Cisco ASDM GUI tips and tricks for managing your Cisco ASA

A look at some of the ASA ASDM features that will make your life a bit easier

Cisco's Adaptive Security Device Manager (ASDM) is the GUI tool used to manage the Cisco ASA security appliances.  In this blog I'll reveal to you some of my favorite tips, tricks and secrets found inside ASDM.  If you haven't dealt with it before, ASDM is a free configuration, monitoring and troubleshooting management tool that comes with the ASA.  In a nutshell, ASDM will manage all the features of the ASA appliance including FW, IPS and VPN.  Unlike its big brother Cisco Security Manager (CSM), ASDM is made to configure a standalone ASA one at a time.  CSM is the tool you would use to manage and share policy across multiple ASA's, routers, and IPS appliances. 

First, installing the tool.  You can download ASDM from cisco.com or from your ASA itself.  You can then run it inside a browser or download the ASDM launcher so it runs as its own application on your PC.  I highly recommend ASDM launcher as the way to go.  The ASDM launcher works for both Windows and MAC OSX (requires ASDM version 6.4.5 or later).  Once launched it will look like the below image.  You fill out the info and away you go.

A few secrets about ASDM launcher.  First, to get the MAC launcher working you must install it directly from your ASA using a web browser.  Currently, there is not a downloadable .dmg file on cisco.com, only a .msi file for windows. 

Second, you see that cool "run in demo mode" checkbox?  This can be a very handy feature and is available to everyone.  To enable it, check the box and click on the link it provides.  This will take you to cisco.com where you will need to download the ASDM demo .msi package.  It will look like this:

Once installed, ASDM can then be used in a offline demo mode on a windows or mac computer. Demo mode provides you with several configuration types to choose from so you can make it pretend to be an ASA FW or a ASA FW with IPS or a ASA with SSLVPN, etc. The ASDM demo mode even models event logs.  All in all ASDM demo mode gives you the experience of configuring and monitoring a live ASA. 

Which brings me to another ASDM secret, demo mode is designed for windows but will also work on MACs.  This is not something supported by Cisco or found in there docs.  It is more of a hack, but a useful one for those (like me) that don't like to run fusion on their MACs.  Here is how you get it to work on a MAC running Lion:

-First, On your MAC install the ASDM launcher by connecting to an ASA via a web browser and clicking install launcher.

-Second, download and install ASDM demo .msi on a Windows PC.

-Next, Copy the Demo folder contents from C:\Program Files\Cisco Systems\ASDM to your MAC. 

-On your MAC,  open the folder the launcher app is in (usually applications\Cisco) and right click on the launcher app. Now click show package contents

-A new finder window will open.  Navigate to /Applications/ASDM/Cisco ASDM-IDM.app/Contents/Resources/Java/demo

-Finally, copy the contents of the windows demo folder into this folder.  Now Mac launcher demo should work great!

Here is a screenshot of ASDM demo mode on a Mac:

And here it is opened up:

Now that we have ASDM installed here are some quick tips.

• Need to see if there are upgrades for your specific ASA type and version? Use the check for updates tool in ASDM. This software update wizard is much quicker and error free than going to cisco's website downloading the images then uploading them to the ASA and configuring it to use them. This can all now be done with about 4 clicks right from ASDM. Huge timesaver!
•  

• Need to quickly see in/out throughput on ASA interfaces? On homepage click on an interface and below it will show the input and output kbps.

• Need to quickly see your VPN sessions and their details? On homepage view the VPN sessions and click on details to see all the info about your sessions.

• Packet Tracer is a must use tool for ASA admins. If you haven't heard about it yet see my previous blog. Packet tracer lets you model how the ASA will react to certain traffic types moving through it. The new feature you need to know about is now tracer can model traffic based on usernames and FQDNs. Stuff like this:

• Need to send an alert message to your clientless sslvpn users? Under tools you'll find just such a feature. You can send any alert message you want to your users.
• 
• Need to get your ASA configured fast? Need to capture packets off the ASA quickly? Use the ASDM wizards! They save you time and eliminate common mistakes, especially for VPN setup. In this case wizards are not for dummies. There are all sorts of wizards in ASDM:
• 

Can't find where in ASDM to configure something?  Find it quickly using the look for tool.  You can find it on the ASDM toolbar.  Just type in a keyword or two of what you are looking for and the ASDM assistant will take you there.  Here is an example:

• To speed up firewall rule creation use the drag and drop of objects. You can quickly drag and drop objects and service objects into your firewall rule table. If the object table is not open goto view/services to open it.
• Need to find where an object is being used? Right click on the object and select where used. You will see output like this:
• 

• Need to put in a temporary rule that auto-expires after a certain time? Or maybe a rule that expires and only allows traffic during business hours for contractors? Use the time-based option in your firewall rules under advanced options on a rule. It looks like this:

• Need to quickly add NAT to a server or any host object? Use the new object based NAT. This can be a huge timesaver.

• Need to find botnet and other malware activity quickly? Turn on the botnet traffic filter license on your ASA and you'll see all sorts of useful info on malicious traffic. Here is a look at just a couple of the botnet monitoring panels.
• 

• Think you might have a slow or broken connection to your authentication server? You can quickly check the server to ASA performance from your ASDM monitoring/properties/aaa server view. Great tool to help troubleshoot authentication slowness or other erradic behavior. It will look like this:
• 

Need to see who is currently logged in to manage the ASA?  Need to kick them off?  You can do both from the Monitoring > Properties > Device Access > ASDM/HTTPS/Telnet/SSH Sessions screen.  Like this:

• Need to troubleshoot the ASA connections? Need to parse the ASA logs real-time? The ASDM Log viewer under monitoring is a nice tool for just such activities. It is best suited to near or real-time log parsing. A few of the really cool tools are create rule, show rule, whois and dns lookup. Any of these can be accessed by right clicking on a log message. Again can be a big timesaver.
• 

Well, there are some of my favorite ASDM tips.  If you have some of your own to share please post them.  If you have any questions let me know.

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security/a>

Go to Jamey's Blog for more articles on security.

• Security
• Firewall & UTM
• asa asdm
• ASDM
• asdm best practices
• asdm help
• asdm tips
• asdm tricks
• cisco asa asdm
• cisco asdm
• Heary
• Jamey Heary
• managing cisco asa
• security