Cisco ASA 5505 Notes

A while back, I picked up a Cisco ASA 5505 for cheap on eBay. This is where I’ll be putting my notes on configuring, updating, et cetera…

Over the next few days at least, I’ll probably be updating this entry frequently, as I continue to experiment with the 5505, and learn what I need to do and how to do it.

Getting Started

Serial port settings, by default: 9600, 8N1, no flow control.

Wiping and restoring configuration (assuming you know the password or the unit doesn’t have one):

conf t
configure factory-default
copy run start

Remember: Interfaces that aren’t explicitly on a VLAN, are on VLAN 1, as access ports (basically like every switch ever). With the default config, this means eth0/0 is on the external VLAN, and all others are on the internal VLAN.

Cisco ASA Default Config

ciscoasa# sh run
: Serial Number: 1234567890
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
ASA Version 8.2(5)57
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat


threat-detection statistics access-list


no threat-detection statistics tcp-intercept






class-map inspection_default


match default-inspection-traffic






policy-map type inspect dns preset_dns_map




message-length maximum client auto


message-length maximum 512


policy-map global_policy


class inspection_default


inspect dns preset_dns_map


inspect ftp


inspect h323 h225


inspect h323 ras


inspect rsh


inspect rtsp


inspect esmtp


inspect sqlnet


inspect skinny


inspect sunrpc


inspect xdmcp


inspect sip


inspect netbios


inspect tftp


inspect ip-options




service-policy global_policy global


prompt hostname context




Note that since the default enable password is blank, I’m okay with listing it above; you’ll obviously want to change it on your unit.

Once the unit is powered up, plug into the network (any port except eth0/0). You can then browse to the device on its default IP, at .

The default credentials to download the ASDM client are empty (when prompted for user and pass, just click OK).

Similarly, after you’ve installed the ASDM client on your desktop, enter the same IP ( and blank user/pass to log in.

There’s a very handy ASDM wizard, that will help you with basic configuration, if you prefer a GUI to the Cisco CLI (and having a desk full of extra cables to get into it via serial port).

Firmware Updates for Fun and Profit

UPDATED: This section originally referred to a Cisco bug from February 2016. Now, it refers to a security exploit from January 2018, so you can get even newer firmware.

Cisco discovered a major security issue in the ASA software. Note well this page:

First, because it describes the issue. Second, because it’s your loophole to a one-time free software update, even if you got your device second-hand and it’s not under support. Cisco is just cool like that. Contact Cisco TAC, ask for the appropriate update, and refer them to the above Web page as your authorization for a one-off even though you’re not paying for their support. You’ll probably get the “9.1.7 Interim” release.

(Reminder: If you are using this for anything actually important, get a support contract. Cisco TAC is awesome.)

Hardware Hacking

The RAM in the ASA 5505, at least, is standard (if pretty old) DDR RAM. This blog post describes the process needed to upgrade the RAM with simple cheap stuff from Micro Center, or Fry’s, or wherever you buy your parts. It’ll probably void your warranty, but if you’re buying used gear you didn’t have one of those anyway, and considering the locally-sourced RAM is about 20% of the same parts from a Cisco reseller, I think it’s worth it. It’s fine for a lab, or a home edge router.

(Note: I don’t actually have any idea whether there’s any benefit to adding RAM. Or adding disk space — it looks like the “hard drive” is just a CompactFlash card.)

Cisco ASA 5505 Notes