
Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access


Overview

The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e, but I do not have a working configuration handy to verify it) are primarily used within small to medium businesses as firewall and VPN appliances. In this article we will configure these devices as if they are brand new and under the assumption that you have an available public/static address to be used on the external interface of the device. From my personal experience, the most common configuration of these devices consists of a public IP on the external interface, a single private IP on the internal interface, firewall rules and static NAT (network address translation) of public IP addresses to one or more servers.

I'll cover each of these aspects with copy and paste code, using the terminal for the majority of the configuration because of its speed, simplicity and my personal preference. Using the web interface, or ASDM, can be very clunky and produce unwanted results, but it is useful for some aspects of the configuration. I use a Mac or Linux machine when configuring firewalls, where the telnet/ssh interface is much cleaner and simpler to use than the Windows command line.

*Note: The names in ALL CAPS within this article can be changed to whatever you choose for your configuration. The lines in italics and in the code fields are copy/paste code.


Plan Your Network Addresses

You'll need a list of addresses you plan to use for your configuration before you begin work on the device. In this tutorial we will use the following network scenario:

the default internal interface address of the appliance will be changed from 192.168.1.1 to 192.168.15.254 (you'll need to choose an address that matches the internal subnet of your network replacing the given address)
private subnet mask of 255.255.255.0
bogus public interface address of 200.199.199.205 (you'll need to replace this address with your given public address)
bogus public gateway address of 200.199.199.199 (you'll need to replace this address with your given public gateway)
public subnet mask of 255.255.255.248
create a pool of VPN client addresses using 192.168.16.1-192.168.16.100 and a subnet mask of 255.255.255.0
an Exchange/email server using the internal address 192.168.15.100 and the NAT address of 200.199.199.200


Preparing to Work

Power up your chosen appliance and connect your standard ethernet cable into a port that allows management:

PIX 501 - Any one of the switch ports 1-4 (not ETH0 or the baby blue console port)
PIX 506e - Ethernet 1 (not Ethernet 0 or the baby blue console port)
ASA 5505 - Switch ports 2-8 (not the first switch port since it's dedicated as the external interface by default)
ASA 5510 - Management port (the management port is dedicated and labeled in yellow)

When you've pulled an IP in the range 192.168.1.x from DHCP you'll know you're connected and ready to work.


Opening the ASDM and Preparing Telnet Connectivity

On the Mac I've had trouble in the past using FireFox to open the ASDM so I use Safari. Just about any browser works on the PC but if you want to be sure just use Internet Explorer:

Open your chosen browser and browse to https://192.168.1.1 to open the ASDM (Adaptive Security Device Manager)
You'll be prompted with certificate errors that you must ignore/accept before receiving your login prompt
The default username and passwords are blank for both prompts you'll receive during the ASDM launch process
Once your ASDM is launched browse to the "Tools" menu and open the "Command Line Interface"
Within the command line interface type:

PIX/ASA 5505 - telnet 0 0 inside
ASA 5510 - telnet 0 0 management

*Note: "0 0" allows all addresses and this can be changed later on. Since we're going to change the interface address it's simpler to use this method to prevent you from losing connectivity to the appliance during your telnet session
Assuming your command passed successfully to the device you should now be able to open your Terminal (on the Mac or Linux) or Command window (in Windows) and type telnet 192.168.1.1
When prompted, type cisco (without the quotes) as the password
Next, type enable leaving the password blank
Last, conf t (as in Configure Terminal)

*Note: This process enables the device for configuration through the command line. If you do not "enable" or "conf t" you will not be able to pass commands to the appliance.


Creating Names and Changing the Internal Interface IP

Before the Cisco IOS will allow us to change the IP of the private interface we have to disable DHCP and remove the IP subnet associated with DHCP.

First things first, I like to create names for my addresses so I can copy and paste configs from device to device and easily hand out instructions to fellow technicians. It also helps make sense of the code for those of you who are not familiar with IOS or the Cisco command line interface. All you have to do is change the addresses in the list of names below (and the subnet masks in the commands if yours will be different) and the rest of the code is copy/paste. To create names and change the interface IPs:

Create the Names

name 192.168.15.254 LAN
name 192.168.15.0 LAN_SUBNET
name 192.168.16.0 VPN_SUBNET
name 200.199.199.205 WAN
name 200.199.199.199 GATEWAY
name 192.168.15.100 EXCHSERVER_LAN
name 200.199.199.200 EXCHSERVER_WAN
name 192.168.15.101 DC1_LAN
name 192.168.15.102 MANAGEMENT_STATION



Change the Interface IP

1. Type no dhcpd enable inside

*Note: this is not necessary on the ASA 5510 because DHCP is not enabled on the switch ports by default

2. Type no dhcpd address 192.168.1.2-192.168.1.254 inside

*Note: this is not necessary on the ASA 5510 because DHCP is not enabled on the switch ports by default

3. The command to change the interface IP differs by model:


PIX 501/506e
ip address inside LAN 255.255.255.0


ASA 5505
interface Vlan1
ip address LAN 255.255.255.0


ASA 5510
interface Ethernet0/1
nameif inside
ip address LAN 255.255.255.0



You've now lost connectivity to the device and will have to reconnect to the new IP to continue working. Also, now that you've disabled DHCP, you may want to re-enable it (or enable it, if you're using the 5510) if you plan on your Cisco device providing DHCP for your network:

dhcpd enable inside
dhcpd address 192.168.15.10-192.168.15.99 inside
dhcpd dns 192.168.15.101 192.168.15.100
dhcpd domain company.local



4. You can now connect your Cisco appliance to your internet connection by plugging the ethernet cable from your internet router into:


PIX 501/506e - ETH0/Ethernet 0
ASA 5505/5510 - Switch Port 0

And you can connect your local network into any of the other switch ports on the PIX or ASA 5505. On the ASA 5510 we've configured switch port 1 as the LAN port and the other ports are shutdown/not configured.

Changing the External Interface IP and Adding the Gateway Route

Once you've telnetted back into the appliance on IP 192.168.15.254 (telnet 192.168.15.254) you can begin changing the external interface IP. There are a few methods based on which model you're using (remember, I'm using the names we created above in place of the actual IP addresses, and all you need to do is change the subnet mask for the public range if yours is different):


1. Use these commands to change the external interface IP:


PIX 501/506e
ip address outside WAN 255.255.255.248


ASA 5505
interface Vlan2
ip address WAN 255.255.255.248


ASA 5510
interface Ethernet0/0
nameif outside
ip address WAN 255.255.255.248


2. All of these devices use the same method for configuring the public gateway route:

route outside 0.0.0.0 0.0.0.0 GATEWAY 1



As soon as you enter your gateway route you should have internet connectivity, assuming you've connected all of your cabling to the correct ports and have properly configured your DHCP with DNS and 192.168.15.254 as your LAN gateway.

IPSec VPN Client Configuration

This is one section where some of you would like to jump into the ASDM and run the VPN Client Wizard and you may have tried to no avail. The Wizard is useless, from my experience, for this particular configuration:

ASA 5505/5510

1. Create the VPN DHCP address pool


ip local pool VPN_POOL 192.168.16.1-192.168.16.100 mask 255.255.255.0


2. Create the access lists for the client NAT and VPN split tunnel


*Note: Some companies would frown on the split tunnel for security reasons but most small businesses prefer to be able to browse the web while connected to the VPN. If this isn't enabled you will not be able to browse the internet while the connection is established.

access-list NO_NAT extended permit ip any VPN_SUBNET 255.255.255.0 
access-list SPLIT_DNS standard permit LAN_SUBNET 255.255.255.0
nat (inside) 0 access-list NO_NAT


3. Create the Crypto Maps, Transform Sets and ISAKMP policies


crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac 
crypto dynamic-map VPN_DYNMAP 20 set transform-set VPN_SET
crypto map VPN_MAP 20 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface outside
crypto isakmp nat-traversal 20
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400


4. Create your VPN group policies (you may want to change the names given in ALL CAPS to suit your environment)

group-policy COMPANYVPN internal
group-policy COMPANYVPN attributes
   dns-server value 192.168.15.101 192.168.15.100
   vpn-tunnel-protocol IPSec 
   ipsec-udp enable
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value SPLIT_DNS
   default-domain value company.local
tunnel-group COMPANYVPN type ipsec-ra
tunnel-group COMPANYVPN general-attributes
   address-pool VPN_POOL
   default-group-policy COMPANYVPN
tunnel-group COMPANYVPN ipsec-attributes
   pre-shared-key COMPANYPRESHAREDKEY
   isakmp ikev1-user-authentication none



*NOTE: If you include the last line (isakmp ikev1-user-authentication none) you can skip the next section, since you will not need VPN users. If you do not include the last line, a secondary authentication is required: the given user must enter their username and password every time they connect to the VPN. This provides much greater security when it's enabled, but you may hear a fuss from the folks that have to connect to the VPN regularly.

5. Create users for the ASA secondary authentication (ikev1-user-authentication)


username COMPANYUSER password COMPANYUSERPASSWORD privilege 0
username COMPANYUSER attributes
   vpn-group-policy COMPANYVPN


6. Configure the VPN client software on the computer based on the information above:
Install the Cisco VPN Client software and click the button to create a new connection
The "Connection Entry" field is the name of the connection that will show up in the list in the VPN client window. Enter whatever you want to name the connection entry.
The "host" field is the WAN/External interface address of the appliance. In this case 200.199.199.205 (tip: I like to assign a hostname to this address since small business seem to change ISPs regularly…IE vpn.company.com)
Make sure the "Group Authentication" bullet is selected
The "Name" field is the tunnel-group name and is COMPANYVPN in this case
The password is the pre-shared-key defined in our tunnel-group ipsec attributes: COMPANYPRESHAREDKEY
Save your connection entry and (from an internet connection other than the one connected to the appliance we are configuring) click connect.

*Note: If you've chosen to enable the secondary authentication you will be prompted for that username and password after your tunnel group authentication to the VPN

PIX 501/506e

1. Create the VPN DHCP address pool


ip local pool VPN_POOL 192.168.16.1-192.168.16.100 mask 255.255.255.0


2. Create the access lists for the client NAT and VPN split tunnel


*Note: Some companies would frown on the split tunnel for security reasons but most small businesses prefer to be able to browse the web while connected to the VPN. If this isn't enabled you will not be able to browse the internet while the connection is established.

access-list NO_NAT permit ip any VPN_SUBNET 255.255.255.0 
access-list SPLIT_DNS permit ip LAN_SUBNET 255.255.255.0 any
nat (inside) 0 access-list NO_NAT


3. Create the Crypto Maps, Transform Sets and ISAKMP policies


sysopt connection permit-ipsec
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac 
crypto dynamic-map VPN_DYNMAP 20 set transform-set VPN_SET
crypto map VPN_MAP 20 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup COMPANYVPN address-pool VPN_POOL
vpngroup COMPANYVPN dns-server 192.168.15.101 192.168.15.100
vpngroup COMPANYVPN default-domain company.local
vpngroup COMPANYVPN split-tunnel SPLIT_DNS
vpngroup COMPANYVPN idle-time 1800
vpngroup COMPANYVPN password COMPANYPRESHAREDKEY


4. Configure the VPN client software on the computer based on the information above:
Install the Cisco VPN Client software and click the button to create a new connection
The "Connection Entry" field is the name of the connection that will show up in the list in the VPN client window. Enter whatever you want to name the connection entry.
The "host" field is the WAN/External interface address of the appliance. In this case 200.199.199.205 (tip: I like to assign a hostname to this address since small business seem to change ISPs regularly…IE vpn.company.com)
Make sure the "Group Authentication" bullet is selected
The "Name" field is the vpngroup name and is COMPANYVPN in this case
The password is the password defined in our vpngroup: COMPANYPRESHAREDKEY
Save your connection entry and (from an internet connection other than the one connected to the appliance we are configuring) click connect.

Now your VPN Client access should be live and you can ping your servers at 192.168.15.100 and 192.168.15.101 while browsing the web over your split tunnel. If you cannot browse the internet or ping your servers, you've missed a step. To troubleshoot, type "writ t" (Write Terminal) to view the running configuration and compare it to the completed configuration below, and/or use "debug crypto ipsec".


NAT Your Server's Public IP and Allow TCP Ports Through the Firewall Using Object Groups

1. We need to create the static NAT to allow your server to use one of the public IPs in our block of 5 (this is the same on all devices)

static (inside,outside) EXCHSERVER_WAN EXCHSERVER_LAN netmask 255.255.255.255 0 0 


2. Create the object groups (I personally prefer to use object groups to reduce the number of access list entries that need to be created, which minimizes the number of lines in the CLI. Also, you may not want to allow all of these ports through to your server; I typically do not allow POP or IMAP access)
object-group service INBOUND_EXCHANGE tcp
   port-object eq smtp
   port-object eq ldap 
   port-object eq pop3 
   port-object eq www 
   port-object eq 587 
   port-object eq 993 
   port-object eq imap4 
   port-object eq https 
   port-object eq ldaps 



*NOTE: If you use a spam filtering service like Appriver or Postini, or a filtering appliance, you can allow SMTP access from the service or appliance with the following policy (The following are the Appriver Secure Tide filtering servers. Also, if you choose to do this you must remove the "port-object eq smtp" from the above object group or else the SMTP filtering is useless)

object-group network APPRIVER 
   network-object host 69.20.58.226 
   network-object host 69.20.68.133 
   network-object host 207.97.224.142 
   network-object host 212.100.247.159 
   network-object host 69.20.60.122 
   network-object host 69.20.58.234 
   network-object host 207.97.229.125 
   network-object host 207.97.230.34 
   network-object host 207.97.230.54 
   network-object host 207.97.242.51 
   network-object host 74.205.4.52 
   network-object host 72.32.252.16 
   network-object host 92.52.89.74 
   network-object host 72.32.253.10 
   network-object host 72.32.252.97 
   network-object host 120.136.38.138 


3. Create the access lists to allow the traffic to your server



PIX 501/506e
access-list INBOUND permit tcp any host EXCHSERVER_WAN object-group INBOUND_EXCHANGE 
access-list INBOUND permit tcp object-group APPRIVER host EXCHSERVER_WAN eq smtp



ASA 5505/5510
access-list INBOUND extended permit tcp any host EXCHSERVER_WAN object-group INBOUND_EXCHANGE
access-list INBOUND extended permit tcp object-group APPRIVER host EXCHSERVER_WAN eq smtp


4. Enable the access group


access-group INBOUND in interface outside


Your traffic should now be flowing on the ports you've chosen to your server. Also, you can verify the address NAT to your server by browsing to http://whatismyip.com from the server itself. If your address shows as the address named EXCHSERVER_WAN, your static NAT is working and you can try browsing to your server using a web browser. You should now type "writ mem" to save your configuration. Otherwise, when the device is power cycled your configuration will be erased.


Finished Configuration

You should now have your Cisco appliance configured with internet access for all your workstations (all traffic allowed out), IPSec VPN access with the Cisco VPN Client and a mail server with all of the necessary ports allowed through the firewall. Attached are the full finished configurations for the PIX 501/506e, ASA 5505 and ASA 5510. REMEMBER TO WRITE MEM!


Resetting Passwords

You never want to leave your firewall with the default passwords so we'll reset the Telnet/SSH/HTTPS password and the enable password (this process is common between each of these devices).

Reset the Telnet/SSH/HTTPS Password - passwd YOURPASSWORDHERE
Reset the Enable Password - enable password YOURPASSWORDHERE


Opening up for Remote Support

If you ever perform remote support for customers or you often train other technicians and have to help configure firewalls from remote locations you may want to open up management for the outside interface of your Cisco appliance.

Enabling SSH
Enabling SSH requires generating an RSA key that will be entered into your known_hosts file when connecting. The methods for creating the RSA key differ between the PIX and the ASA. Also, this key is attached to the hostname of the appliance, so you may want to change the hostname if you prefer it to have a name other than "ciscoasa" or the default name associated with your specific appliance.

PIX 501/506e
Change the Hostname - hostname COMPANY-CISCO
Generate the RSA Key (this process may take several minutes) - ca generate rsa key 2048
Save the RSA Key Once It's Generated - ca save all

ASA 5505/5510
Change the Hostname - hostname COMPANY-CISCO
Generate the RSA Key (this process may take several minutes) - crypto key generate rsa modulus 2048
Save the RSA Key Once It's Generated - writ mem

Enable SSH (Examples)
Inside for a Single Management Computer at 192.168.15.102 - ssh MANAGEMENT_STATION 255.255.255.255 inside
Inside for the LAN Subnet - ssh LAN_SUBNET 255.255.255.0 inside
Inside for all Addresses - ssh 0 0 inside
Outside for access from a specific IP - ssh 201.199.199.201 255.255.255.255 outside
Outside for a Public Subnet - ssh 201.199.199.199 255.255.255.248 outside
Outside for all Addresses - ssh 0 0 outside

Accessing the CLI with SSH
From your chosen terminal type (pix is the default username common to all of these appliances) - ssh pix@192.168.15.254

Disable SSH/Telnet/HTTPS
You can disable these protocols by simply preceding your SSH or Telnet line with a "no"

no ssh MANAGEMENT_STATION 255.255.255.255 inside
no telnet 0 0 inside

*Note: to close or open access to telnet the above commands are applicable by replacing "ssh" with "telnet" and there is no need to generate the RSA key to enable telnet access. You cannot telnet to the lowest security interface, or the outside interface in this example, you must use SSH to gain terminal access from the outside.

Enable ASDM Access for VPN Clients and Outside Interface

VPN Client access - management-access inside
Outside interface access - management-access outside

*Note: Enabling access to the ASDM for the outside interface should only be a temporary change for security reasons


Limiting Access for the LAN Clients

1. Create the Object Group (allowing only access to websites on port 80 and port 443)

object-group service CLIENTS_OUTBOUND tcp
   port-object eq www
   port-object eq https


2. Create the Access List (limit clients 192.168.15.1-62 to the allowed ports to any host; PIX/ASA access lists take a subnet mask, so the 1-62 range is 192.168.15.0 with mask 255.255.255.192, and a tcp service object-group is referenced after the destination)

access-list OUTBOUND extended permit tcp 192.168.15.0 255.255.255.192 any object-group CLIENTS_OUTBOUND


3. Enable the Access List on the Inside Interface (the access-group references the access list OUTBOUND, not the object group)

access-group OUTBOUND in interface inside

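To check an access list like the ones above before pushing it to a device, here is an added example (not part of the original article) that parses the article's name table, tcp service object-groups and access lists with PIX/ASA semantics (real subnet masks, first match wins, implicit deny) and evaluates sample flows against them. The configuration excerpt is constructed from the lines shown on this page; the port-name table is a subset of the keywords the CLI accepts.

```python
import ipaddress

# Constructed excerpt of the configuration built in this article: the name
# table, two tcp service object-groups and the INBOUND/OUTBOUND access lists.
SAMPLE_CONFIG = """
name 192.168.15.0 LAN_SUBNET
name 200.199.199.200 EXCHSERVER_WAN
object-group service CLIENTS_OUTBOUND tcp
   port-object eq www
   port-object eq https
object-group service INBOUND_EXCHANGE tcp
   port-object eq smtp
   port-object eq https
access-list OUTBOUND extended permit tcp LAN_SUBNET 255.255.255.192 any object-group CLIENTS_OUTBOUND
access-list INBOUND extended permit tcp any host EXCHSERVER_WAN object-group INBOUND_EXCHANGE
"""

# Port keywords the PIX/ASA CLI accepts in place of numbers (those used on this page).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "imap4": 143, "ldap": 389, "ldaps": 636}
ANY = ipaddress.ip_network("0.0.0.0/0")

def netmask_to_prefix(mask):
    """PIX/ASA access lists take subnet masks (255.255.255.192), not IOS wildcards
    (0.0.0.63); a value that is not a contiguous run of ones from the top is rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("not a subnet mask (IOS wildcard?): " + mask)
    return ones

def parse_addr(tok, i, names):
    """Consume one address spec: 'any', 'host X' or 'X MASK'; X may be a name."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2
    addr = names.get(tok[i], tok[i])
    return ipaddress.ip_network(f"{addr}/{netmask_to_prefix(tok[i + 1])}", strict=False), i + 2

def parse_ace(tok, names, groups):
    """tok starts after the list name: [extended] permit|deny proto src dst [ports]."""
    if tok[0] == "extended":
        tok = tok[1:]
    action, proto = tok[0] == "permit", tok[1]
    src, i = parse_addr(tok, 2, names)
    dst, i = parse_addr(tok, i, names)
    rest = tok[i:]
    if rest[:1] == ["object-group"]:
        ports = groups[rest[1]]
    elif rest[:1] == ["eq"]:
        ports = {PORT_NAMES.get(rest[1]) or int(rest[1])}
    else:
        ports = None          # no port qualifier: every port matches
    return action, proto, src, dst, ports

def parse_config(text):
    names, groups, acls, group = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["name"]:                        # name <ip> <NAME>
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "service"]:   # tcp service group
            group = groups.setdefault(tok[2], set())
        elif tok[:2] == ["port-object", "eq"]:
            group.add(PORT_NAMES.get(tok[2]) or int(tok[2]))
        elif tok[:1] == ["access-list"]:
            acls.setdefault(tok[1], []).append(parse_ace(tok[2:], names, groups))
    return acls

def permitted(acls, name, src, dst, dport, proto="tcp"):
    """First matching entry decides; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, ports in acls.get(name, []):
        if p in (proto, "ip") and s in snet and d in dnet and (ports is None or dport in ports):
            return action
    return False
```

Running permitted(parse_config(SAMPLE_CONFIG), "OUTBOUND", "192.168.15.100", "8.8.8.8", 443) shows that a client outside the 1-62 range is denied, and feeding 0.0.0.63 to netmask_to_prefix raises instead of quietly matching a different range.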


Static PAT Using the Public Interface

One of the drawbacks of not having a block of public IPs is the need to PAT through the public interface of your appliance. If you have a load of ports to pass through the firewall your configuration will get a bit clunky, because you need one static PAT line for each port you want to translate.

static (inside,outside) tcp interface smtp EXCHSERVER_LAN smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https EXCHSERVER_LAN https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap EXCHSERVER_LAN ldap netmask 255.255.255.255 0 0



Once your PAT statements are in place (actually it doesn't matter what order you do this in) you can insert your access lists to allow the traffic through the outside interface. Notice that this is the same line as above with host EXCHSERVER_WAN replaced by interface outside.

access-list INBOUND permit tcp any interface outside object-group INBOUND_EXCHANGE 



One of the major issues I see when using the interface of the appliance as the primary public address is when the entire outside interface is configured as a static NAT to an internal address. DO NOT DO THE FOLLOWING.

static (inside,outside) interface EXCHSERVER_LAN netmask 255.255.255.255 0 0



Creating the static NAT for your outside interface will render any other duties the interface would perform inoperable. This is because all traffic to the interface address is passed completely to EXCHSERVER_LAN in this case. So, if you intend to use any VPN services, this is saying you want your Exchange server to authenticate the client requests or to establish your site-to-site tunnel. If you think you have your IPSec remote access VPN configured correctly and you're getting errors that the interface is not responding, this is often the reason why.
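The whole-interface static above is easy to spot mechanically. As an added check that is not part of the original article, the audit below scans a configuration for "static (real,mapped) interface HOST" lines, distinguishes them from the acceptable port-level form ("static (real,mapped) tcp interface PORT ..."), and raises the severity when a crypto map is bound to the same interface, which is the failure mode the text describes. The configuration excerpt is constructed from this page's lines.

```python
import re

# Constructed excerpt: the port-level static PAT lines from this section beside
# the whole-interface static NAT the text warns against, on an interface that
# also terminates the remote-access VPN (crypto map bound to outside).
SAMPLE_CONFIG = """
name 192.168.15.100 EXCHSERVER_LAN
crypto map VPN_MAP interface outside
static (inside,outside) tcp interface smtp EXCHSERVER_LAN smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https EXCHSERVER_LAN https netmask 255.255.255.255 0 0
static (inside,outside) interface EXCHSERVER_LAN netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) <third> [<fourth>] ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+)(?: (\S+))?")


def crypto_map_interfaces(lines):
    """Interfaces with a crypto map applied: 'crypto map NAME interface IFACE'."""
    return {tok[tok.index("interface") + 1]
            for tok in (l.split() for l in lines)
            if tok[:2] == ["crypto", "map"] and "interface" in tok}


def audit_static_nat(text):
    """Flag 'static (real,mapped) interface HOST' lines. Unlike the port-level form
    ('static (real,mapped) tcp interface PORT ...'), this hands every packet sent to
    the mapped interface's own address to HOST, so ISAKMP/IPsec and management
    services on that interface stop answering. Severity is 'critical' when a
    crypto map is bound to that interface, 'warning' otherwise."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    vpn_ifaces = crypto_map_interfaces(lines)
    findings = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, third, fourth = m.groups()
        if third in ("tcp", "udp"):
            continue                   # port-level PAT: interface keeps its other duties
        if third == "interface":
            severity = "critical" if mapped_if in vpn_ifaces else "warning"
            findings.append({"severity": severity, "interface": mapped_if,
                             "real_host": fourth, "line": line})
    return findings
```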

Links

Configuring the PIX Firewall for SSH Access
Using and Configuring PIX/ASA/FWSM Object Groups
Configuring the ASA Firewall for SSH Access
IPsec Troubleshooting: Understanding and Using debug Commands


Closing

Here's a tip for those of you who have a separate internet connection/gateway for servers or some clients that do not use the VPN appliance we just configured as their gateway. When VPN clients connect, the machines that do not use the Cisco VPN appliance as their gateway have no route back to the appliance, so the VPN clients will not be able to communicate with them. In this case there is a simple workaround: create a persistent route from the command line on each server:

Windows: route add 192.168.16.0 mask 255.255.255.0 192.168.15.254 -p

Mac: the process for creating a persistent route on a Mac is a little more in depth and I've covered that in another article, but here is the command for creating a temporary route: sudo route add -net 192.168.16.0 -netmask 255.255.255.0 -gateway 192.168.15.254

This information has been compiled over several years and the templates have been generated from multiple working configurations; the given full configurations cannot be tested as-is because of the bogus public addresses. If you should find any typos or have any recommendations for making this article easier to follow, your comments/suggestions are welcome.

Attachments: ASA-5505.txt ASA-5510.txt PIX-501-506E.txt
3 Comments
Expert Comment

by: itsgroupinc
Thanks for the quick response.

A quick question; in this string is this a lower case L or a 1?

If I use L it errors, one it accepts.

Dan
 

Expert Comment

by: itsgroupinc
nevermind!

I read the next line LOL

Dan

Administrative Comment

by: Eric AKA Netminder
renazone,

Congratulations! Your article has been published, and I have awarded it Community Pick status as well.

ericpete
Page Editor
