Basic Configuration of Cisco ASA (5505)

In this article, I will guide you to basic configuration of Cisco ASA 5505.

http://www.o2.co.uk/broadband/

• Open Cisco ASA 5505  from packing box, attach power cord and console cable.
• Access ASA 5505 console through hyper terminal / putty program and you will see below interface:

ode:

Type help or ‘?’ for a list of available commands. ciscoasa>

 

• Type the command “enable” to get in enabled mode.

 

You may see password prompt, just pres “Enter” key as there is no password configured with new appliance. 

• The 1st thing you want to do is type the command “write erase”. This will delete all the default configuration set by Cisco. You might wonder why but there is a lot of stuff in that configuration that you may not require and you may face some network issues if you connected your ASA 5505 security appliance with your your DHCP enabled network.

 

 

• You will be prompted to confirm that you want to erase the default configuration. Press enter to proceed to erase content.
• Once you erase your startup configuration you are required to reload the ASA to load clean configuration. Type “reload” command to load clean configurations.

• After ASA 5505 reload you will see below prompt to setup firewall through wizard, type “no” to setup ASA 5505 security appliance yourself manually.

 

• Now enter enabled mode (look up if you forgot how to) and issue the command “show running-config”.

•  Looks nice and clean right?
• Now we can start manual configuration of ASA security appliance. 
• Load configuration mode. You can do this by issuing the command “configure terminal” 

• Notice the (config) behind the device hostname. This means you’re in configuration mode. 
• Change Cisco ASA hostname. 

 

 

You can see the hostname changes immediately. 

• Set a username and password to manage the ASA from your desk with SSH/Telnet/ASDM.

Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.

• Configure the inside (LAN) address of the ASA 5505 security appliance.

With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.

All the ASA devices work with security levels that you apply to VLANs/interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside. 

For the inside VLAN:

• Configure outside (WAN) interface.

Depending on the provider you might have to do this a little bit different but we are configuring with a static IP address.

 

As you can see the ASA sets the security level of the interface called outside to 0. 
You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway. 

If your provider gives you a IP address trough DHCP the configuration is a little easier.

With this command you’re not required to configure a default gateway as it will provided by ISP and configured automatically with ASA 5505 WAN interface.

Now we need to attach the outside VLAN to one of the interfaces of the ASA. 
By default all the interfaces are attached to VLAN 1 and by default all the interfaces are in the “shutdown” state. In this example I will attach the interface “Ethernet 0″ to the outside VLAN (VLAN 2) and make the port operational.

 

Now this interface is attached to VLAN 2 and operational. 
You need to make at least one other port operational for your inside network by typing the command “no shutdown”.

 

By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.

• Configure NAT to make internet work from your inside network.
• For NAT fist step: you need to make a global interface to where all the addresses from the inside need to be translated to.

 

The number 10 in that line of configuration is a identifier. This way you can tell the NAT on the inside to wich outside IP address they should translate to. 
The interface part means that you use your interface IP address to translate to. In this case the outside interface.

• For NAT second step we need to make a NAT rule for the inside network.

I use used the number 10 in this NAT rule. This links the inside network to the outside global. The subnet behind that states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.

Congratulations! You configured your ASA to allow internet for your internal LAN with 192.168.1.0 network.

If you want to manage the ASA security appliance remotely i.e without having access to console.

The ASA supports remote administration trough SSH and Telnet. The ASA also has a good graphical interface called the ASDM (Adaptive Security Device Manager). 
I will guide you  to configure the ASA so you should able to connect with the ASDM (graphical) and with SSH (CLI). 

• Enable SSH on Cisco ASA 5505 security appliance. To enable SSH you will need to generate a key wich will encrypt the traffic between the user and the ASA.

 

 

• Now we want to use the username we made earlier to connect to the ASA with SSH.

The LOCAL means that the ASA uses the local username database to authenticate users. 

• Setup ACL (access control list) to access ASA with SSH. In this example we only allow users on the inside to access the ASA with SSH.

 

Now your ASA is accessible with SSH from any computer from inside network.

• Enable ASDM GUI interface.  Use below command to enable ASDM on ASA.

• If you want to enable existing username we made earlier for SSH and setup ACL (access control list) to access ASA GUI (ASDM).

• Save all changes to make sure ASA 5505 load with new configurations.

Congratulations! You completed your Cisco ASA 5505 security appliance.

http://www.o2.co.uk/broadband/