Sunday, June 2, 2013

Lab part 1: Initial ASA Configuration


At the end of this post you can see the complete topology of what this lab series covers (I couldn't really find a more practical way of cramming everything in; I usually use GNS3 just to create a clean topology quickly).  In the first post of the lab, we are going to start with getting an ASA up and running so that ASDM can be used to connect to it.  This lab starts with a wiped ASA, and rather than following the CLI startup wizard, it will be configured manually.  I think this is the best way to learn what is actually taking place.

Lab Objectives

This lab assumes an ASA 5505 with no initial configuration.  These are the requirements for the configuration:

  • Outside interface, assigned to VLAN 10, security level 0 with an IP of 207.100.100.1/27
  • Inside interface, assigned to VLAN 100, security level 100, with an IP of 172.16.100.1/24
  • Interface eth0/0 should be mapped to the outside 
  • Interface eth0/1 should be reserved for a future DMZ config
  • Interface eth0/2 should be assigned to the inside
  • Host with an IP address of 172.16.100.10 should be able to use ASDM to connect to the ASA

ASA Setup

We are starting from scratch with no configuration, and the ASA prompts us to pre-configure the firewall by following the interactive prompts.  We'll say no and continue with the manual configuration.

Configure Credentials

Now moving to enable mode you'll notice it asks for a password.  By default, there is no password, so just press enter to continue.


The first thing we will do is add an enable password and create an admin user for the ASA.  Note that the ASA uses the command enable password instead of the traditional enable secret found on IOS devices.  However, if you check the configuration, you will see that the password is stored encrypted.  Use a password of your choice; the commands are:

ciscoasa(config)# enable password cisco
ciscoasa(config)# username admin password cisco privilege 15

Another thing I noticed that was interesting was the placement of the privilege keyword after the password.  Normally it seems you configure the privilege first and then the password.

Configure Interfaces

Since the ASA 5505 model uses switchports for its 8 interfaces, any IP address assignment has to be done by creating SVIs (switched virtual interfaces).  If you've ever set up a switch and configured it with a management IP address, then you have created an SVI.  On an ASA 5505, we create VLANs, assign them IP addresses, configure the name and security level, and then move into the switchport configuration and assign the ports to the corresponding VLANs.

We will start by creating the SVIs for the outside and inside interfaces.  The two differences between a switch SVI and an ASA SVI are that we also need to define a name using the nameif command, and a security level using the security-level <0-100> command.  By default, an ASA will only allow traffic to flow from higher security level interfaces down to lower security level interfaces.  Traffic from lower security levels (using the default rules; this will be explained in detail in a later post) cannot reach higher security level zones unless the connection was initiated from the higher security zone.  This is the stateful default behavior.  I use the following commands to set up my inside and outside interfaces:

ciscoasa# conf t
ciscoasa(config)# int vlan 10
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 207.100.100.1 255.255.255.224
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)# int vlan 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 172.16.100.1 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit

Now that we have our inside and outside interfaces, we need to assign the correct switchports to them.  This is done exactly the way you would on a switch, except that the switchport names are slightly different ("ethernet x/x", which can be shortened to et) and, by default, the switchports are shut down.  These are the commands I use to assign my switchports to their SVI interfaces.

ciscoasa(config)# int et0/0
ciscoasa(config-if)# switchport access vlan 10
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)# int et0/2
ciscoasa(config-if)# switchport access vlan 100
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit


Configure Access to ASDM

If you check back in the list, you'll see that we need to configure the ASA so that it can be reached via ASDM.  To do so, we need to start the HTTPS server and add the IP address of the management workstation to a special management access list.  By default, the ASA denies access to its HTTPS server from any IP.  The commands used to do this are:

ciscoasa(config)# http server enable
ciscoasa(config)# http 172.16.100.10 255.255.255.255 inside

Now you might be thinking: wait, that says HTTP, not HTTPS.  Not to worry; the command only allows the ASA to be reached via HTTPS.  For some reason that I do not know, the command is HTTP.  The second line allows the management machine to access the ASA through the inside interface.  Also, wildcard masks are not generally used in the configuration of the ASA; instead it uses the normal subnet mask format.


You should now be able to access the ASA via the ASDM by opening a browser and typing in https://172.16.100.1 (or whichever IP you have picked for your inside address).  The certificate will be untrusted by the browser since it is a self-signed cert.


After you continue through, you'll see the option to download the ASDM and install it on your local machine.  Alternatively, you can launch the ASDM using Java Web Start and run it off the ASA's flash memory.  I will cover the ASDM in the next part of my lab.
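As an added example (not part of the original post), here is a small Python audit that parses a constructed running-config fragment matching the commands above, checks the lab objectives (security levels, http server enabled, http access limited to the single inside management host) and models the default higher-to-lower security-level rule described earlier.  The config text and the 172.16.100.10 management host are taken from this lab; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the running-config fragment that the commands in this lab produce.
LAB_CONFIG = """
interface Vlan10
 nameif outside
 security-level 0
interface Vlan100
 nameif inside
 security-level 100
http server enable
http 172.16.100.10 255.255.255.255 inside
"""

def parse_asa(config):
    """Return ({nameif: security-level}, http_enabled, [(network, nameif)]) from ASA config text."""
    levels, rules, http_enabled, cur = {}, [], False, None
    for line in config.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r" security-level (\d+)", line):
            levels[cur] = int(m.group(1))
        elif line.strip() == "http server enable":
            http_enabled = True
        elif m := re.match(r"http (\S+) (\S+) (\S+)", line):  # http <ip> <mask> <nameif>
            rules.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return levels, http_enabled, rules

def default_policy_allows(levels, src, dst):
    """Default ASA behaviour: connections may only be initiated from a higher level to a lower one."""
    return levels[src] > levels[dst]

def audit(config, mgmt_host="172.16.100.10"):
    """Check the lab objectives and flag any http rule wider than the single management host."""
    levels, http_enabled, rules = parse_asa(config)
    findings = []
    if levels.get("outside") != 0:
        findings.append("outside is not security-level 0")
    if levels.get("inside") != 100:
        findings.append("inside is not security-level 100")
    if not http_enabled:
        findings.append("http server enable is missing, ASDM cannot connect")
    for net, ifname in rules:
        if ifname != "inside" or net != ipaddress.ip_network(f"{mgmt_host}/32"):
            findings.append(f"http access {net} on {ifname} is wider than the management host")
    return findings
```

Running audit() over a copy of the config with a broader http line (for example 0.0.0.0 0.0.0.0) returns a finding, which is the check worth keeping in a config review.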


At this point, we have met all of our required goals!