A while back, I picked up a Cisco ASA 5505 for cheap on eBay. This is where I’ll be putting my notes on configuring, updating, et cetera…
Over the next few days at least, I’ll probably be updating this entry frequently, as I continue to experiment with the 5505, and learn what I need to do and how to do it.
Serial port settings, by default: 9600, 8N1, no flow control.
Wiping and restoring configuration (assuming you know the password or the unit doesn’t have one):
copy run start
Remember: Interfaces that aren’t explicitly on a VLAN, are on VLAN 1, as access ports (basically like every switch ever). With the default config, this means eth0/0 is on the external VLAN, and all others are on the internal VLAN.
Cisco ASA Default Config
- ciscoasa# sh run
- : Serial Number: 1234567890
- Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
ASA Version 8.2(5)57
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
switchport access vlan 2
ip address 192.168.1.1 255.255.255.0
ip address dhcp setroute
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
- threat-detection basic-threat
- threat-detection statistics access-list
- no threat-detection statistics tcp-intercept
- class-map inspection_default
- match default-inspection-traffic
- policy-map type inspect dns preset_dns_map
- message-length maximum client auto
- message-length maximum 512
- policy-map global_policy
- class inspection_default
- inspect dns preset_dns_map
- inspect ftp
- inspect h323 h225
- inspect h323 ras
- inspect rsh
- inspect rtsp
- inspect esmtp
- inspect sqlnet
- inspect skinny
- inspect sunrpc
- inspect xdmcp
- inspect sip
- inspect netbios
- inspect tftp
- inspect ip-options
- service-policy global_policy global
- prompt hostname context
Note that since the default enable password is blank, I’m okay with listing it above; you’ll obviously want to change it on your unit.
Once the unit is powered up, plug into the network (any port except eth0/0). You can then browse to the device on its default IP, at https://192.168.1.1/ .
The default credentials to download the ASDM client are empty (when prompted for user and pass, just click OK).
Similarly, after you’ve installed the ASDM client on your desktop, enter the same IP (192.168.1.1) and blank user/pass to log in.
There’s a very handy ASDM wizard, that will help you with basic configuration, if you prefer a GUI to the Cisco CLI (and having a desk full of extra cables to get into it via serial port).
Firmware Updates for Fun and Profit
UPDATED: This section originally referred to a Cisco bug from February 2016. Now, it refers to a security exploit from January 2018, so you can get even newer firmware.
Cisco discovered a major security issue in the ASA software. Note well this page:
First, because it describes the issue. Second, because it’s your loophole to a one-time free software update, even if you got your device second-hand and it’s not under support. Cisco is just cool like that. Contact Cisco TAC, ask for the appropriate update, and refer them to the above Web page as your authorization for a one-off even though you’re not paying for their support. You’ll probably get the “9.1.7 Interim” release.
(Reminder: If you are using this for anything actually important, get a support contract. Cisco TAC is awesome.)
The RAM in the ASA 5505, at least, is standard (if pretty old) DDR RAM. This blog post describes the process needed to upgrade the RAM with simple cheap stuff from Micro Center, or Fry’s, or wherever you buy your parts. It’ll probably void your warranty, but if you’re buying used gear you didn’t have one of those anyway, and considering the locally-sourced RAM is about 20% of the same parts from a Cisco reseller, I think it’s worth it. It’s fine for a lab, or a home edge router.
(Note: I don’t actually have any idea whether there’s any benefit to adding RAM. Or adding disk space — it looks like the “hard drive” is just a CompactFlash card.)