Cisco ASA 5505 Basic Configuration – Step by Step Guide for Dummies
Basic Configuration of Cisco ASA (5505)
In this article, I will guide you to basic configuration of Cisco ASA 5505.
Cisco ASA 5505 Adaptive Security Device
http://www.o2.co.uk/broadband/
- Open Cisco ASA 5505 from packing box, attach power cord and console cable.
- Access ASA 5505 console through hyper terminal / putty program and you will see below interface:
| ode: |
| Type help or ‘?’ for a list of available commands. ciscoasa> |
- Type the command “enable” to get in enabled mode.
| Code: |
| Type help or ‘?’ for a list of available commands. ciscoasa> enable Password: ciscoasa# |
You may see password prompt, just pres “Enter” key as there is no password configured with new appliance.
- The 1st thing you want to do is type the command “write erase”. This will delete all the default configuration set by Cisco. You might wonder why but there is a lot of stuff in that configuration that you may not require and you may face some network issues if you connected your ASA 5505 security appliance with your your DHCP enabled network.
| Code: |
| ciscoasa# write erase Erase configuration in flash memory? [confirm] [OK] ciscoasa# |
- You will be prompted to confirm that you want to erase the default configuration. Press enter to proceed to erase content.
- Once you erase your startup configuration you are required to reload the ASA to load clean configuration. Type “reload” command to load clean configurations.
| Code: |
| ciscoasa# reload Proceed with reload? [confirm] ciscoasa# *** *** — START GRACEFUL SHUTDOWN — Shutting down isakmp Shutting down File system *** — SHUTDOWN NOW —– |
- After ASA 5505 reload you will see below prompt to setup firewall through wizard, type “no” to setup ASA 5505 security appliance yourself manually.
| Code: |
| Pre-configure Firewall now through interactive prompts [yes]? |
- Now enter enabled mode (look up if you forgot how to) and issue the command “show running-config”.
| Code: |
| ciscoasa# show running-config |
- Looks nice and clean right?
- Now we can start manual configuration of ASA security appliance.
- Load configuration mode. You can do this by issuing the command “configure terminal”
| Code: |
| ciscoasa# configure terminal ciscoasa(config)# |
- Notice the (config) behind the device hostname. This means you’re in configuration mode.
- Change Cisco ASA hostname.
| Code: |
| ciscoasa(config)# hostname MyASA MyASA(config)# |
You can see the hostname changes immediately.
- Set a username and password to manage the ASA from your desk with SSH/Telnet/ASDM.
| Code: |
| MyASA(config)# username example password example privilege 15 MyASA(config)# |
Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.
- Configure the inside (LAN) address of the ASA 5505 security appliance.
With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.
| Code: |
| MyASA(config)# interface vlan 1 MyASA(config-if)# ip address 192.168.1.1 255.255.255.0 MyASA(config-if)# nameif inside INFO: Security level for “inside” set to 100 by default. |
All the ASA devices work with security levels that you apply to VLANs/interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.
For the inside VLAN:
- Configure outside (WAN) interface.
Depending on the provider you might have to do this a little bit different but we are configuring with a static IP address.
| Code: |
| MyASA(config)# interface vlan 2 MyASA(config-if)# ip address 212.115.192.193 255.255.255.248 MyASA(config-if)# nameif outside INFO: Security level for “outside” set to 0 by default. ExampleASA(config-if)# exit ExampleASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.192 |
As you can see the ASA sets the security level of the interface called outside to 0.
You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway.
If your provider gives you a IP address trough DHCP the configuration is a little easier.
| ode: |
| MyASA(config)# interface vlan 2 MyASA(config-if)# ip address dhcp set route MyASA(config-if)# nameif outside |
With this command you’re not required to configure a default gateway as it will provided by ISP and configured automatically with ASA 5505 WAN interface.
Now we need to attach the outside VLAN to one of the interfaces of the ASA.
By default all the interfaces are attached to VLAN 1 and by default all the interfaces are in the “shutdown” state. In this example I will attach the interface “Ethernet 0″ to the outside VLAN (VLAN 2) and make the port operational.
| Code: |
| MyASA(config)# interface ethernet0/0 MyASA(config-if)# switchport access vlan 2 MyASA(config-if)# no shutdown |
Now this interface is attached to VLAN 2 and operational.
You need to make at least one other port operational for your inside network by typing the command “no shutdown”.
| Code: |
| MyASA(config)# interface ethernet0/1 MyASA(config-if)# no shutdown |
By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.
- Configure NAT to make internet work from your inside network.
- For NAT fist step: you need to make a global interface to where all the addresses from the inside need to be translated to.
| Code: |
| MyASA(config)# global (outside) 10 interface INFO: outside interface address added to PAT pool |
The number 10 in that line of configuration is a identifier. This way you can tell the NAT on the inside to wich outside IP address they should translate to.
The interface part means that you use your interface IP address to translate to. In this case the outside interface.
- For NAT second step we need to make a NAT rule for the inside network.
| Code: |
| MyASA(config)# nat (inside) 10 192.168.1.0 255.255.255.0 MyASA(config)# |
I use used the number 10 in this NAT rule. This links the inside network to the outside global. The subnet behind that states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.
Congratulations! You configured your ASA to allow internet for your internal LAN with 192.168.1.0 network.
If you want to manage the ASA security appliance remotely i.e without having access to console.
The ASA supports remote administration trough SSH and Telnet. The ASA also has a good graphical interface called the ASDM (Adaptive Security Device Manager).
I will guide you to configure the ASA so you should able to connect with the ASDM (graphical) and with SSH (CLI).
- Enable SSH on Cisco ASA 5505 security appliance. To enable SSH you will need to generate a key wich will encrypt the traffic between the user and the ASA.
| Code: |
| MyASA(config)# crypto key generate rsa modulus 1024 INFO: The name for the keys will be: <Default-RSA-Key> Keypair generation process begin. Please wait… MyASA(config)# |
- Now we want to use the username we made earlier to connect to the ASA with SSH.
| Code: |
| MyASA(config)# aaa authentication ssh console LOCAL |
The LOCAL means that the ASA uses the local username database to authenticate users.
- Setup ACL (access control list) to access ASA with SSH. In this example we only allow users on the inside to access the ASA with SSH.
| Code: |
| MyASA(config)# ssh 192.168.1.0 255.255.255.0 inside |
Now your ASA is accessible with SSH from any computer from inside network.
- Enable ASDM GUI interface. Use below command to enable ASDM on ASA.
| Code: |
| MyASA(config)# http server enable |
- If you want to enable existing username we made earlier for SSH and setup ACL (access control list) to access ASA GUI (ASDM).
| Code: |
| MyASA(config)# aaa authentication http console LOCAL MyASA(config)# http 192.168.1.0 255.255.255.0 inside |
- Save all changes to make sure ASA 5505 load with new configurations.
| Code: |
| MyASA(config)# write mem Building configuration… Cryptochecksum: e5fa3ae9 add2aae4 c0be8847 79cec1ba 2502 bytes copied in 1.190 secs (2502 bytes/sec) [OK] MyASA(config)# |
Congratulations! You completed your Cisco ASA 5505 security appliance.
http://www.o2.co.uk/broadband/
Tags: ASA 5505, ASDM, broadband, Cisco, Cisco ASA, Firewall, Information Security, IT Security, putty, Security, Security appliance, ssh
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET CLR 1.1.4322; .NET4.0C)
Thanks for the tutorial. I’ve tried stepping through it however when I get to the nat section and put in the global line I get an error. ERROR: This syntax of nat command has been deprecated. My ASA5505 is running 8.4 version of the software. What command can I use as an alternative? Thanks!
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
I will update tutorial soon, The video below provides a basic command line configuration example of Network Address Translation (NAT) on the CIsco ASA Version 8.3.
https://supportforums.cisco.com/docs/DOC-12324
Also this link should help understanding of migration from old versions to ASA version 8.3 and 8.4.
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Thank you for your reminder
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Sorry but where did you set the username / local for the aaa command?
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
User is created in local database, then it is setup for ssh and http services:
MyASA(config)# username example password example privilege 15
MyASA(config)# aaa authentication ssh console LOCAL
MyASA(config)# aaa authentication http console LOCAL
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Example 1 (with local credentials):
username admin password AdminPassword00 privilege 15
enable password TYPE_ENABLE_MODE_PASSWORD_HERE
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
Example Description:
There will be dedicated password for each username with this AAA command. however there will be single enable password that all usernames share to log into enable mode. In other words, password for username and password for enable mode are in general different. When there is only single username defined, password for username and password for enable mode could be set as the same. With either case, this approach is considered insecure since the idea of having “shared password” as the only enable password is unreliable.
To logon, enter the local username and password you created above. To enter the privilege mode, enter the enable password.
———————————-
Example 2 (with local credentials):
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
Example Description
Similar to previous AAA command set, there will be dedicated password for each username with this AAA command set. You may note that there will be single enable password that all usernames could at one time share to log into enable mode. Each username has to use its own password to log into enable mode. The shared enable password is not used in default. If all of defined usernames are removed along with the password for any reason, firewall admin will able to use the shared enable password to enter to enable mode. This approach is more secure as compared to previous example since the shared password in reality may never be used at anytime.
Note that the password to logon and to enter privilege mode is the same. Therefore firewall admin may never use the enable password to enter the privilege mode.