LTLnetworker | IT networks, security, Cisco

Cisco ASDM predeploy installation from local package

Posted by LTLnetworker on September 16, 2022


Cisco ASDM is capable of managing a single ASA. But the same shortcut can be used to connect to multiple ASAs.

“When you run Cisco ASDM as a local application, it connects to your security appliance from your desktop using SSL. Running Cisco ASDM as an application has these advantages:

  • You can invoke ASDM from a desktop shortcut. No browser is required.
  • One desktop shortcut allows you to connect to multiple security appliances.” (These are independent sessions, policy sharing is not possible.)

You can use the browser-based ASDM GUI if you want to avoid installing anything, but starting with the 7.18.1 release, ASDM no longer supports Java Web Start/JNLP.

The ASDM image on the firewall has a version (e.g. 7.17(x.y)) that is displayed when using ASDM. It is downloaded on the fly every time, so the same client can open ASDM 7.14 from a firewall holding the 7.14 image and, an hour later, ASDM 7.17 from another firewall holding the 7.17 image. This is possible because ASDM itself is not installed on the client, only the ASDM-IDM Launcher. Unfortunately, the Launcher is not universal; several versions have been released. For example, ASDM 7.8 used the 1.8(0) launcher, but 1.8(0) cannot launch ASDM 7.18, which requires launcher version 1.9(5).

Launcher version mismatches are resolved this way: the server (firewall) upgrades the client launcher software if the server's version is higher. The Java console shows this:


If you have ASDM installed, you probably installed it from the firewall, which is how it is supposed to be installed: you connect with a browser, authenticate successfully, and then you can download the ASDM-IDM Launcher.


This is what I call the webdeploy method because it resembles the Cisco AnyConnect (or Secure Client) webdeploy installation:

  • The image resides on the firewall device
  • The admin accesses the device with a browser and obtains the installation package
  • The software is downloaded and installed from the network device to the admin’s computer
  • The file format is not MSI

Cisco AnyConnect also offers a predeploy installation method and a predeploy package:

  • The install package is placed (transferred) to the client computer without connecting to a network device
  • No live connection and authentication to a network device is necessary
  • It is an MSI package ready to install on a Windows computer

Sometimes it would be useful to install (or reinstall) ASDM on a client computer from a predeploy installer, but unfortunately (and illogically) Cisco offers no ASDM predeploy packages. Sometimes the firewall admin is not the same person as the Windows administrator, and the installation has to happen in a situation where connecting to the ASA is not possible. If ASDM has to be installed on a terminal server, the server administrator will want a predeploy installer package and cannot connect to an ASA to obtain it. So this demand is quite common; e.g. this Cisco forum thread’s numbers show real interest:


Things became simpler when Cisco created an OpenJRE-based ASDM version in ASA 9.12(2) / ASDM 7.12(2), so Oracle Java is no longer required on the computer. This ASDM package has OpenJRE bundled in it, so the package size is larger.

However, Java-based ASDM images are still developed, and Cisco offers both a JRE-based and an OpenJRE-based version of each ASDM release. So some things have not become simpler, because of mixed environments. What happens if I use an OpenJRE-ASDM client and have to connect to an ASA that has a Java-based ASDM? We now know that differing ASDM versions do not cause an upgrade of the client unless the ASDM Launcher version is higher on the firewall than on the client. Several scenarios are possible:

  • OpenJRE ASDM installed on PC
    • connect to Java-ASA: works
    • connect to OpenJRE-ASA: works
    • connect to Java-ASA with superior Launcher version: Launcher upgrade is forced (user cannot skip the upgrade) and the Java-dependent package is installed (which will not start due to Java missing)
    • connect to OpenJRE-ASA with superior Launcher version: Launcher upgrade is forced (user cannot skip the upgrade) but the new version uses OpenJRE too
  • Java ASDM installed on PC
    • connect to Java-ASA: works
    • connect to OpenJRE-ASA: works
    • connect to Java-ASA with superior Launcher version: Launcher upgrade is forced (user cannot skip the upgrade) but the new version uses Java too
    • connect to OpenJRE-ASA with superior Launcher version: Launcher upgrade is forced (user cannot skip the upgrade) and the OpenJRE package is installed (which will work and will not use Java any more)

Unfortunately the software compares only the release numbers and ignores the Java/OpenJRE difference. It does not prevent the red and purple scenarios above (the two forced cross-type upgrades: an OpenJRE client receiving a Java-based launcher, and a Java client receiving an OpenJRE one), and the launcher upgrade cannot be skipped. Here is what happens when we have an out-of-date OpenJRE ASDM and connect to a Java-ASA with a superior Launcher version:
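To make the comparison described above concrete, here is an added Python model of the decision the post describes (my own example, not Cisco code or anything from the original post): the ASA forces a launcher upgrade only when its launcher release number is higher, and it ignores whether the package is Java- or OpenJRE-based. The Launcher class, the "java"/"openjre" runtime labels and the java_on_client flag are assumptions made for the model.

```python
import re
from dataclasses import dataclass

# Launcher versions on the page look like "1.8(0)" and "1.9(5)": major.minor(build).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_launcher_version(text: str) -> tuple:
    """Turn an ASDM-IDM Launcher version string such as '1.9(5)' into a comparable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised launcher version: {text!r}")
    return tuple(int(x) for x in m.groups())


@dataclass(frozen=True)
class Launcher:
    version: str   # e.g. "1.9(5)" (assumed field name, not an ASDM API)
    runtime: str   # "java" (needs Oracle Java on the PC) or "openjre" (bundled JRE)


def predict_connect(client: Launcher, asa: Launcher, java_on_client: bool) -> dict:
    """Model the behaviour the post describes: a forced launcher upgrade happens only
    when the ASA's release number is higher, regardless of Java/OpenJRE type."""
    forced = parse_launcher_version(asa.version) > parse_launcher_version(client.version)
    installed = asa if forced else client
    # After a forced upgrade the client runs whatever runtime the new package ships with.
    runnable = installed.runtime == "openjre" or java_on_client
    cross_type = forced and asa.runtime != client.runtime
    return {
        "forced_upgrade": forced,
        "installed_runtime": installed.runtime,
        "runnable": runnable,
        "cross_type_upgrade": cross_type,
        # Mitigation from the post: pre-install a matching launcher before connecting.
        "preinstall_matching_launcher": cross_type and not runnable,
    }


if __name__ == "__main__":
    # The broken ("red") case: out-of-date OpenJRE client, Java-ASA with a newer launcher.
    print(predict_connect(Launcher("1.8(0)", "openjre"), Launcher("1.9(5)", "java"), False))
```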



It cannot run due to Java dependency.

Here is what happens when we have an out-of-date Java ASDM and connect to an OpenJRE-ASA with a superior Launcher version:


The OpenJRE software is installed in a new directory called jre inside the ASDM directory. Original Java-based ASDMs have no such directory. The Java console reveals the URL of the downloaded MSI package, so we can attempt to download the MSI directly from the ASA:



This asdm50-install.msi can be downloaded, and it is the same binary package as dm-launcher.msi.

To prevent the purple or red scenario we could install the v1.9(5) predeploy package on the client before connecting to the Java-ASA. But from where? To have this predeploy package, you had to obtain it previously from (another) firewall where a fresh ASDM v7.8.1(152) had been installed. Connect to it with a browser, click Install ASDM Launcher (this is webdeploy) and make sure you save the dm-launcher.msi in a directory for future use. Now you have a predeploy installer that you can use on any Windows computer without Java.

Actually I have been saving the predeploy installer for years.


These unofficial predeploy installers have helped me install or reinstall ASDM on my computer or on other computers.

On a terminal server the administrator has to do some additional steps after installing the MSI package. The shortcut is often wrong and needs to be corrected to ‘C:\Windows\System32\wscript.exe invisible.vbs run.bat’ (see the ASDM Release Notes). Then the shortcut should be copied to the firewall admin user’s desktop, as ASDM cannot be started without the proper shortcut icon.

Using an OpenJRE-based ASDM requires AES-128-based TLS ciphers on the ASA, as the JRE has no built-in support for AES-256 ciphers. That is why we need these ciphers even on a hardened ASA:

ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
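As an added check (my own example, not from the original post or from Cisco), this Python snippet parses a saved `ssl cipher ... custom` line from an ASA configuration and reports whether any AES-128 suite remains for an OpenJRE-based ASDM client, which is the requirement stated above. The sample line is the cipher string from this post, embedded as constructed input; the function names are my own.

```python
import shlex

# Constructed sample: the post's "ssl cipher tlsv1.2 custom" line as it appears in a saved ASA config.
SAMPLE_CONFIG_LINE = (
    'ssl cipher tlsv1.2 custom '
    '"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:'
    'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256"'
)


def parse_ssl_cipher_line(line: str):
    """Split an ASA 'ssl cipher <version> custom "<list>"' line into the TLS version
    and its colon-separated, OpenSSL-style cipher names."""
    parts = shlex.split(line.strip())
    if len(parts) != 5 or parts[:2] != ["ssl", "cipher"] or parts[3] != "custom":
        raise ValueError(f"not a custom ssl cipher line: {line!r}")
    return parts[2], [c for c in parts[4].split(":") if c]


def check_openjre_asdm_compat(line: str) -> dict:
    """Report which suites are AES-128 (usable by the bundled OpenJRE per the post)
    and which are AES-256, and whether an OpenJRE-based ASDM client can still connect."""
    version, ciphers = parse_ssl_cipher_line(line)
    aes128 = [c for c in ciphers if "AES128" in c]
    aes256 = [c for c in ciphers if "AES256" in c]
    return {
        "version": version,
        "aes128": aes128,
        "aes256": aes256,
        # The post's requirement: at least one AES-128 suite must stay in the custom list.
        "openjre_asdm_ok": bool(aes128),
    }


if __name__ == "__main__":
    print(check_openjre_asdm_compat(SAMPLE_CONFIG_LINE))
```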
