Cisco ASA 5505 Notes

A while back, I picked up a Cisco ASA 5505 for cheap on eBay. This is where I’ll be putting my notes on configuring, updating, et cetera…

Over the next few days at least, I’ll probably be updating this entry frequently, as I continue to experiment with the 5505, and learn what I need to do and how to do it.

Getting Started

Serial port settings, by default: 9600, 8N1, no flow control.

Wiping and restoring configuration (assuming you know the password or the unit doesn’t have one):

enable
conf t
configure factory-default
copy run start
reload

Remember: interfaces that aren’t explicitly assigned to a VLAN are on VLAN 1 as access ports (basically like every switch ever). With the default config, this means Ethernet0/0 is on the outside VLAN (VLAN 2), and all the other ports are on the inside VLAN (VLAN 1).

Cisco ASA Default Config

ciscoasa# sh run
Saved
: Serial Number: 1234567890
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
:
ASA Version 8.2(5)57
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
end

Note that since the default enable password is blank, I’m okay with listing it above; you’ll obviously want to change it on your unit.

Once the unit is powered up, plug it into the network (any port except Ethernet0/0). You can then browse to the device on its default IP at https://192.168.1.1/.

The default credentials to download the ASDM client are empty (when prompted for user and pass, just click OK).

Similarly, after you’ve installed the ASDM client on your desktop, enter the same IP (192.168.1.1) and blank user/pass to log in.

There’s a very handy ASDM wizard that will help you with basic configuration, if you prefer a GUI to the Cisco CLI (and to having a desk full of extra cables to get into it via the serial port).

Firmware Updates for Fun and Profit

UPDATED: This section originally referred to a Cisco bug from February 2016. Now, it refers to a security exploit from January 2018, so you can get even newer firmware.

Cisco discovered a major security issue in the ASA software. Note well this page:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

First, because it describes the issue. Second, because it’s your loophole to a one-time free software update, even if you got your device second-hand and it’s not under support. Cisco is just cool like that. Contact Cisco TAC, ask for the appropriate update, and refer them to the above Web page as your authorization for a one-off even though you’re not paying for their support. You’ll probably get the “9.1.7 Interim” release.

(Reminder: If you are using this for anything actually important, get a support contract. Cisco TAC is awesome.)
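As an added example (not part of the original notes), here is a small audit script that reads a saved `show run` and flags what the factory defaults above leave open: the well-known hashes for the blank enable password and the factory `cisco` login password, ASDM/HTTPS reachable from the whole inside subnet, no SSH source line, any telnet source line, and a version older than the 9.1(7) interim build mentioned in the firmware section. The config excerpt is constructed from the dump above, and the 9.1(7) threshold is an assumption taken from these notes rather than from the advisory’s fixed-release table.

```python
import re

# Constructed excerpt of the 8.2(5) factory "show run" quoted above.
DEFAULT_RUN = """\
ASA Version 8.2(5)57
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

# Well-known ASA password hashes: the first is the empty enable password,
# the second is the factory login password "cisco".
DEFAULT_HASHES = {
    "8Ry2YjIyt7RRXU24": "enable password is blank",
    "2KFQnbNIdI.2KYOU": 'login password (passwd) is the factory "cisco"',
}
IP = r"\d+\.\d+\.\d+\.\d+"
MIN_VERSION = (9, 1, 7)  # assumption: the interim build TAC hands out (see above)

def parse_version(run):
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", run, re.M)
    return tuple(int(g) for g in m.groups()) if m else None

def audit(run):
    """Return a list of findings for one 'show run' text."""
    findings = []
    for kind, h in re.findall(r"^(enable password|passwd) (\S+) encrypted$", run, re.M):
        if h in DEFAULT_HASHES:
            findings.append(f"{kind}: {DEFAULT_HASHES[h]}")
    # ASDM over HTTPS answers to every 'http <net> <mask> <if>' source once enabled.
    if re.search(r"^http server enable$", run, re.M):
        for net, mask, ifc in re.findall(rf"^http ({IP}) ({IP}) (\S+)$", run, re.M):
            findings.append(f"ASDM/HTTPS open to {net}/{mask} on {ifc}")
    for net, mask, ifc in re.findall(rf"^telnet ({IP}) ({IP}) (\S+)$", run, re.M):
        findings.append(f"cleartext telnet allowed from {net}/{mask} on {ifc}")
    if not re.search(rf"^ssh {IP} {IP} \S+$", run, re.M):
        findings.append("no ssh source configured: remote CLI unavailable until one is added")
    ver = parse_version(run)
    if ver and ver < MIN_VERSION:
        findings.append(f"ASA {ver[0]}.{ver[1]}({ver[2]}) is older than 9.1(7); check the advisory")
    return findings

if __name__ == "__main__":
    for finding in audit(DEFAULT_RUN):
        print("-", finding)
```

Feed it the output of `show run` captured over the console; the `timeout` lines are deliberately left in the sample to show they do not trip the telnet/ssh source checks.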

Hardware Hacking

The RAM in the ASA 5505, at least, is standard (if pretty old) DDR RAM. This blog post describes the process needed to upgrade the RAM with simple cheap stuff from Micro Center, or Fry’s, or wherever you buy your parts. It’ll probably void your warranty, but if you’re buying used gear you didn’t have one of those anyway, and considering the locally-sourced RAM is about 20% of the same parts from a Cisco reseller, I think it’s worth it. It’s fine for a lab, or a home edge router.

(Note: I don’t actually have any idea whether there’s any benefit to adding RAM. Or adding disk space — it looks like the “hard drive” is just a CompactFlash card.)
