
*How To* Configure and get started with Cisco ASA5505
Posted on August 18, 2012 by Michael in Latest News, Tutorials


Welcome back. I know it's been a while since my last tutorial, but I'll be adding many over the coming month whilst I revise for the CCNA Security exam, so you should have plenty to keep you busy.
In this latest tutorial I'm going to go through the steps required to perform the following:
Set up Cisco ASA 5505 with outside access (internet access)
Set up Cisco ASA 5505 as a DHCP server for your inside network
Set up Cisco ASA 5505 with access to the ASDM
Right, let's get to it then.
For this example, Ethernet 0/0 will be used as the outside connection (192.168.5.66) and Ethernet 0/1 will be the inside LAN (192.168.10.0/24).
Let's start by firing up the unit and connecting via your console lead. (I'm using TeraTerm to configure: http://hp.vector.co.jp/authors/VA002416/teraterm.html)
As this ASA is brand new out of the box there will be no default config and no default password, so logging in to the ASA is fairly straightforward. Type enable and then simply press Enter when it prompts you for a password.

What I'm going to show you next is how to configure the very minimum config (via command line) to get you up and running, and then finish by enabling access to the ASDM via https.


So to start with, let's set the hostname and then configure the interfaces. Now unlike routers (which you may be used to configuring), the ports on the back of the ASA 5505 are not actual ports like you would expect to find on the back of Cisco routers. Instead they follow the same configuration method as the Cisco 800/877s etc.
Rather than configure an IP on an interface, the ports on the back are switchports. So if you wish the Ethernet interface to have an IP address, you must create a VLAN with an IP address and then assign the switchport to that VLAN.

In the above you can see:


1) Set Ethernet 0/0 switchport to no shutdown, and make it a member of VLAN 1
2) Configure VLAN 1 with an IP of 192.168.5.66, add a description and call it outside with a
security level of 0 (I will cover security levels in a moment)
3) Unshut the interface and then exit
If we do a quick show run you will see the following:

Now, I mentioned security levels earlier; this is a simple way of controlling access between interfaces. Think of it like being a water drop on a steep hill: security level 0 is at the bottom, security level 100 at the top. If you are at the top of the hill (100) you can flow down to 0 (inside > outside), but if you are at the bottom of the hill trying to get access to an interface with a security level of 100 you can't, as you can't get up the hill (outside > inside). Obviously this is not the be-all and end-all, but for basic configuration that's all we need to know right now.
Now let's configure the inside interface and VLAN 10.

That should work, right? Notice anything I've missed?

If you'd said I hadn't assigned Ethernet 0/1 to VLAN 10 then you'd be right!
Let's add Ethernet 0/1 to VLAN 10 and then we are good to go.

Now we have the inside and outside interfaces set up, let's throw in a default route quickly so we can get access out to the internet.

Quickly make sure you can ping your default gateway, then add the route and make sure you can ping something on the internet (I use Google's DNS server, 8.8.8.8).
Now I'm going to configure a quick DHCP pool on the inside interface so my client PC can be handed an IP address, as currently clients have no access.

This really isn't enough, is it? Sure, we can now get an IP address, but we've not specified a DNS server, so our clients are still going to assume there is no outside connectivity. Let's add these to the scope.

That should be all, right? Let's try an ipconfig /renew on the client machine.

We now have an IP address, default gateway and DNS server. Surely we should be able to ping Google then. Let's try.

Oh dear, I guess not. How can this be though? The ASA can get to Google OK. So what gives? Maybe it's our good old friend NAT.
Let's try adding in a NAT rule and seeing what happens. Here we are simply saying use NAT to translate everything on the inside interface, and using the global (outside) 1 interface command to say this is the interface to be added to the PAT pool (so we are using the outside interface of the firewall for PATing).

Hmm, still can't ping anything. But does that mean we don't have outside access? Try opening up a browser.

We magically get Google, yet pings are failing. Strange. Well, let's consider what we've not done so far. (Hint: starts with Access.)
That's right, ACLs. But we can configure them later on; for now this guide is just about getting the ASA up and running and getting you outside access, which you are now able to do.
Not so hard after all, was it?
Well, now that's the hard part out of the way, let's configure the ASA so you can get your hands on the ASDM (GUI).
Now everyone will have their own opinion on the GUI: some love it, some hate it, some swear by it, others swear at it. Personally, it is a nice addition, BUT the main reason I'm not a massive fan of using it is that it adds so many additional lines of code to your config it can make troubleshooting your device a nightmare.
Sure, you can create VPNs in minutes, but what happens if the VPN isn't working? Well, then it's over to the command line to troubleshoot, so why not just use the command line from the start!
But I'll let you make up your own minds. Anyway, to enable access we simply need to allow HTTP access from the inside LAN, as well as creating a username and password we can use to authenticate against. In this example I will store the username and password on the device itself (local).

Creating the user is straightforward; we are then telling the device to authenticate HTTP access using the LOCAL user group.
Finally, http server enable (enables HTTP access) and http 192.168.10.0 255.255.255.0 inside tell the device to only allow incoming connections from this IP range.
Once done, browse to the gateway of the ASA (https://192.168.10.254), enter your username and password and there you have it: basic connectivity and access to the ASDM.
If it's your first time using the ASDM, then you can install the client; once done, fire it up and log in.
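
The steps above as a single command-line session, in the pre-8.3 nat/global syntax that the text uses. This is an added example, not the author's original configuration: the hostname, outside netmask, interface descriptions, DHCP range and DNS server are assumed values, and everything in angle brackets is a placeholder the page does not supply.

```cisco
! Added example; values marked "assumed" or written as <...> are not from the page.
enable
configure terminal
! Hostname is assumed
hostname ASA5505
!
! Outside: put switchport Ethernet0/0 in VLAN 1, then address the VLAN.
! Security level 0 = least trusted. Netmask is assumed.
interface Ethernet0/0
 switchport access vlan 1
 no shutdown
interface Vlan1
 description Outside connection
 nameif outside
 security-level 0
 ip address 192.168.5.66 255.255.255.0
 no shutdown
!
! Inside: VLAN 10 carries the LAN gateway address. Security level 100 = most trusted.
interface Vlan10
 description Inside LAN
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
 no shutdown
! The step that is easy to miss: assign the physical port to VLAN 10
interface Ethernet0/1
 switchport access vlan 10
 no shutdown
 exit
!
! Default route out of the outside interface
route outside 0.0.0.0 0.0.0.0 <OUTSIDE_GATEWAY_IP>
!
! DHCP for inside clients. Range and DNS server are assumed.
dhcpd address 192.168.10.100-192.168.10.120 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
! PAT: translate all inside sources to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! ASDM: local account, HTTPS server on, reachable only from the inside LAN
username <ADMIN_USER> password <STRONG_PASSWORD> privilege 15
aaa authentication http console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
```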
