Sunday, January 5, 2014

Configuring My Cisco ASA 5505 Home Lab Firewall

I'm done with FIREWALL and will start VPN very soon, so I took out my ASA 5505 to test my firewall skills, reset it to factory defaults and hooked it up to my lab network.

I took a two-network approach using only the "inside" and "outside" networks, since my ASA 5505 has a Base License, which supports only 3 VLANs. I could set up the firewall with a DMZ, but it would only be a "restricted" one. This means that if I add a DMZ network, it can only go out to the outside (Internet), while the inside network can communicate with both the outside and the DMZ network.

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.   


This scenario fits my current network topology, since I wanted my 871w router to function as the Internet edge router with the ASA 5505 behind it. Another good reason for this setup is that NAT is much simpler to configure and manage on a Cisco router.



ciscoasa(config)# hostname ASA_5505
ERROR: Invalid hostname: 'ASA_5505'
INFO: A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
ciscoasa(config)# hostname ASA5505
ASA5505(config)# username cisco password cisco privilege 15    // NOT RECOMMENDED IN A PRODUCTION NETWORK
ASA5505(config)# enable password cisco
ASA5505(config)# interface vlan 1
ASA5505(config-if)# ip address 172.16.1.1 255.255.255.0
ASA5505(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA5505(config-if)# interface vlan 2
ASA5505(config-if)# ip address 192.168.1.2 255.255.255.0
ASA5505(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA5505(config-if)# exit
ASA5505(config)# route outside 0 0 192.168.1.1    // STATIC DEFAULT ROUTE TO 871W
ASA5505(config)# interface ethernet0/0     // E0/0 PORT IS USED FOR WAN BY DEFAULT
ASA5505(config-if)# no shutdown
ASA5505(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5505(config-if)# exit
ASA5505(config)# http server enable
ASA5505(config)# http 192.168.1.0 255.255.255.0 outside     // FOR ASDM ACCESS
ASA5505(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
ASA5505(config)# ping www.cisco.com
                      ^
ERROR: % Invalid Hostname
ASA5505(config)# dns ?

configure mode commands/options:
  domain-lookup       Enable/Disable DNS host-to-address translation
  expire-entry-timer  Specify DNS entry expire timer
  name-server         Specify DNS servers
  poll-timer          Specify dns update interval
  retries             Configure DNS retries
  server-group        Configure a DNS server group
  timeout             Configure DNS query timeout

exec mode commands/options:
  update  Update FQDN IP addresses
ASA5505(config)# dns domain-lookup ?

configure mode commands/options:
Current available interface(s):
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config)# dns domain-lookup outside
ASA5505(config)# dns domain-lookup inside
ASA5505(config)# dns server-group DefaultDNS   // DNS  DOESN'T WORK ON A DIFFERENT DNS GROUP
ASA5505(config-dns-server-group)# name-server 8.8.8.8
ASA5505(config-dns-server-group)# name-server 4.2.2.2
ASA5505(config-dns-server-group)# exit
ASA5505(config)# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.58.16.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/70 ms
ASA5505(config)# object network INSIDE_HOSTS     // CREATE NETWORK OBJECT FOR SIMPLIFIED AND CLEAN CONFIG (IOS 8.3+)
ASA5505(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA5505(config-network-object)# exit
ASA5505(config)# object network INSIDE_LAN  
ASA5505(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet
ASA5505(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA5505(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet
ASA5505(config-network-object)# nat (?

network-object mode commands/options:
Current available interface(s):

  any      Global address space       // ANY KEYWORD IS AVAILABLE ON IOS 8.3+
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2

configure mode commands/options:
Current available interface(s):

  any      Global address space
  inside   Name of interface Vlan1
  outside  Name of interface Vlan2
ASA5505(config-network-object)# nat (inside,outside) ?

network-object mode commands/options:
  dynamic  Specify NAT type as dynamic
  static   Specify NAT type as static

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ASA5505(config-network-object)# nat (inside,outside) static ?

network-object mode commands/options:
  A.B.C.D             Mapped IP address
  WORD                Mapped network object/object-group name
  X:X:X:X::X/<0-128>  Enter an IPv6 prefix
  interface           Use interface address as mapped IP
ASA5505(config-network-object)# nat (inside,outside) static INSIDE_HOSTS     //  IDENTITY NAT
ASA5505(config-network-object)# exit
ASA5505(config)# telnet 172.16.0.0 255.255.0.0 inside     // TELNET IS DISALLOWED ON THE OUTSIDE INTERFACE
ASA5505(config)# ssh 192.168.1.0 255.255.255.0 outside  
ASA5505(config)# domain-name ?

configure mode commands/options:
  WORD  Domain names must begin and end with a digit/letter, only letters,
        digits, and hyphen are allowed as internal characters, labels are
        separated by a dot. A maximum of 63 characters is allowed.
ASA5505(config)# domain-name lagura.com    // DOMAIN NAME AND RSA KEYS ARE NEEDED FOR SSH CONNECTION
ASA5505(config)# crypto key generate rsa modulus ?

configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  512   512 bits
  768   768 bits
ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA5505(config)# aaa authentication ssh console LOCAL    // USE LOCAL DATABASE FOR SSH
ASA5505(config)# ssh timeout 60   // SSH TIMEOUT CAN'T BE DISABLED AND CAN ONLY BE SET TO 60 MINS MAX

I can now remotely access my ASA 5505 firewall via ASDM and with an SSH client on my iPad.
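As an added example that is not part of the original post, the Python script below runs a small audit over the configuration commands entered above (re-typed here as a constructed config text, not a capture from the device). It parses the interface stanzas to learn each nameif's security level, then flags the well-known default credentials (`username cisco password cisco`, `enable password cisco`), cleartext telnet management, and any `http`/`ssh`/`telnet` management access permitted on a security-level 0 interface. A hardened variant with placeholder passphrases and management restricted to the inside subnet is included for comparison. The `WEAK_PASSWORDS` denylist and the `CHANGE-ME-*` values are hypothetical. Note that in this lab the "outside" VLAN is the 871w's private LAN, so the http/ssh-on-outside findings are expected here; on an Internet-facing outside interface they would be real exposures.

```python
"""Audit a set of ASA configuration commands for risky management settings.

Added example, not part of the original post. The checks are a minimal,
hypothetical lint: default/weak credentials, cleartext telnet, and management
access (http/ssh/telnet) allowed on the lowest-security (level 0) interface.
"""
from ipaddress import ip_network

# Constructed from the commands typed in the post (not a device capture).
# A saved running-config stores 'password <hash> encrypted', so the credential
# checks only apply to commands as typed, like these.
SAMPLE_CONFIG = """\
hostname ASA5505
domain-name lagura.com
enable password cisco
username cisco password cisco privilege 15
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
http server enable
http 192.168.1.0 255.255.255.0 outside
telnet 172.16.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 60
aaa authentication ssh console LOCAL
"""

# Constructed hardened variant: placeholder passphrases, no telnet,
# management only from the inside subnet.
HARDENED_CONFIG = """\
hostname ASA5505
domain-name lagura.com
enable password CHANGE-ME-enable-passphrase
username netadmin password CHANGE-ME-admin-passphrase privilege 15
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
http server enable
http 172.16.1.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 10
aaa authentication ssh console LOCAL
"""

WEAK_PASSWORDS = {"cisco", "password", "admin", "default"}  # hypothetical denylist
MGMT_CMDS = ("ssh", "telnet", "http")


def interface_security_levels(config):
    """Return {nameif: security-level} parsed from the 'interface' stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def audit_config(config):
    """Return a list of (line number, severity, message) findings."""
    levels = interface_security_levels(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        parts = line.split()
        if not parts or line.startswith(" "):   # skip blanks and sub-mode lines
            continue
        cmd = parts[0]
        if cmd == "username" and "password" in parts:
            user, pw = parts[1], parts[parts.index("password") + 1]
            if pw.lower() in WEAK_PASSWORDS or pw.lower() == user.lower():
                findings.append((lineno, "HIGH",
                                 f"user '{user}' has a default or username-equal password"))
        elif cmd == "enable" and parts[1:2] == ["password"] and len(parts) > 2:
            if parts[2].lower() in WEAK_PASSWORDS:
                findings.append((lineno, "HIGH", "enable password is a well-known default"))
        elif cmd in MGMT_CMDS and len(parts) == 4:
            # Form: <ssh|telnet|http> <network> <mask> <nameif>
            net = ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            iface = parts[3]
            if cmd == "telnet":
                findings.append((lineno, "MEDIUM",
                                 f"cleartext telnet management allowed from {net} on '{iface}'"))
            if levels.get(iface) == 0:
                findings.append((lineno, "HIGH",
                                 f"{cmd} management reachable from {net} on security-level 0 interface '{iface}'"))
            if net.prefixlen == 0:
                findings.append((lineno, "HIGH",
                                 f"{cmd} management allowed from any source on '{iface}'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as entered in the post", SAMPLE_CONFIG),
                       ("hardened variant", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for lineno, sev, msg in results:
            print(f"  line {lineno:2d} [{sev}] {msg}")
```

Run as-is, the script reports five findings for the config as entered (the two default passwords, http and ssh on the level-0 interface, and telnet as cleartext) and none for the hardened variant. The RSA modulus size is not checked because `crypto key generate` is not stored in the configuration; that is worth verifying separately with `show crypto key mypubkey rsa`.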



2 comments:

  1. Hi John,
    I am currently doing an Apprentice Network Engineer and I have bought some routers and switches to build a home lab. I was thinking of buying an ASA 5505 or 5510 to add to my lab, but the question is: do I need to buy any license to make them work, or do I just need to go to the Cisco website and download the software?
    Thanks
    FJunior

    Replies
    1. Hi,
      The ASA 5505 and 5510 have already reached their End-of-Life and Cisco doesn't provide further support in terms of hardware and software. As for the license, both the ASA 5505 and 5510 have the Base and Security Plus licenses. Just make sure to get at least the Security Plus license pre-installed if you're doing some labs.