Cisco ASA 5505 – Interface Configuration

The Cisco ASA 5505 is the lowest-end ASA. Small footprint, good price point for SoHo environments. The material differences between the 5505 and its larger brethren are really price, traffic capacity and physical expansion (number of ports, add-on cards etc).

Typical scenarios where I’ve deployed 5505 models:

  • Firewall for small businesses that need packet filtering and VPN capability for remote users. Usually just a simple topology that can be divided into LAN/DMZ/Public.
  • Firewall for branch offices that need to have a site-to-site VPN with the main office.
  • Firewall for remote users’ home offices so that they can establish a site-to-site VPN with the main office.
  • Firewall for customer rack at a colo so that the redundant servers at the colo can establish a site-to-site VPN with the main office.

In larger businesses with hub-and-spoke VPN topologies, I tend to deploy the higher-end ASA models at the main office (the hub), and only use the 5505 model at the remote offices (the spokes). The deciding factors are usually price and capacity. If the customer’s asking for failover and content checking or IPS, then we’re already looking at a network with more traffic than a 5505 can handle.

Configuration of the 5505's interfaces is a wee bit different from the bigger models because the 5505 is basically a switch with VLANs. There are 8 FastEthernet switch ports that forward traffic at Layer 2. You assign the switch ports to logical VLAN interfaces. Switch ports on the same VLAN can communicate with each other. If the traffic needs to go to another VLAN, the ASA applies the security policies (ACLs, interface security levels etc) to decide whether or not to forward the traffic to the destination VLAN.

Factory Default Settings on the ASA 5505

Out of the box, or with the configure factory-default command, the ASA 5505 is configured thusly:

VLAN  Interface                                 Name     Security Level  IP Address      State
1     E0/1, E0/2, E0/3, E0/4, E0/5, E0/6, E0/7  inside   100             192.168.1.1     Enabled
2     E0/0                                      outside  0               Not Configured  Enabled

With a blank config (i.e. without the factory default), all switch ports are in VLAN 1. Nothing else is configured on the interfaces.

Configuring VLAN Interfaces

In order for any VLAN to pass traffic, it needs:

  • A VLAN ID (configured with the interface vlan command)
  • A name (configured with the nameif command)
  • A security level (configured with the security-level command)
  • A static IP address, or configuration as a DHCP client (routed mode only, with the ip address command)
  • To be enabled (configured with the no shutdown command)

If you name a VLAN outside or inside, it automatically gets assigned a security level of 0 (outside) or 100 (inside).

Optionally, you can configure any VLAN interface with:

  • no forward interface vlan [VLAN_ID] command to prevent it from forwarding traffic to the specified VLAN.
  • management-only command to set it to act as a management interface and not pass other traffic.
  • mac-address to configure a unique MAC address on it.

Configuring Switch Ports

To configure any switch port as an access port (i.e. assigned to only one VLAN), it needs to be:

  • Assigned to a VLAN (via the switchport access vlan [VLAN-ID] command)
  • Enabled (configured with the no shutdown command)

If you have a Security Plus license, you can set any switch port as a trunk port (i.e. it can carry multiple VLANs using 802.1Q tagging). This trunk port needs to be:

  • Assigned a native VLAN (via the switchport trunk native vlan [VLAN_ID] command). Packets on the native VLAN are not modified when sent over the trunk. All other packets that leave the port are modified with an 802.1Q header. Packets which have no 802.1Q header are put into the native VLAN when they enter this port. Each port can only have one native VLAN, but multiple ports can be assigned the same native VLAN.
  • Configured with the VLANs permitted to pass traffic (via the switchport trunk allowed vlan [VLAN_ID or VLAN_RANGE] command)
  • Configured as a trunk port (via the switchport mode trunk command)
  • Enabled (configured with the no shutdown command)

Additionally, you can configure any switch port (no matter if it's an access port or a trunk port) with these optional commands:

  • switchport protected to prevent a port from communicating with other protected ports in the same VLAN. These protected ports can communicate with other VLANs, just not with other protected ports in the same VLAN.
  • speed (the default is auto-negotiate)
  • duplex (the default is auto-negotiate)

Configuration Example

Quick and dirty example to configure an ASA 5505 with:

  • Outside interface with port E0/0, getting its IP address as a DHCP client.
  • Inside interface with ports E0/1 to E0/7 and configured with a static IP address of 5.5.5.1

So let’s start out with a blank startup config. Do a write erase and reload the ASA.

ciscoasa(config)# wr er
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# sh start
No Configuration
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o:  y
Proceed with reload? [confirm]

When the ASA comes back up, answer no to exit out of the startup config script.

Pre-configure Firewall now through interactive prompts [yes]? n

Get into enable mode. The config’s gone, so we’re back to the default enable password, which is blank.

ciscoasa> en
Password:
ciscoasa#

Have a look at what’s configured on the interfaces with the show run interface command. Should be nothing there. Nothing on show run ip either.

ciscoasa# sh ru interface
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
ciscoasa# sh ru ip
ciscoasa#

Have a look at the VLANs with a show switch vlan command. All we see is VLAN 1, with all the ports assigned to it.

ciscoasa# sh switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    -                                down      Et0/0, Et0/1, Et0/2, Et0/3
                                                Et0/4, Et0/5, Et0/6, Et0/7

Now for the config. Let's start with VLAN 1 for the inside network and VLAN 2 for the outside network.

ciscoasa# conf t
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address dhcp
ciscoasa(config-if)# no shut

Now we have 2 VLANs but none of the interfaces are passing traffic. If you do a show switch vlan and a show run interface, you see that the VLANs are configured, but the switch ports are not yet set up correctly. What we need to do is assign E0/0 to VLAN 2, and enable all the switch ports. A show run ip shows that only the inside interface has an IP address, but the outside interface does not.

ciscoasa(config-if)# sh switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           down      Et0/0, Et0/1, Et0/2, Et0/3
                                                Et0/4, Et0/5, Et0/6, Et0/7

2    outside                          down
ciscoasa(config-if)# sh ru int
!
interface Vlan1
nameif inside
security-level 100
ip address 5.5.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
ciscoasa(config-if)# sh ru ip
!
interface Vlan1
nameif inside
security-level 100
ip address 5.5.5.1 255.255.255.0
!

So let’s assign e0/0 to the outside interface, which is VLAN 2:

ciscoasa(config-if)# int e0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shut

As soon as you do that, the outside interface is up and it starts sending out DHCP Discover packets.

Now we see that all the switch ports are assigned correctly, but only VLAN 1 is up:

ciscoasa(config-if)# sh sw v
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           down      Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0

Now, to pass traffic through VLAN 1, all we need to do is enable the switch ports in that VLAN. As long as at least one switch port in VLAN 1 is connected and enabled, show switch vlan reports that VLAN 1 is up.

ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh sw v
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0

And the VLAN interfaces are up and pingable.
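As an added example (not from the original post and not a Cisco tool), here is a small Python audit that applies the rules from the "Configuring VLAN Interfaces" and "Configuring Switch Ports" sections above to show run interface output: every VLAN interface must have nameif, security-level, an IP address (static or dhcp), no shutdown, and at least one enabled switch port. The sample text is constructed to mirror the config halfway through the example above, after E0/0 was moved to VLAN 2 but before E0/1 was enabled; it assumes the output layout shown in this post (enabled ports have no shutdown line, and a port with no switchport access vlan line is in VLAN 1).

```python
# Constructed sample in the style of this post's "show run interface" output, at the
# point where E0/0 has been moved to VLAN 2 but E0/1 is still shut (E0/2-E0/7 omitted).
SAMPLE = """interface Vlan1
 nameif inside
 security-level 100
 ip address 5.5.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
"""

def parse_interfaces(text):
    """Map each interface name to its config lines, dropping the '!' separators."""
    blocks, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = line.split()[1]
            blocks[cur] = []
        elif cur and line and line != "!":
            blocks[cur].append(line)
    return blocks

def audit(text):
    """Check each VLAN interface against the rules in this post; returns {name: [problems]}."""
    blocks = parse_interfaces(text)
    up_vlans = set()  # VLAN ids with at least one enabled switch port
    for name, lines in blocks.items():
        if name.startswith("Ethernet") and "shutdown" not in lines:
            # a port with no 'switchport access vlan' line is in VLAN 1, the 5505 default
            up_vlans.add(next((int(l.split()[-1]) for l in lines
                               if l.startswith("switchport access vlan ")), 1))
    report = {}
    for name, lines in blocks.items():
        if name.startswith("Vlan"):
            problems = ["missing " + k.strip() for k in ("nameif ", "security-level ", "ip address ")
                        if not any(l.startswith(k) for l in lines)]
            if "shutdown" in lines:
                problems.append("shutdown")
            if int(name[4:]) not in up_vlans:
                problems.append("no enabled switch port")
            report[name] = problems
    return report
```

Running audit(SAMPLE) reports VLAN 1 as "no enabled switch port" and VLAN 2 as clean, which matches the show switch vlan output above where only VLAN 2 is up; once E0/1 is enabled both come back clean.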

Additional Information:

  • configure factory-default command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • interface vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • ip address dhcp command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • forward interface vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • management-only command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • mac-address command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • switchport access vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • switchport trunk command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • switchport mode command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • switchport protected command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • speed command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • duplex command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • reload command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • write erase command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • enable command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • show run ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.
  • show switch vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.

  • Kurt

    Many thanks for this guide.
    I just got an ASA 5505 for my home-office and was pulling my hair out trying to understand the Cisco docs.

  • Anonymous

    You’re welcome! Glad you found it useful.

  • 2ybilrho

    Hi,
    nice & helpful documentation, … furthermore some questions:
    how can I configure PPPoE on the VLAN2 outside interface?
    substitute ip address dhcp with: outside – ip address pppoe setroute,

    and how would you configure NAT / PAT for inside / outside to get Internet access from inside?
    kind regards,
    birlho

  • Warren sullivan

    @2ybilrho
    for NAT:
    ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    ASA5505(config)# global (outside) 1 interface
    INFO: outside interface address added to PAT pool
    All inside addresses will be translated to the outside interface IP address...

  • pravin

    We want to change the VLAN 1 IP address.
    How do we change it?