
Cisco (internet) ASA 5505 / 5500 Series Setup

Notes:

Syntax / Example

In the following, items in italics are examples. So you should replace

Commands: After connecting to the console, you will see the router> prompt, where "router" is replaced with the name of the device. Use the enable command to enter privileged EXEC mode. The password is empty by default (just press Enter). The prompt should change to router#

router> enable
Password:
router#

And the first thing you must do is delete the factory default configuration... no really... Type:
router#write erase
and then confirm by pressing enter. Then reload so the new (non) configuration can take effect:
router#reload
and press enter to confirm. After a rather long time, you will eventually get the (default) ciscoasa> prompt. Enter enable and confirm the empty password again.

To go into configuration mode, at the ciscoasa# prompt, type conf t:
ciscoasa#conf t
Enter configuration commands, one per line. End with CNTL/Z or type exit.
ciscoasa(config)#

The router responds with a new prompt showing the mode. To exit configuration mode, press Ctrl+Z.

ciscoasa(config)# hostname yourasa

yourasa(config)# username youruser password yourpass privilege 15

Set up your internal network. We use vlan 1 here, but you can do it either way. Remember to replace the network address with whatever address you want as the address of the router; this will be the gateway address for your internal devices. Notice the security level is set to 100.

yourasa(config)# interface vlan 1
yourasa(config-if)# ip address 192.168.0.1 255.255.255.0
yourasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

Set up your external network. This is where you specify the IP address and netmask you were assigned by your ISP. This is your public IP address.

Note: If your ISP assigns addresses via DHCP, use ip address dhcp setroute instead, and skip the route outside command.

Note: Most ISP modems will NOT recognize a new device until they are reset. In some cases that doesn't even happen with a power cycle, i.e. they must be reset by the ISP before they will talk to a new firewall/router, in which case you must find someone on the ISP side who is available and knows how to do that. This issue has caused volumes of frustration because it can easily be mistaken for an error in firewall configuration, e.g. "the new firewall doesn't allow any traffic when I put it in place, I must have set it up wrong".

To avoid that, you can set the MAC address of your new router to the MAC address of the old router. This is probably a violation of the master rules of the internet (or something) but it works, and allows you to quickly switch back and forth between the old and new routers at will. Very useful when you didn't have the new router set up as well as you thought you did... This is applied in the vlan interface setup. The command is yourasa(config-if)# mac-address H.H.H where H.H.H is the hex digits of the MAC reformatted into three groups of 2 bytes / 4 hex digits, separated by periods, in lower case. E.g. 68:7F:74:95:A8:3A becomes 687f.7495.a83a and 01:18:F8:F9:64:AE is 0118.f8f9.64ae

yourasa(config)# interface vlan 2
yourasa(config-if)# ip address 123.123.123.123 255.255.255.248

yourasa(config-if)# nameif outside
INFO: Security level for outside set to 0 by default.
yourasa(config-if)# exit

Set up a manual default route to the ISP's gateway for all internal addresses. Note: skip this for ISPs that use DHCP.

yourasa(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.122

Make one of the ports your interface to the ISP's modem. Typically this is 0/0.

yourasa(config)# interface ethernet0/0
yourasa(config-if)# switchport access vlan 2
yourasa(config-if)# no shutdown

And set up the other ports for inside access. You don't need to specify the vlan because it defaults to vlan 1.

yourasa(config)# interface ethernet0/1
yourasa(config-if)# no shutdown

Repeat the above for all the ports you want on the inside.

And now, to make the internet work from your inside network, we have to configure NAT.

yourasa(config)#object network inside-net
yourasa(config-network)#subnet 192.168.0.0 255.255.255.0
yourasa(config-network)#nat (inside, outside) dynamic interface

Note this is the syntax for the newer device firmware. Older devices may need the following from
http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html

First you make a global interface to which all the addresses from the inside need to be translated.

yourasa(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool

The number 10 in that line of configuration is an identifier. This way you can tell the NAT on the inside which outside IP address they should translate to. The interface part means that you use your interface IP address to translate to, in this case the outside interface. Next we need to make a NAT rule for the inside network.

yourasa(config)# nat (inside) 10 192.168.0.0 255.255.255.0

As you can see, I also used the number 10 in this rule. This links the inside network to the outside global. The subnet after it states that the network 192.168.0.0/24 is allowed to be translated to the outside IP address.

Remote Admin:

And now to set up admin access via the network, so you can unplug your laptop and put away the console cable. You probably already have an RSA key, but if not (the ASA also accepts a larger modulus, e.g. modulus 2048, which is the stronger choice for SSH):

yourasa(config)# crypto key generate rsa modulus 1024

For SSH to the CLI:

yourasa(config)# aaa authentication ssh console LOCAL
yourasa(config)# ssh 192.168.0.0 255.255.255.0 inside

To set up ASDM access via the browser or the ASDM Java app:

yourasa(config)# http server enable
yourasa(config)# aaa authentication http console LOCAL
yourasa(config)# http 192.168.0.0 255.255.255.0 inside

Save the configuration:

yourasa(config)# write mem
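The whole bootstrap above, including the MAC reformatting from the note on cloning the old router's address, as an added Python example that is not from this page: it renders the config-mode lines for either a static or a DHCP outside address, refuses a gateway that is not inside the outside subnet, and keeps ssh/http management limited to the inside subnet. Function names and parameters are assumptions.

```python
import ipaddress
import re

def cisco_mac(mac: str) -> str:
    """68:7F:74:95:A8:3A -> 687f.7495.a83a (the page's own example)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def asa_bootstrap(hostname, user, password, inside_if, outside_if=None,
                  gateway=None, clone_mac=None, inside_ports=("ethernet0/1",)):
    """Render the page's bootstrap as config-mode lines (hypothetical helper).
    inside_if/outside_if are the ASA's own addresses with prefix ("192.168.0.1/24");
    outside_if=None means DHCP from the ISP, so 'ip address dhcp setroute' replaces the route."""
    inside = ipaddress.ip_interface(inside_if)
    net = inside.network
    cfg = [f"hostname {hostname}",
           f"username {user} password {password} privilege 15",
           "interface vlan 1",
           f" ip address {inside.ip} {net.netmask}",
           " nameif inside",
           "interface vlan 2"]
    if clone_mac:  # keep the old router's MAC so the ISP modem keeps talking
        cfg.append(f" mac-address {cisco_mac(clone_mac)}")
    if outside_if is None:
        cfg.append(" ip address dhcp setroute")
    else:
        outside = ipaddress.ip_interface(outside_if)
        if gateway is None or ipaddress.ip_address(gateway) not in outside.network:
            raise ValueError("static outside address needs a gateway in its subnet")
        cfg.append(f" ip address {outside.ip} {outside.network.netmask}")
    cfg += [" nameif outside", "interface ethernet0/0",
            " switchport access vlan 2", " no shutdown"]
    for port in inside_ports:  # inside ports stay on the default vlan 1
        cfg += [f"interface {port}", " no shutdown"]
    if outside_if is not None:
        cfg.append(f"route outside 0.0.0.0 0.0.0.0 {gateway}")
    # PAT the whole inside subnet behind the outside interface address
    cfg += ["object network inside-net",
            f" subnet {net.network_address} {net.netmask}",
            " nat (inside,outside) dynamic interface",
            # management reachable only from the inside subnet, LOCAL auth
            "aaa authentication ssh console LOCAL",
            f"ssh {net.network_address} {net.netmask} inside",
            "http server enable",
            "aaa authentication http console LOCAL",
            f"http {net.network_address} {net.netmask} inside"]
    return "\n".join(cfg) + "\n"
```

Paste the returned text at the ciscoasa(config)# prompt after the write erase / reload step, then write mem.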

Move on to setting up Access Control Lists

See also:


file: /Techref/inet/cisco5500setup.htm, 9KB, , updated: 2016/2/11 15:34, local time: 2017/10/23 05:08,