How to Setup a New Cisco ASA 5505

Hey guys, what's going on. My name is Zambrano, and I'm putting this mini video together. As I mentioned during the first meetup that we had for the Cisco Networkers meetup group, I was trying to put together a video on how to do an out-of-the-box ASA 5505 setup. You can see here the agenda that we had earlier, but because of time and because of my new work schedule it's a little hard to do these meetups and have them as long as I'd like them. So I kind of thought to myself, why not make these videos when I'm available and post them on YouTube? This way, when it comes time for the real meetup, which we actually have this Friday, I can cut a lot of stuff out and make the meetup a little bit shorter and a little bit more to the point. So, for anybody who's viewing this video off of YouTube, as I mentioned my name is Zambrano. A little bit about myself: if you haven't checked out our meetup page, definitely do go to meetup.com/cisco-networkers, our meetup page, where we have our calendar and all the upcoming meetups, so definitely check that out. Also my contact info is down here if you guys want to shoot me an email, a Skype or a text.

So without further ado, let me jump down to what I want to cover. During our meetup I kind of ran out of time; it's the out-of-the-box installation. I'm assuming at this point you guys already have a console cable into your ASA 5505, and I'm assuming it's code 8.3 or better, which is what we're focusing on, at least with the new CCNA Security. I actually got one right here, so I have a console cable already in it. As you can see I'm doing this unscripted. I already have some information on this guy, so if I do show run I do have some info on here, so I will lose connectivity when I do an erase. I should not erase; it's something like configure factory-default... here we go. So we use this command here; it's kind of like the equivalent of erase startup in IOS. I'm nervous to go ahead and do that, but it starts clearing things out; hit the space bar to help it along. This is my production 5505, so I actually have to get this working before I leave today or else I have no internet at home. Now if I do a show run (and notice I can do a show run from any mode, it's not like IOS where you need the do command) it's bare bones. There's nothing on here; this is literally the factory defaults. If I do my show int ip b, or show interface ip brief, I've got nothing except for the default values.

So as I mentioned, I'm assuming you guys already have this out of the box: you get your console cable in there, get your power cable and put it into the power slot. I'm going to configure this all from the CLI right now. One of the first things that you want to do is define your inside/outside interfaces, and which one is going to be your inside and outside interface. In my case, and I'm looking at mine right now, my 0/0 is going to be my outside interface, and I've got 0/1 and 0/2; I do have some PCs inside on these, you can see they say up and up for these, and these are the ones I'm not really doing anything with, you can see they're down/down. So the concept with the 5505s, versus the 5510s, 5520s, etc., is that we don't actually apply IP addresses to the interfaces; we apply the IP addresses to a VLAN and in turn we apply that VLAN to an interface. So I'm going to go ahead and do that right now. I'll do interface vlan 1. It's not a best practice, in production you don't want to do this, but this is my own home ASA so I don't mind. I'll give it a name: nameif ? and you can give it a name. You can name this whatever you want; this is whatever your inside network is. 99% of the time I've seen the inside network called inside; Cisco documentation has it set up that way and I think every company I've been to calls it inside. If you want to be creative you can, but just for the sake of argument make it easy and call it inside. So I called it inside.

The next step that you want to do under this interface VLAN is the security level. ASAs have a concept of security levels; Junipers have zones, and I forget what Checkpoint has, but basically the idea is the higher the number the more trusted, the lower the number the less trusted. So in this case, security-level 100: you can think of it as 100% trusted, like I 100% believe in this interface, anything that comes out of here I trust. The lower the number, like say when we get to the outside I'll give it a security level of zero, that's my least trusted; I have zero percent trust in this guy, or this network or whatever is behind this VLAN. And I also put my IP address, as I mentioned before, 192.168.10.1, and I'll give it a /24. Oh yeah, I've got to get rid of the DHCP; that's the default that's in there, so do a show run dhcpd (on ASAs you've got to put a d at the end). So I'm just going to kill this line of config; I'll say no and that line, then I want to go back to my vlan 1 and put in the IP address again. Now it should take; it kind of sits there for a bit, and you'll notice that when it does that the ASA hangs for a little bit. OK, so I'm in, so I've got that set up.

So if I do a show run just to see what I have actually added: out of the box, by default, Ethernet 0/0 is already in VLAN 2, so right now that's already set up, actually it's named nameif outside. Look at this, this was done for me already, because as you guys just saw I did a factory reset on this guy, so by default it gets security-level 100, IP address... and this here is key: we configured this here but it looks like the factory configuration did this part for us already. And while I do that let me make sure of the version I have: OK, I've got version 8.4. So out of the box we'll have our two interfaces, VLAN 1 and VLAN 2. VLAN 2, as I mentioned before, is going to be our outside, so you see here nameif outside, security-level 0, so I'm trusting this the least. And unlike the last command where I actually put in a hard-coded IP address, chances are if you're watching this video you probably have residential internet, so you probably don't have the luxury of having a couple of public IPs lying around. In my case I don't, so what I have to do is get an IP address from my provider. This is what this is basically doing, saying pull an IP address from the provider, which, if you had your regular Verizon, Cablevision or Time Warner modem sitting in there, it would be pulling that public IP. And this command here, setroute, is basically pre-creating a default route on your ASA to point to whatever the IP on the other side of the ASA is. So if I do a show route, that's not in here yet, but I'm curious... no, not yet. OK, so we still have to do a couple more things in here, but that's one of the key commands that we need to do; like I mentioned it's almost like putting a default gateway on the ASA. So that part's done: we define our inside and outside interfaces, check.

Now you also want to go ahead and define object networks, or I think I had this backwards, network objects. That's basically a way that we can, think of it almost like creating a folder or container, where instead of saying IP address subnet 192.168.10.0/24, in this case, as you saw with the interface VLANs, ASAs like to name things, so we have to name our subnet or range or our host. So I'm going to go ahead and do that: object network ? is going to ask for a word; I'm going to call mine inside-subnet, you'll see why in a second. We need to do this at the bare minimum: we've got to define what our inside network is. Hitting ?, I can see here I can specify one host, I can do NAT (which I'll do in a second), I can do a range or a particular subnet. In this case I want a subnet, and I want to specify... on the ? I can specify my... I think, actually no, I don't think it needs a subnet mask, oh yeah it does, OK. And also what I want to do, I'm kind of jumping around a little bit, but I also want to define NAT, and now we're actually going to define it inside that object network. So do nat ?; this is kind of a little confusing looking, I don't go by this for the help, I just know that 99% of the time we go nat (inside,outside) dynamic, because I don't know what the public IP of that other end is, and I'll do interface, so it's going to say whatever that outside IP is, use that as your inside-to-outside interface IP. So I know my inside is this guy right here, my inside subnet 192.168.10.0, because I called it nameif inside, and for my outside interface, that's where I get my NAT command; I don't know what it is because it's dynamic using DHCP, so I put here dynamic, and whatever that interface IP is, that's it. Now that's pretty simple. OK, so we did the object network; at least the bare minimum, like I mentioned, you're going to go ahead and specify the inside subnet.

Also, one thing that I like to do, and it's a personal thing, is I'll create an object-group. Here you can specify certain protocols and services; what I like to do is to ping my ASA so at least I know that I can get to it from the public internet. So it's the icmp-type, and I'll say allow-ping, or even better allow-icmp, or specific ?. So I'm going to go ahead and configure an ICMP object. What I want to allow is echo, and generally I want my echo-reply, my timestamps, time-exceeded, traceroute which is pretty helpful, unreachable, and I think that's pretty much it. You can do an echo as well, but echo-reply is usually what I want, so that this ASA is allowed to reply back, so I'll do echo-reply. Who else? I said time-exceeded, I said unreachable if I can't ping them for whatever reason, and traceroute if I need to traceroute to my ASA. Nice. So let's run this... looking, I should get rid of... I don't need this... let's see, show run object, see if this works. Here we go. So here we've got my inside subnet, I've got my object-group which is allowing the pings, and funny enough, I don't know why they do this, but the object network, even though we configured it under the same sub-configuration mode, it's also showing me down here that the NAT command is in a different section. I'm not sure why they do that, it's a little confusing, they kind of move it around, but technically it was down here where I'm highlighting that nat interface, but they split it. I'm guessing what they want to do is just show you the NAT section down here and only the IP up here. OK.

So that's that. Define an ACL for pings: we did that already, which is good, but it kind of looks like an access list... just because we created this object-group, it doesn't mean anything; we have to bind it to our outside interface. So let me go ahead and actually create that access list; we have to tie that together, that object-group plus the access list, to our interface. OK, so I'll call it access-list inbound ?; I'm going to permit ICMP from any source, because I don't know where I'm coming from on the internet, and to any destination, we'll make it simple, and then here I can see object-group, so I'll specify and use object-group, and what did I call it, allow-ping, was it allow-icmp? OK. So I'm making that access list permit anybody from anywhere, filtered against that object-group that I made, which is the pings. And now we can actually apply it to an interface; so it was access-group in IOS, same thing here, and we'll specify inbound, and of course I want it coming inbound to my ASA, so I'll say in ?, interface... it gives us the interfaces, and I'm going to apply it to my outside interface, or my VLAN 2 interface. OK, so now I should be able to ping outside, whatever IP I get. Let me do a show ip: unfortunately I'm not yet getting a public IP. You can notice that the method is DHCP; when you do get an IP address this pops up here as what the IP address is. Sometimes you've got to do a reboot, but we'll see, we can do that.

Next up, we're going to want to define HTTP, SSH and telnet on your ASA. Of course, realistically we can't have a console cable plugged into that ASA constantly; it would be nice if you could manage it using SSH, telnet or HTTP, if we want to eventually start using ASDM, which is the GUI for the ASA. So, kind of similar to IOS, in order to do that we'll say ssh and what networks you want to permit. Generally in a production environment you're going to want to put in at least the outside IP; so if you know a certain range that you're expecting people to come in from, you'll put that range or that prefix in there. Generally you don't want to put 0.0.0.0 like I'm doing right now, so basically everybody can come in from the inside and everybody can come in from the outside. Typically you don't want to do that because that means anybody can get in from anywhere, but like I said this is a lab; I may be at a friend's house, I may be at a hotel, whatever, I don't mind if people try to get into that, I don't have anything important on my network anyway. So "this command will not take effect until the interface outside has been configured with an IPv4 address", which is fine because, as we saw with our show ip command, there's nothing yet for the outside interface. OK, so we could do telnet; it's the same deal, instead of saying ssh we'll say telnet, same commands, I'll just hit these guys again, I'll say inside, outside, nothing crazy there. Now for HTTP it's a little bit different, but as I mentioned similar to IOS, we'll do the http command: what range or what source you're expecting these HTTP commands to come in from; in my case, like I said, I don't care, any range, I'll do inside network and I'll do outside network, so these people can try to pull up ASDM from the ASA. One thing that is a little bit different with HTTP: you're going to want to actually turn the light switch on for this guy, so you want to enable it. So down here at the last you see this http server enable, "HTTP server required to run the device manager", ASDM, and I want to enable it. Let's take care of these three guys right here.

And finally, you may or may not want to do this; I personally do this just in case I have a PC or laptop I plug in there, so instead of giving it a static IP (generally most machines will have static IPs on my network), for that random laptop or whatever I plug in there I just give it an IP. We can go ahead and set up DHCP right now: dhcpd, but I'll configure outside... all right, let's just leave that there for now, should make a difference here. Let's say dhcpd (you've got to make sure to put that little d at the end for that to work) address, so I'll say from 100 to 120... I mean, I don't have enough ports, so I'll say 10; I only got like four ports on the ASA, so it doesn't make too much of a difference. Now I'll say service the inside, so anybody on that VLAN 1 will pull an IP address from that pool. And you can actually have some of the options here as well: you can do DNS, you can give it a domain name, whatever you want the domain name to be for this guy; you can specify the lease, the WINS. In my case I just always do DNS; I'll give that 4.2.2.2, and I want it to service the inside interface. I'm going to do it both ways and just leave it all at defaults. And lastly, for my DHCP I want to enable it, turn that light switch on, on the inside network; it should be inside network, yeah. And I think that should be it.

So let me do a show run... VLAN: oh, by the way guys, VLAN 1 here, all these other ports are by default in VLAN 1. Let me see here, yeah, I have my laptop actually connected to this ASA right now, so everybody else is in VLAN 1 by default; any other VLANs you have to specify, so 0/0 is going to be my outside interface. Let's see if I have anything here, but let's check everything else: I've got my inside subnet, I've got my access list allowing pings from the outside, I specify what kind of pings I want allowed in here. What am I forgetting here? The NAT command is fine, the ACL, the access-group that binds the ACL to the outside interface, my HTTP settings, which I can get rid of this... it's just an extra good idea to always review your config before you start troubleshooting and see what's working and what's not working. DHCP, OK. So let's save this guy. One thing that I forgot to mention: we're going to have to specify the ASDM file that we're going to use for the GUI, so asdm image, and I say where this image is located, flash, and I want to use this image here, let me do the slash... there you go. So that's another thing to do as well: you want to specify what bin file you want to use for your ASA. You also have to make sure that the ASDM image that you have is compatible with the actual ASA code that you're running. I'll do write. Let's see, did it get an IP? No, it didn't. That's making me a bit nervous, because it means I don't have internet when I leave the house today to get into my PC.

Another thing with this, though, and something I may end up having to do: I will have to actually call my provider and tell them to clear their ARP table, because every so often they really do a refresh of the cache or the IP. So if you're having issues trying to pull an IP from your provider, you have to call, unfortunately, their tech support and kind of walk them through telling them to do a release/renew of the IP on whatever modem they have on-site at your home, and that generally fixes the problem for me. When I've had to call my provider and tell them to release/renew the IP or clear the ARP cache, I've always been able to get an IP. In the beginning it was always a hassle getting this working, many calls to Verizon, but it's been good so far; but now that I did a factory restart to do this video I may end up having to call them again. Either way, let's wait till this guy boots up and make sure I can actually get an IP. The only difference is for people who actually have static IPs: you have it much, much easier. All you have to do is go into... let me go back... yeah, so instead of putting this command in here for your VLAN 2, or whatever your outside VLAN is, you just put in the public IP address that you're going to be using, and just make sure you can ping your gateway. Let me check the version... it says it was running... not working, I guess. If I check the version, I have version 9 of the code here; it didn't pick it up until now. I'll just pause this and wait till it boots up; I don't want you guys to just sit and watch this. Actually I didn't wait too long; it was the same thing. Password, whatever... hmm, this is interesting, a password for version 9; before it was always blank. Let me see what we've got for a default password for the ASA. All right, so one thing that I forgot to mention guys, which kind of bit me a little bit in the behind, I completely forgot about it, was actually setting a username, a password and an enable password.

This is actually really similar to what we did with IOS: username ?, cisco, password cisco, enable password, and you know, the password I'll call cisco too. So I actually kind of locked myself out of the ASA, so I just had to go in there and put this information in, and that's that part done. That really completes the setup; the only issue is that I will probably have to give a call to Verizon because I'm not getting an IP from them, which is kind of going to be a hassle because now I have to call from home and kind of fight with them a little bit. But at least I kind of showed you guys the basic setup, a rundown: inside/outside interfaces, object networks, NAT, DHCP, the passwords, ACL. And as I mentioned, if you do have a public IP this process will be pretty much done at this point, but if you're trying to do this with DHCP it generally requires a call to your provider to give you or release an IP for you. So with that, if you guys have any questions about this configuration feel free, here's my contact info as I mentioned, shoot me a text, shoot me an email, I can send you the show run of this. And that's it, that's kind of the overview from me. I'm going to try making the next video a demo of what I did during the last CCNA Security meetup, which was our point-to-point VPN between our two ASAs that I had working the other day. I know in the interest of time I kind of rushed through it, but I do want to go over the process with you guys, so I'll make another mini video about that and post it on the meetup page. And that's it, thanks for watching guys.

Hey guys, just want to quickly add this to the end of that ASA video. I gave a call to Verizon and they did a release/renew on the IP address; depending on who you get it's generally a quick process, it took me like five minutes. So now if I show you guys the interface VLAN 2, same configuration as we had before: nameif outside, ip address dhcp setroute. So now if I do my show ip I can see that I have my public IP on the outside using DHCP, so now I can go ahead and ping 4.2.2.2, looks beautiful. And as I tried to show you guys before, now I do have that default route going out to my provider; in this case it's a 71.77 address ending in .1, whereas before the gateway of last resort was not set, and in this case now I'm seeing a gateway. So I just want to show you guys that after I did give a call to Verizon it is possible to set up, and as I mentioned, any questions, there's my contact info, feel free to reach out to me. All right, thanks for watching.
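The steps walked through in the video, collected into one ASA 5505 configuration (8.3+ NAT syntax). This is an added example, not the author's own show run: the 192.168.10.0/24 inside network, the 4.2.2.2 DNS server and the ICMP types come from the transcript; the hostname, the admin prefix 203.0.113.0/24, the ASDM image filename and the passwords are placeholders, and the management-access lines show the lab setting from the video beside a restricted form.

```cisco
! Added example reconstructed from the transcript; not the video author's config.
! Placeholders: hostname, 203.0.113.0/24 (assumed admin prefix), ASDM filename, passwords.
hostname asa5505-lab
!
! On a 5505 the IP address lives on the VLAN; physical ports are switchports.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
! Network object for the LAN with dynamic PAT to the outside interface address.
object network inside-subnet
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! ICMP types the video allows in on the outside interface.
object-group icmp-type allow-icmp
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object traceroute
!
access-list inbound extended permit icmp any any object-group allow-icmp
access-group inbound in interface outside
!
! Management access. The lab setting used in the video permits SSH, telnet
! and HTTP from any address on both interfaces:
!   ssh 0.0.0.0 0.0.0.0 inside
!   ssh 0.0.0.0 0.0.0.0 outside
! Restricted form: SSH v2 from the LAN and one known admin prefix, ASDM from
! the LAN only, no telnet. The RSA key must exist before SSH accepts sessions.
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.10.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside
http server enable
http 192.168.10.0 255.255.255.0 inside
! The ASDM image must match the ASA software version installed in flash.
asdm image disk0:/asdm-PLACEHOLDER.bin
!
! DHCP for the inside VLAN (small pool, as in the video).
dhcpd dns 4.2.2.2
dhcpd address 192.168.10.100-192.168.10.110 inside
dhcpd enable inside
!
! Local credentials: the step the author forgot and got locked out by.
username admin password CHANGE_ME privilege 15
enable password CHANGE_ME
```

Note that ICMP addressed to the ASA's own interface is controlled by the `icmp permit` command rather than by the interface ACL, so the ACL above by itself does not make the outside address pingable; it governs ICMP passing through the firewall.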
Channel: NYC Networkers
Views: 202,590
Rating: 4.7015986 out of 5
Keywords: ASA ASA 5505 CCNA Security Setup Configure Cisco PIX Technology Cisco Systems, Inc. (Organization) Meetup
Id: hdgFBfs6xu4
Length: 30min 23sec (1823 seconds)
Published: Tue Nov 05 2013