I recently acquired a Cisco ASA 5506-X unit to use as my main router for my fibre broadband connection and thought I should detail the basic setup of these units to get you connected.
Occasionaly I delve into the Cisco iOS command line but normally I just use the ASDM management GUI so that’s what i’ll use for the rest of this article.
The first thing to note is that the 5505 and 5506 units have 8 ports, the 5510 has 4 ports. Any port can be configured as a WAN side port or LAN side port or another type of port (failover between 2 units for example).
However, only the 5505 unit can use a set of ports in switching or bridging mode – enabling you to setup 1 port for the WAN connection and 7 ports as a LAN side switch where you can connect all your equipment. For some reason Cisco decided not to include this functionality in the newer 5506 units and there is some consternation about this decision and debate as the whether they can physically include that functionality in a future software release – a lot of people will upgrade to the 5506 to gain gigabit speeds (5505 is a 100mbit unit only) expecting it to function the same as the 5505 but will be disappointed. So for now you have to use the 5506 as a standard router with 1 port for WAN and 1 port for LAN connected to a separate switch (8 port gigabit switch is pretty cheap anyway).
Although you do lose the ability to do switching you do gain in terms of licensing – the basic license for a 5505 unit does not include trunking and failover. It also limits the number of inside hosts to 10. The 5506 units basic licensing includes unlimited inside hosts and trunking via sub-interfaces. You still have to pay extra for failover though.
5505 licensing: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/license.html
5506 licensing: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-license.html
Connecting to the management interface:
To connect to the router there is a separate management port usually set to IP: 192.168.1.1. To connect, change your network adapters IP address to an IP within that range e.g. 192.168.1.5, with a Class C subnet mask: 255.255.255.0.
In your browser goto the address: https://192.168.1.1 and you will be prompted to download the ASDM software package. Note: you may be prompted for a username and password – enter the standard enable_15 for username and password should be blank if the unit is at factory default (to factory default an ASA unit connect to the console using the console lead supplied and the Putty terminal programme – logon with enable_15, config terminal, configure factory-default). You will need Java runtime installed on your machine in order to use ASDM and you may get problems with newer versions of Java regarding certificates. Usually you can just ignore certificate warnings but if you do get problems Java 7 release 45 is the version that works without any problems.
For more details on this goto the Cisco site: http://www.cisco.com/c/en/us/td/docs/security/asdm/7_3/release/notes/rn73.html See the Java and Browser compatability section.
Or setup a self signed certificate: http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html Which you install into the Java software certificates list.
Setting up the WAN interface:
Most broadband connections will require you authenticate with the ISPs servers using the PPPoE protocol (point-to-point protocol over ethernet: https://en.wikipedia.org/wiki/Point-to-point_protocol_over_Ethernet).
In ASDM goto Configuration, Interface Settings, Interfaces and edit port 1 (GigabitEthernet1/1).
Give the Interface a name – I usually choose ‘outside’ for the WAN link and ‘inside’ for the LAN link but you can choose whatever you like.
Make sure the Security Level is set to zero.
Make sure the interface is enabled.
Under the IP Address section you can choose PPPoE and fill out the relevant details that you would have obtained from your ISP. You may have a different setup to mine and your ISP may use a different method of connecting you e.g. DHCP, in which case choose the method that is relevant to your situation.
Here’s a screenshot:
Scroll down until you see the IP Address and Route Settings button. You don’t need to tick the Store Username and Password in local flash option. Type in the settings according to your ISPs setup (usually you would obtain IP and default gateway information automatically – even if you have a static IP setup with your ISP):
Click on the Advanced tab and check the MTU setting – the default is 1500 but you may need to change this, again depending on your ISPs setup. With BT in the UK I need to set it to 1492 which is the standard setting for PPPoE connections. See here for more info: https://en.wikipedia.org/wiki/Maximum_transmission_unit:
There are obviously loads of other settings here because a Cisco router can basically connect to anything if setup correctly but these should be the only changes you need to make for a standard broadband connection.
If you go back to the Home screen you should see the ‘Outside’ interface changes from Down to Up and the ISPs IP address will appear together with the network mask number. Note: this may take a few seconds to appear.
Setting up the LAN interface:
On the interfaces page choose a port to use as the LAN port – usually port 2 (GigabitEthernet 1/2) and click edit.
Give an interface name – ‘inside’ in my case.
Make sure the security level is set to a higher number than was given for the WAN port – 50 is the default. With the ‘Outside’ interface set to zero this setting will ensure that no traffic will be allowed between the ‘Inside’ and ‘Outside’ interfaces unless explicitly allowed by NAT and Firewall Access rules – by default the router does not allow traffic to pass between higher and lower security levels.
Make sure the enable interface option is ticked.
Choose a static IP and fill in the IP address and Subnet mask – this is a number on your internal network. In my case I use the IP range 192.168.0.1-256 (a class C address range with subnet mask 255.255.255.0) but you can choose any range designated for private use. See: https://en.wikipedia.org/wiki/Private_network. It is also possible to use any valid IP range as these numbers are never routed to the outside world but the convention is to use a private range specifically designated for this purpose.
Note: the number you choose here will be your default gateway for all local connections.
By default the Cisco ASA allows the router to be pinged on the ‘Outside’ interface. If you wish to block this you can do so by adding a Management Access Rule.
Goto Configuration, Device Management, Management Access, ICMP and click Add.
Set the ICMP Type to Any.
Set the Interface to ‘Outide’.
Set the Action to Deny.
Set the IP address and the Mask to Any or 0.0.0.0
By default the Cisco ASA does allow you to ping external addresses (see default Firewall Access Rules below) but will NOT allow the reply from the PING to be routed back. There are two ways of adding this functionality:
First method is by changing the Default Service Policy Rules – goto Configuration, Firewall, Service Policy Rules. There should be a Default Inspection rule listed – hit Edit.
Goto the Rule Actions tab.
Tick the ICMP option and click OK and Apply.
This will now allow the PING replies (or Echo’s) to be routed back.
The second method involves adding a Firewall Access Rule – goto Configuration, Firewall, Access Rules.
Select the ‘Outside’ interface section and click Add.
Select permit for the Action.
Source will by Any.
Destination will be Any.
The services should be set to ‘icmp/echo-reply’.
Again this will now allow the PING replies (or Echo’s) to be routed back.
I prefer the second method as it separates the default rules from the ones you have added and keeps your rules listed under one section in the Firewall Access Rules.
Setting up the DHCP server:
Your next task is to setup the DHCP server which assigns addresses from your local network address range when devices try to connect.
Go to Configuration, Device Management, DHCP, DHCP Server.
This will list the interfaces you have created on the ASA – ‘inside’, ‘outside’ and the ‘management’ interface that was automatically setup (with a DHCP range already allocated to it).
We want to setup a DHCP server for the ‘inside’ interface so select that interface and click Edit.
Tick the ‘Enable DHCP Server’ option and enter an IP range for the pool of addresses the DHCP server should use. In our case I have chosen 192.168.0.10 to 100.
Don’t enter your inside interfaces address (192.168.0.1) as part of the pool – that needs to stay as a static IP.
Cisco routers do not allow address reservation. This is a function on, most consumer broadband routers, that allows you to reserve a particular IP for a device from the DHCP range according to the devices MAC address. This is useful if later on you want to use port forwarding to the device – you need the IP of the device to not change over time otherwise your port forwarding and routing rules, which have been specified for a particular internal IP number, will not work. This is an essential requirement if you want to host a server behind your router – web server, minecraft server etc.
When using Cisco routers you have to set the devices IP statically on the devices themselves – usually in their network adapter settings. I need a number of these static IPs setup – Wi-Fi Access Point, NAS drive, Minecraft server etc. So I have started my address range at 10 so that I can use the IPs 192.168.0.2-9 as static IPs on these devices. If I need any more in future I can change the DHCP range or use the numbers above 100. My DHCP addresses will only be used for roaming devices – mobiles, laptops, iPad’s etc.
You also need to enter the DNS server addresses that your DHCP clients will use. This can be an internal DNS server or more likely your ISPs DNS servers. In my case I use OpenDNS:
Setting up NAT translation:
In order for your devices to be able to communicate to the outside world you need to setup some kind of translation to and from the external IP address and your internal IP addresses. You achieve this using a NAT rule.
The router uses NAT rules to substitute source and destination addresses as required – this enables you to use a single IP address on the ‘outside’ interface and a range of addresses on the ‘inside’ interface.
Goto Configuration, Firewall, NAT Rules and click Add.
Set the source interface to ‘Inside’.
Source address, destination address and service should all be set to ‘any’.
Under the Translated Packet section the Source NAT type should be ‘Dynamic PAT (Hide)’ and source address should be ‘Outside’.
Destination address and service should be set to Original.
Make sure the ‘Enable rule’ box is ticked.
Your NAT screen should look something like the image below. I have added a port forwarding NAT rule just to illustrate where the NAT rule should be positioned – it should always be at the bottom of the list otherwise your port forwarding rule would overide it. For port forwarding rules read my article here: Cisco ASA Port forwarding.
Configuring NAT rules guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cfgnat.html
Setting up Firewall Access Rules:
This NAT rule you added above will translate any ‘inside’ IP addresses to the ‘outside’ address for any service. But the router will still abide by the Firewall Access Rules (Configuration, Firewall, Access Rules).
By default the Cisco ASA will allow all outbound traffic so in reality you don’t need to change anything after adding the NAT rule. But just to check here is the default Access Rules screen:
At the bottom is a Global rule that denies all traffic (hence IP as the service) – both Inbound and Outbound.
The rule under the ‘Inside’ interface allows any IP traffic from the Inside interface to any less secure network i.e. any interface with a lower security level – we set the ‘Outside’ interface to security level 0 and the ‘Inside’ to level 50 so this rule will allow traffic to pass through the ‘Outside’ interface.
You can of course block all outbound traffic by denying access on the ‘Inside’ interface rule. And you can then explicitly allow traffic for invidual services above this rule e.g. add a rule to allow http traffic only – this would allow inside devices to browse to websites on port 80 (http) and nothing else, not even https (port 443).
To allow incoming traffic you would add rules to the ‘Outside’ interface section e.g. allow http (port 80) traffic to an internal web server address (192.168.0.2 for instance – you would also have to setup port forwarding NAT rules for this to work fully – see my Cisco ASA Port Forwarding article).
Time is a critical component for the router so you should make sure the ASA is getting the correct time from the internet.
To set a time server goto Configuration, Device Setup, System Time.
You can set the time under the Clock section.
To set the ntp server goto NTP section and click Add.
I prefer to use the NTP.ORG servers – unfortunately you cannnot put a host name in here, you have to use an IP.
So ping pool.ntp.org first to obtain the correct IP number: 220.127.116.11 in my case, and enter that in the IP address field.
Tick the preferred box.
Set the interface to Outside (you can set it to an internal time server if you wish).
Click OK and Apply.
That’s about it, you now have a fully functioning router that is connecting to your ISP automatically, allowing internal devices to obtain IP numbers, allowing outbound traffic, denying inbound traffic, allowing pinging outbound and allowing pinging externally to the router.
Going forward you should make sure you keep your router up-to-date with the latest firmware and ASDM version. I find it easiest to download the update images from the Cisco server to a local drive and then using the ASDM ‘Upgrade from Local Computer’ option under the Tools menu.
And one final thing – backup your configuration using Tools, Backup Configurations. Do this now and before you do any upgrades.