Cisco ASA 5505 Basic Configuration Tutorial
The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as those of the biggest models (5510, 5520, 5540 etc.). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application-aware security, denial of service attack protection and much more. Moreover, the ASA 5505 appliance supports 150 Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.
In this article I will explain the basic configuration steps needed to set up a Cisco ASA 5505 firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (200.200.200.1 in this example) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface.
The difference between the 5505 and the bigger ASA models is that it has an 8-port 10/100 switch which works at Layer 2 only. That is, you cannot configure the physical ports as Layer 3 ports; instead you have to create VLAN interfaces and assign the Layer 2 ports to each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and is the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned to VLAN 1 and are used for connecting to the internal network.
Let’s go through the most important configuration steps. The diagram below illustrates the network topology for the configuration setup that we will describe. Notice from the diagram that port Ethernet0/0 connects to the Internet, and ports Ethernet0/1 to 0/7 connect to internal hosts (PCs etc.).

Step 1: Configure the internal interface vlan
ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shut
Step 2: Configure the external interface vlan (connected to Internet)
ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shut
Step 3: Assign Ethernet 0/0 to Vlan 2
ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut
Step 4: Enable the remaining interfaces with no shut
ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut
Do the same for Ethernet0/1 to 0/7.
Step 5: Configure PAT on the outside interface
ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Step 6: Configure default route towards the ISP (assume default gateway is 200.200.200.2)
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
The above steps are the minimum you need to configure to make the appliance operational. Of course, there are many more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.
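The six steps above leave a handful of running-config lines whose values have to agree with each other. The following Python sketch is an added example, not part of the original tutorial or of any Cisco tool: it parses those lines and checks that the inside and outside subnets do not overlap, that every nat ID has a matching global (the pre-8.3 syntax used in Step 5), and that the default route points to a gateway on the outside subnet. The names SAMPLE_CONFIG, parse and audit are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the running-config lines that Steps 1-6 produce.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
"""

def parse(config):
    """Collect named interfaces, nat/global IDs and default routes."""
    ifaces, nat_ids, global_ids, routes, cur = {}, set(), set(), [], None
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] == "interface":
            cur = {}                      # start of a new interface stanza
        elif line.startswith(" ") and cur is not None:
            if w[0] == "nameif":
                ifaces[w[1]] = cur
            elif w[:2] == ["ip", "address"] and len(w) > 3 and w[2][0].isdigit():
                cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[0] in ("nat", "global") and len(w) > 2:
            (nat_ids if w[0] == "nat" else global_ids).add(w[2])
        elif w[0] == "route" and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
            routes.append((w[1], ipaddress.ip_address(w[4])))
    return ifaces, nat_ids, global_ids, routes

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    ifaces, nat_ids, global_ids, routes = parse(config)
    inside, outside = ifaces.get("inside", {}), ifaces.get("outside", {})
    if "net" not in inside or "net" not in outside:
        return ["inside or outside has no static ip address"]
    findings = []
    if inside["net"].overlaps(outside["net"]):
        findings.append("inside and outside subnets overlap")
    for nid in sorted(nat_ids - global_ids - {"0"}):   # nat 0 is NAT exemption
        findings.append(f"nat id {nid} has no matching global")
    if not any(i == "outside" and gw in outside["net"] for i, gw in routes):
        findings.append("no default route via a gateway on the outside subnet")
    return findings
```

Feed `audit()` the text of `show running-config`; interfaces that take their address from DHCP are reported as having no static address rather than being checked.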

I’ve 2 routers on HSRP need to connect directly to firewall. I think I can use the SVI to avoid using an intermediate switch between router and firewall. Is that right? Any cons if I do this?
Hello there,
Yes, you can do that of course, since the ASA5505 ports work just like a switch. The ASA will “see” the HSRP virtual address and the routers will “see” the ASA Vlan1 address.
Let me know if you need more clarifications.
Harris
Thanks for the quick reply, how about ASA5510?
Well, ASA 5510 does not have an embedded switch like the 5505. So you will need to use an extra switch to connect your ASA and routers.
Thanks for the update
I have a vendor who set up a router to router VPN using Cisco ASA5505. At the remote site I cannot ping the server at the main office by IP or computer name. The vendor will not return calls so I am stuck. Server is MS Server 2003 std. Workstation is XP Pro. Are there any configurations necessary to get the XP workstation to talk to the server? XP firewall issue? Need to run RRAS on server? Thank you
No, you don’t need to run RRAS on server. Also, it’s not an XP firewall issue since XP firewall allows outbound pings. It might be a Win2003 firewall issue though. Try to access the server from XP using another service (not ping). Maybe try to open remote desktop or anything else. Do other computers between remote and central site communicate between each other? Maybe your VPN tunnel is down? Execute the command “show crypto isakmp sa” to verify that tunnel is up.
Hi, is it possible to have two offices connected by VPN with the Cisco ASA 5505, and in one of the offices have two ISPs with a Load Balance configured, and grant access to both ISPs request from that office to the VPN connection?
Kev,
I don’t fully understand your question. Will you have a load balancer in front of the ASA firewall or will the ASA have two interfaces connected to two ISPs ? The first case (load balancer) will work, but the second case will not work in my opinion ( I have not seen similar situation before).
I have a 5505 that was configured for us. It was initially set up for our police dept. to allow our mobile data terminals to connect as well as our internal lan.
We have since moved into a new building that includes our city hall. Since we are in the same building, they now want to drop down to one internet connection for both departments.
I tried to set up interface 3 for the city hall to just feed them internet and nothing else, however it’s not working. Is there a 5505 for dummies on how to do this?
Thanks
Bill
Hello Bill,
What you describe is relatively easy to achieve. Check out the following configuration which should work:
----------------------------------------------------------------
asa5505(config)#interface Ethernet0/3
asa5505(config-if)#switchport access vlan 3
asa5505(config)#interface vlan 3
asa5505(config-if)#nameif cityhall
asa5505(config-if)#security-level 50
asa5505(config-if)#ip address x.x.x.x 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
nat (cityhall) 1 0 0
----------------------------------------------------------------
The above configuration will provide internet access to cityhall network which I assume that you connect to interface 3.
Be careful if you have a 5505 with base license. The base license lets you have 2 vlans and 1 restricted vlan. The restriction is that you can initiate traffic from the restricted vlan to only one other vlan. When you create a third vlan, the asa will complain that you need to restrict one of the vlans. You’ll have to turn on “no forward interface vlan ” on one of the three vlan interfaces. You’ll need to purchase a Security plus license for your ASA 5505 to unlock this license restriction.
Thanks for the comment. You are totally correct. You can configure for example one Vlan for inside, one vlan for outside and one vlan for DMZ. In this scenario, all vlans can have internet access (inside towards outside and DMZ towards outside) BUT the DMZ vlan can NOT have access to the inside vlan. The scenario that Bill above wanted to implement will work with a base license (i.e. provide internet access to two vlan networks).
Thanks for the replies. I am using the GUI interface to try to accomplish this as I have no experience with command prompt. Do you know where to go in the GUI for this?
Thanks
We have a wireless W20 Ericsson as router which is configured with the LAN IP (Gateway) 192.168.1.1. Now we got a Cisco ASA 5505. I am new with Cisco, I am using GUI Interface to configure, I wanted to go with factory default for internet connection but I am not getting Internet.
I assume that you want to connect the ASA5505 behind the W20 Ericsson. That is, the outside interface of the ASA will be connected to the LAN interface of the W20. If this is the case, then the factory default configuration of your ASA will not work. The factory default settings for ASA5505 are the following:
Because the ASA outside interface will receive an IP address in the range 192.168.1.x from the W20, this IP range is the same as the inside interface of the ASA. This CAN NOT happen. You must have different IP subnets between inside and outside of the ASA. What you can do is to use ASDM and change the inside IP address range of the ASA and make it for example 192.168.2.0/24.
Thanks for the reply,
I tried to change inside IP address range, it was giving error. I found it easy to change W20 IP range, I made it now 192.168.0.1.
Do I need to define PAT or with factory default should I get Internet Connection? For your information, now W20 DHCP server is giving 192.168.0.101 IP to ASA, still I wasn’t able to ping 192.168.0.1 (W20 gateway).
You do not need to define PAT as it should be already configured by default. Did the W20 assign a default gateway to the ASA? Try to assign a default route on the ASA using the ASDM (the default route for the ASA must be 192.168.0.1).
Thank you for the reply,
I will try to set the default route, thank you for your suggestion because it is very helpful for me. All examples and books refer to almost the same kind of network, and mine I found different, so I had lots of doubts. Thanks once again, I will come back with my experience of trying.
Using ASDM I found these entries (in Monitoring – Routing – Routes)
Protocol – , Type – d* DEFAULT, Destination IP – (Blank),Net mask -255.255.255.255,Gateway – , Interface – 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, AD/ Metric -
I even ran all the commands mentioned in the tutorial through the command interface in ASDM. I am getting outside and inside IP address and up (green), but still I am not able to ping the (W20) my default gateway IP – 192.168.0.1. Now where I am missing I don’t know. Waiting for your suggestions.
Regards,
Samuel
Dear BlogAdmin,
I tried to apply NAT rule but translation is not happening, I am not able to ping W20 IP 192.168.0.1, ping is happening through ASDM but not through cmd prompt.
I wanted to know whether Cisco ASA 5505 0/0 port (outside) is looking for global IP, or can I install this ASA in local network?
Waiting for your suggestions.
Regards,
Samuel
Hi there,
Does a 5520 support secondary addresses?
Hello,
Officially from Cisco you cannot have a secondary IP address on an ASA interface. You can do something about it using the proxy ARP feature but I would not recommend it. Search on Google about Cisco ASA secondary IP and you will find some information on how to use the proxy ARP.
I have a setup where we have a BT Broadband line connected to a BT Broadband Wifi router. This then links into our Cisco ASA 5505. This then relays the Broadband signal to WIFI hotspots on certain levels. The problem I have is that the WIFI hotspots give out IP addresses and it connects to the wireless network. Unfortunately there is no internet connection although you are connected to the wireless network. Could this be a problem with the ASA 5505 not routing the broadband signal properly to the WIFI hotspots? If so, are there any commands etc. I can use to sort this?
Thanks
Hello Scott,
You confused me a little bit here. As I understand, you have the following: {Internet-BT Broadband Line} <----> {BT Broadband WiFi Router} <----> {ASA5505} <----> {WiFi Hotspots}. Is that correct? If that is the network topology, are the WiFi hotspots working as routers or as Layer2 bridges? If they work as Layer2 bridge, then the IP addresses assigned by the wifi hotspot must be in the same subnet as the inside IP address subnet of the ASA5505. If the Wifi hotspots work as routers then the IP address of the wired port of the hotspot device must be in the same subnet as the inside address of ASA.
Please clarify the network topology so that I can help you further.
Can we block Team Viewer through ASA5505?
We have a 5505 installed, as soon as we installed it we started having connectivity issues. At least 3 times a week we will have to power cycle it before we can get online. In the past few weeks we have been monitoring it and it seems to drop the connection every time at 7:15 pm. Is there a setting that we can change to cure this issue?
Hello Eric,
It does not look like a configuration issue. To me it sounds like a hardware problem with your ASA 5505. If there was something wrong with the configuration then the ASA would not work at all. Check the power as the ASA 5505 used to have some issues with it in the past. I would ask for a replacement if I were you.