Etudes 03- Cisco ASA 5505
This is a simple guide to setting up an ASA 5505 Firewall, using only the command line. This guide is designed for folks with little to no experience with the 5505, but who are familiar with networking.
We are going to set up our device to function as the primary network device for a simple cyber defense competition. To that end, we will create three networks- a management network, a competition network, and an external network.
Accessing the device
Access to the firewall’s configuration information can be done in one of four ways:
- Via a console cable
- Via Telnet on a properly configured port
- Via SSH on a properly configured port
- Via HTTP on a properly configured port.
Since all but the first of these require the device to be first configured, we will focus our attention (for now) on using the console cable.
Connect one end of the console cable to the console port on the device. The second end is an RS-232 adapter. Most older computers contain one or more RS-232 ports, and the cable can simply be connected. Most newer computers do not have an RS-232 port, and so require an RS-232 to USB adapter. These are available at a good electronics store (e.g. Baynesville Electronics).
When using a native RS-232 port, you need to know which COM port you are using; usually this is COM1 or possibly COM2 (if your machine is old enough to have more than one RS-232 port). When using the RS-232 to USB adapter, the device will simulate another COM port, usually COM3, depending on the hardware driver your device uses.
Once the device is physically connected to your computer, you need appropriate software to connect. The best choice (for a windows machine) is PuTTY.
Start PuTTY, and in the “Basic options for your PuTTY session” select “Serial”. For the “Serial line” specify the COM port above: usually COM1 for a native RS-232 equipped computer and COM3 for a computer using RS-232 to USB. For the “Speed” option, you can leave the default value of 9600. Open the connection.
Once PuTTY opens the connection, you will be presented with a blank terminal window. Tap the enter key once or twice to receive a command prompt.
Simply accessing the device does not give you privileges to change the settings on the device. The lowest level of privilege is called “exec” mode, and very little interaction is permitted with the device. In this mode, the command prompt is simply the name of the device followed by “>”. In my example, we start with a device named “ciscoasa”, so the command prompt is
ciscoasa>
It should be noted that, when using a serial cable, you must manually log out from various privileged modes. If you do not, then later users will be presented with the same session and privileges of the last user.
From the basic command prompt, run the command
ciscoasa> show version
to see basic information about the system, including
- The name of the boot configuration file
- System up time
- Interface names
- List of licensed features
To begin working in privileged mode, run the command
ciscoasa> enable
and then enter the password.
In privileged mode, the prompt changes, and is now the host name followed by “#”. In our example where the host name is “ciscoasa”, the prompt in privileged mode is
ciscoasa#
From privileged mode, one can enter configuration mode by running the command
ciscoasa# configure terminal
In configuration mode, the prompt changes again, and now is the hostname followed by “(config)#”. In our example where the hostname is “ciscoasa”, we obtain the prompt
ciscoasa(config)#
To proceed with this demonstration, we begin by setting the ASA to a blank configuration. We do so by running the command
ciscoasa(config)# clear configure all
from configuration mode.
Though we have changed the configuration, this change will not persist across a reboot. The ASA keeps two configuration files: the running-config and the startup-config. When the device is booted, it loads and uses the startup-config. Any changes subsequently made are made to the running-config. To save the running-config as the startup-config, simply run the command
ciscoasa# copy running-config startup-config
from privileged mode.
Though we have changed the network settings, we have not changed the hostname, domain name, or password settings. We can do this as follows:
ciscoasa(config)# hostname <<HOSTNAME>>
ciscoasa(config)# domain-name <<DOMAINNAME>>
ciscoasa(config)# passwd <<PASSWORD>>
ciscoasa(config)# enable password <<PASSWORD>>
At this point, our ASA is essentially blank, with all of its interfaces shut down and the passwords, hostname, and domain name set as we wished.
Configuring the interfaces
Decisions about how traffic passes through the device are made on the basis of the different VLANs. Our first job, then, is to configure the various VLANs.
By default, the ASA 5505 can use only three VLANs.
Our first VLAN will be used for device management; we create it and call it vlan 100:
ciscoasa(config)# interface vlan 100
Note that we now pass to a sub-configuration mode, which is noted by the change in the prompt to
ciscoasa(config-if)#
Let’s give this vlan the name mgmt
ciscoasa(config-if)# nameif mgmt
The system sets the security level for this vlan to 0 by default. The security level is a number between 0 and 100, with higher levels associated with more secure networks. There is an implicit rule that allows traffic to pass from a higher level security interface to the same or a lower level one. Given this, we want this interface to be maximally protected, so we set its security level to 100.
ciscoasa(config-if)# security-level 100
Next, we set the ip address and netmask of this vlan
ciscoasa(config-if)# ip address 10.10.1.1 255.255.255.0
Finally, we enable the vlan
ciscoasa(config-if)# no shutdown
Next we create a VLAN for the various teams to work in; let us call it vlan 200. To create it we execute
ciscoasa(config)# interface vlan 200
This command can also be executed from a previous sub-configuration prompt.
Let’s give this vlan the name teams
ciscoasa(config-if)# nameif teams
We want this at a middle security level: we set it to 50.
ciscoasa(config-if)# security-level 50
Set the IP address and netmask; we use a large address space.
ciscoasa(config-if)# ip address 10.0.1.1 255.255.0.0
Enable the VLAN
ciscoasa(config-if)# no shutdown
We set the final VLAN for the outside; call it vlan 300. To create it, we execute
ciscoasa(config-if)# interface vlan 300
Now we do not want traffic to pass from the external interface to the management interface:
ciscoasa(config-if)# no forward interface vlan 100
Name this interface as the outside interface
ciscoasa(config-if)# nameif outside
We retain the default security level of zero, and we use DHCP to set the address for the external interface
ciscoasa(config-if)# ip address dhcp
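To see how the three security levels and the `no forward interface` restriction combine before any access-lists are written, here is an added Python example (not from this guide) that parses a constructed running-config fragment holding the three VLAN interfaces configured above and evaluates the implicit interface rule for every ordered pair. It also models the equal-level case, which on the ASA requires `same-security-traffic permit inter-interface`, a command this guide does not use.

```python
# Constructed sample: the three VLAN interfaces this guide configures, laid out
# the way "show running-config" stores them (added example, not from the guide).
SAMPLE_CONFIG = """\
interface Vlan100
 nameif mgmt
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface Vlan200
 nameif teams
 security-level 50
 ip address 10.0.1.1 255.255.0.0
interface Vlan300
 no forward interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp
"""

def parse_interfaces(config):
    """Map each nameif to its VLAN, security level and 'no forward' targets."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace() and line.startswith("interface "):
            current = {"vlan": line.split()[1].lower(), "level": 0, "no_forward": set()}
            blocks.append(current)
        elif current is not None and line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif current is not None and line.startswith("no forward interface "):
            current["no_forward"].add(line.split()[3].lower())
    return {b["name"]: b for b in blocks if "name" in b}

def implicit_permit(interfaces, src, dst, same_security=False):
    """Verdict of the implicit interface rule for a new connection src -> dst
    with no access-list applied; equal levels need same-security-traffic permit."""
    s, d = interfaces[src], interfaces[dst]
    if d["vlan"] in s["no_forward"]:      # Base-license 'no forward interface' block
        return False
    if s["level"] == d["level"]:
        return same_security
    return s["level"] > d["level"]        # higher level may initiate to lower

def permit_matrix(interfaces):
    """Default verdict for every ordered pair of named interfaces."""
    return {(a, b): implicit_permit(interfaces, a, b)
            for a in interfaces for b in interfaces if a != b}

if __name__ == "__main__":
    for (a, b), ok in sorted(permit_matrix(parse_interfaces(SAMPLE_CONFIG)).items()):
        print(f"{a:>8} -> {b:<8} {'permit' if ok else 'deny'}")
```

Running it shows that teams and outside can never initiate to mgmt, and outside cannot initiate to teams, while the reverse directions are implicitly allowed.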
With the VLANs configured, now we need to configure the different physical interfaces.
We set interface 0 (Ethernet0/0) to use the management VLAN. First we select the interface
ciscoasa(config)# interface ethernet0/0
Tell it to use VLAN 100
ciscoasa(config-if)# switchport access vlan 100
And activate it…
ciscoasa(config-if)# no shutdown
For interfaces 1, 2, 3, and 4 we configure them to use VLAN 200.
ciscoasa(config-if)# interface ethernet0/1
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/2
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/3
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/4
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
We configure interface 5 for the external interface
ciscoasa(config-if)# interface ethernet0/5
ciscoasa(config-if)# switchport access vlan 300
ciscoasa(config-if)# no shutdown
This way the PoE interfaces (6 and 7) are left unused and unconfigured for future use.
Let us check our status:
ciscoasa(config-if)# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Internal-Data0/2           unassigned      YES unset  up                    up
Vlan100                    10.10.1.1       YES CONFIG up                    up
Vlan200                    10.0.1.1        YES CONFIG up                    up
Vlan300                    unassigned      YES DHCP   down                  down
Virtual0                   127.0.0.1       YES unset  up                    up
Vlan4091                   unassigned      YES unset  up                    up
Vlan4092                   127.0.1.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
From this we see that Ethernet0/0 and VLAN 100 are up and that Ethernet0/1 and VLAN 200 are also up; we also see that Ethernet0/2, 0/3, and 0/4 are down, as are Ethernet0/5 and VLAN 300. This occurs in this example because there is an active ethernet cable plugged into port 0 and port 1 (that I am using for testing), but no active connection on ports 2, 3, 4, and 5. These interfaces are down because they are not receiving traffic, but unlike Ethernet 0/6 or 0/7 they are not administratively down, as they have been properly configured.
If we want to see the security levels assigned, we can find them by running
ciscoasa(config)# show running-config
Finally, we save our running config as our starting config.
ciscoasa# copy running-config startup-config
Setting up DHCP
We want to set up a DHCP server to run for the teams; it should pass out addresses only in the 10.0.250.0/24 subnet. This subnet is easily distinguished from other subnets, and lets us give a full statically defined /24 to each team.
Keep in mind the limits on the number of IP addresses allowed by the ASA license, and run
ciscoasa# show local-host
We first create the address pool for the DHCP server
ciscoasa(config)# dhcpd address 10.0.250.1-10.0.250.128 teams
The default license restricts us to 128 addresses in the DHCP pool, hence the choice made above.
We can configure
- the DNS server
ciscoasa(config)# dhcpd dns IP1 IP2
- the WINS server
ciscoasa(config)# dhcpd wins IP
- the lease time (in sec)
ciscoasa(config)# dhcpd lease TIME
- the ping timeout (in ms)
ciscoasa(config)# dhcpd ping_timeout TIME
- the default domain name
ciscoasa(config)# dhcpd domain example.com
that the DHCP server will use.
Now we enable the DHCP server on the teams interface
ciscoasa(config)# dhcpd enable teams
To see the results, you can use the status commands
ciscoasa# show dhcpd binding
IP address       Hardware address        Lease expiration     Type
  10.0.250.1     0100.2618.70e4.3d       3119 seconds         Automatic
ciscoasa# show dhcpd state
Context  Configured as DHCP Server
Interface mgmt, Not Configured for DHCP
Interface teams, Configured for DHCP SERVER
Interface outside, Configured for DHCP CLIENT
ciscoasa# show dhcpd statistic
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools        1
Automatic bindings   1
Expired bindings     0
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         2
DHCPREQUEST          1
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           2

Message              Sent
BOOTREPLY            0
DHCPOFFER            2
DHCPACK              3
DHCPNAK              0
Once we are satisfied, we copy the running config to the startup config as we have done in the past.
At this point, we have only scratched the surface of what we can do with our ASA. Heck, we have not yet even started writing filtering rules, or fired up the web management interface.
Time permitting, I will come back to those issues in an updated version…