Tricky Bits
Cisco ASA 5505 basic console configuration

You’ve got a Cisco ASA 5505 (firmware version 8.3 or later) and you need to set it up?

I’ll run you through the basics of upgrading the firmware and setting up the interfaces, firewall, NAT, DHCP and more.

Note! This guide is meant for ASA version 8.3 and later. Cisco changed a lot of the syntax in 8.3 (NAT in particular), so if you’re on an older ASA version you should probably upgrade your firmware anyway :)

Things you will need:

  • Serial cable (I highly recommend you get a USB to Serial adapter)
  • TFTP server (tftpd32, WinAgents or some such)
  • A terminal client (like PuTTY for Windows) 



Let’s get started

First of all, you will need to connect to the console port of your Cisco ASA.

For reference, the Cisco ASA 5505 default inside IP is 192.168.1.1 and its default login and enable passwords are blank, but that doesn’t matter now since we’re doing this over the console.

  • Place the firmware on your TFTP server.
  • Plug the serial cable into the ASA console port and boot up the device.
  • Launch the terminal and watch the ASA start up.
  • Once the ASA has booted, get into config mode. 

ciscoasa> enable
ciscoasa# config terminal

What we want to do is set the inside IP address so that we can pull the new firmware from your TFTP server (unless your TFTP server is already on the 192.168.1.0/24 subnet, of course). The easiest way to set a new IP is to re-apply the factory default configuration with a different inside address and mask:

ciscoasa(config)# configure factory-default 192.168.242.1 255.255.255.0
ciscoasa(config)# reload save-config noconfirm

Now the ASA will reboot. Plug any of ports 1 to 7 into the network where your TFTP server lives: in the factory default configuration Ethernet0/0 is the outside port (VLAN 2) and Ethernet0/1 to 0/7 are inside ports (VLAN 1). Again, get into config mode (as explained above).

Let’s copy the image to the ASA’s flash. 

ciscoasa(config)# copy tftp disk0
Address or name of remote host []? 192.168.242.10
Source filename []? cisco/asa843-k8.bin
Destination filename [disk0]? asa843-k8.bin

Now the new firmware is sitting on the ASA. If you intend to use ASDM, now is a good time to copy that image as well, using the same procedure.

Next, instruct the ASA to boot the new firmware (and to use the optional ASDM image).

ciscoasa(config)# boot system disk0:/asa843-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-647.bin 

To get a brand new, clean config for your ASA, erase its startup configuration and reboot. Don’t worry, the boot image setting survives this; we check it after the reload anyway.

ciscoasa(config)# write erase
ciscoasa(config)# reload noconfirm

Get into config mode again and make sure you’re running the right firmware. (Booting without a configuration, the ASA asks "Pre-configure Firewall now through interactive prompts [yes]?"; answer no, since we are doing everything by hand.)

ciscoasa(config)# show version
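The upgrade as one sequence, with the two checks a practitioner wants that the post skips: an integrity check of the downloaded image against the MD5 hash Cisco publishes on the download page before the boot variable is pointed at it, and confirmation after the reload that the new image actually booted. This is an added example, not part of the original post; the TFTP address, file names and the hash are placeholders.

```cisco
! Added example (not from the original post). TFTP server address,
! file names and the MD5 value are placeholders.
ciscoasa# copy tftp: disk0:
Address or name of remote host []? 192.168.242.10
Source filename []? asa843-k8.bin
Destination filename [asa843-k8.bin]? asa843-k8.bin

! Compare the image on flash with the hash on Cisco's download page
! before trusting it; the command reports whether the two match.
ciscoasa# verify /md5 disk0:/asa843-k8.bin <md5 from the download page>

! Point the boot variable at the new image, wipe the config, reload.
ciscoasa# configure terminal
ciscoasa(config)# boot system disk0:/asa843-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-647.bin
ciscoasa(config)# write erase
ciscoasa(config)# reload noconfirm

! After the reload: which image booted, and what the boot variable holds.
! If the old image shows up here, re-enter "boot system" and "write memory".
ciscoasa# show version | include image
ciscoasa# show bootvar
```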

If all is fine, let’s continue with the actual configuration!



Basic configuration

First off, set a password for enable mode (it is blank by default):

ciscoasa(config)# enable password <your password>

Give the device a hostname:

ciscoasa(config)# hostname testcisco

Create a user for administration. We will need it to authenticate SSH and ASDM logins.

testcisco(config)# username admin password <your password> privilege 15

Time to configure the VLAN interfaces for inside and outside. Let’s say our internal subnet is 192.168.242.0/24. The example below uses a static outside address (94.246.108.110 is a placeholder; use the address your provider gave you).

If your provider hands out the outside address by DHCP instead, the outside VLAN interface is configured to request its address over DHCP, and the default route comes with the lease.

testcisco(config)# interface vlan 1
testcisco(config-if)# ip address 192.168.242.1 255.255.255.0
testcisco(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
testcisco(config-if)# exit
testcisco(config)# interface vlan 2
testcisco(config-if)# ip address 94.246.108.110 255.255.255.0
testcisco(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
testcisco(config-if)# exit

If your outside address is static, you also need to set the default route by hand (with DHCP on the outside this is done for you).

testcisco(config)# route outside 0.0.0.0 0.0.0.0 <your external network gateway IP>

Now assign the physical ports to the inside and outside networks. Let’s make port 0 (Ethernet0/0) the WAN port in VLAN 2 and port 1 (Ethernet0/1) the LAN port. We keep the rest shut down. You can easily enable more ports later, but be aware that every port you enable is a member of VLAN 1 (inside) by default, so an unused but enabled port is an open door into your LAN.

testcisco(config)# interface ethernet0/0
testcisco(config-if)# switchport access vlan 2
testcisco(config-if)# no shutdown
testcisco(config-if)# exit
testcisco(config)# interface ethernet0/1
testcisco(config-if)# no shutdown
testcisco(config-if)# exit

We’re not there yet: the ASA still has to NAT traffic from the LAN to the WAN. From ASA version 8.3 onwards NAT is configured on network objects, like this. (The object below matches any source address; restricting it to your inside subnet is tighter.)

testcisco(config)# object network obj_any
testcisco(config-network-object)# subnet 0.0.0.0 0.0.0.0
testcisco(config-network-object)# nat (inside,outside) dynamic interface
testcisco(config-network-object)# exit

Now you should have internet access and TCP/UDP traffic from the inside should flow nicely, because the ASA lets the replies of connections opened from the inside back in. Ping won’t work yet, though: ICMP is not inspected by default, so echo replies from the outside are dropped until we allow them. We’ll get back to that.
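The interface and NAT setup as one complete configuration listing, covering both outside variants (DHCP, which the post mentions but does not show, and static) and the verification commands to run afterwards. This is an added example, not configuration from the original post; all addresses, the object name inside-net and the gateway address are placeholders.

```cisco
! Added example (not from the original post). Addresses are placeholders.
! Inside: VLAN 1, static 192.168.242.1/24, carried on Ethernet0/1.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.242.1 255.255.255.0
!
! Outside: VLAN 2 on Ethernet0/0. Variant A: address from the provider's
! DHCP. "setroute" installs the default route learned from the lease,
! so no "route outside" line is needed.
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Variant B (static): use a fixed address and add the default route
! yourself (94.246.108.110 and .1 are placeholders):
!  ip address 94.246.108.110 255.255.255.0
!  route outside 0.0.0.0 0.0.0.0 94.246.108.1
!
interface ethernet0/0
 switchport access vlan 2
 no shutdown
interface ethernet0/1
 switchport access vlan 1
 no shutdown
! Unused ports stay down; an enabled port lands in VLAN 1 (inside).
interface ethernet0/2
 shutdown
!
! Translate only the inside subnet, not 0.0.0.0/0, so that packets with
! unexpected source addresses are not translated out.
object network inside-net
 subnet 192.168.242.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verification (exec mode): addresses, names, routes, NAT table, and a
! simulated client connection that reports ALLOW or DROP per phase.
show interface ip brief
show nameif
show route
show nat
packet-tracer input inside tcp 192.168.242.50 40000 198.51.100.10 80
```

The packet-tracer line is the quickest way to tell a routing problem from a NAT or access-list problem: its output walks through the route lookup, the access list and the NAT phase and names the one that dropped the packet.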



Authentication for admin

Let’s create an RSA keypair for SSH. Use a 2048-bit modulus; 1024 bits is no longer considered adequate.

testcisco(config)# crypto key generate rsa modulus 2048
Keypair generation process begin. Please wait…

Enable the HTTP server (for ASDM):

testcisco(config)# http server enable

Point SSH and HTTP (ASDM) authentication at the local user database. Without this, SSH logs in with the fixed username "pix" and the login password, and ASDM uses a blank username and the enable password, so this step is what makes the admin user above count.

testcisco(config)# aaa authentication ssh console LOCAL
testcisco(config)# aaa authentication http console LOCAL

Allow SSH and HTTP access from the inside network only. Don’t open either on the outside interface unless you really need to.

testcisco(config)# ssh 192.168.242.0 255.255.255.0 inside
testcisco(config)# http 192.168.242.0 255.255.255.0 inside
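The management-access part as one listing, with the hardening a practitioner would add on top of what the post configures: a 2048-bit key, SSH version 2 only and an idle timeout, and verification commands. This is an added example, not configuration from the original post; the password is a placeholder.

```cisco
! Added example (not from the original post). The password is a placeholder.
! Local admin account used for SSH and ASDM.
username admin password <strong password> privilege 15
!
! 2048-bit host key. Generating a new key replaces the old one, so SSH
! clients that already know this host will warn about a changed key.
crypto key generate rsa modulus 2048
!
! SSH version 2 only, and drop idle sessions after 10 minutes.
ssh version 2
ssh timeout 10
!
! Authenticate SSH and ASDM logins against the local user database.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! Management is reachable only from the inside subnet. Telnet is left
! disabled (there is no "telnet ... inside" line).
ssh 192.168.242.0 255.255.255.0 inside
http server enable
http 192.168.242.0 255.255.255.0 inside
!
! Checks: SSH settings, the key, and who is logged in.
show ssh
show crypto key mypubkey rsa
show ssh sessions
```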



Setting up NTP

If you want to sync with a time server (you do: certificate validity checks and log timestamps both depend on a correct clock). The timezone line takes the name and offset of standard time (CET is UTC+1); the summer-time line names the daylight-saving zone (CEST) and the switch-over rule.

testcisco(config)# ntp server <IP of NTP server> source outside prefer
testcisco(config)# clock timezone <your timezone, for example CET 1>
testcisco(config)# clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
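The same NTP setup with authentication added, so that the ASA only accepts time from a server that shares the key, plus the commands to confirm it actually synchronised. This is an added example, not configuration from the original post; the server address and the key are placeholders and must match what is configured on your NTP server.

```cisco
! Added example (not from the original post). Server address and key
! are placeholders; the key must match the server's.
ntp authentication-key 1 md5 <shared key>
ntp trusted-key 1
ntp authenticate
ntp server 192.0.2.10 key 1 source outside prefer
!
! Standard time name and offset, then the daylight-saving rule.
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
! Checks: "synchronized" in the status line, and the peer marked as
! authenticated and reachable in the association detail.
show ntp status
show ntp associations detail
show clock
```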



The DHCP server role

If you want the ASA to act as DHCP server for the inside network, this is how you do it. The pool must lie within the inside subnet and must not include the ASA’s own address or any host with a static address.

testcisco(config)# dhcpd address 192.168.242.100-192.168.242.150 inside
testcisco(config)# dhcpd dns <your dns server>
testcisco(config)# dhcpd domain your-domain.local
testcisco(config)# dhcpd enable inside

To disable the DHCP server again:

testcisco(config)# no dhcpd enable inside

To check the active DHCP leases:

testcisco(config)# show dhcpd binding
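The DHCP server setup as one listing, with the option the post does not mention that fits an outside interface on provider DHCP: taking the DNS servers and domain from the outside lease. This is an added example, not configuration from the original post; the addresses are placeholders.

```cisco
! Added example (not from the original post). Addresses are placeholders.
! The pool stays inside 192.168.242.0/24 and leaves out the ASA itself
! (.1) and statically addressed hosts such as a server at .20.
dhcpd address 192.168.242.100-192.168.242.150 inside
!
! Pass on the DNS servers and domain learned from the outside DHCP lease
! (only does something when the outside interface is a DHCP client)...
dhcpd auto_config outside
! ...or set them explicitly; explicit values take precedence.
dhcpd dns 192.168.242.10
dhcpd domain your-domain.local
!
! Lease time in seconds (the default is 3600).
dhcpd lease 86400
dhcpd enable inside
!
! Checks: current leases, and offer/ack counters for troubleshooting.
show dhcpd binding
show dhcpd statistics
```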



Firewall rules

To allow ping, create an access list permitting ICMP and apply it inbound on the outside interface.

This is the general way to create firewall rules, but you will want to be more restrictive about what is allowed in: "permit icmp any any" lets every ICMP type through, not only echo replies. Also note that once an access group is applied to the outside interface, anything the list does not permit is dropped by the implicit deny at its end.

testcisco(config)# access-list OutsideAllowedIn extended permit icmp any any
testcisco(config)# access-group OutsideAllowedIn in interface outside



Logs

Enable logging and check the buffer. This is great for troubleshooting, especially when your access rules aren’t doing what you want them to. Level 7 (debugging) is very noisy; for day-to-day use level 6 (informational) is enough to see connections and access-list denies.

testcisco(config)# logging buffered 7
testcisco(config)# logging enable
testcisco(config)# show log

To turn logging off again:

testcisco(config)# no logging enable  
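A logging setup a practitioner would run with after the troubleshooting phase: timestamps, an informational-level buffer, and the same messages shipped to a syslog collector on the inside so that they survive a reload and can be searched. This is an added example, not configuration from the original post; the syslog server address is a placeholder.

```cisco
! Added example (not from the original post). The collector address is
! a placeholder.
logging enable
logging timestamp
!
! Local buffer at informational (6): connection build/teardown and
! access-list denies without the flood of debugging (7).
logging buffered informational
logging buffer-size 65536
!
! Ship informational and above to a syslog server on the inside.
logging host inside 192.168.242.10
logging trap informational
!
! Checks: logging state and counters, then only the access-list denies
! (message ID 106023 is "Deny ... by access-group").
show logging
show logging | include 106023
```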



Port Forwarding

Let’s do some port forwarding! It is basically a combination of a static NAT and an access-list entry.

Create a network object for the internal host; let’s say you have an RDP server which you want to reach from the outside. The object holds the host address and the NAT configuration. The NAT rule names both the real (inside) port and the mapped (outside) port, so you can present the service on a non-standard outside port if you wish to conceal the standard RDP port (this only hides it from casual scans; it is not access control).

After that, create the access-list entry and attach the list to the outside interface (if you haven’t already done that). Since 8.3, access lists match the real (inside) address and port, not the translated ones, which is why the rule below refers to the object and to port 3389 even if you mapped a different outside port.

testcisco(config)# object network rdpserver
testcisco(config-network-object)# host <internal IP of the RDP server>
testcisco(config-network-object)# nat (inside,outside) static interface service tcp 3389 3389
testcisco(config-network-object)# exit
testcisco(config)# access-list OutsideAllowedIn extended permit tcp any object rdpserver eq 3389
testcisco(config)# access-group OutsideAllowedIn in interface outside
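The firewall rules and the port forward together, as one outside-in policy written the way a practitioner would ship it: ICMP limited to the types needed for a working network, RDP presented on a non-standard outside port and reachable only from named source addresses rather than "any", hits logged, and the verification commands. This is an added example, not configuration from the original post; the addresses, the mapped port 33890 and the group name rdp-admins are placeholders.

```cisco
! Added example (not from the original post). Addresses and names are
! placeholders.
! RDP server: real port 3389, presented on outside port 33890.
object network rdpserver
 host 192.168.242.20
 nat (inside,outside) static interface service tcp 3389 33890
!
! Who may reach RDP from the outside: a named group instead of "any".
object-group network rdp-admins
 network-object host 203.0.113.5
!
! Outside-in policy. ICMP: only replies and errors, so ping and
! traceroute from the inside work without accepting inbound echo
! requests. (Alternatively, "inspect icmp" in the global policy map
! handles replies statefully.) The access list matches the real
! address and port (object rdpserver, 3389), not the mapped port.
access-list OutsideAllowedIn extended permit icmp any any echo-reply
access-list OutsideAllowedIn extended permit icmp any any time-exceeded
access-list OutsideAllowedIn extended permit icmp any any unreachable
access-list OutsideAllowedIn extended permit tcp object-group rdp-admins object rdpserver eq 3389 log
! Everything else is dropped by the implicit deny at the end.
access-group OutsideAllowedIn in interface outside
!
! Checks: per-line hit counts, the translation, and a simulated
! connection from an allowed source to the mapped port (replace the
! destination with the ASA's current outside address).
show access-list OutsideAllowedIn
show nat detail
packet-tracer input outside tcp 203.0.113.5 50000 <outside IP> 33890
```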

And that’s all for now. Let me know if you have any questions or feedback on this article :)

Exchange 2007 on Windows Server 2008 R2

A piece of advice for anyone trying to install Exchange 2007 on Windows Server 2008 R2: don’t do it.

Apparently Microsoft have announced in some obscure blogpost that these two products are not compatible. There will however be a fix released later this year, but in my opinion your best bet is to install Exchange 2010, or revert back to an older OS.

I spent a day on troubleshooting the installation so yes I’m rather pissed off at Microsoft for this epic failure right now :)

VMware ESXi upgrade nonsense

So I’ve spent a large chunk of this Sunday on server maintenance. More specifically, upgrading VMware ESXi 3.5 to 4.0.

This seemed like a trivial task beforehand, but ended up taking 6 hours instead of 1 hour. I’ll share this knowledge so perhaps you won’t have to waste that much time.

Since the 3.5 ESXi server wasn’t part of our vCenter setup, the usual vCenter upgrade was not an option in this case. vCenter Update is the recommended way of doing this upgrade, but there’s also another way, using the Host Upgrade Utility.

Some instructions on how to do this procedure are described here.

Anyway, while running the Host Upgrade Utility, after it had validated the patch file, all I got was this error message: “Input string was not in a correct format”, and the compatibility check kept running in the background forever.
I tried running the tool on various OSes and tried to find any helpful information on the support forums, but with no success.

In the end I concluded that this problem appears when you’re running your client with regional settings other than US/English. So, long story short: before upgrading with the vHUU, set your OS regional settings to US/English.

VMware usually does a great job, but not with this one…

Yah

So let’s give Tumblr a go. Put on your helmets!