Networking, Security & Cloud Knowledge

Tuesday, February 28, 2012

029 - Configuring Cisco ASA 5505

Configuration example Cisco ASA 5505
Descriptions:
The device has eight 10/100 Ethernet switch ports, E0/0 to E0/7; the last two, E0/6 and E0/7, support PoE.

Licensing:

  • Base License
    • 3 VLANs
    • Supports three security zones (inside, outside, dmz), but with a communication restriction between the DMZ and inside
      (Note: the inside VLAN is permitted to initiate traffic to the DMZ, but the DMZ is not permitted to initiate traffic to the inside VLAN.)
    • No failover redundancy

  • Security Plus License
    • Up to 20 VLANs
    • Failover redundancy


To verify the serial number and license type of the ASA 5505

ciscoasa# show activation-key
Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.

Clear the saved configuration on the ASA 5505 (the startup configuration is erased; the change takes effect on the next reload)
ASA5505# write erase

Reset the ASA 5505 to the factory default configuration
ASA5505(config)# configure factory-default

Note: factory default settings
  • DHCP server is enabled on the inside interface
  • Preconfigured with two VLANs:
    • VLAN 1 - switch ports E0/1 to E0/7 (inside, trusted interface)
    • VLAN 2 - switch port E0/0 (outside, untrusted interface)
  • Inside IP address is 192.168.1.1


To set the privileged-level password (enable password)
ASA5505(config)# enable password mysecretpassword

Configure the private inside interface
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 10.0.0.1 255.255.255.0

ASA5505(config)# interface e0/1
ASA5505(config-if)# switchport access vlan 1

Configure the public outside interface
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0

ASA5505(config)# interface e0/0
ASA5505(config-if)# switchport access vlan 2

Configure the DMZ interface (Base license). On the Base license the third VLAN must be restricted with "no forward interface" before it is given a name; this blocks traffic initiated from the DMZ toward VLAN 1 (inside), while inside hosts can still reach the DMZ. Note that 172.10.0.0/24 is a publicly routable range, not RFC 1918 private space (172.16.0.0/12 is).
ASA5505(config)# interface vlan 3
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 172.10.0.1 255.255.255.0

ASA5505(config)# interface e0/2
ASA5505(config-if)# switchport access vlan 3

If the ISP assigns the IP address of the outside interface via DHCP, it can be configured as follows:
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute

Note: "ip address dhcp setroute" obtains the interface address from the ISP's DHCP server and also installs the DHCP-supplied default gateway as the ASA's default route.

interface e0/0
 switchport access vlan 2

To enable management access (ASDM over HTTPS) to the ASA only from the internal subnet 10.0.0.0/24
http server enable
http 10.0.0.0 255.255.255.0 inside

Configure a static route to a remote internal subnet (here 10.10.10.0/24) behind a router on the inside segment. The directly connected 10.0.0.0/24 needs no static route, and an ASA static route takes a next-hop IP address, not an interface name:
route inside 10.10.10.0 255.255.255.0 <inside-next-hop-ip>

Configure the default route toward the ISP router on the outside segment (internet)
route outside 0.0.0.0 0.0.0.0 192.168.1.2

Configure a static route to a subnet behind a router on the DMZ (the directly connected DMZ subnet itself needs no static route; use a network address and a next-hop IP):
route dmz 172.16.0.0 255.255.255.0 <dmz-next-hop-ip>

To configure a DHCP pool for the inside subnet. The pool must lie within the inside interface's own subnet (10.0.0.0/24 as configured above); the ASA rejects a pool from another subnet, so the factory-default 192.168.1.x range is only valid while the inside address is still 192.168.1.1:
dhcpd address 10.0.0.2-10.0.0.50 inside
dhcpd enable inside
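As an added example (not part of the original post), here is the whole procedure above consolidated into one consistent configuration that can be pasted at the config prompt, followed by the show commands used to verify it. Inside 10.0.0.1/24, outside 192.168.1.1/24, the default gateway 192.168.1.2 and the remote subnet 10.10.10.0/24 come from the post; the DMZ address 172.16.0.1/24 (an RFC 1918 range), the inside next hop 10.0.0.254 and the DHCP range 10.0.0.10-10.0.0.50 are values assumed for this example.

```text
! Added example: consolidated ASA 5505 (Base license) configuration built from the steps above.
! inside/outside addresses from the post; DMZ 172.16.0.1/24, next hop 10.0.0.254 and the
! DHCP range are assumed values for this example.
hostname ASA5505
enable password mysecretpassword
!
! Inside: highest security level, switch port E0/1
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 switchport access vlan 1
!
! Outside: lowest security level, switch port E0/0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! DMZ on the Base license: the third VLAN must be restricted before it is named.
! "no forward interface Vlan1" stops traffic initiated from the DMZ toward inside;
! inside hosts can still reach the DMZ (security level 100 -> 50).
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! ASDM (HTTPS) management only from the inside subnet
http server enable
http 10.0.0.0 255.255.255.0 inside
!
! Default route toward the ISP router on the outside segment
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
! Remote internal subnet behind an inside router (assumed next hop 10.0.0.254).
! Directly connected subnets (10.0.0.0/24, 172.16.0.0/24) need no static route.
route inside 10.10.10.0 255.255.255.0 10.0.0.254 1
!
! DHCP for inside clients: the pool must fall within the inside interface's subnet
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd enable inside
!
! Verification (run from privileged EXEC):
!   show switch vlan          -> VLAN-to-switch-port mapping
!   show interface ip brief   -> interface state and addresses
!   show nameif               -> interface names and security levels
!   show route                -> connected, static and DHCP-learned routes
```

The ordering in the DMZ section matters: on the Base license the "no forward interface Vlan1" line is accepted only before "nameif dmz", and "show nameif" afterwards should list inside at 100, dmz at 50 and outside at 0, which is what makes inside-to-DMZ traffic flow while DMZ-initiated traffic toward inside is dropped.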