Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access
Published:
Browse All Articles > Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access
Overview
The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium business as firewall and VPN appliances. In this article we will configure these devices as if they are brand new and under the assumption you have an available public/static address to be used on the external interface of the device. From my personal experience, the most common configuration of these devices consists of a public IP on the external interface, a single private IP on the internal interface, firewall and static NAT (network address translation) of public IP addresses to one or more servers.I'll cover each of these aspects with copy and paste code using the terminal for the majority of the configuration due to the speed, simplicity and personal preference. Using the web interface, or ASDM, can be very clunky and produce unwanted results but it is useful for some aspects of the configuration. I use a Mac or Linux machine when configuring firewalls where the telnet/ssh interface is much cleaner and simpler to use than on Windows based command line interface.
*Note: The names in ALL CAPS within this article can be changed to whatever you choose for your configuration. The lines in italics and in the code fields are copy/paste code.
Plan Your Network Addresses
You'll need a list of addresses you plan to use for your configuration before you begin work on the device. In this tutorial we will use the following network scenario:
the default internal interface address of the appliance will be changed from 192.168.1.1 to 192.168.15.254 (you'll need to choose an address that matches the internal subnet of your network replacing the given address)
private subnet mask of 255.255.255.0
bogus public interface address of 200.199.199.205 (you'll need to replace this address with your given public address)
bogus public gateway address of 200.199.199.199 (you'll need to replace this address with your given public gateway)
public subnet mask of 255.255.255.248
create a pool of VPN client addresses using 192.168.16.1-192.168.16.10
0 and a subnet mask of 255.255.255.0
an Exchange/email server using the internal address 192.168.15.100 and the NAT address of 200.199.199.200
Preparing to Work
Power up your chosen appliance and connect your standard ethernet cable into a port that allows management:
PIX 501 - Any one of the switch ports 1-4 (not ETH0 or the baby blue console port)
PIX 506e - Ethernet 1 (not Ethernet 0 or the baby blue console port)
ASA 5505 - Switch ports 2-8 (not the first switch port since it's dedicated as the external interface by default)
ASA 5510 - Management port (the management port is dedicated and labeled in yellow)
When you've pulled your IP in the range of 192.168.1.x from DHCP you'll know you're connected and ready to work
Opening the ASDM and Preparing Telnet Connectivity
On the Mac I've had trouble in the past using FireFox to open the ASDM so I use Safari. Just about any browser works on the PC but if you want to be sure just use Internet Explorer:
Open your chosen browser and browse to
https://192.168.1.1 to open the ASDM (Active Security Device Manager)
You'll be prompted with certificate errors that you must ignore/accept before receiving your login prompt
The default username and passwords are blank for both prompts you'll receive during the ASDM launch process
Once your ASDM is launched browse to the "Tools" menu and open the "Command Line Interface"
Within the command line interface type:
PIX/ASA 5505 telnet 0 0 inside
ASA 5510 telnet 0 0 management
*Note: "0 0" allows all addresses and this can be changed later on. Since we're going to change the interface address it's simpler to use this method to prevent you from losing connectivity to the appliance during your telnet session
PIX/ASA 5505 telnet 0 0 inside
ASA 5510 telnet 0 0 management
*Note: "0 0" allows all addresses and this can be changed later on. Since we're going to change the interface address it's simpler to use this method to prevent you from losing connectivity to the appliance during your telnet session
Assuming your command passed successfully to the device you should now be able to open your Terminal (on the Mac or Linux) or Command window (in Windows) and type
telnet 192.168.1.1
When prompted, type
cisco (without the quotes) as the password
Next, type
enable leaving the password blank
Last,
conf t (as in Configure Terminal)
*Note: This process enables the device for configuration through the command line. If you do not " enable" or " conf t" you will not be able to pass commands to the appliance.)
*Note: This process enables the device for configuration through the command line. If you do not " enable" or " conf t" you will not be able to pass commands to the appliance.)
Creating Names and Changing the Internal Interface IP
Before the Cisco IOS will allow us to change the IP of the private interface we have to disable DHCP and remove the IP subnet associated with DHCP.First things first, I like to create names for my addresses so I can copy and paste configs from device to device and easily hand out instructions to fellow technicians. It also helps make sense of the code for those of you who are not familiar with IOS or the Cisco command line interface. All you have to do is change the addresses in the list of names below (and the subnet masks in the commands if yours will be different) and the rest of the code is copy/paste. To create names and change the interface IPs:
Create the Names
name 192.168.15.254 LAN
name 192.168.15.0 LAN_SUBNET
name 192.168.16.0 VPN_SUBNET
name 200.199.199.205 WAN
name 200.199.199.199 GATEWAY
name 192.168.15.100 EXCHSERVER_LAN
name 200.199.199.200 EXCHSERVER_WAN
name 192.168.15.101 DC1_LAN
name 192.168.15.102 MANAGMENT_STATION
Change the Interface IP
1
Type no dhcpd enable inside*Note: this is not necessary on the ASA 5510 because DHCP is not enabled on the switch ports by default
2
Type no dhcpd address 192.168.1.2-192.168.1.254 inside*Note: this is not necessary on the ASA 5510 because DHCP is not enabled on the switch ports by default
3
There are a few different commands based on the model you have to change the interface IP:PIX 501/506e
ip address inside LAN 255.255.255.0
interface Vlan1
ip address LAN 255.255.255.0
interface Ethernet0/1
nameif inside
ip address LAN 255.255.255.0
You've now lost connectivity to the device and will have to reconnect to the new IP continue working. Also, now that you've disabled DHCP you may want to re-enable (or, enable if you're using the 5510) DHCP if you plan on your Cisco device providing DHCP for your network:
dhcpd enable inside
dhcpd address 192.168.15.10-192.168.15.99
dhcpd dns 192.168.15.101 192.168.15.100
dhcpd domain company.local
4
You can now connect your Cisco appliance to your internet connection by plugging the ethernet cable from your internet router to:PIX 501/506e - ETH0/Ethernet 0
ASA 5505/5510 - Switch Port 0
And you can connect your local network into any of the other switch ports on the PIX or ASA 5505. On the ASA 5510 we've configured switch port 1 as the LAN port and the other ports are shutdown/not configured.
Changing the External Interface IP and Adding the Gateway Route
Once you've telnetted back into the appliance on IP 192.168.15.254 (telnet 192.168.15.254) you can begin changing the external interface IP. There's a few methods based on which model you're using (remember, I'm using the names we created above in place of the actual IP addresses and all you need to do is change the subnet mask for the public range if yours is different):1
Use these commands to change the external interface IPPIX 501/506e
ip address outside WAN 255.255.255.248
interface Vlan2
ip address WAN 255.255.255.248
interface Ethernet0/0
nameif outside
ip address WAN 255.255.255.248
2
All of these devices use the same method for configuring the public gateway route:route outside 0.0.0.0 0.0.0.0 GATEWAY 1
As soon as you enter your gateway route you should have internet connectivity, assuming you've connected all of your cabling to the correct ports and have properly configured your DHCP with DNS and 192.168.15.254 as your LAN gateway.
IPSec VPN Client Configuration
This is one section where some of you would like to jump into the ASDM and run the VPN Client Wizard and you may have tried to no avail. The Wizard is useless, from my experience, for this particular configuration:
ASA 5505/5510
1
Create the VPN DHCP address poolip local pool VPN_POOL 192.168.16.1-192.168.16.100 mask 255.255.255.0
2
Create the access lists for the client NAT and VPN split tunnel*Note: Some companies would frown on the split tunnel for security reasons but most small businesses prefer to be able to browse the web while connected to the VPN. If this isn't enabled you will not be able to browse the internet while the connection is established.
access-list NO_NAT extended permit ip any VPN_SUBNET 255.255.255.0
access-list SPLIT_DNS standard permit LAN_SUBNET 255.255.255.0
nat (inside) 0 access-list NO_NAT
3
Create the Crypto Maps, Transform Sets and ISAKMP policiescrypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map VPN_DYNMAP 20 set transform-set VPN_SET
crypto map VPN_MAP 20 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface outside
crypto isakmp nat-traversal 20
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
4
Create your VPN group policies (you may want to change the names given in ALL CAPS to suite your environment)group-policy COMPANYVPN internal
group-policy COMPANYVPN attributes
dns-server value 192.168.15.101 192.168.15.100
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_DNS
default-domain value company.local
tunnel-group COMPANYVPN type ipsec-ra
tunnel-group COMPANYVPN general-attributes
address-pool VPN_POOL
default-group-policy COMPANYVPN
tunnel-group COMPANYVPN ipsec-attributes
pre-shared-key COMPANYPRESHAREDKEY
isakmp ikev1-user-authentication none
*NOTE: If you include the last line (isakmp ikev1-user-authentication none) you can skip the next section since you will not need VPN users. If you do not include the last line you will be asked for a secondary authentication that requires the given user to enter their username an password every time they connect to the VPN. This provides much greater security when it's enabled but you may hear a fuss from the folks that have to connect to the VPN regularly.
5
Create users for the ASA secondary authentication (ikev1-user-authenticationusername COMPANYUSER password COMPANYUSERPASSWORD privilege 0
username COMPANYUSER attributes
vpn-group-policy COMPANYVPN
6
Configure the VPN client software on the computer based on the information above:
Install the Cisco VPN Client software and click the button to create a new connection
The "Connection Entry" field is the name of the connection that will show up in the list in the VPN client window. Enter whatever you want to name the connection entry.
The "host" field is the WAN/External interface address of the appliance. In this case 200.199.199.205 (tip: I like to assign a hostname to this address since small business seem to change ISPs regularly…IE vpn.company.com)
Make sure the "Group Authentication" bullet is selected
The "Name" field is the tunnel-group name and is COMPANYVPN in this case
The password is the pre-shared-key defined in our tunnel-group ipsec attributes…COMPANYPRESHARE
DKEY
Save your connection entry and (from an internet connection other than the one connected to the appliance we are configuring) click connect.
*Note: If you've chosen to enable the secondary authentication you will be prompted for that username and password after your tunnel group authentication to the VPN
PIX 501/506e
1
Create the VPN DHCP address poolip local pool VPN_POOL 192.168.16.1-192.168.16.100 mask 255.255.255.0
2
Create the access lists for the client NAT and VPN split tunnel*Note: Some companies would frown on the split tunnel for security reasons but most small businesses prefer to be able to browse the web while connected to the VPN. If this isn't enabled you will not be able to browse the internet while the connection is established.
access-list NO_NAT permit ip any VPN_SUBNET 255.255.255.0
access-list SPLIT_DNS permit ip LAN_SUBNET 255.255.255.0 any
nat (inside) 0 access-list NO_NAT
3
Create the Crypto Maps, Transform Sets and ISAKMP policiessysopt connection permit-ipsec
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map VPN_DYNMAP 20 set transform-set VPN_SET
crypto map VPN_MAP 20 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup COMPANYVPN address-pool VPN_POOL
vpngroup COMPANYVPN dns-server 192.168.15.101 192.168.15.100
vpngroup COMPANYVPN default-domain company.local
vpngroup COMPANYVPN split-tunnel SPLIT_DNS
vpngroup COMPANYVPN idle-time 1800
vpngroup COMPANYVPN password COMPANYPRESHAREDKEY
4
Configure the VPN client software on the computer based on the information above:
Install the Cisco VPN Client software and click the button to create a new connection
The "Connection Entry" field is the name of the connection that will show up in the list in the VPN client window. Enter whatever you want to name the connection entry.
The "host" field is the WAN/External interface address of the appliance. In this case 200.199.199.205 (tip: I like to assign a hostname to this address since small business seem to change ISPs regularly…IE vpn.company.com)
Make sure the "Group Authentication" bullet is selected
The "Name" field is the vpngroup name and is COMPANYVPN in this case
The password is the password defined in our vpngroup…COMPANYPRESHAREDK
EY
Save your connection entry and (from an internet connection other than the one connected to the appliance we are configuring) click connect.
Now your VPN Client access should be live and you can ping your servers at 192.168.15.100 and 192.168.15.101 while browsing the web over your split tunnel. If you cannot browse the internet or ping your servers you've missed a step. To troubleshoot you should type " writ t" (Write Terminal) to view the configuration and compare it to the completed configuration below and/or use " debug crypto ipsec"
NAT Your Server's Public IP and Allow TCP Ports Through the Firewall Using Object Groups
1
We need to create the static NAT to allow your server to use one of the public IPs in our block of 5 (this is the same on all devices)static (inside,outside) EXCHSERVER_WAN EXCHSERVER_LAN netmask 255.255.255.255 0 0
2
Create the object groups (I personally prefer to use object groups to reduce the number of access lists that need to be created which minimize the number of lines in the CLI. Also, you may not want to allow all of these ports through to your server and I typically do not allow POP or IMAP access)object-group service INBOUND_EXCHANGE tcp
port-object eq smtp
port-object eq ldap
port-object eq pop3
port-object eq www
port-object eq 587
port-object eq 993
port-object eq imap4
port-object eq https
port-object eq ldaps
*NOTE: If you use a spam filtering service like Appriver or Postini, or a filtering appliance, you can allow SMTP access from the service or appliance with the following policy (The following are the Appriver Secure Tide filtering servers. Also, if you choose to do this you must remove the "port-object eq smtp" from the above object group or else the SMTP filtering is useless)
object-group network APPRIVER
network-object host 69.20.58.226
network-object host 69.20.68.133
network-object host 207.97.224.142
network-object host 212.100.247.159
network-object host 69.20.60.122
network-object host 69.20.58.234
network-object host 207.97.229.125
network-object host 207.97.230.34
network-object host 207.97.230.54
network-object host 207.97.242.51
network-object host 74.205.4.52
network-object host 72.32.252.16
network-object host 92.52.89.74
network-object host 72.32.253.10
network-object host 72.32.252.97
network-object host 120.136.38.138
3
Create the access lists to allow the traffic to your serverPIX 501/506e
access-list INBOUND permit tcp any host EXCHSERVER_WAN object-group INBOUND_EXCHANGE
access-list INBOUND permit tcp object-group APPRIVER host EXCHSERVER_WAN eq smtp
ASA 5505/5510
access-list INBOUND extended permit tcp any host EXCHSERVER_WAN object-group INBOUND_EXCHANGE
access-list INBOUND extended permit tcp object-group APPRIVER host EXCHSERVER_WAN eq smtp
4
Enable the access groupaccess-group INBOUND in interface outside
Finished Configuration
You should now have your Cisco appliance configured with internet access for all your workstations (all traffic allowed out), IPSec VPN access with the Cisco VPN Client and a mail server with all of the necessary ports allowed through the firewall. Attached are the full finished configurations for the PIX 501/506e, ASA 5505 and ASA 5510. REMEMBER TO WRITE MEM!Resetting Passwords
You never want to leave your firewall with the default passwords so we'll reset the Telnet/SSH/HTTPS password and the enable password (this process is common between each of these devices).
Reset the Telnet/SSH/HTTPS Password
passwd YOURPASSWORDHERE
Reset the Enable Password
password YOURPASSWORDHERE
Opening up for Remote Support
If you ever perform remote support for customers or you often train other technicians and have to help configure firewalls from remote locations you may want to open up management for the outside interface of your Cisco appliance.Enabling SSH
Enabling SSH requires generating an RSA key that will be entered into your known_hosts file when connecting. The methods for creating the RSA key differs between the PIX and the ASA. Also, this key is attached to the hostname of the appliance so you may want to change the hostname if you prefer it to have a name other than "ciscoasa" or the default name associated with your specific appliance.
PIX 501/506e
Change the Hostname -
hostname COMPANY-CISCO
Generate the RSA Key (this process may take several minutes) -
ca generate rsa key 2048
Save the RSA Key Once It's Generated -
ca save all
ASA 5505/5510
Change the Hostname -
hostname COMPANY-CISCO
Generate the RSA Key (this process may take several minutes) - crypto key generate rsa modulus 2048
Save the RSA Key Once It's Generated - writ mem
Enable SSH (Examples)
Inside for a Single Management Computer at 192.168.15.102 -
ssh MANAGEMENT_STATION 255.255.255.255 inside
Insdie for the LAN Subnet -
ssh LAN_SUBNET 255.255.255.0 inside
inside for all Addresses -
ssh 0 0 inside
Outside for access from a specific IP -
ssh 201.199.199.201 255.255.255.255 outside
Outside for a Public Subnet -
ssh 201.199.199.199 255.255.255.248 outside
Outside for all Addresses -
ssh 0 0 outside
Accessing the CLI with SSH
From your chosen terminal type (pix is the default username common to all of these appliances) - ssh pix@192.168.15.254
Disable SSH/Telnet/HTTPS
You can disable these protocols by simply preceding your SSH or Telnet line with a " no"
no ssh MANAGEMENT_STATION 255.255.255.255 inside
no telnet 0 0 inside
*Note: to close or open access to telnet the above commands are applicable by replacing "ssh" with "telnet" and there is no need to generate the RSA key to enable telnet access. You cannot telnet to the lowest security interface, or the outside interface in this example, you must use SSH to gain terminal access from the outside.
Enable ASDM Access for VPN Clients and Outside Interface
VPN Client access -
management-access inside
Outside interface access -
management-access outside
*Note: Enabling access to the ASDM for the outside interface should only be a temporary change for security reasons
Limiting Access for the LAN Clients
1
Create the Access Group (allowing only access to website on port 80 and port 443)object-group service CLIENTS_OUTBOUND tcp
port-object eq www
port-object eq https
2
Create the Access List (limit clients 192.168.15.1-62 using the allowed ports to any host)access-list OUTBOUND extended permit object-group CLIENTS_OUTBOUND 192.168.15.0 0.0.0.63 any
3
Enable the Access List on the Inside Interfaceaccess-group CLIENTS_OUTBOUND in interface inside
Static PAT Using the Public Interface
One of the drawbacks of not having a block of public IP's is the need to PAT your public interface of your appliance. If you have a load of ports to pass through the firewall your configuration will get a bit clunky. To create the static PAT on the interface you need to create a static PAT line for each port you want to translate.static (inside,outside) tcp interface smtp EXCHSERVER_LAN smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https EXCHSERVER_LAN https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap EXCHSERVER_LAN ldap netmask 255.255.255.255 0 0
Once your PAT statements are in place (actually it doesn't matter what order you do this in) you can insert your access lists to allow the traffic through the outside interface. Notice, this is the same line as above with host EXCHANGE_WAN being replaced with interface outside.
access-list INBOUND permit tcp any interface outside object-group INBOUND_EXCHANGE
One of the major issues I see when using the interface of the appliance as the primary public address is when the entire outside interface is configured as a static NAT to an internal address. DO NOT DO THE FOLLOWING.
static (inside,outside) interface EXCHSERVER_LAN netmask 255.255.255.255 0 0
Creating the static NAT for your outside interface will render any other duties the interface would perform inoperable. This is due to the interface address traffic being passed completely to the EXCHSERVER_LAN in this case. So, if you intend to use any VPN services this is saying you want your Exchange server to authenticate the client requests or to establish your site-site. If you think you have your IPSec remote access VPN configured correctly and you're getting errors that the interface is not responding, this is often the reason why.
Links
Configuring the PIX Firewall for SSH AccessUsing and Configuring PIX/ASA/FWSM Object Groups
Configuring the ASA Firewall for SSH Access
IPsec Troubleshooting: Understanding and Using debug Commands
Closing
Here's a tip for those of you who have a separate internet connection/gateway for servers or some clients and do not use the VPN appliance we just configured for their gateway. When the VPN clients connect these machines that do not use the Cisco VPN appliance as their gateway the server or clients do not have a route back to the appliance and the VPN clients will not be able to communicate with these machines. In this case there is a simple workaround by creating a persistent route in the command line on each server:Windows: route add 192.168.16.0 mask 255.255.255.0 192.168.15.254 -p. The process for creating a persistent route on a Mac is a little more in depth and I've covered that in another article, but, here is the command for creating a temporary route: sudo route add -net 192.168.16.0 -netmask 255.255.255.0 -gateway 192.168.15.254
This information has been compiled over several years and the templates have been generated from multiple working configurations and the given full configurations can not be tested due the bogus public addresses. If you should find any typos or have any recommendations for making this article easier to follow your comments/suggestions are welcome.
ASA-5505.txt ASA-5510.txt PIX-501-506E.txt
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (2)
Commented:
A quick question; in this string is this an lower case L or a 1
If I use L it errors, one it accepts
Dan
Commented:
I read the next line LOL
Dan