Cisco ASA 5505 Notes

A while back, I picked up a Cisco ASA 5505 for cheap on eBay. This is where I’ll be putting my notes on configuring, updating, et cetera…

Over the next few days at least, I’ll probably be updating this entry frequently, as I continue to experiment with the 5505, and learn what I need to do and how to do it.

Getting Started

Serial port settings, by default: 9600, 8N1, no flow control.

Wiping and restoring configuration (assuming you know the password or the unit doesn’t have one):

enable
conf t
configure factory-default
copy run start
reload

Remember: interfaces that aren’t explicitly assigned to a VLAN are access ports on VLAN 1 (basically like every switch ever). With the default config, this means Ethernet0/0 is on the outside VLAN (VLAN 2) and all the other ports are on the inside VLAN (VLAN 1).

Cisco ASA Default Config

ciscoasa# sh run
: Saved
: Serial Number: 1234567890
: Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
:
ASA Version 8.2(5)57
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx

end

Note that since the default enable password is blank, I’m okay with listing its hash above; you’ll obviously want to change it on your unit.
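An added Python snippet, not part of the original notes: it reads a `show run` dump of the shape above, works out which VLAN (and nameif) each Ethernet port lands on using the implicit-VLAN-1 rule from the Getting Started section, and flags the factory enable password hash and the absence of an `ssh <addr> <mask> <if>` management line. The trimmed sample config embedded in it is constructed from the default dump above.

```python
import re
# Constructed sample: a trimmed version of the default config above, not a
# full dump. Real 'show run' output indents the sub-commands with one space.
SAMPLE = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
!
interface Vlan2
 nameif outside
!
"""

def parse_interfaces(config):
    """Return ({ethernet_port: vlan}, {vlan: nameif}). Ethernet ports with no
    explicit 'switchport access vlan' default to VLAN 1, as the ASA does."""
    ports, names, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            if current.startswith("Ethernet"):
                ports[current] = 1  # implicit default until overridden
            continue
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m and current in ports:
            ports[current] = int(m.group(1))
        m = re.match(r"nameif (\S+)$", line)
        if m and current and current.startswith("Vlan"):
            names[int(current[4:])] = m.group(1)
    return ports, names

def audit(config):
    """List where each port lands plus the defaults worth changing first."""
    ports, names = parse_interfaces(config)
    findings = [f"{p}: VLAN {v} ({names.get(v, 'unnamed')})"
                for p, v in sorted(ports.items())]
    # This hash is what the blank factory enable password shows up as on 8.2(5).
    if "enable password 8Ry2YjIyt7RRXU24 encrypted" in config:
        findings.append("enable password is still the factory default (blank)")
    if not re.search(r"^ssh \d+\.\d+\.\d+\.\d+ \S+ \S+$", config, re.M):
        findings.append("no 'ssh <addr> <mask> <if>' line: SSH management not set up")
    return findings
```

Feed it the output of `show run` captured over the serial console; the VLAN mapping lines tell you which physical ports face outside before you plug anything in.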

Once the unit is powered up, plug it into the network (any port except Ethernet0/0). You can then browse to the device on its default IP at https://192.168.1.1/.

The default credentials to download the ASDM client are empty (when prompted for user and pass, just click OK).

Similarly, after you’ve installed the ASDM client on your desktop, enter the same IP (192.168.1.1) and blank user/pass to log in.

There’s a very handy ASDM wizard that will help you with basic configuration, if you prefer a GUI to the Cisco CLI (and to a desk full of extra cables to get into it via the serial port).

Firmware Updates for Fun and Profit

Cisco recently (February 2016) discovered a nasty buffer overflow in the IKE code of their ASA software. Note well this page:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

First, because it describes the bug. Second, because it’s your loophole to a one-time free software update, even if you got your device second-hand and it’s not under support. Contact Cisco TAC, ask for the appropriate update, and refer them to the above Web page as your authorization for a one-off, even though you’re not paying for their support.

(Reminder: If you are using this for anything actually important, get a support contract. Cisco TAC is awesome.)

Hardware Hacking

The RAM in the ASA 5505, at least, is standard (if pretty old) DDR RAM. This blog post describes the process needed to upgrade the RAM with simple cheap stuff from Micro Center, or Fry’s, or wherever you buy your parts. It’ll probably void your warranty, but if you’re buying used gear you didn’t have one of those anyway, and considering the locally-sourced RAM costs about 20% of what the same parts cost from a Cisco reseller, I think it’s worth it. It’s fine for a lab, or a home edge router.

(Note: I don’t actually have any idea whether there’s any benefit to adding RAM. Or adding disk space — it looks like the “hard drive” is just a CompactFlash card.)
