configuring ASA 5505

Posted on 2012-03-12
Last Modified: 2012-04-07
I have an ASA 5505. I've not got a lot of experience with Cisco kit but need to configure this to work with the network.

When I first got it I didn't know the password, so I reset the box following this guide:

#############################################

If you don't have the password and need to reset (which will erase all settings), do this.

Connect as above.

Power on the device.
When it prompts to interrupt boot sequence, do so (press space).

It should prompt

rommon #0>

Type in:
rommon #0> confreg

Should show something like:

Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash

Do you wish to change this configuration? y/n [n]:

Press n (don't change)

We can reset the pass by setting register 0x41, so do this:

rommon #2> confreg 0x41

rommon #2> reboot

You now can login as the password has been removed.

#############################################

I then reset the device to factory default following this guide:

http://www.mailbeyond.com/restoring-factory-defaults-to-the-cisco-asa5505-firewall-via-the-console#comment-6842

################################################

When I go through the steps I get to the part where I type "config factory-default 192.168.1.1 255.255.255.0".

After it does its stuff I can then get an IP from the box and surf the web (I can't ping), but then the guide says to type 'reload save-config noconfirm'. This reboots the box, and once it comes back up I get a 169.254.217.251 address. Please advise where I should go with this next.
Question by:firstnetsupport
 
Expert Comment

by:BAYCCS
"reload save-config noconfirm"

Instead of using this command simply do a "copy run start". This will save the running config to the startup config in flash. Then if you want to reload, just type "reload". After the device comes back up it should have saved your new base config.

If that works then you can proceed to set up the unit the way you need to, and if you need help I/we are here.

After the base config is loaded you can either use the CLI to edit or the ASDM by accessing https://192.168.1.1
Author Comment

by:firstnetsupport
I have tried it again with your suggestion of copy run start, but after the reload it still fails. Below is a copy of everything from start to finish with some ping tests in between.

Any ideas?

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge
 00  0F  02   1022   2092  IDE Controller
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa831-k8.bin... Booting...
Platform ASA5505

Loading...
Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 222 files, 30136/62844 clusters
dosfsck(/dev/hda1) returned 0
IO memory 39583744 bytes

Processor memory 382824448, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 503d.e5bb.d6ec
88E6095 rev 2 Ethernet @ index 07 MAC: 503d.e5bb.d6eb
88E6095 rev 2 Ethernet @ index 06 MAC: 503d.e5bb.d6ea
88E6095 rev 2 Ethernet @ index 05 MAC: 503d.e5bb.d6e9
88E6095 rev 2 Ethernet @ index 04 MAC: 503d.e5bb.d6e8
88E6095 rev 2 Ethernet @ index 03 MAC: 503d.e5bb.d6e7
88E6095 rev 2 Ethernet @ index 02 MAC: 503d.e5bb.d6e6
88E6095 rev 2 Ethernet @ index 01 MAC: 503d.e5bb.d6e5
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 503d.e5bb.d6ed
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x0d29c65e 0x5814f5ea 0x28518134 0x86e000c8 0x410327bd

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 10             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.3(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2010 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

*************************************************************************
**                                                                     **
**  Note that for a failover deployment, both devices in the pair      **
**  must have identical memory.                                        **
**                                                                     **
*************************************************************************
Ignoring startup configuration as instructed by configuration register.

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203130822.log'
Type help or '?' for a list of available commands.
ciscoasa> ena
Password:
ciscoasa# config t
ciscoasa(config)# config factory-default 192.168.0.1 255.255.255.0

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.0.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.0.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.0.5-192.168.0.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#

ciscoasa(config)# ping bbc.co.uk
                       ^
ERROR: % Invalid Hostname
ciscoasa(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa(config)# ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)#


ciscoasa(config)# copy run start

Source filename [running-config]?
Cryptochecksum: eecac0e6 2777df73 adc1b122 45c5169e

1907 bytes copied in 1.520 secs (1907 bytes/sec)
ciscoasa(config)#



ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge
 00  0F  02   1022   2092  IDE Controller
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa831-k8.bin... Booting...
Platform ASA5505

Loading...
Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 224 files, 30137/62844 clusters
dosfsck(/dev/hda1) returned 0
IO memory 39583744 bytes

Processor memory 382824448, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 503d.e5bb.d6ec
88E6095 rev 2 Ethernet @ index 07 MAC: 503d.e5bb.d6eb
88E6095 rev 2 Ethernet @ index 06 MAC: 503d.e5bb.d6ea
88E6095 rev 2 Ethernet @ index 05 MAC: 503d.e5bb.d6e9
88E6095 rev 2 Ethernet @ index 04 MAC: 503d.e5bb.d6e8
88E6095 rev 2 Ethernet @ index 03 MAC: 503d.e5bb.d6e7
88E6095 rev 2 Ethernet @ index 02 MAC: 503d.e5bb.d6e6
88E6095 rev 2 Ethernet @ index 01 MAC: 503d.e5bb.d6e5
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 503d.e5bb.d6ed
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x0d29c65e 0x5814f5ea 0x28518134 0x86e000c8 0x410327bd

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 10             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.3(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2010 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

*************************************************************************
**                                                                     **
**  Note that for a failover deployment, both devices in the pair      **
**  must have identical memory.                                        **
**                                                                     **
*************************************************************************
Ignoring startup configuration as instructed by configuration register.

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203130829.log'
Type help or '?' for a list of available commands.
ciscoasa>






ciscoasa> ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
No route to host 192.168.0.1

Success rate is 0 percent (0/1)
ciscoasa> ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
No route to host 192.168.16.1

Success rate is 0 percent (0/1)
ciscoasa>
Author Comment

by:firstnetsupport
Can anyone help with this?
Expert Comment

by:BAYCCS
It looks like it saved the config
    INFO: MIGRATION - Saving the startup errors to file

I see why you can't ping
     No route to host 192.168.0.1
     No route to host 192.168.16.1


Can you do a sho run and post the config?
Author Comment

by:firstnetsupport
I'll re-run the whole thing and post the show run before it reboots and after.
Expert Comment

by:BAYCCS
Is the config saving?
Author Comment

by:firstnetsupport
Please look at the attached files; they are in order from start to finish.

I don't think it is saving the config; that's where I think my problem is, but I'm a novice on Cisco kit... please let me know what you think.
1-load-default-config.txt
2-show-run-after-def-config.txt
3-copy-run-start.txt
4-reload.txt
5-show-run-after-reload.txt
Expert Comment

by:BAYCCS
Instead of doing a "copy run start" try the older command "write mem".
Author Comment

by:firstnetsupport
I'll try it now.
Author Comment

by:firstnetsupport
No, I did the following:

ena
config t
config default-config 192.168.0.1 255.255.255.0
write mem

The show run (which is attached):
6-write-mem.txt
Author Comment

by:firstnetsupport
Every time I reload it just stops working.

After the write mem it did load a little slower (which gave me hope for a few seconds).
Expert Comment

by:BAYCCS
This is very interesting... I will review all your configs later tonight; give me a little time to think about this one.

In the meantime someone may have another suggestion.
Accepted Solution

by:firstnetsupport
I have managed to get the device to save the config I give it. I had to break the startup and set the register back to default; it was set to 0x41 as I had to wipe the password, but I didn't realise I had to change it back.

I now need some help with the configuration on the firewall. I'm not able to ping through the router and I need to open some ports for remote access to a server on the inside of the network.

If I provide a network map of what I'm trying to achieve, could anyone help me with how I would configure the device to achieve this?
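The cause in the accepted solution above, and the reason the reset guide quoted in the question leaves a box in this state, is the configuration register: "confreg 0x41" sets bit 0x40, which makes the ASA skip its startup configuration on every boot, and both boot captures in this thread print the line "Ignoring startup configuration as instructed by configuration register." that says so. The following is an added example, not code from the thread, from Cisco or from Experts Exchange. It decodes a register value, pulls the register out of "show version" output, scans a console capture for that tell-tale line, and returns the ASA commands that restore normal boot ("config-register 0x1" and "write memory" are real ASA commands; the bit meanings are Cisco's; the sample log is constructed from the shape of the captures above). A defender can run it over serial-console captures after any password recovery to confirm the register was put back before the box is trusted with a real configuration.

```python
"""Decode an ASA configuration register and check a console capture for the
line that shows the startup configuration being ignored.

Added example, not code from the thread or from Cisco. It encodes the cause of
the problem in this thread: a password recovery leaves the register at 0x41,
and bit 0x40 makes the appliance ignore its startup configuration on every
boot until the register is set back to 0x1 and the config is written again.
"""
import re

IGNORE_STARTUP_CONFIG = 0x40  # bit 6: boot with an empty running config
BOOT_DEFAULT_IMAGE = 0x01     # bit 0: boot the default image from flash

# Exact console line that appears in both boot captures posted in the thread.
IGNORE_MSG = "Ignoring startup configuration as instructed by configuration register."

# ASA commands that restore normal boot (real commands; 0x1 is the default).
REMEDIATION = ["configure terminal", "config-register 0x1", "write memory"]


def parse_confreg(text):
    """Accept '0x41', '0X41' or the mis-encoded '0×41' seen in copied guides."""
    m = re.fullmatch(r"\s*0[xX\u00d7]([0-9a-fA-F]{1,8})\s*", text)
    if not m:
        raise ValueError(f"not a configuration register value: {text!r}")
    return int(m.group(1), 16)


def decode_confreg(value):
    """Describe the bits of a register value that matter for this problem."""
    return {
        "value": f"0x{value:x}",
        "ignore_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
        "boot_default_image": bool(value & BOOT_DEFAULT_IMAGE),
    }


def register_from_show_version(text):
    """Pull the register out of 'show version' output, or None if absent."""
    m = re.search(r"Configuration register is (0x[0-9a-fA-F]+)", text)
    return parse_confreg(m.group(1)) if m else None


def check_boot_log(log):
    """Return (ignored, remediation): True and the fix-up commands when the
    capture shows the startup config being skipped, else False and []."""
    ignored = any(line.strip() == IGNORE_MSG for line in log.splitlines())
    return ignored, (list(REMEDIATION) if ignored else [])


# Constructed sample: a trimmed boot capture in the shape of the ones above.
SAMPLE_LOG = """\
Platform ASA5505
Loading /asa831-k8.bin... Booting...
Ignoring startup configuration as instructed by configuration register.
Type help or '?' for a list of available commands.
ciscoasa>
"""

if __name__ == "__main__":
    print(decode_confreg(parse_confreg("0×41")))
    ignored, fix = check_boot_log(SAMPLE_LOG)
    if ignored:
        print("startup config was skipped; run:", " ; ".join(fix))
```

Run it as-is to see the decode of 0x41 and the remediation for the constructed capture; to check a real session, pass the saved console text to check_boot_log and the "show version" output to register_from_show_version. A register of 0x1 together with no "Ignoring startup configuration" line on the next boot is the condition to look for before the appliance is put back on the network.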
Author Closing Comment

by:firstnetsupport
This worked.