Configuration example Cisco ASA 5505
Descriptions:
Device has eight 10/100 Ethernet port E0/0 to E0/7, last two port E0/6 & E0/7 are PoE.
Licensing:
- Base License
- 3Vlans
- Support three security zones (inside, outside, dmz) but with communication restriction between DMZ & INSIDE
(Note: Inside vlan is permited to send traffic to the dmz only, but reverse traffic is not permited.
- No failover redundancy
- Security Plus Licens
- Upto 20 VLANs
- Failover redundancy
To Verify Serial Number and License type of ASA 5505
ciscoasa# show activation-key
Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
Clear configuration on ASA 5505
ASA5505# write erase
Resetting ASA 5505 to factory default
ASA5505(config)# config factory-default
Note: Factory default setting
- DHCP is enabled
- Preconfigured with two VLANs:
- Vlan 1 - Switchport E0/1 - E0/7 (inside trusted interface)
- Vlan 2 - Switch port E0/0 ( outside untrusted interface)
- Internal IP address is now 192.168.1.1
To set Privileged level password (enable password)
ASA5505(config)# enable password mysecretpassword
Configure the private inside interface
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 10.0.0.1 255.255.255.0
ASA5505(config)#interface e0/1
ASA5505(config-if)#switchport access vlan 1
Configure the public outside interface
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config)# inteface e0/0
ASA5505(config-if)# switchport access vlan 2
Configure the DMZ interface (BASE License)ASA5505(config)# interface vlan 3
ASA5505(config-if)#no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config)# ip address 172.10.0.1 255.255.255.0
ASA5505(config)#interface e0/2
ASA5505(config-if)#switchport access vlan 3
If ISP is going to provide ip addess to outside interface then we can configure is as follows:
interface vlan 2
nameif outside
security-level 0
ip address dhcp setroute
Note: ip address dhcp setroute : gets ip address and also set default ISP as default gateway
interfae e0/0
swithport access vlan 2
To enable management access to ASA from internal subnet 10.0.0.0 /24
http server enable
http 10.0.0.0 255.255.255.0 inside
Configure static route to reach internal subnet 10.0.0.0/24
route inside 10.10.10.0 255.255.255.0 ethernet 0/1
Configure default route to reach outside (internet)
route outside 0.0.0.0 0.0.0.0 192.168.1.2
Configure static router to DMZ
route dmz 172.16.0.1 255.255.255.0 ethernet 0/2
To configure DHCP pool for inside subnet
dhcpd address 192.168.1.2-192.168.1.50 inside
dhcpd enable inside