Configuration de base : Cisco ASA 5505

When you open the box containing your new ASA 5505 and plug in your console you will see the following:

Type help or ‘?’ for a list of available commands.

Here you type the command “enable” to get in enabled mode.

Type help or ‘?’ for a list of available commands.
ciscoasa> enable

As you can see you will get a password prompt. Simply hit enter here because there is no enable password configured.

The 1st thing you want to do is type the command “write erase”. This will delete all the default configuration Cisco made for you. You might wonder why but there is a lot of stuff in that configuration that you don’t need/want and could even cause some network issues if you connected it to your network (DHCP).

ciscoasa# write erase
Erase configuration in flash memory? [confirm]

You will be prompted to confirm that you want to erase the configuration. Simply hit enter here.

Now that you erased your startup configuration you will need to reload the ASA to get a clean configuration. You will use the “reload” command for this.

ciscoasa# reload
Proceed with reload? [confirm]

Shutting down isakmp
Shutting down File system


Now when your router is restarted you will get this question:

Pre-configure Firewall now through interactive prompts [yes]?

Answer with “no” since you want to configure the ASA yourself (you want to be a cisco engineer right ?).

Now enter enabled mode (look up if you forgot how to) and issue the command “show running-config“.

ciscoasa# show running-config

Looks nice and clean right ?
Now we can start the configuration.

The 1st thing you want to do is get into configuration mode. You can do this by issuing the command “configure terminal”

ciscoasa# configure terminal

Notice the (config) behind the device hostname. This means your in configuration mode.
Now we will give our ASA another hostname.

ciscoasa(config)# hostname ExampleASA

As you can see the hostname changes immediately.
Now we will set a username and password so you can actually manage the ASA from your desk with SSH/Telnet/ASDM.

ExampleASA(config)# username example password example privilege 15

Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.

Now that this is done we will configure the inside (LAN) address of the ASA.
With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.

ExampleASA(config)# interface vlan 1
ExampleASA(config-if)# ip address
ExampleASA(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.

All the ASA devices work with security levels that you apply to VLANs/interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.
So far for the inside VLAN.
Now we will start on the outside (WAN) configuration.
Depending on the provider you might have to do this a little bit different but I will start with a static IP address first.

ExampleASA(config)# interface vlan 2
ExampleASA(config-if)# ip address
ExampleASA(config-if)# nameif outside
INFO: Security level for outside set to 0 by default.
ExampleASA(config-if)# exit
ExampleASA(config)# route outside

As you can see the ASA sets the security level of the interface called outside to 0.
You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway.

If your provider gives you a IP address trough DHCP the configuration is a little easier.

ExampleASA(config)# interface vlan 2
ExampleASA(config-if)# ip address dhcp setroute
ExampleASA(config-if)# nameif outside

With this command you dont need to configure a default gateway since you will get this from your provider.

Now we need to attach the outside VLAN to one of the interfaces of the ASA.
By default all the interfaces are attached to VLAN 1 and by default all the interfaces are in the “shutdown” state. In this example I will attach the interface “Ethernet 0” to the outside VLAN (VLAN 2) and make the port operational.

ExampleASA(config)# interface ethernet0/0
ExampleASA(config-if)# switchport access vlan 2
ExampleASA(config-if)# no shutdown

Now this interface is attached to VLAN 2 and operational.
You need to make at least one other port operational for your inside network by typing the command “no shutdown”.

ExampleASA(config)# interface ethernet0/1
ExampleASA(config-if)# no shutdown

By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.

And now to make internet work from your inside network we have to configure NAT.
1st you make a global interface to where all the addresses from the inside need to be translated to.

ExampleASA(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool

The number 10 in that line of configuration is a identifier. This way you can tell the NAT on the inside to wich outside IP address they should translate to.
The interface part means that you use your interface IP address to translate to. In this case the outside interface.

2nd we need to make a NAT rule for the inside network.

ExampleASA(config)# nat (inside) 10

As you can see I also used the number 10 in this rule. This links the inside network to the outside global. The subnet behind that states that the network is allowed to be translated to the outside IP address.

Congratulations! You now should have an internet connection!
But now you want to manage the ASA without having to walk to the server room all the time.
The ASA supports remote administration trough SSH and Telnet. The ASA also has a good graphical interface called the ASDM (Advanced Security Device Manager).
I will show you how to configure the ASA so you can connect with the ASDM (graphical) and with SSH (CLI).
First we start with SSH. To enable SSH you will need to generate a key wich will encrypt the traffic between the user and the ASA.

ExampleASA(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…

Now we want to use the username we made earlier to connect to the ASA with SSH.

ExampleASA(config)# aaa authentication ssh console LOCAL

The LOCAL means that the ASA uses the local username database to authenticate users.

When this is done you need to tell the ASA wich IP address are allowed to connect to the ASA. We will only allow users on the inside to access the ASA by SSH.

ExampleASA(config)# ssh inside

Now your ASA is accessible by SSH from your own workspace.

Next, we enable the ASDM graphic interface.

ExampleASA(config)# http server enable

This command enables the ASDM on the ASA.
We want to use the username we made earlier and tell wich networks are allowed to connect to the ASA with the ASDM.

ExampleASA(config)# aaa authentication http console LOCAL
ExampleASA(config)# http inside

When this is done you want to make sure your ASA doesn’t start up without a configuration next time the ASA reboots. You can do this by saving the configuration with the following command.

ExampleASA(config)# write mem
Building configuration…
Cryptochecksum: e5fa3ae9 add2aae4 c0be8847 79cec1ba

2502 bytes copied in 1.190 secs (2502 bytes/sec)

Congratulations! You are now finished with configuring your ASA.
Next time I will go into the more detailed configuration of an ASA.

Leave a Reply

Your email address will not be published. Required fields are marked *