windows 7 无法打开ASA SSL *** 和ASDM首页

 IT从业人员经常通过win7系统来管理CISCO ASA （ASDM、SSL ***）

问题描述
配置没有问题，winxp访问一切正常，win7访问就这样

 我们可以开LOGGING，来看下原因
szhskj(config)#logging buffered debugging 开启debug级别的log记录
szhskj(config)#logging buffer-size 1048576 把log的buffer调大，要不寄存器会被冲刷
szhskj(config)#logging on

这个时候我们重新用win7的ie访问ASA首页，然后在ASA敲show logging
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration 0:01:05
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:01:05
%ASA-6-725007: SSL session with client outside:10.1.1.1/1084 terminated.
%ASA-7-609001: Built local-host outside:10.1.1.2
%ASA-7-609001: Built local-host identity:10.1.1.10
%ASA-6-302013: Built inbound TCP connection 14 for outside:10.1.1.2/49177 (10.1.1.2/49177) to identity:10.1.1.10/443 (10.1.1.10/443)
%ASA-6-725001: Starting SSL handshake with client outside:10.1.1.2/49177 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 14 for outside:10.1.1.2/49177 to identity:10.1.1.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-7-609002: Teardown local-host outside:10.1.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:00:00

标红部分显示双方的sll加密方法不匹配

可以查看当前ASA支持什么加密算法

 

szhskj(config)#show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
看到了吧，ASA只开启了des-sha1算法，不多说，接下来开启其他算法
szhskj(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
如果当你敲完上面的命令 ^ 这个破玩意儿出来了，恭喜你，看看ASA的license吧
cisco(config)#show version
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
***-DES : Enabled perpetual
***-3DES-AES : Disabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other *** Peers : 5000 perpetual
Total *** Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco *** Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
没有3des的license，咋办？点下面的连接申请个3des的license，免费的
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

通过show Version来查看ASA的序列号（SN）号。

 

把序列号填进去，思科就给你邮箱发邮件了，如下图邮件内容：

把邮件里的key在ASA上激活
ciscoasa(config)# activation-key  0f37f47e 44f47d72 94726194 b3e0308c 4835338f

激活之后,再来配置ASA加密算法

szhskj(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1

好了，现在再去试试吧。