A while back, I picked up a Cisco ASA 5505 for cheap on eBay. This is where I’ll be putting my notes on configuring, updating, et cetera…
Over the next few days at least, I’ll probably be updating this entry frequently, as I continue to experiment with the 5505, and learn what I need to do and how to do it.
Serial port settings, by default: 9600, 8N1, no flow control.
Wiping and restoring configuration (assuming you know the password or the unit doesn’t have one):
copy run start
Remember: Interfaces that aren’t explicitly on a VLAN, are on VLAN 1, as access ports (basically like every switch ever). With the default config, this means eth0/0 is on the external VLAN, and all others are on the internal VLAN.
Cisco ASA Default Config
ciscoasa# sh run
: Serial Number: 1234567890
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
ASA Version 8.2(5)57
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
switchport access vlan 2
ip address 192.168.1.1 255.255.255.0
ip address dhcp setroute
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
Note that since the default enable password is blank, I’m okay with listing it above; you’ll obviously want to change it on your unit.
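As an added example (my own code, not from the post or from Cisco), here is a small audit script that reads ASA 8.2-style "show run" text and flags the settings in the default listing above that you would want to change before putting the unit on a real network: the factory-default password hashes (the enable hash is the one the post says corresponds to a blank password), management access that is open to any address, cleartext telnet access, a disabled console idle timeout, and the absence of a "logging enable" line. The sample configuration is a constructed excerpt of the listing above; the check names and the hardened variant in the usage are assumptions of the example.

```python
import re
from typing import List

# Constructed sample: the security-relevant lines from the factory-default
# ASA 5505 8.2(5) "show run" quoted in the post.
DEFAULT_CONFIG = """\
ASA Version 8.2(5)57
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
logging asdm informational
dhcpd enable inside
"""

# Hashes exactly as they appear in the post's default listing. The post states the
# default enable password is blank, so seeing that hash means it was never changed.
FACTORY_HASHES = {
    "enable password": "8Ry2YjIyt7RRXU24",
    "passwd": "2KFQnbNIdI.2KYOU",
}


def parse(config: str) -> List[str]:
    """Split a show-run dump into stripped, non-empty, non-comment lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(("!", ":"))]


def audit(config: str) -> List[str]:
    """Return a list of human-readable findings for the given config text."""
    lines = parse(config)
    findings: List[str] = []

    # 1. Credentials still at the shipped default.
    for key, factory in FACTORY_HASHES.items():
        for ln in lines:
            m = re.fullmatch(rf"{key} (\S+) encrypted", ln)
            if m and m.group(1) == factory:
                findings.append(f"{key}: still the factory-default hash")

    # 2. ASDM/HTTPS management reachable from 0.0.0.0/0 on some interface.
    if "http server enable" in lines:
        for ln in lines:
            m = re.fullmatch(r"http (\S+) (\S+) (\S+)", ln)
            if m and m.group(1) == "0.0.0.0":
                findings.append(f"http: management open to any address on {m.group(3)}")

    # 3. Any 'telnet <net> <mask> <if>' line enables cleartext management.
    for ln in lines:
        m = re.fullmatch(r"telnet (\S+) (\S+) (\S+)", ln)
        if m:
            findings.append(f"telnet: cleartext management from {m.group(1)} on {m.group(3)}")

    # 4. 'console timeout 0' means a forgotten console session never expires.
    if "console timeout 0" in lines:
        findings.append("console: idle timeout disabled (console timeout 0)")

    # 5. Without 'logging enable' the ASA generates no syslog at all.
    if "logging enable" not in lines:
        findings.append("logging: no 'logging enable' line, syslog is off")

    return findings


if __name__ == "__main__":
    for f in audit(DEFAULT_CONFIG):
        print("FINDING:", f)
```

Run it against a saved "show run" dump to get a quick checklist; once the enable/login passwords are changed, "console timeout" is non-zero and "logging enable" is added, the default listing produces no findings.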
Once the unit is powered up, plug into the network (any port except eth0/0). You can then browse to the device on its default IP, at https://192.168.1.1/.
The default credentials to download the ASDM client are empty (when prompted for user and pass, just click OK).
Similarly, after you’ve installed the ASDM client on your desktop, enter the same IP (192.168.1.1) and blank user/pass to log in.
There’s a very handy ASDM wizard that will help you with basic configuration, if you prefer a GUI to the Cisco CLI (and a desk full of extra cables to get into it via the serial port).
Firmware Updates for Fun and Profit
Cisco recently (February 2016) discovered a nasty buffer overflow in their software. Note well this page:
First, because it describes the bug. Second, because it’s your loophole to a one-time free software update, even if you got your device second-hand and it’s not under support. Contact Cisco TAC, ask for the appropriate update, and refer them to the above web page as your authorization for a one-off, even though you’re not paying for their support.
(Reminder: If you are using this for anything actually important, get a support contract. Cisco TAC is awesome.)
The RAM in the ASA 5505, at least, is standard (if pretty old) DDR RAM. This blog post describes the process needed to upgrade the RAM with simple cheap parts from Micro Center, or Fry’s, or wherever you buy your parts. It’ll probably void your warranty, but if you’re buying used gear you didn’t have one of those anyway, and considering the locally-sourced RAM costs about 20% of the price of the same parts from a Cisco reseller, I think it’s worth it. It’s fine for a lab, or a home edge router.
(Note: I don’t actually have any idea whether there’s any benefit to adding RAM. Or adding disk space — it looks like the “hard drive” is just a CompactFlash card.)