Overblog Follow this blog
Edit post Administration Create my blog
Cisco & Cisco Network Hardware News and Technology

Basic ASA 5505 Configuration

July 28 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

In this article we will share the basic information and tips of the ASA 5505 Firewall Configuration. As we known, Cisco ASA devices can be configured and managed using either the command-line interface (CLI) or the Adaptive Security Device Manager (ASDM) GUI.

The ASA CLI is a proprietary OS which has a similar look and feel to the router IOS.

There are many similar commands between the ASA CLI and the IOS CLI. There are also many different commands.

The Cisco ASA contains a command set structure similar to that of a Cisco IOS router and offers the following access modes:

User EXEC mode - ciscoasa> en
Privileged EXEC mode - ciscoasa# config t
Global configuration mode - ciscoasa(config)# 
Various sub-configuration modes, for example - ciscoasa(config-if)#
ROMMON mode - ROMMON>    (Read-Only-Memory Monitor mode)

 

Unlike an ISR, the ASA performs as follows:
-Execute any ASA CLI command regardless of the current configuration mode prompt. The IOS "do" command is not required or recognized.
-Provide a brief description and command syntax when help is entered followed by the command. For example, typing help reload will display the command syntax for reload, a description, and the supported arguments.
-Interrupt show command output using Q. The IOS requires the use of Ctrl+C (^C).

In ROMMON mode, an administrator can use a TFTP server to load a system image into the security appliance. ROMMON mode is also used to recover the system password.

IOS Router Command

Equivalent ASA Command

erase startup-config

write erase

enable secret

enable password

line con 0
 password password
 login

passwd password

show ip interfaces brief

show interfaces ip brief

show ip route

show route

show ip nat translations

show xlate

show vlan

show switch vlan

ip route

route outside

Ctrl+C

Q


The ASA 5505 ships with a default configuration that, in most cases, is sufficient for a basic SOHO deployment.

The configuration includes two preconfigured VLAN networks: VLAN1 and VLAN2.
VLAN 1 is for the inside network and VLAN 2 is for the outside network.

The inside interface also provides DHCP addressing and NAT features. Clients on the inside network obtain a dynamic IP address from the ASA so that they can communicate with each other and with devices on the Internet. 

Specifically, the default factory configuration for the ASA 5505 configures the following:
*A default host name of ciscoasa
*Console or enable passwords which are blank.
*An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
*An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address from the ISP using DHCP.
*The default route that is derived from DHCP.
*All inside IP addresses to be translated when accessing the outside using interface PAT.
*The HTTP server to support ASDM access.
*An internal DHCP server to provide addresses between 192.168.1.5 and 192.168.1.36 for hosts that connect to a VLAN 1 interface.


The ASA can be restored to its factory default configuration by using the global configuration command:

configure factory-default

 

The ASA startup configuration can be erased using the commands:

write erase   and   reload

 

Once rebooted, the ASA displays the following prompt "Pre-configure Firewall now through interactive prompts [yes]?" 

Basic Config

hostname nam -Changes the name of the ASA
clock set 8:05:00 3 OCT 2011
domain-name name - Changes the domain name.
enable password password - Configures the privileged EXEC mode password. Note that there is no secret option.
passwd password - Configures the Telnet / SSH password
key config-key password-encryption [new-passphrase [old-passphrase]] - Creates or changes an existing master passphrase created to encrypt all passwords (aes). (similar to IOS service password-encryption
password encryption aes

 

Configure the Interfaces (vlan interfaces)

interface vlan <vlan-number> - Creates a switch virtual interface (SVI).
nameif <name>                - Assigns a name to the SVI interface.
security-level <value>       - Assigns a security level to the SVI interface
no shutdown                  - enables the Layer 2 port

show switch vlan
show interface
show int ip brief

 

IP address config

ip address ip-address netmask - Manually
ip address dhcp - Using DHCP
ip address dhcp setroute - also requests and installs a default route to the upstream device.
ip address pppoe  - Using PPPoE
ip address pppoe setroute - also requests and installs a default route

 

CAUTION: An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created.

Default route
If an ASA is configured as a DHCP client, then it can receive and install a default route from the upstream device. 
Default static route will have to be configured using the usingcommand

route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address
route outside 0.0.0.0 0.0.0.0 209.195.0.1
show route

 

Configure Telnet Access

passwd password - Configures the Telnet / SSH password.
telnet - Identifies which inside host can telnet to the ASA.
telnet 0.0.0.0 0.0.0.0 management
telnet timeout minutes - Alters the default exec timeout of 5 minutes

 

SSH is also supported but requires AAA authentication to be enabled. 

username name password password - Creates a local database entry.
aaa authentication ssh console LOCAL - Configures SSH to refer to the local database for authentication. The LOCAL keyword is case sensitive and is a predefined server tag.
crypto key generate rsa modulus 1024 - Generates the RSA key required for SSH encryption.
ssh ip-addresssubnet-maskinterface-name - Identifies which inside host can SSH to the ASA.
ssh timeout minutes - Alters the default exec timeout of 5 minutes.
show ssh

 

Configure NTP Services

ntp server ip-address   - Identifies the NTP server address.
ntp authentication-key    - Configures the authentication key and password.
ntp trusted-key value    - Identifies which configured key is to be trusted.
ntp authenticate    - Enables NTP authentication.
show ntp status
show ntp associations

 

Configure DHCP Services
An ASA can be configured to be a DHCP client and a DHCP server. 
DHCP Server

dhcpd enable inside   - Enables the DHCP server service (daemon) on the inside interface of the ASA.
dhcpd address [start-of-pool]-[end-of-pool] inside - Defines the pool of IP addresses and assigns the pool to inside users. Notice that the start-of-pool and end-of-pool IP addresses are separated by a hyphen.

 

Note: The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32.

DHCP options such as DNS, domain name, WINS, and lease time can all be manually configured as follows:
dhcpd domain domain-name - Configures the DNS domain name.
dhcpd dns dns-ip-address - Configures the DNS server IP address. 
dhcpd wins wins-ip-address - Command to configure the WINS server address.
dhcpd lease seconds - Configures the lease time in seconds. The default is 3600 seconds (1 hour).
dhcpd option value - Configures the DHCP option code. Option code is in the range 0 - 250.

 

If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config outside global configuration command can be used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.

 

Verify

show dhcpd state - Displays the current DHCP state for inside and outside interfaces.
show dhcpd binding - Displays the current DHCP bindings of inside users.
show dhcpd statistics - Displays the current DHCP statistics.

 

To clear the DHCP bindings or statistics, use the commands

clear dhcpd binding
clear dhcpd statistics

 

Rs from http://sclabs.blogspot.com/2013/01/chapter-10-implementing-cisco-adaptive.html

 

More Cisco ASA Reviews and Topics

Cisco ASA IPS Module Configuration

WAYS to Help You Set Up Your Small, Medium and Large Networks

Cisco ASA Failover, Failover Modes & ASA Failover Configuration

ASA Routed vs. Transparent

ASA 5505 vs. ASA 5510 vs. ASA 5512-X vs. ASA 5515-X

Does Cisco ASA 5500-X Series Support Both IPS and AVC/WSE in One Box?

Share this post

Repost 0
To be informed of the latest articles, subscribe:

Comment on this post