In the following, items in italics are examples. So you should replace
Commands: After connecting to the console, you will see the router> prompt, where "router" is replaced with the name of the device. Use the enable command to enter privileged EXEC mode. The password is empty by default (just press Enter). The prompt should change to router#
And the first thing you must do is delete the factory default configuration...
no really... Type:
and then confirm by pressing enter. Then reload so the new (non) configuration can take effect:
and press enter to confirm. After a rather long time, you will eventually get the (default) ciscoasa> prompt. Enter enable and confirm the empty password again.
To go into configuration mode, at the ciscoasa# prompt, type conf
Enter configuration commands, one per line. End with CNTL/Z or type exit.
The router responds with a new prompt showing the mode. To exit, enter Ctrl+Z
ciscoasa(config)# hostname yourasa
yourasa(config)# username youruser password yourpass privilege 15
Set up your internal network. We use vlan 1 here, but you can do that either way. Remember to replace the network address with whatever address you want as the address of the router; this will be your gateway address for internal devices. Notice the security level is set to 100.
yourasa(config)# interface vlan 1
yourasa(config-if)# ip address 192.168.0.1 255.255.255.0
yourasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
Set up your external network. This is where you specify the IP address and netmask you were assigned by your ISP. This is your public IP address.
Note: If your ISP assigns addresses via DHCP, use ip address dhcp setroute instead, and skip the route outside command.
Note: Most ISP modems will NOT recognize a new device until they are reset. In some cases that doesn't even happen with a power cycle, i.e. they must be reset by the ISP before they will talk to a new firewall/router, in which case you must find someone on the ISP side who is available and knows how to do that. This issue has caused volumes of frustration because it can easily be mistaken for an error in the firewall configuration, e.g. "the new firewall doesn't allow any traffic when I put it in place, I must have set it up wrong".
To avoid that, you can set the MAC address of your new router to the MAC address of the old router. This is probably a violation of the master rules of the internet (or something) but it works, and allows you to quickly switch back and forth between the old and new routers at will. Very useful when you didn't have the new router set up as well as you thought you did... This is applied in the vlan interface setup. The command is yourasa(config-if)# mac-address H.H.H where H.H.H is the MAC's hex digits regrouped into three sets of 2 bytes (4 hex digits each), separated by periods, in lower case. E.g. 68:7F:74:95:A8:3A becomes 687f.7495.a83a and 01:18:F8:F9:64:AE becomes 0118.f8f9.64ae
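Regrouping a MAC into the H.H.H form by hand is easy to get wrong (a dropped digit or a stray upper-case letter is rejected by the device). The helper below is an added example, not code from this page or from Cisco: it accepts the usual colon, hyphen, dotted or bare notations, emits the dotted lower-case form, converts back for comparison against what the ISP modem reports, and also tests the I/G bit (lowest bit of the first octet), since a MAC with that bit set is a group/multicast address and cannot be assigned to an interface. Note that the page's second sample, 01:18:F8:F9:64:AE, has that bit set; it is kept here only as a formatting example. Function names are my own.

```python
import re

# Exactly 12 hex digits remain once separators are stripped and case is folded.
_MAC12 = re.compile(r"[0-9a-f]{12}")


def _hex_digits(mac: str) -> str:
    """Strip the common separators (: - . whitespace) and case; reject anything else."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _MAC12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def to_cisco_mac(mac: str) -> str:
    """68:7F:74:95:A8:3A -> 687f.7495.a83a (three groups of two bytes, lower case, dotted)."""
    d = _hex_digits(mac)
    return ".".join(d[i:i + 4] for i in range(0, 12, 4))


def from_cisco_mac(cisco: str) -> str:
    """Inverse: 687f.7495.a83a -> 68:7f:74:95:a8:3a, the form most modems and OSes display."""
    d = _hex_digits(cisco)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def is_unicast(mac: str) -> bool:
    """True unless the I/G bit (bit 0 of the first octet) is set, i.e. a group/multicast address."""
    return int(_hex_digits(mac)[:2], 16) & 0x01 == 0


def mac_address_command(mac: str) -> str:
    """Build the interface sub-command from any notation; refuse a non-unicast address."""
    if not is_unicast(mac):
        raise ValueError(f"{mac} has the group bit set; only a unicast MAC can be assigned")
    return f"mac-address {to_cisco_mac(mac)}"


if __name__ == "__main__":
    # The two samples from the text above.
    for sample in ("68:7F:74:95:A8:3A", "01:18:F8:F9:64:AE"):
        kind = "unicast" if is_unicast(sample) else "group/multicast"
        print(f"{sample} -> {to_cisco_mac(sample)} ({kind})")
```

Paste the output of mac_address_command() under interface vlan 2 (the outside interface), since that is the address the ISP modem sees.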
yourasa(config)# interface vlan 2
yourasa(config-if)# ip address 126.96.36.199 255.255.255.248
yourasa(config-if)# nameif outside
INFO: Security level for outside set to 0 by default.
Set up a manual route to the ISP's gateway from all internal addresses. Note: skip this for ISPs that use DHCP.
yourasa(config)# route outside 0.0.0.0 0.0.0.0 188.8.131.52
Make one of the ports your interface to the ISP's modem. Typically this is 0/0
yourasa(config)# interface ethernet0/0
yourasa(config-if)# switchport access vlan 2
yourasa(config-if)# no shutdown
And set up the other ports for inside access. You don't need to specify the vlan because it defaults to vlan 1.
yourasa(config)# interface ethernet0/1
yourasa(config-if)# no shutdown
Repeat the above for all the ports you want on the inside.
And now to make internet work from your inside network we have to configure NAT.
yourasa(config)# object network inside-net
yourasa(config-network)# subnet 192.168.0.0 255.255.255.0
yourasa(config-network)# nat (inside, outside) dynamic interface
Note: this is the syntax for the newer device firmware. Older devices may need the following from
First you make a global entry on the interface to which all the inside addresses will be translated.
yourasa(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
The number 10 in that line of configuration is an identifier. This way you can tell the NAT rule on the inside which outside IP address it should translate to. The interface part means that you use the interface's own IP address to translate to, in this case the outside interface. Next we need to make a NAT rule for the inside network.
yourasa(config)# nat (inside) 10 192.168.0.0 255.255.255.0
As you can see I also used the number 10 in this rule. This links the inside network to the outside global. The subnet after it states that the network 192.168.0.0/24 is allowed to be translated to the outside IP address.
And now to set up admin access via the network, so you can unplug your laptop and put away the console cable. You probably already have an RSA key, but
yourasa(config)# crypto key generate rsa modulus 1024
For SSH to the CLI:
yourasa(config)# aaa authentication ssh console LOCAL
yourasa(config)# ssh 192.168.0.0 255.255.255.0 inside
To set up ASDM access via the browser or the ASDM Java app:
yourasa(config)# http server enable
yourasa(config)# aaa authentication http console LOCAL
yourasa(config)# http 192.168.0.0 255.255.255.0 inside
yourasa(config)# write mem
Move on to setting up Access Control Lists
file: /Techref/inet/cisco5500setup.htm, 9KB, updated: 2016/2/11 15:34
Cisco ASA 5505 / 5500 Series Setup: http://www.piclist.com/techref/inet/cisco5500setup.htm