Howto: configure a Cisco ASA 5505 Part 1 – how to connect to a cable modem with DHCP

For my home Internet connection I have a 10Mb/s cable modem connection to my local cable company. They give me a public IP via DHCP. (This comes in handy for accessing my home network remotely – more on this in future posts.) Because I’m a major Cisco nerd I have installed a Cisco ASA 5505 at my house. Over the next few posts (as time permits) I hope to build on a simple ASA 5505 config to show how to set one up for this type of connection and also add a few “bells and whistles” on as we go.

First off, Cisco has a very nice Adaptive Security Device Manager (ASDM) GUI that can be used for configuring the Cisco ASAs. If you are looking for assistance in using the ASDM, you’ve come to the wrong place. I’m “old school” and I do everything from the console. I don’t have much experience with the ASDM GUI… sorry. Out of the box the ASA comes with a simple configuration on it. I always console into the device and blow away that config (perform a “write erase”) and reboot the box so I don’t have too much of Cisco’s “canned” configuration left, so everything I post assumes you have a fresh, essentially blank ASA without any configuration on it.

Below is a script that can be copied and pasted onto a blank ASA to apply a simple config that will get you surfing the Internet. I’ve inserted comments occasionally to explain some commands that I feel aren’t very self-explanatory. My comments are the lines beginning with an exclamation point (“!”), which the ASA ignores when the script is pasted in.

!
hostname go0se-asa1
domain-name go0se.local
!
enable password enablepassword
passwd telnetpassword
!
!
!In the above two statements, replace “enablepassword” with your actual enable password and replace “telnetpassword” with your actual telnet password.
!
!
interface Vlan1
description to outside interface (DHCP Cablemodem)
nameif outside
security-level 0
ip address dhcp setroute
!
!
!The setroute keyword in the above statement causes the ASA to set its default route to whatever gateway is passed to the ASA via DHCP.
!
!
interface Vlan10
description to inside VLAN
nameif inside
security-level 100
ip address 192.168.241.1 255.255.255.0
!
!
!The subnet of 192.168.241.0/24 above is my “inside” (internal) subnet. Feel free to change this to any private subnet of your choice.
!
!
interface Ethernet0/0
description physical connection to Cox Cablemodem
switchport access vlan 1
no shutdown
!
interface Ethernet0/1
no desc
switchport access vlan 10
no shutdown
!
interface Ethernet0/2
switchport access vlan 10
no shutdown
!
interface Ethernet0/3
switchport access vlan 10
no shutdown
!
interface Ethernet0/4
switchport access vlan 10
no shutdown
!
interface Ethernet0/5
switchport access vlan 10
no shutdown
!
interface Ethernet0/6
switchport access vlan 10
no shutdown
!
interface Ethernet0/7
switchport access vlan 10
no shutdown
!
banner motd
banner motd +------------------------------------------------------+
banner motd |                                                      |
banner motd |  *** Unauthorized Use or Access Prohibited ***       |
banner motd |                                                      |
banner motd |  For Authorized Official Use Only                    |
banner motd |  You must have explicit permission to access or      |
banner motd |  configure this device. All activities performed     |
banner motd |  on this device may be logged, and violations of     |
banner motd |  this policy may result in disciplinary action, and  |
banner motd |  may be reported to law enforcement authorities.     |
banner motd |                                                      |
banner motd |  There is no right to privacy on this device.        |
banner motd |                                                      |
banner motd +------------------------------------------------------+
banner motd
!
!
!The above “banner motd” statements create a “message of the day” to be displayed to those attempting to remote into the ASA. (It looks really poor above because of the formatting of this blog but it looks good when you SSH into the ASA.)
!
!
!
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
!
!
!The above object-group defines the ICMP types I will permit in on the outside interface. I want to be able to ping out from inside for testing purposes, so this object-group is referenced by an access-list (see below) that I apply to the outside interface (see further below); together they let the replies back in so I can verify connectivity etc.
!
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name go0se.local
!
!
!
access-list acl_outside extended permit icmp any any object-group DefaultICMP
!
!
!The above access-list statement creates the access list (utilizing the object group above) that I will apply to the outside interface to allow ping replies.
!
!
global (outside) 1 interface
nat (inside) 1 192.168.241.0 255.255.255.0
!
access-group acl_outside in interface outside
!
!
!The above access-group statement applies the “acl_outside” access list created above to the outside interface of the ASA.
!
!
ssh 192.168.241.0 255.255.255.0 inside
ssh timeout 5
!
console timeout 0
!
dhcpd address 192.168.241.100-192.168.241.131 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain go0se.local
dhcpd enable inside
!
!
!The above “dhcpd” commands define a DHCP scope on the ASA that will hand out addresses to clients on the inside interface.
!
!
end
!
write mem
!

That’s it. You should now be able to plug into your cable modem and surf.

NOTE: I am only allowing SSH access, and only from the inside interface. If you attempt to SSH into the ASA, it will prompt you for a username. Notice that I didn’t define any usernames above. In this case you can use the username of “pix” along with the password defined above to remote into the ASA.
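As an added example that is not part of the original post, here is a small Python check that parses a flat ASA config like the script above and reports the points this page makes about it: management access (ssh/telnet/http) permitted on the outside (security-level 0) interface, an ACL applied to outside that permits more than the ICMP reply types in DefaultICMP, and the outside interface sitting on VLAN 1 (the issue John raises in the comments). The sample config is a constructed excerpt of the script with two weak lines added so the checks have something to report; `outside` in `audit` maps each security-level-0 nameif to its interface.

```python
# Constructed excerpt of the post's script, plus two deliberately weak lines
# (ssh from anywhere on outside, permit ip any any) so the checks below fire.
SAMPLE = """\
interface Vlan1
 nameif outside
 security-level 0
interface Vlan10
 nameif inside
 security-level 100
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit ip any any
access-group acl_outside in interface outside
ssh 192.168.241.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""
REPLY_GROUPS = {"DefaultICMP"}  # object-groups that hold only ICMP reply types
def parse(cfg):
    """Flat parse: interfaces, ACL entries, applied ACLs, management lines."""
    ifaces, acls, applied, mgmt, cur = {}, {}, {}, [], None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "interface":
            cur = w[1]
            ifaces[cur] = {}
        elif w[0] in ("nameif", "security-level") and cur:
            ifaces[cur][w[0]] = w[1]
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(" ".join(w))
        elif w[0] == "access-group":  # access-group NAME in interface IFACE
            applied[w[1]] = w[4]
        elif w[0] in ("ssh", "telnet", "http"):  # ssh SRC MASK IFACE
            mgmt.append(w)
    return ifaces, acls, applied, mgmt

def audit(cfg):
    """Return findings for the points discussed on this page."""
    ifaces, acls, applied, mgmt = parse(cfg)
    out = []
    outside = {v.get("nameif", k): k for k, v in ifaces.items() if v.get("security-level") == "0"}
    for nameif, intf in outside.items():
        if intf.lower() == "vlan1":
            out.append(f"{nameif} sits on VLAN 1; use another VLAN for the outside side")
    for w in mgmt:
        if w[-1] in outside:
            out.append(f"{w[0]} management reachable from {w[-1]} ({w[1]} {w[2]})")
    for name, iface in applied.items():
        for ace in acls.get(name, []) if iface in outside else []:
            ok = "permit icmp" in ace and ace.split()[-1] in REPLY_GROUPS
            if "permit" in ace and not ok:
                out.append(f"{name} on {iface} permits more than ICMP replies: {ace}")
    return out
```

Calling `audit(SAMPLE)` returns three findings (the VLAN 1 outside interface, the SSH line on outside, and the `permit ip any any` entry); the post's own script as written triggers only the VLAN 1 check.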

The above script, minus the notes, can be downloaded here.

-Go0se

Links to my other ASA 5505 configuration guides:
Part 2 – how to configure the ASA for connections from the Cisco VPN Client
Part 3 – how to configure static port translation
Part 4 – how to block traffic to a specific URL

25 comments to Howto: configure a Cisco ASA 5505 Part 1 – how to connect to a cable modem with DHCP

  • For some reason I’m ending up with a blank page whenever I make an effort to post a comment. Do you know why it’s happening? I’m using the Opera web browser.

  • admin

    I’m not sure – your posts must be approved by me before they will show up – and you were able to post this… not sure what is wrong.

    -Go0se

  • John

    Not that big of a deal in your current as-is configuration — but it is advisable to change the vlan of your outside interface to 2 or something other than 1.

    Should you ever trunk any port on the ASA 5505 (not true with the other ASA models, the ASA 5505 switch is “special” to the line) to a switch running a flavor of spanning tree, CDP, or VTP — you risk exposing them (as they ride in VLAN 1) and other attacks. Easiest thing to do is use the ASA 5505’s default VLAN 2 for the outside interface.

    -John

  • Terry Green

    First, love your script. Had to modify some commands for ver 8.3 but easily done. My problem is that using the script I cannot get a DHCP address from my ISP (Cox). Any suggestions?

  • admin

    I’m really not sure. My only thought is that in the past when switching to a different device plugged into my cablemodem I’ve had to unplug the cablemodem for 15 minutes and then power it back on and it will start to work. It seems it locks onto a MAC address and the long power down somehow clears it.

    -Go0se

  • Don

    Hello,
    Thank you for some really good info. Do you have the config for a static address from the ISP? I also do not want to do DHCP on the inside network. That will be assigned by a separate DHCP server. Thank you in advance…

  • admin

    You simply set a static IP address on the outside VLAN and then create a default route and point it to the gateway your ISP gives you.

    !
    interface VLAN1
    description To outside
    nameif outside
    security-level 0
    ip address 10.11.12.10 255.255.255.0
    !
    route outside 0.0.0.0 0.0.0.0 10.11.12.1
    !
    If you do not want the ASA to perform as a DHCP server, simply do not include any of the lines that begin with “dhcpd”.

    Thanks,
    Go0se

  • Don

    You are the man! I did not do the static assignments yet but before I contacted you I was having issues accessing the Internet. I used your config and substituted the addresses I needed on the networks I wanted and lo and behold I was on the Internet one shot with no problems! The banner you provided looked great too. I am now going to use your instructions to setup VPN access. I hope all goes well. Thanks again…..

  • Don

    I just wanted to mention the VPN instructions were perfect. I just substituted the network and group statements that I wanted and I was right in no problems. Thank you again for your excellent instructions.

  • Randy

    Thanks for this sample configuration, I’ve been working on this ASA for a couple days and having issues and this really made sense of why I was messing everything up :)

  • Nitin Hurkadli

    !
    global (outside) 1 interface
    nat (inside) 1 192.168.241.0 255.255.255.0
    !
    ! is no longer supported on ASA Version 8.3 and above
    !
    ! UPDATED
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    !
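The comment above gives the 8.3-and-later object NAT form by hand. As an added example that is not part of the original post or the comment, here is a small Python converter for the one pattern this page uses: a `global (ifname) ID interface` line (PAT to the interface address) paired by NAT id with `nat (ifname) ID net mask` lines. The object name scheme (`obj_any` for 0.0.0.0/0, `obj-<network>` otherwise) is my own assumption, and `nat (x) 0 ...` (the no-NAT case Chris asks about further down) is deliberately left alone.

```python
import ipaddress

# Constructed input: the post's pre-8.3 NAT lines (not the post's own code).
OLD = """\
global (outside) 1 interface
nat (inside) 1 192.168.241.0 255.255.255.0
"""

def convert_dynamic_nat(cfg):
    """Rewrite 'global'/'nat' pairs keyed by NAT id into 8.3 object NAT.

    Handles only 'global ... interface' plus 'nat (if) ID net mask';
    'nat (if) 0 ...' (identity / no-NAT) is not dynamic NAT and is skipped.
    """
    globals_, nats = {}, []
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "global" and w[3] == "interface":
            globals_[w[2]] = w[1].strip("()")          # NAT id -> outside ifname
        elif w[0] == "nat" and w[2] != "0":
            nats.append((w[2], w[1].strip("()"), w[3], w[4]))
    out = []
    for nat_id, inside, net, mask in nats:
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global")
        cidr = ipaddress.ip_network(f"{net}/{mask}")
        name = "obj_any" if cidr.prefixlen == 0 else f"obj-{cidr.network_address}"
        out += [f"object network {name}",
                f" subnet {net} {mask}",
                f" nat ({inside},{globals_[nat_id]}) dynamic interface"]
    return "\n".join(out)
```

`convert_dynamic_nat(OLD)` yields an `object network obj-192.168.241.0` block whose `nat (inside,outside) dynamic interface` line matches the form shown in the comment.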

  • Anthony

    Hey man, thanks a lot … very useful for basic ASA 5505 setup! I just went through it no problemo.

  • Chris

    Thank you very much for the script. I have modified to my needs and it works perfectly.
    The only question I have now is on the VPN ACL
    !
    !
    nat (inside) 0 access-list nonat
    !
    !

    is not supported now.
    What is the work around? I have tried several things but to no avail.

  • Ivar Thorolfsson

    Nice articles.

    One comment though, instead of creating an ACL to permit icmp coming back into the network, why not just add it to inspect instead? No need for the ACL then.

    !
    policy-map global_policy
    class inspection_default
    inspect icmp
    !

  • admin

    Good call. Thanks for the idea.

    -Goose

  • Andrew

    I just upgraded to ASA 9.1.2, now I can’t telnet from remote networks to mine when I want to use RANCID. I’m not sure why…telnet 0.0.0.0 0.0.0.0 inside is turned on.

  • admin

    For security reasons Cisco no longer allows you to telnet to the interface that has the lowest security score. (NOTE: The telnet statement you list above has the “inside” tag on the end, which only allows telnet from inside networks to the inside interface.) To reach your ASA from “remote networks” you would need to configure and enable SSH access – which I believe RANCID supports.

    -Goose

  • Cory

    Goose,

    Would you have any suggestions for a static IP block in this configuration? I have a situation where I have a block of 5 IPs behind a cable modem. I can assign any of the 5 IPs to the router external interface but I can’t use any of the other 4 nor can I NAT any traffic over the one IP that is assigned to the external interface.

    In the setups I’ve done in the past, I am normally given a WAN IP and then a static block of IPs that are routed over the WAN IP. That configuration makes sense but with Charter, they say that is not what they do.

    Any advice?

    Thanks

  • admin

    I don’t completely understand what you are saying. Why can’t you NAT over the IP on the external interface? If you assign one of the IPs to the outside of the firewall they have no idea if you are NAT’ing or not. Do they require PPPoE or something like that?

    -Goose

  • Cory

    That appears to be my issue, there is no IP provided for the external interface. The block of 5 is all there is so one of those has to be external ip (no dhcp, no static wan ip). Does that make more sense?

  • admin

    You won’t use DHCP. You will need to assign one of those 5 as your external IP address. If it is like Cox (whom I’m accustomed to dealing with) they give you a block of 5 IPs and you are free to use them as you wish. Change the config I provided by editing and then copying and pasting the lines below.

    !
    interface Vlan1
    ip address <ip> <snm>
    !
    ! (replace <ip> and <snm> above with the IP and SNM you want to use)
    ! (example: ip address 192.168.1.2 255.255.255.0)
    !
    route outside 0.0.0.0 0.0.0.0 <gateway>
    ! (replace <gateway> above with the gateway your ISP gives you)
    ! (example: route outside 0.0.0.0 0.0.0.0 192.168.1.1)
    !

    Thanks,
    Goose

  • Cory

    I follow to that point. In that case, how would you use the other 4 IPs (say for DMZ or static NAT)? Also, can you use PAT across the IP assigned to the external interface?

  • Hi. Can you email me please? I have a few questions and could really use help programming this ASA 5505. I have all the information I need and have followed tutorials on programming ACL “interesting traffic”, IPSEC transform set, ISAKMP policy. I think that’s about 90% of the configuration, but I just want someone with seasoned eyes to make sure everything’s okay before I deploy it.

  • Robert

    You’d need a little 5 port Netgear hub, plug that into the cable modem, plug the ASA into it as well (with a hard coded IP address) and the other devices you want public IP addresses on will also go into the Netgear hub.
