The command line is fast and efficient for config, but the ASDM is good for visualizing data that you are tracking, such as bandwidth utilization or the VPN connection count. Also good not to have debug messages interrupt what you are doing on the console. The ASDM has several configuration wizards for basic setup and VPN config. The point-and-clickability of the ASDM is also helpful for minor reconfiguration by customers who are not familiar with the CLI. For example, I’ll set up ASAs and deploy them at a customer site. Once everything is ticking along, the customer can use the ASDM to make minor changes, such as managing VPN users or tweaking firewall rules.
Ultimately, all these management tools are just different ways of presenting the same data (the ASA configuration).
ASDM Image File
So, what do we need for ASDM access? For starters, the ASA flash drive must contain an ASDM image that is compatible with the currently-running ASA boot image. The following compatibility matrix is from Cisco as of August 2011:
|ASA 7.0||ASDM 5.0. Recommended: 5.0(8).|
|ASA 7.1(1)||ASDM 5.1. Recommended: 5.1(2).|
|ASA 7.1(2)||ASDM 5.1(2)|
|ASA 7.2||ASDM 5.2. Recommended: 5.2(4).|
|ASA 8.0(2)||ASDM 6.0(2) and later. Recommended: 6.4(5).|
|ASA 8.0(3)||ASDM 6.0(3) and later. Recommended: 6.4(5).|
|ASA 8.0(4)||ASDM 6.1(3) and later. Recommended: 6.4(5).|
|ASA 8.0(5)||ASDM 6.2(3) and later. Recommended: 6.4(5).|
|ASA 8.1(1)||ASDM 6.1(1) and later. Recommended: 6.4(5).|
|ASA 8.1(2)||ASDM 6.1(5) and later. Recommended: 6.4(5).|
|ASA 8.2(1)||ASDM 6.2(1) and later. Recommended: 6.4(5).|
|ASA 8.2(2)||ASDM 6.2(5) and later. Recommended: 6.4(5).|
|ASA 8.2(3)||ASDM 6.3(4) and later. Recommended: 6.4(5).|
|ASA 8.2(4)||ASDM 6.3(5) and later. Recommended: 6.4(5).|
|ASA 8.2(5)||ASDM 6.4(3) and later. Recommended: 6.4(5).|
|ASA 8.3(1)||ASDM 6.3(1) and later. Recommended: 6.4(5).|
|ASA 8.3(2)||ASDM 6.3(2) and later. Recommended: 6.4(5).|
|ASA 8.4(1)||ASDM 6.4(1) and later. Recommended: 6.4(5).|
|ASA 8.4(2)||ASDM 6.4(5).|
|ASA 8.5(1)||ASDM 6.5(1).|
Configuring ASDM Image to Boot
If you do not specify the ASDM image to be used, the ASA will look on the internal Flash card and then the external Flash card, and select the first ASDM image that it finds. It will insert the ASDM image command into the running config. If you only have one ASDM image, and you’re not using Auto Update, it makes no nevermind. The ASA will just take a few seconds longer to boot up as it searches for an ASDM image.
ciscoasa# conf t ciscoasa(config)# asdm image disk0:/asdm-641.bin
Enabling ASDM Management Access
To permit ASDM connections to the ASA, you need to enable ASA’s HTTP server with the http server enable command. (Sidenote: the ASDM actually uses HTTPS, not HTTP.) You also need to specify the management hosts that are allowed to use ASDM to manage the ASA. You can specify single IPs or a range of addresses.
ciscoasa(config)# http server enable ciscoasa(config)# http 126.96.36.199 255.255.255.255 inside ciscoasa(config)# http 188.8.131.52 255.255.255.0 outside