Basic ASA 5505 Configuration
In this article we will share the basic information and tips of the ASA 5505 Firewall Configuration. As we known, Cisco ASA devices can be configured and managed using either the command-line interface (CLI) or the Adaptive Security Device Manager (ASDM) GUI.
The ASA CLI is a proprietary OS which has a similar look and feel to the router IOS.
There are many similar commands between the ASA CLI and the IOS CLI. There are also many different commands.
The Cisco ASA contains a command set structure similar to that of a Cisco IOS router and offers the following access modes:
User EXEC mode - ciscoasa> en
Privileged EXEC mode - ciscoasa# config t
Global configuration mode - ciscoasa(config)#
Various sub-configuration modes, for example - ciscoasa(config-if)#
ROMMON mode - ROMMON> (Read-Only-Memory Monitor mode)
Unlike an ISR, the ASA performs as follows:
-Execute any ASA CLI command regardless of the current configuration mode prompt. The IOS "do" command is not required or recognized.
-Provide a brief description and command syntax when help is entered followed by the command. For example, typing help reload will display the command syntax for reload, a description, and the supported arguments.
-Interrupt show command output using Q. The IOS requires the use of Ctrl+C (^C).
In ROMMON mode, an administrator can use a TFTP server to load a system image into the security appliance. ROMMON mode is also used to recover the system password.
IOS Router Command
Equivalent ASA Command
line con 0
show ip interfaces brief
show interfaces ip brief
show ip route
show ip nat translations
show switch vlan
The ASA 5505 ships with a default configuration that, in most cases, is sufficient for a basic SOHO deployment.
The configuration includes two preconfigured VLAN networks: VLAN1 and VLAN2.
VLAN 1 is for the inside network and VLAN 2 is for the outside network.
The inside interface also provides DHCP addressing and NAT features. Clients on the inside network obtain a dynamic IP address from the ASA so that they can communicate with each other and with devices on the Internet.
Specifically, the default factory configuration for the ASA 5505 configures the following:
*A default host name of ciscoasa
*Console or enable passwords which are blank.
*An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
*An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address from the ISP using DHCP.
*The default route that is derived from DHCP.
*All inside IP addresses to be translated when accessing the outside using interface PAT.
*The HTTP server to support ASDM access.
*An internal DHCP server to provide addresses between 192.168.1.5 and 192.168.1.36 for hosts that connect to a VLAN 1 interface.
The ASA can be restored to its factory default configuration by using the global configuration command:
The ASA startup configuration can be erased using the commands:
write erase and reload
Once rebooted, the ASA displays the following prompt "Pre-configure Firewall now through interactive prompts [yes]?"
hostname nam -Changes the name of the ASA
clock set 8:05:00 3 OCT 2011
domain-name name - Changes the domain name.
enable password password - Configures the privileged EXEC mode password. Note that there is no secret option.
passwd password - Configures the Telnet / SSH password
key config-key password-encryption [new-passphrase [old-passphrase]] - Creates or changes an existing master passphrase created to encrypt all passwords (aes). (similar to IOS service password-encryption
password encryption aes
Configure the Interfaces (vlan interfaces)
interface vlan <vlan-number> - Creates a switch virtual interface (SVI).
nameif <name> - Assigns a name to the SVI interface.
security-level <value> - Assigns a security level to the SVI interface
no shutdown - enables the Layer 2 port
show switch vlan
show int ip brief
IP address config
ip address ip-address netmask - Manually
ip address dhcp - Using DHCP
ip address dhcp setroute - also requests and installs a default route to the upstream device.
ip address pppoe - Using PPPoE
ip address pppoe setroute - also requests and installs a default route
CAUTION: An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created.
If an ASA is configured as a DHCP client, then it can receive and install a default route from the upstream device.
Default static route will have to be configured using the usingcommand
route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address
route outside 0.0.0.0 0.0.0.0 22.214.171.124
Configure Telnet Access
passwd password - Configures the Telnet / SSH password.
telnet - Identifies which inside host can telnet to the ASA.
telnet 0.0.0.0 0.0.0.0 management
telnet timeout minutes - Alters the default exec timeout of 5 minutes
SSH is also supported but requires AAA authentication to be enabled.
username name password password - Creates a local database entry.
aaa authentication ssh console LOCAL - Configures SSH to refer to the local database for authentication. The LOCAL keyword is case sensitive and is a predefined server tag.
crypto key generate rsa modulus 1024 - Generates the RSA key required for SSH encryption.
ssh ip-addresssubnet-maskinterface-name - Identifies which inside host can SSH to the ASA.
ssh timeout minutes - Alters the default exec timeout of 5 minutes.
Configure NTP Services
ntp server ip-address - Identifies the NTP server address.
ntp authentication-key - Configures the authentication key and password.
ntp trusted-key value - Identifies which configured key is to be trusted.
ntp authenticate - Enables NTP authentication.
show ntp status
show ntp associations
Configure DHCP Services
An ASA can be configured to be a DHCP client and a DHCP server.
dhcpd enable inside - Enables the DHCP server service (daemon) on the inside interface of the ASA.
dhcpd address [start-of-pool]-[end-of-pool] inside - Defines the pool of IP addresses and assigns the pool to inside users. Notice that the start-of-pool and end-of-pool IP addresses are separated by a hyphen.
Note: The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32.
DHCP options such as DNS, domain name, WINS, and lease time can all be manually configured as follows:
dhcpd domain domain-name - Configures the DNS domain name.
dhcpd dns dns-ip-address - Configures the DNS server IP address.
dhcpd wins wins-ip-address - Command to configure the WINS server address.
dhcpd lease seconds - Configures the lease time in seconds. The default is 3600 seconds (1 hour).
dhcpd option value - Configures the DHCP option code. Option code is in the range 0 - 250.
If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config outside global configuration command can be used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.
show dhcpd state - Displays the current DHCP state for inside and outside interfaces.
show dhcpd binding - Displays the current DHCP bindings of inside users.
show dhcpd statistics - Displays the current DHCP statistics.
To clear the DHCP bindings or statistics, use the commands
clear dhcpd binding
clear dhcpd statistics
Rs from http://sclabs.blogspot.com/2013/01/chapter-10-implementing-cisco-adaptive.html
More Cisco ASA Reviews and Topics