BONUS TUTORIAL
CISCO ASA 5505 CONFIGURATION

ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT
THE BEST FIREWALL IN THE MARKET

WRITTEN BY: HARRIS ANDREA
MSC ELECTRICAL ENGINEERING AND COMPUTER SCIENCE
CISCO CERTIFIED NETWORK PROFESSIONAL (CCNP)
CISCO CERTIFIED SECURITY PROFESSIONAL (CCSP)

http://www.cisco-tips.com


ABOUT THE AUTHOR:
Harris Andrea is a Senior Network Security Engineer at a leading Internet Service Provider in Europe. He graduated from the University of Kansas, USA, in 1998 with B.S. and M.S. degrees in Electrical Engineering and Computer Science. Since then, he has been working in the networking field, designing, implementing and managing large-scale networking projects with Cisco products and technologies. His main focus is on network security based on Cisco PIX/ASA firewalls, Firewall Service Modules (FWSM) on 6500/7600 models, VPN products, IDS/IPS products, AAA services, etc. To support his knowledge and to build a strong professional standing, Harris pursued and earned several Cisco certifications such as CCNA, CCNP, and CCSP. He is also a technology blogger owning two networking blogs, which you can visit for extra technical information and tutorials.

http://www.cisco-tips.com
http://www.ciscoasa.com


You do not have resell rights or giveaway rights to this eBook. Only customers that have
purchased this material are authorized to view it.
This eBook contains material protected under International and Federal Copyright Laws and
Treaties. No part of this publication may be transmitted or reproduced in any way without the prior
written permission of the author. Violations of this copyright will be enforced to the full extent of
the law.
LEGAL NOTICE: The information services and resources provided in this eBook are based upon the current Internet environment as well as the author's experience. The techniques presented have been proven to be successful. Because technologies are constantly changing, the services and examples presented in this eBook may change, cease or expand with time. We hope that the skills and knowledge acquired from this eBook will provide you with the ability to adapt to the inevitable evolution of technological services. However, we cannot be held responsible for changes that may affect the applicability of these techniques. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
All product names, logos and artwork are copyrights of their respective owners. None of the owners
have sponsored or endorsed this publication. While all attempts have been made to verify
information provided, the author assumes no responsibility for errors, omissions, or contrary
interpretation of the subject matter herein. Any perceived slights of peoples or organizations are
unintentional. The purchaser or reader of this publication assumes responsibility for the use of
these materials and information. No guarantees of income are made. The author reserves the right
to make changes and assumes no responsibility or liability whatsoever on behalf of any purchaser
or reader of these materials.


TABLE OF CONTENTS
About the Author: ..............................................................................................................................................................................2
Bonus Tutorial: ...................................................................................................................................................................................5
Cisco ASA 5505 Fundamentals ...............................................................................................................................................5

ASA 5505 Hardware and Licensing.....................................................................................................................................5
ASA 5505 Default Configuration ...........................................................................................................................................8
ASA 5505 Configuration Examples ...................................................................................................................................11
Configuration Example 1: Internet Access With Dynamic Address From ISP ...........................................11
Configuration Example 2: Dynamic Address From ISP With DMZ Web Server ........................................15
Configuration Example 3: Static Outside Address With DMZ Web and Email Servers .........................19
Configuration Example 4: Cisco ASA 5505 With PPPoE Internet Access .....................................................24
Configuration Example 5: Lan-to-Lan IPSEC VPN Between Cisco ASA 5505 .............................................28
Configuration Example 6: Remote Access IPSEC VPN on Cisco ASA 5505 ..................................................35


BONUS TUTORIAL:
CISCO ASA 5505 FUNDAMENTALS
This Tutorial is dedicated to the Cisco ASA 5505 firewall appliance, which has some hardware, licensing and configuration differences compared with the other models. The ASA 5505 provides a high-performance and flexible upgrade from the older PIX 501 and PIX 506E appliances and is designed for small offices or remote branches. Below we will describe the basic differences of the Cisco ASA 5505 compared with the other models and provide several configuration examples that cover most of the implementation scenarios usually found in real networks. The prerequisite of this Tutorial is to study first the "Cisco ASA Firewall Fundamentals" ebook so that you grasp the fundamental configuration concepts of Cisco ASA appliances.

ASA 5505 HARDWARE AND LICENSING
Hardware Ports and VLANs

[Figure: ASA 5505 rear panel. Labelled items: Power 48VDC, SSC slot, Console Port, Lock Slot, Reset Button, USB 2.0 interfaces, Network Ports 0-5 (10/100), Network Ports 6-7 (10/100 with Power over Ethernet).]

Unlike the other Cisco ASA models, the ASA 5505 has a built-in 8-port 10/100 switch as shown on
the figure above.

Starting from right to left, we have Ethernet0/0 up to Ethernet0/7. The last two ports, 6 and 7, are also Power over Ethernet (PoE) ports, which means that in addition to normal computers you can also connect IP Phones (or other PoE devices), which will be powered by the firewall's PoE ports. The eight network interfaces of the ASA 5505 work only as Layer 2 ports, which is what distinguishes the 5505 from the other ASA models. This means that you cannot configure a Layer 3 IP address directly on each interface. Instead, you have to assign the physical port to a VLAN and then configure all firewall interface parameters under the interface VLAN command.

You can divide the eight physical ports into groups, called VLANs, that function as separate networks. This improves the security of your business because devices in different VLANs can only communicate with each other by passing their traffic through the firewall appliance, where the relevant security policies can be enforced. Devices in the same VLAN can communicate with each other without firewall control. Your license determines how many active VLANs you can have on the ASA 5505.

The ASA 5505 comes preconfigured with two VLANs: VLAN1 and VLAN2. By default, Ethernet
switch port 0 (Ethernet 0/0) is allocated to VLAN2. All other switch ports are allocated by default to
VLAN1.

The factory default configuration of the network interfaces uses port Ethernet0/0 as the untrusted Outside interface (connecting to the Internet), and the rest of the interfaces (0/1 to 0/7) are configured as the trusted Inside interfaces connecting to internal hosts. Two Switch VLAN Interfaces (SVIs) exist by default (Interface Vlan 1 and Interface Vlan 2), which are used to assign the Layer 3 IP addresses and other interface settings for the Outside zone (Ethernet 0/0) and for the Inside zone (Ethernet0/1 to 0/7). The default configuration of the Cisco ASA 5505 is explained in the next section.


Licensing
Although the ASA 5505 comes preconfigured with two VLANs, you can create as many as 20 VLANs, depending on your license. For example, you could create VLANs for the Inside, Outside, and DMZ network segments. There are two license options for the ASA 5505:
Base License
Security Plus License

Base License
With the Base License, you can configure up to 3 VLANs, thus segmenting your network into three security zones (Inside, Outside, DMZ). However, there is a communication restriction between VLANs (zones). Communication between the DMZ VLAN and the Inside VLAN is restricted: the Inside VLAN is permitted to send traffic to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to the Inside VLAN. Also, you cannot configure firewall failover redundancy with the Base License. These limitations are removed with the Security Plus license.

To configure a DMZ VLAN on a Base License, use the following commands (the "no forward interface vlan 1" command must be entered before "nameif" on the third VLAN):
asa5505(config)# interface Vlan 3
asa5505(config-if)# no forward interface vlan 1
asa5505(config-if)# nameif DMZ
asa5505(config-if)# security-level 50
asa5505(config-if)# ip address 10.2.2.1 255.255.255.0

asa5505(config)# interface Vlan 1
asa5505(config-if)# nameif inside
asa5505(config-if)# security-level 100
asa5505(config-if)# ip address 192.168.1.1 255.255.255.0
asa5505(config)# interface Vlan 2
asa5505(config-if)# nameif outside
asa5505(config-if)# security-level 0
asa5505(config-if)# ip address 100.100.100.1 255.255.255.0

Security Plus License
This license removes all restrictions of the Base license. Up to 20 VLANs can be configured (ports can be configured as trunk ports, thus supporting multiple VLANs per port). Also, there are no communication restrictions between VLANs. This license also supports Active/Standby (non-stateful) firewall failover redundancy and backup ISP connectivity (dual ISP connection).

ASA 5505 DEFAULT CONFIGURATION
The ASA 5505 is factory configured in such a way as to work right away out of the box. The Internet Outside interface (Ethernet 0/0) is configured to obtain an IP address automatically from the ISP, and the Inside interfaces (Ethernet 0/1 to 0/7) are configured to provide IP addresses to internal hosts dynamically (DHCP). Specifically, the default ASA 5505 configuration includes the following:
An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP (from the ISP).
The default route is also derived from DHCP.
All inside IP addresses are translated when accessing the outside using interface PAT.
By default, inside users can access the outside, and outside users are prevented from accessing the inside.
The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.
The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
Restore the default factory configuration using the configure factory-default command.


The Default Configuration consists of the following commands.

interface Ethernet 0/0
! This assigns Ethernet0/0 to Vlan 2
switchport access vlan 2
no shutdown
interface Ethernet 0/1
! This assigns Ethernet0/1 to Vlan 1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
! Configure all interface parameters under "interface Vlan [number]"
interface vlan2
nameif outside
no shutdown
ip address dhcp setroute
interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
! Obtain IP address dynamically from the ISP
dhcpd auto_config outside
! Assign IP addresses dynamically to internal PCs
dhcpd enable inside
logging asdm informational


ASA 5505 CONFIGURATION EXAMPLES
CONFIGURATION EXAMPLE 1: INTERNET ACCESS WITH DYNAMIC ADDRESS FROM ISP
In this scenario the 5505 is used for basic Internet access using PAT, with a dynamic IP address obtained from the ISP via DHCP (the firewall acts as a DHCP client on the Outside interface). The firewall also acts as a DHCP server, assigning IP addresses to inside hosts. Notice that in this scenario we do not need to configure a default route towards the ISP, since the default route is obtained automatically together with the IP address from the ISP's DHCP server.

The complete configuration follows below. See the comment lines (beginning with !) for clarifications.


ASA-5505# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
interface Vlan2
nameif outside
security-level 0
! Get outside address and default gateway from ISP
ip address dhcp setroute
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
switchport access vlan 2
!

! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com


! Create an ACL on the outside that will allow only echo-reply for troubleshooting purposes. Use a
!deny all with log at the end to monitor any attacks coming from outside.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
! Do PAT using the outside interface address
global (outside) 1 interface
! Translate ALL inside addresses
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Configure Local authentication for firewall management (For accessing the Firewall you need to
!use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters

message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Configure here the username and password for accessing the device
username admin password xxxxxxxxxxxxxx encrypted
prompt hostname context
: end
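As an added example (not part of the original tutorial), the Python script below audits the management-plane and outside-ACL lines of a "show run" in the style of Example 1: it checks that the ACL applied inbound on each interface ends with "deny ip any any log" (so probes are logged), that ssh/telnet/http management is never open to any source and is limited to single hosts on the outside, that telnet (cleartext) is not enabled on the outside, and that each remote-management protocol has an "aaa authentication ... console" line. The configuration text it parses is constructed from the lines above; the weakened variant is constructed to show what a finding looks like.

```python
"""Audit of management access and outside ACL settings for an ASA 'show run'.
Added example, not the tutorial's own code; the sample text below is a
constructed subset of Configuration Example 1."""
import ipaddress
from typing import List

GOOD_CONFIG = """
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
telnet 192.168.1.0 255.255.255.0 inside
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Constructed weak variant: ssh open to the whole Internet and no log on the
# final deny, two mistakes that are easy to make when copying a template.
WEAK_CONFIG = GOOD_CONFIG.replace(
    "ssh 100.100.100.1 255.255.255.255 outside", "ssh 0.0.0.0 0.0.0.0 outside"
).replace("deny ip any any log", "deny ip any any")


def _lines(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = _lines(text)
    findings: List[str] = []

    # 1. Each interface ACL must end with an explicit 'deny ip any any log';
    #    the implicit deny drops silently, so hits would never be logged.
    for ln in lines:
        t = ln.split()
        if t[:1] == ["access-group"] and "interface" in t:
            acl, iface = t[1], t[t.index("interface") + 1]
            aces = [l for l in lines if l.startswith(f"access-list {acl} ")]
            if not aces or not aces[-1].endswith("deny ip any any log"):
                findings.append(
                    f"{iface}: ACL {acl} does not end with 'deny ip any any log'")

    # 2. Management access lines have the form '<proto> ADDR MASK IFACE'.
    #    /0 anywhere is open to the world; on the outside insist on /32 hosts,
    #    and never allow cleartext telnet on the outside at all.
    for ln in lines:
        t = ln.split()
        if t[0] in ("ssh", "telnet", "http") and len(t) == 4:
            try:
                net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            except ValueError:
                continue  # not an address line (e.g. 'http server enable')
            proto, iface = t[0], t[3]
            if net.prefixlen == 0:
                findings.append(f"{iface}: {proto} management open to any source")
            elif iface == "outside" and net.prefixlen < 32:
                findings.append(
                    f"{iface}: {proto} allowed from {net}; narrow to single hosts")
            if proto == "telnet" and iface == "outside":
                findings.append("outside: cleartext telnet management enabled")

    # 3. Each enabled remote protocol must authenticate against LOCAL (or AAA);
    #    without the line only the shared login password is checked.
    for proto in ("ssh", "telnet"):
        enabled = any(l.split()[0] == proto and len(l.split()) == 4 for l in lines)
        has_aaa = any(l.startswith(f"aaa authentication {proto} console") for l in lines)
        if enabled and not has_aaa:
            findings.append(f"{proto}: no 'aaa authentication {proto} console' line")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```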


CONFIGURATION EXAMPLE 2: DYNAMIC ADDRESS FROM ISP WITH DMZ WEB SERVER
This is an extension of the previous scenario. The Cisco ASA 5505 receives an outside IP address dynamically from the ISP and has three security zones (Inside, Outside, DMZ). The Inside zone network shall be able to access the Internet and the DMZ, and Internet hosts shall be able to access the DMZ Web Server. This scenario works with both the Base License and the Security Plus License. However, with a Security Plus license the DMZ public server (whatever it is: FTP, Email, Web, etc.) will also be able to initiate traffic to the Inside network zone (with the proper configuration). Since we have three security zones, we must also create three VLANs. VLAN1 (Inside) will be assigned to ports Ethernet0/2 up to 0/7, VLAN2 (Outside) will be assigned to port Ethernet 0/0, and VLAN3 (DMZ) will be assigned to Ethernet 0/1.

The complete configuration follows below. See the comment lines (beginning with !) for clarifications.


ASA-5505# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
! Get outside address and default gateway from ISP
ip address dhcp setroute
!
interface Vlan3
! Use the following command ONLY if you have a BASE LICENSE
no forward interface vlan 1
nameif DMZ
security-level 50
ip address 10.0.0.1 255.255.255.0
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
switchport access vlan 2
!
! Assign Eth0/1 to vlan 3.
interface Ethernet0/1
switchport access vlan 3
! The rest are by default assigned to vlan 1. No need to change anything.
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

!
passwd xxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
! Create an ACL on the outside that will allow access to the DMZ Web Server. Because the outside
!address is dynamic (unknown) we use “any eq 80” for the destination address in the access list.
access-list outside_in extended permit tcp any any eq 80
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
! Do PAT on the outside interface
global (outside) 1 interface
! Do PAT on the DMZ interface
global (DMZ) 1 interface
! Translate ALL inside addresses when they access Outside or DMZ zones
nat (inside) 1 0.0.0.0 0.0.0.0
! Create a static redirection for port 80 towards the DMZ web server
static (DMZ,outside) tcp interface 80 10.0.0.10 80 netmask 255.255.255.255
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Configure Local authentication for firewall management (For accessing the Firewall you need to
!use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5

console timeout 0
dhcpd auto_config outside
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Configure here the username and password for accessing the device
username admin password xxxxxxxxxxxxxx encrypted
prompt hostname context
: end


CONFIGURATION EXAMPLE 3: STATIC OUTSIDE ADDRESS WITH DMZ WEB AND EMAIL SERVERS
This scenario requires a Security Plus License. We have a single static public address assigned to us
(199.1.1.1) which we will use with Port Redirection to access two DMZ public servers (Web and
Email). Any request from the Internet coming to 199.1.1.1 port 80 will be redirected to 10.0.0.10
(web server), and any request coming to 199.1.1.1 port 25 will be redirected to 10.0.0.11 (Email
Proxy Server). The Email Proxy Server will be sending any inbound received email to the Internal
Email Server. Similarly, all outgoing email will be sent by the Internal Email server to the DMZ
Email Proxy for outbound email processing. We will use Static NAT to map the Inside network
(192.168.1.0/24) towards the DMZ for bidirectional communication between the two zones.

The complete configuration follows below. See the comment lines (beginning with !) for clarifications.


ASA-5505# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 199.1.1.1 255.255.255.252
!
interface Vlan3
nameif DMZ
security-level 50
ip address 10.0.0.1 255.255.255.0
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
switchport access vlan 2
!
! Assign Eth0/1 to vlan 3.
interface Ethernet0/1
switchport access vlan 3
! The rest are by default assigned to vlan 1. No need to change anything.
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxx encrypted
ftp mode passive

dns server-group DefaultDNS
domain-name test.com
! Create an ACL on the outside that will allow access to the DMZ Web and Email Servers.
access-list outside_in extended permit tcp any host 199.1.1.1 eq 80
access-list outside_in extended permit tcp any host 199.1.1.1 eq 25
access-list outside_in extended deny ip any any log

! Create an ACL on the DMZ that will allow access of the DMZ servers towards Inside and Outside
! The first entry below allows access only from Email Proxy to Internal Email
access-list DMZ_in extended permit tcp host 10.0.0.11 host 192.168.1.11 eq 25
access-list DMZ_in extended deny ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_in extended permit tcp host 10.0.0.11 any eq 25
access-list DMZ_in extended permit udp host 10.0.0.11 any eq domain
! Create an ACL on the Inside to allow Internet Access and also access of Internal eMail to Proxy
!eMail
access-list inside_in extended permit tcp host 192.168.1.11 host 10.0.0.11 eq 25
access-list inside_in extended permit tcp host 192.168.1.11 host 10.0.0.11 eq 110
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.10 eq 80
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any

pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
! Do PAT on the outside interface
global (outside) 1 interface
! Translate ALL inside addresses when they access Outside
nat (inside) 1 0.0.0.0 0.0.0.0
! Create static port redirections towards the DMZ web and email servers
static (DMZ,outside) tcp 199.1.1.1 80 10.0.0.10 80 netmask 255.255.255.255
static (DMZ,outside) tcp 199.1.1.1 25 10.0.0.11 25 netmask 255.255.255.255
! Create static NAT of inside network towards the DMZ
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


access-group outside_in in interface outside
access-group DMZ_in in interface DMZ
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 199.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Configure Local authentication for firewall management (For accessing the Firewall you need to
!use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet

inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Configure here the username and password for accessing the device
username admin password xxxxxxxxxxxxxx encrypted
prompt hostname context
: end
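As an added example (not the tutorial's own code), the following Python models the first-match, implicit-deny evaluation the ASA applies to the DMZ_in and inside_in access lists of Example 3, so the ordering of the entries above can be checked before deployment: the Email Proxy reaches the internal mail server on port 25 only, nothing else in the DMZ reaches the inside, and inside hosts still reach the Internet. Only the syntax used on this page (permit/deny, host/any/subnet mask, eq port) is parsed, and the model assumes the Security Plus license this example requires, so no "no forward interface" restriction applies.

```python
"""First-match evaluation of the DMZ_in and inside_in access lists from
Configuration Example 3.  Added example, not part of the original tutorial;
it models only the 'access-list NAME extended ...' syntax used on this page."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the inter-zone entries of DMZ_in and inside_in exactly
# as they appear in Configuration Example 3.
SAMPLE_ACLS = """
access-list DMZ_in extended permit tcp host 10.0.0.11 host 192.168.1.11 eq 25
access-list DMZ_in extended deny ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_in extended permit tcp host 10.0.0.11 any eq 25
access-list DMZ_in extended permit udp host 10.0.0.11 any eq domain
access-list inside_in extended permit tcp host 192.168.1.11 host 10.0.0.11 eq 25
access-list inside_in extended permit tcp host 192.168.1.11 host 10.0.0.11 eq 110
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.10 eq 80
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
"""

# Port keywords accepted by the ASA CLI that occur on this page.
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA access-list entries use a subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} in the order the entries were written."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """The first matching entry decides; no match is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


ACLS = parse_acls(SAMPLE_ACLS)


def dmz_decision(proto, src, dst, dport=None) -> str:
    """Decision for a flow entering the DMZ interface (ACL DMZ_in)."""
    return evaluate(ACLS["DMZ_in"], proto, src, dst, dport)


def inside_decision(proto, src, dst, dport=None) -> str:
    """Decision for a flow entering the inside interface (ACL inside_in)."""
    return evaluate(ACLS["inside_in"], proto, src, dst, dport)


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 stands in for an Internet host.
    print(dmz_decision("tcp", "10.0.0.11", "192.168.1.11", 25))   # permit
    print(dmz_decision("tcp", "10.0.0.11", "192.168.1.11", 80))   # deny
    print(dmz_decision("tcp", "10.0.0.10", "203.0.113.5", 80))    # deny
    print(inside_decision("tcp", "192.168.1.50", "10.0.0.11", 25))  # deny
```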


CONFIGURATION EXAMPLE 4: CISCO ASA 5505 WITH PPPOE INTERNET ACCESS
For broadband DSL or cable connectivity, many ISPs provide Point-to-Point Protocol over Ethernet (PPPoE) access, as described in this example scenario. If the ISP supplies you with a username/password for Internet access, you need to configure your ASA as a PPPoE client. Most often, in this setup the ISP also provides a modem, which bridges the DSL or cable connectivity between the Customer Premises Equipment (the ASA 5505 in our case) and the ISP equipment. In the following typical environment the ISP provides a public IP address to the ASA via PPPoE.

The complete configuration follows below. See the comment lines (beginning with !) for clarifications.


ASA-5505# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
interface Vlan2
nameif outside
security-level 0
! Configure this VLAN as PPPoE Client and associate the pppoe group “ATT”
pppoe client vpdn group ATT
ip address pppoe setroute
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
switchport access vlan 2
!

! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com


! Create an ACL on the outside that will allow only echo-reply for troubleshooting purposes. Use a
!deny all with log at the end to monitor any attacks coming from outside.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
! Configure the outside MTU as 1492 since there is an extra 8-byte overhead for PPPoE
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
! Do PAT using the outside interface address
global (outside) 1 interface
! Translate ALL inside addresses
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Configure Local authentication for firewall management (For accessing the Firewall you need to
!use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
! Next create the “ATT” pppoe group with the ISP connection details
vpdn group ATT request dialout pppoe
vpdn group ATT localname [ENTER ISP USERNAME HERE]
vpdn group ATT ppp authentication chap [or PAP, depends on your ISP settings]
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
dhcpd auto_config outside
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!

! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Configure here the username and password for accessing the device
username admin password xxxxxxxxxxxxxx encrypted
prompt hostname context
: end


CONFIGURATION EXAMPLE 5: LAN-TO-LAN IPSEC VPN BETWEEN CISCO ASA 5505
Site-to-Site IPSec VPN is sometimes called LAN-to-LAN VPN. As the name implies, this VPN type connects two distant LAN networks over the Internet. Usually, Local Area Networks use private addressing, as shown in our diagram below. Without VPN connectivity, the two LAN networks below (LAN-1 and LAN-2) would not be able to communicate. By configuring a LAN-to-LAN IPSec VPN between the two ASA 5505 firewalls, we can establish a secure tunnel over the Internet and pass our private LAN traffic inside this tunnel. The result is that hosts in network 192.168.1.0/24 can now directly access hosts in the 192.168.2.0/24 network (and vice versa) as if they were located in the same LAN. The IPSec tunnel is established between the public IP addresses of the firewalls (100.100.100.1 and 200.200.200.1). The ASA 5505 supports a maximum of 10 LAN-to-LAN IPSec sessions with the Base License and 25 IPSec sessions with the Security Plus license.

The complete configuration follows below. See the comment lines (beginning with !) for clarifications.

ASA-1 CONFIGURATION
ASA-1# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-1
domain-name test.com
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
! Select Interesting Traffic to be encrypted
access-list VPN-TO-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Select which traffic must be excluded from NAT.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! Do not translate Interesting Traffic
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Create a Phase 2 transform set for encryption and authentication protocols.
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
! Create a crypto map for the IPSEC VPN with the ASA-2 firewall
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 200.200.200.1
crypto map IPSEC 10 set transform-set espSHA3DESproto
! Attach the crypto map to the outside interface
crypto map IPSEC interface outside
crypto isakmp identity address
! Also enable Phase 1 (ISAKMP) on the outside interface
crypto isakmp enable outside
! Create the Phase 1 isakmp policy
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
username admin password xxxxxxxxxxxxxxx encrypted
! Create a tunnel group for the IPSEC VPN (for a LAN-to-LAN tunnel its name is the peer's IP address)
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
pre-shared-key LANtoLANvpnkey
isakmp keepalive threshold 30 retry 5
prompt hostname context
: end

ASA-2 CONFIGURATION
ASA-2# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-2
domain-name test.com
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
! Select Interesting Traffic to be encrypted
access-list VPN-TO-ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Select which traffic must be excluded from NAT.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! Do not translate Interesting Traffic
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Create a Phase 2 transform set for encryption and authentication protocols.
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
! Create a crypto map for the IPSEC VPN with the ASA-1 firewall
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 100.100.100.1
crypto map IPSEC 10 set transform-set espSHA3DESproto
! Attach the crypto map to the outside interface
crypto map IPSEC interface outside
crypto isakmp identity address
! Also enable Phase 1 (ISAKMP) on the outside interface
crypto isakmp enable outside
! Create the Phase 1 isakmp policy
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
username admin password xxxxxxxxxxxxxxx encrypted
! Create a tunnel group for the IPSEC VPN (for a LAN-to-LAN tunnel its name is the peer's IP address)
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
pre-shared-key LANtoLANvpnkey
isakmp keepalive threshold 30 retry 5
prompt hostname context
: end
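A LAN-to-LAN tunnel only comes up when both sides agree, so it pays to check the two running configurations against each other before touching the firewalls. The following Python script is an added example for this tutorial, not part of the original book or of any Cisco tool: it parses the ASA 7.2 "show run" format shown above, verifies that ASA-1 and ASA-2 mirror each other (interesting-traffic access-lists, peer addresses, pre-shared key, transform set and ISAKMP proposal) and that the interesting traffic is exempted from NAT, and flags the legacy algorithms (DES/3DES, MD5, DH groups below 2048 bits). The function names, the dictionary layout and the constructed config excerpt `ASA1` (built from the ASA-1 lines above; `ASA2` is derived from it by swapping addresses) are the example's own assumptions; it understands only network/mask access-list entries and the pre-8.3 "nat 0 access-list" syntax used on this page.

```python
from ipaddress import ip_network  # added example, not the tutorial's own code

POLICY_KEYS = ("authentication", "encryption", "hash", "group")  # lifetime may differ between peers
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH = {"1", "2", "5"}  # MODP groups below 2048 bits


def parse_asa(text):
    """Collect the VPN-relevant objects from an ASA 7.x 'show run' dump (network/mask ACEs only)."""
    cfg = {"ifaddr": {}, "acl": {}, "ts": {}, "cmap": {}, "policy": {}, "psk": {}, "nat0": None}
    iface = policy = tg = None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "nameif":
            iface = t[1]
        elif t[:2] == ["ip", "address"] and iface:
            cfg["ifaddr"][iface] = t[2]
        elif t[0] == "access-list" and t[2:5:2] == ["extended", "ip"] and len(t) == 9 and t[5][0].isdigit():
            cfg["acl"].setdefault(t[1], []).append((t[3], ip_network(f"{t[5]}/{t[6]}"), ip_network(f"{t[7]}/{t[8]}")))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]  # NAT exemption list (pre-8.3 syntax)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) == 7 and t[3].isdigit():
            # 'match address ACL' / 'set peer IP' / 'set transform-set TS', keyed on the word at t[5]
            cfg["cmap"].setdefault((t[2], int(t[3])), {})[t[5]] = t[6]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["policy"].setdefault(int(t[3]), {})
        elif policy is not None and t[0] in POLICY_KEYS:  # these keywords only occur inside a policy
            policy[t[0]] = t[1]
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            tg = t[1]
        elif t[0] == "pre-shared-key" and tg:
            cfg["psk"][tg] = t[1]
    return cfg


def weak_crypto(cfg):
    """Legacy algorithms in the Phase 2 transform sets and Phase 1 policies."""
    found = [f"transform-set {n}: {a}" for n, algs in cfg["ts"].items() for a in sorted(algs & WEAK)]
    for seq, pol in cfg["policy"].items():
        found += [f"isakmp policy {seq}: {k} {pol[k]}" for k in ("encryption", "hash") if pol.get(k) in WEAK]
        if pol.get("group") in WEAK_DH:
            found.append(f"isakmp policy {seq}: group {pol['group']}")
    return found


def check_l2l_pair(a, b):
    """Why a's static crypto map entries would not build a tunnel with b ([] means the sides agree)."""
    a_out, b_out = a["ifaddr"].get("outside"), b["ifaddr"].get("outside")
    p1 = [{tuple(sorted(p.items())) for p in c["policy"].values()} for c in (a, b)]
    out = [] if p1[0] & p1[1] else ["no identical isakmp policy on both sides"]
    nat0 = [(s, d) for act, s, d in a["acl"].get(a["nat0"], []) if act == "permit"]
    for (name, seq), ea in a["cmap"].items():
        if "peer" not in ea:
            continue  # dynamic entry (remote access): no static peer to compare
        eb = next((e for e in b["cmap"].values() if e.get("peer") == a_out), None)
        if ea["peer"] != b_out or eb is None:
            out.append(f"{name} {seq}: peers do not point at each other's outside address")
            continue
        mirror = {(d, s) for _, s, d in b["acl"].get(eb.get("address"), [])}
        for _, s, d in a["acl"].get(ea.get("address"), []):
            if (s, d) not in mirror:
                out.append(f"{name} {seq}: {s} -> {d} is not mirrored in the other side's crypto ACL")
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0):
                out.append(f"{name} {seq}: {s} -> {d} is not exempted from NAT (nat 0 ACL)")
        if a["ts"].get(ea.get("transform-set")) != b["ts"].get(eb.get("transform-set")):
            out.append(f"{name} {seq}: transform-set algorithms differ")
        if a["psk"].get(ea["peer"]) != b["psk"].get(a_out):
            out.append(f"{name} {seq}: pre-shared keys differ")
    return out


def swap(text, *pairs):
    """Exchange each token pair: ASA-2's excerpt is ASA-1's with public addresses, LANs and ACL name swapped."""
    for x, y in pairs:
        text = text.replace(x, "\0").replace(y, x).replace("\0", y)
    return text


# Constructed excerpt of the ASA-1 configuration above (VPN-relevant lines only).
ASA1 = """
nameif outside
ip address 100.100.100.1 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 200.200.200.1
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 200.200.200.1 ipsec-attributes
pre-shared-key LANtoLANvpnkey
"""
ASA2 = swap(ASA1, ("100.100.100.1", "200.200.200.1"), ("192.168.1.0", "192.168.2.0"), ("VPN-TO-ASA2", "VPN-TO-ASA1"))
```

To use it on real devices, save each firewall's "show run" output to a file and call `check_l2l_pair(parse_asa(open("asa1.txt").read()), parse_asa(open("asa2.txt").read()))`; an empty list means the two sides agree, and `weak_crypto()` on either side lists what to upgrade. On ASA 8.3 and later the NAT syntax changed, so the NAT-exemption check would have to read the "nat (inside,outside) source static ..." form instead.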

CONFIGURATION EXAMPLE 6: REMOTE ACCESS IPSEC VPN ON CISCO ASA 5505
We will configure here a Remote Access VPN scenario for providing secure connectivity to remote
users over the Internet. Moreover, in this configuration example we will set up the
"split-tunneling" feature, which allows remote users to browse the Internet while connected to the
IPsec VPN. Because split-tunneling is not considered safe, it is disabled by default. This means
that once the remote users initiate a Remote Access VPN with the central site, they can ONLY access
the corporate LAN network and nothing else. In order for the users to access Internet resources and
the corporate LAN simultaneously, split-tunneling must be configured. Keep the trade-off in mind:
with split-tunneling the remote PC is attached to the Internet and to the corporate LAN at the same
time, so a compromised PC becomes a bridge into the LAN; without it, all of the user's traffic
passes through the central firewall, where it is subject to the firewall's policy and logging.

The remote teleworker must have the Cisco VPN client software installed on his/her computer in
order to establish the VPN session. Once the VPN is established, the ASA 5505 assigns a private IP
address from the pool 192.168.20.0/24 to the remote user. This gives the remote user full network
connectivity with the internal corporate LAN (192.168.1.0/24). The 3DES/MD5 transform set and
ISAKMP policy used below date from the ASA 7.2(3) era of this example; where the client and the
image support them, AES and SHA should be selected instead, and "some-strong-key-here" must be
replaced by a long random group key that is distributed to the users out of band.

The complete configuration follows below. See the comment lines (those starting with "!") for
clarifications.

ASA-1# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-1
domain-name test.com
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
! Traffic between internal LAN and Remote Access clients must not be translated
access-list nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

! The split-tunnel list names the networks that are reached through the tunnel (the corporate LAN);
! traffic to any other destination, such as the Internet, leaves the client directly
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
mtu outside 1500
mtu inside 1500
! Create a pool of addresses to assign for the remote access clients
ip local pool vpnpool 192.168.20.1-192.168.20.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Create a dynamic crypto map for the remote VPN clients
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
! Attach the dynamic crypto map to a static crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! Enable ISAKMP on the outside interface and create a Phase 1 isakmp policy for the remote VPN clients
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! NAT traversal (NAT-T, UDP/4500) lets remote clients behind a NAT device connect; 20 is the NAT keepalive interval in seconds
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Configure a group-policy and associate the split tunnel network list configured before
group-policy remotevpn internal
group-policy remotevpn attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
username admin password xxxxxxxxxxxxxxxxxxxx encrypted
! Create a tunnel group with type “ipsec-ra” and associate the vpn pool configured before
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
! The group name “remotevpn” and the pre-shared-key value must also be entered in the Cisco VPN client software (as the group name and group password)
tunnel-group remotevpn ipsec-attributes
pre-shared-key some-strong-key-here
prompt hostname context
: end
