Cisco (internet) ASA 5505 / 5500 Series Setup

Notes:

Syntax / Example

In the following, items in italics are examples. So you should replace

Commands: After connecting to the console, you will see the router> prompt, where "router" is replaced with the name of the device. Use the enable command to enter privileged EXEC mode. The password is empty by default (just press Enter). The prompt should change to router#

router> enable
Password:
router#

And the first thing you must do is delete the factory default configuration... no really... Type:
router#write erase
and then confirm by pressing enter. Then reload so the new (non) configuration can take effect:
router#reload
and press enter to confirm. After a rather long time, you will eventually get the (default) ciscoasa> prompt. Enter enable and confirm the empty password again.

To go into configuration mode, at the ciscoasa# prompt, type conf t:
ciscoasa#conf t
Enter configuration commands, one per line. End with CNTL/Z or type exit.
ciscoasa(config)#

The router responds with a new prompt showing the mode. To leave configuration mode, press Ctrl+Z.

ciscoasa(config)# hostname yourasa

yourasa(config)# username youruser password yourpass privilege 15

Set up your internal network. We use vlan 1 here, but any VLAN number works. Replace the IP address with the one you want the firewall to have on the inside; it becomes the default gateway address for internal devices. Notice that the security level is set to 100 automatically for an interface named inside.

yourasa(config)# interface vlan 1
yourasa(config-if)# ip address 192.168.0.1 255.255.255.0
yourasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

The interface vlan 1 syntax has changed on the 5506-X / ASA 9.8: the VLAN number is appended to the port with a dot, as slot 1/port x.vlan y:
yourasa(config)# interface gi 1/x.y

However, by default, instead of using VLANs, it uses bridge groups to collect interfaces and a bridge virtual interface (BVI) to give them an address. For each interface in the "inside" group (replace x with the actual interface number):
yourasa(config)# interface gi 1/x
yourasa(config-if)# bridge-group 1

yourasa(config-if)# nameif inside_x
yourasa(config-if)# security-level 100

gi = GigabitEthernet, slot 1 / port x. The name is important for static NAT, since a static NAT rule cannot be applied to an entire bridge-group: your server will be plugged into a specific port and services will NAT to that port only.

And then the Bridge Virtual Interface collects all of bridge-group 1 into a single virtual interface:
yourasa(config)# interface BVI1
yourasa(config-if)# nameif inside
yourasa(config-if)# security-level 100
yourasa(config-if)# ip address 192.168.0.1 255.255.255.0

Set up your external network. This is where you specify the IP address and netmask you were assigned by your ISP. This is your public IP address.

Note: If your ISP assigns addresses via DHCP, use ip address dhcp setroute instead, and skip the route outside command.

Note: Most ISP modems will NOT recognize a new device until they are reset. In some cases that doesn't even happen with a power cycle: they must be reset by the ISP before they will talk to a new firewall/router, in which case you must find someone on the ISP side who is available and knows how to do that. This issue has caused volumes of frustration because it can easily be mistaken for an error in firewall configuration, e.g. "the new firewall doesn't allow any traffic when I put it in place, I must have set it up wrong".

To avoid that, you can set the MAC address of your new router to the MAC address of the old router. This is probably a violation of the master rules of the internet (or something) but it works, and allows you to quickly switch back and forth between the old and new routers at will. Very useful when you didn't have the new router set up as well as you thought you did... This is applied in the vlan interface setup. The command is yourasa(config-if)# mac-address H.H.H where H.H.H is the MAC address in hex, reformatted as three groups of 2 bytes / 4 digits separated by periods, in lower case. E.g. 68:7F:74:95:A8:3A becomes 687f.7495.a83a and 01:18:F8:F9:64:AE is 0118.f8f9.64ae
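As an added helper (not from the original page), a small Python converter that turns a MAC address in the usual colon, hyphen or dotted notation into the H.H.H form the mac-address command expects, rejecting anything that is not exactly 12 hex digits:

```python
import re

def to_cisco_mac(mac):
    """Convert a MAC address written as 68:7F:74:95:A8:3A (or with '-', '.'
    or no separators) into the H.H.H form the ASA mac-address command
    expects: 687f.7495.a83a.  Raises ValueError unless exactly 12 hex
    digits remain after stripping the separators."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    # three groups of 4 hex digits (2 bytes each), joined with periods
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def is_valid_mac(mac):
    """True if to_cisco_mac() accepts the value."""
    try:
        to_cisco_mac(mac)
        return True
    except ValueError:
        return False

def mac_address_command(mac):
    """The interface-mode line to paste into the outside interface config."""
    return f"mac-address {to_cisco_mac(mac)}"

if __name__ == "__main__":
    # the two example addresses given in the text above
    for old in ("68:7F:74:95:A8:3A", "01:18:F8:F9:64:AE"):
        print(old, "->", mac_address_command(old))
```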

yourasa(config)# interface vlan 2
yourasa(config-if)# ip address 123.123.123.123 255.255.255.248

yourasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
yourasa(config-if)# exit

Set up a manual default route to the ISP's gateway for all internal addresses. Note: skip this for ISPs that use DHCP.

yourasa(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.122

Make one of the ports your interface to the ISP's modem. Typically this is 0/0.

yourasa(config)# interface ethernet0/0
yourasa(config-if)# switchport access vlan 2
yourasa(config-if)# no shutdown

And set up the other ports for inside access. You don't need to specify the VLAN because it defaults to vlan 1.

yourasa(config)# interface ethernet0/1
yourasa(config-if)# no shutdown

Repeat the above for all the ports you want on the inside.

Again, this is different on the 5506-X / ASA 9.8. Since only one external interface is really needed, by default it's just set up on the physical interface. This example assumes port 1 is used for the connection to the ISP device.
yourasa(config)# interface gi 1/1
yourasa(config-if)# mac-address H.H.H

yourasa(config-if)# nameif outside
yourasa(config-if)# security-level 0
yourasa(config-if)# ip address 123.123.123.123 255.255.255.248

When you set up the route to the ISP gateway, you have to specify the interface port at the end. Change the 1 if you want to plug your ISP device into a different port. Again, this is not needed if your ISP device supports DHCP.
yourasa(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.122 1

And now, to make the internet work from your inside network, we have to configure NAT.

yourasa(config)#object network inside-net
yourasa(config-network)#subnet 192.168.0.0 255.255.255.0
yourasa(config-network)#nat (inside, outside) dynamic interface

Note this is the syntax for the newer device firmware. Older devices may need the following, taken from
http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html

First you make a global interface to which all the addresses from the inside need to be translated.

yourasa(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool

The number 10 in that line of configuration is an identifier. This way you can tell the NAT on the inside which outside IP address they should translate to. The interface part means that you use your interface IP address to translate to, in this case the outside interface. Next we need to make a NAT rule for the inside network.

yourasa(config)# nat (inside) 10 192.168.0.0 255.255.255.0

As you can see, I also used the number 10 in this rule. This links the inside network to the outside global. The subnet behind that states that the network 192.168.0.0/24 is allowed to be translated to the outside IP address.

Remote Admin:

And now to set up admin access via the network, so you can unplug your laptop and put away the console cable. You probably already have an RSA key, but if not:
yourasa(config)# crypto key generate rsa modulus 1024
A 1024-bit RSA key is considered weak today; use a 2048-bit modulus where your ASA software supports it.

For SSH to the CLI:

yourasa(config)# aaa authentication ssh console LOCAL
yourasa(config)# ssh 192.168.0.0 255.255.255.0 inside

To set up ASDM access via the browser or the ASDM Java app:

yourasa(config)# http server enable
yourasa(config)# aaa authentication http console LOCAL
yourasa(config)# http 192.168.0.0 255.255.255.0 inside

Save the configuration:

yourasa(config)# write mem
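As an added check before you put the console cable away (this is not from the original page), a short Python audit over a constructed running-config assembled from the commands above. It verifies the inside/outside security levels, that the SSH and ASDM (http) management rules are scoped to the inside interface and a real subnet rather than 0.0.0.0, that each is backed by the matching aaa authentication line, and that the dynamic PAT rule exists. The sample config deliberately has an http rule opened on outside so the audit has something to report.

```python
import re

# Constructed sample running-config built from this page's commands (not
# captured from a real device). The http rule is deliberately too open.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.248
object network inside-net
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
aaa authentication ssh console LOCAL
ssh 192.168.0.0 255.255.255.0 inside
http server enable
http 0.0.0.0 0.0.0.0 outside
"""

def parse_interfaces(config):
    """Map each nameif to its security-level by walking the indented blocks."""
    levels, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None                  # a top-level command ends the block
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels

def audit(config):
    """Return findings where the config departs from what the page sets up."""
    findings = []
    levels = parse_interfaces(config)
    if levels.get("outside") != 0:
        findings.append("outside interface is not security-level 0")
    if levels.get("inside") != 100:
        findings.append("inside interface is not security-level 100")
    # ssh/http <net> <mask> <ifname>: management must be limited to inside
    rules = re.findall(r"^(ssh|http) (\S+) (\S+) (\S+)$", config, re.M)
    for proto, net, mask, ifname in rules:
        if ifname != "inside" or mask == "0.0.0.0":
            findings.append(f"{proto} management open from {net} {mask} on {ifname}")
        if f"aaa authentication {proto} console LOCAL" not in config:
            findings.append(f"{proto} access enabled without aaa authentication")
    if not re.search(r"^ nat \(inside,outside\) dynamic interface$", config, re.M):
        findings.append("no dynamic PAT from inside to outside")
    return findings
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) to check a real device; an empty list from audit() means the management and NAT lines match this page.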

Move on to setting up Access Control Lists
