Cisco ASA 5505Cisco ASA 5505

Joseph CiceroJoseph CiceroNortheast Wisconsin Technical Northeast Wisconsin Technical

CollegeCollege

Some TerminologySome Terminology

Cisco states in Chapter 3 of the Getting Cisco states in Chapter 3 of the Getting Started Guide:Started Guide: Grouping ports into logical VLANs on the ASA Grouping ports into logical VLANs on the ASA

5505 enables you to segment large private 5505 enables you to segment large private networks and provide additional protection to networks and provide additional protection to critical network segments that may host critical network segments that may host resources such as servers, corporate computers, resources such as servers, corporate computers, and IP phones.and IP phones.

This chapter describes the options of deploying This chapter describes the options of deploying the ASA 5505 in a VLAN configuration and how the ASA 5505 in a VLAN configuration and how to determine how many VLANs you need. It also to determine how many VLANs you need. It also describes allocating ports for each of the VLANS.describes allocating ports for each of the VLANS.

Maximum Number and Maximum Number and Types of VLANsTypes of VLANs

The Cisco ASA 5505 comes pre-configured The Cisco ASA 5505 comes pre-configured with 2 VLANS.with 2 VLANS.

Cisco is basically saying that Port 0 (external Cisco is basically saying that Port 0 (external interface) is one VLAN, and the remaining interface) is one VLAN, and the remaining ports (internal interfaces) are the second ports (internal interfaces) are the second VLAN.VLAN.

You can configure as many as 3 VLANs You can configure as many as 3 VLANs (internal, external and DMZ)(internal, external and DMZ)

The license determines how many active The license determines how many active VLANs you have. We don’t have the Security VLANs you have. We don’t have the Security Plus license so you can not configure full Plus license so you can not configure full DMZ configuration.DMZ configuration.

Hardware SetupHardware Setup Basically the ASA 5505 by default is a Basically the ASA 5505 by default is a

firewall with built in switch. You connect firewall with built in switch. You connect Port 0 (external interface) to the “Internet” Port 0 (external interface) to the “Internet” and all other ports are considered (internal and all other ports are considered (internal interfaces).interfaces).

To begin configuration simply plug Port 0 To begin configuration simply plug Port 0 into the uplink to the Internet and plug your into the uplink to the Internet and plug your system into any of the remaining Ports 1-7.system into any of the remaining Ports 1-7.

You many need to ipconfig /release and You many need to ipconfig /release and /renew before you get the correct ip /renew before you get the correct ip address.address.

Software Setup - ASDMSoftware Setup - ASDM

ASDM – Adaptive Security Device ASDM – Adaptive Security Device ManagerManager GUI configuration utility for the ASA GUI configuration utility for the ASA

The ASA 5505’s internal interface is The ASA 5505’s internal interface is 192.168.1.1 and it is setup by default to 192.168.1.1 and it is setup by default to assign 192.168.1.2-254 dynamically. This assign 192.168.1.2-254 dynamically. This can be problematic if you’re using static can be problematic if you’re using static IP’s on servers/printers etc.IP’s on servers/printers etc.

Configure the device BEFORE you plug it Configure the device BEFORE you plug it into the network!into the network!

Software Setup - ASDMSoftware Setup - ASDM You’ll need to know the following BEFORE you You’ll need to know the following BEFORE you

setup your system.setup your system. HostnameHostname Domain NameDomain Name IP Address of External Interface, Internal Interface and IP Address of External Interface, Internal Interface and

DMZ if it will be setupDMZ if it will be setup IP Address of the host that will have administrative IP Address of the host that will have administrative

access to the ASA 5505.access to the ASA 5505. Privaleged Mode passwordPrivaleged Mode password IP addresses for NAT or PATIP addresses for NAT or PAT IP address range for DHCP serverIP address range for DHCP server IP address for the WINS serverIP address for the WINS server Static routes that may need to be configuredStatic routes that may need to be configured 33rdrd VLAN assigned Ports VLAN assigned Ports Whether or not interfaces should have access to each Whether or not interfaces should have access to each

other & VPN issuesother & VPN issues

Launching the ASDMLaunching the ASDM

The ASDM can be installed onto the The ASDM can be installed onto the workstationworkstation

The ASDM can be run through a The ASDM can be run through a browser that allows Java and browser that allows Java and JavaScript.JavaScript.

Using your browser visit: Using your browser visit: https://192.168.1.1/adminhttps://192.168.1.1/admin

You will then receive “invalid You will then receive “invalid certificate” errors, click through them.certificate” errors, click through them.

ASDM 6.0 ScreenASDM 6.0 Screen

ASDMASDM

You will need to open and run the You will need to open and run the previous clicked on utilities.previous clicked on utilities.

The default Username and Password The default Username and Password fields should be left blank.fields should be left blank.

ASDM InterfaceASDM Interface

ASDM Startup WizardASDM Startup Wizard

ASDM – Step 1 of 9ASDM – Step 1 of 9

ASDM – Step 2 of 9ASDM – Step 2 of 9

ASDM – Step 3 of 9ASDM – Step 3 of 9

ASDM – Step 4 of 9ASDM – Step 4 of 9

ASDM – Step 5 of 9ASDM – Step 5 of 9

ASDM – Step 6 of 9ASDM – Step 6 of 9

ASDM – Step 7 of 9ASDM – Step 7 of 9

ASDM – Step 8 of 9ASDM – Step 8 of 9

ASDM – Step 9 of 9ASDM – Step 9 of 9

ASDM - WizardASDM - Wizard

By default your internal systems By default your internal systems should be able to access external should be able to access external resources now.resources now.

Configuration TabConfiguration Tab

Firewall PropertiesFirewall Properties

Adding/Modifying RulesAdding/Modifying Rules

Services that use TCP & Services that use TCP & UDPUDP

Defined RulesDefined Rules

Restoring Original Restoring Original Config…Config…

Restoring to factory defaults via the Restoring to factory defaults via the ASDM does not work.ASDM does not work.

There is a button on the back of the There is a button on the back of the device that says ‘Reset’. This button device that says ‘Reset’. This button appears to be entirely for looks. appears to be entirely for looks.

Using the Console PortUsing the Console Port Use hyperterminal, click Start, Programs, Accessories, Communications, Use hyperterminal, click Start, Programs, Accessories, Communications,

Hyperterminal, create a connection on Com1 using the terminal settings: Hyperterminal, create a connection on Com1 using the terminal settings: Bits per second: 9600 Bits per second: 9600 Data bits: 8 Data bits: 8 Parity: None Parity: None Stop bits: 1 Stop bits: 1 Flow control: None Flow control: None

After you open your connection, press enter a couple times, and you After you open your connection, press enter a couple times, and you should get a prompt like: ‘ciscoasa>’, or ‘nameofyourdevice>’ should get a prompt like: ‘ciscoasa>’, or ‘nameofyourdevice>’

type ‘ena’ to go to enable mode. Enter the password, or just press enter if type ‘ena’ to go to enable mode. Enter the password, or just press enter if there is no password set. there is no password set.

type ‘config t’ type ‘config t’ type ‘config factory-default’ type ‘config factory-default’ hit spacebar when the ‘more’ thing happens. You want to get back to the hit spacebar when the ‘more’ thing happens. You want to get back to the

prompt that looks like: ‘ciscoasa(config)#’ prompt that looks like: ‘ciscoasa(config)#’ type ‘reload save-config noconfirm’ type ‘reload save-config noconfirm’ make sure that the outside line is plugged into port zero, and your pc is make sure that the outside line is plugged into port zero, and your pc is

plugged into any of the ports 1-7. plugged into any of the ports 1-7. The Cisco ASA has been reset to factory settings. DHCP is enabled on the The Cisco ASA has been reset to factory settings. DHCP is enabled on the

cisco device, and it’s internal IP address is now 192.168.1.1! cisco device, and it’s internal IP address is now 192.168.1.1!

ASDM PitfallsASDM Pitfalls

The following lists some issues you The following lists some issues you may run into should the ASDM web may run into should the ASDM web interface fail to work and how you can interface fail to work and how you can work around them:work around them:

Disable the Windows Firewall.Disable the Windows Firewall. Clear the Java cache from Windows Clear the Java cache from Windows

Control Panel – JavaControl Panel – Java Upgrade/Downgrade your Java Upgrade/Downgrade your Java

version to JRE6u7. version to JRE6u7.

ASDM PitfallsASDM Pitfalls

Reloading the appliance may fix the "1 year Reloading the appliance may fix the "1 year uptime" ASDM java buguptime" ASDM java bug

Verify that http server is running on the Verify that http server is running on the devicedevice cli command:    http server enablecli command:    http server enable

or issue "http server enable XXX" or issue "http server enable XXX" where XXX is a custom port number where XXX is a custom port number

Verify that you can access the device via httpsVerify that you can access the device via https cli command:    http 192.168.1.0 255.255.255.0 cli command:    http 192.168.1.0 255.255.255.0

insideinside where 192.168.1.0 is your LAN network where 192.168.1.0 is your LAN network

ASDM PitfallsASDM Pitfalls Reissue the local keys (SSL Certificate)Reissue the local keys (SSL Certificate)

asa cli : crypto key zeroizeasa cli : crypto key zeroize asa cli : crypto key generate rsa general-keysasa cli : crypto key generate rsa general-keys

Verify the ASDM startup-config pointerVerify the ASDM startup-config pointer cli command:    dircli command:    dir

find the line listing the asdm image filename find the line listing the asdm image filename "asdm-xxx.bin“"asdm-xxx.bin“

cli command:    show runcli command:    show runfind and compare the filename with the asdm find and compare the filename with the asdm load command "asdm image disk0:/asdm-load command "asdm image disk0:/asdm-xxx.bin" xxx.bin"

ASDM PitfallsASDM Pitfalls

Try downloading a new ASDM copy from Try downloading a new ASDM copy from Cisco.Cisco. Upload the new file to the ASA flash memoryUpload the new file to the ASA flash memory Remove the old pointer issuing the commandRemove the old pointer issuing the command

cli command:     no asdm image disk0:/asdm-cli command:     no asdm image disk0:/asdm-xxx.binxxx.bin

Add the new filename to the configurationAdd the new filename to the configurationcli command:    asdm image disk0:/asdm-cli command:    asdm image disk0:/asdm-yyy.bin yyy.bin

CaveatsCaveats

The last time checked there was The last time checked there was over 50 open caveats and hundreds over 50 open caveats and hundreds of resolved caveats with the ASDM. of resolved caveats with the ASDM. Don’t expect it to work perfectly.Don’t expect it to work perfectly.

Questions / CommentsQuestions / Comments