
Setting up a CISCO ASA 5505 VLAN & VPN

Set up a basic two-VLAN layout (inside, outside) so the ASA sits inline, as a deliberate MITM, between an xDSL router and the internal network of desktops. Along the way, follow basic security practice for Cisco networking devices: don't use the default VLAN, restrict management access to the inside network, and a few other basic things.

Cisco Adaptive Security Device Manager (ASDM)

Note: I wanted to set this up as most Cisco documentation relies on this guy to make config easier... but f##k me, just getting Java and browsers to figure it the f##k out was f##king tedious! And then trying to get these EOL application images from the Cisco download site requires a customer contract. Sure, maybe it's out of date and you guys don't want to be responsible for it; I'd just be happy to get a copy of the software anyway and sign a waiver. Long story short, Cisco outside of being a corp customer w/ an account = waste of time. {: .notice--warning}

hostname(config)# crypto key generate rsa modulus 1024   # generate the RSA key pair used for HTTPS (1024 bits is below current minimums; the SSH section below regenerates the same default key pair at 2048, and it serves ASDM too)
hostname(config)# write mem
hostname(config)# http server enable                     # turn the HTTP server on
hostname(config)# http 10.0.1.0 255.255.255.0 inside     # only 10.0.1.x hosts on the inside can reach it

Setup VLAN 10 & 20

  • VLAN 10 is the "inside" network
  • VLAN 20 is the "outside" network
VPN# conf t
VPN(config)# interface vlan 10
VPN(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
VPN(config-if)# ip address 10.0.1.1 255.255.255.0
VPN(config-if)# no shut
VPN(config-if)# interface vlan 20
VPN(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
VPN(config-if)# ip address dhcp
VPN(config-if)# no shut

Note: "ip address dhcp" on its own only takes the lease. Use "ip address dhcp setroute" if the default route should come from the xDSL router's DHCP offer; otherwise the ASA has an outside address but no route to the internet.

SWITCHPORT ACCESS VLAN all interfaces

Move et0/0 to the outside VLAN (20) and the rest of the switch ports (et0/1 to et0/7) to the inside VLAN (10). By default the 5505 puts et0/0 in VLAN 2 and everything else in VLAN 1, so every port needs to be moved explicitly:

VPN(config-if)# int et0/0
VPN(config-if)# switchport access vlan 20
VPN(config-if)# int et0/1
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/2
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/3
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/4
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/5
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/6
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/7
VPN(config-if)# switchport access vlan 10

Enable the HTTP server

VPN(config)# http server enable
# option 1 - anyone from anywhere can hit ASDM, including from the internet via the outside interface; don't do this
VPN(config)# http 0.0.0.0 0.0.0.0 outside
VPN(config)# http 0.0.0.0 0.0.0.0 inside
# option 2 - only hosts on the "inside" network can hit ASDM (use this one)
VPN(config)# http 10.0.1.0 255.255.255.0 inside

Make sure the ASDM file exists on flash and is referenced in the config. The ASDM image has to match the ASA software image that is actually booted (check with "show version"): the listing below carries a 7.2(4)/5.2(4) pair and an 8.0(3)/6.0(3) pair.

VPN# sh flash
Initializing disk0: cache, please wait.......Done.
-#- --length-- -----date/time------ path
  6 8515584    Feb 21 2009 13:12:28 asa724-k8.bin
  7 4181246    Feb 21 2009 13:12:50 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Feb 21 2009 13:13:06 sslclient-win-1.1.0.154.pkg
  9 6514852    Feb 21 2009 13:13:54 asdm-524.bin
 12 0          Aug 10 2010 23:39:42 crypto_archive
 13 393696     Aug 10 2010 23:39:42 crypto_archive/crypto_arch_1.bin
 14 14635008   Apr 13 2009 13:07:34 asa803-k8.bin
 15 6851212    Apr 13 2009 13:08:28 asdm-603.bin
VPN(config)# asdm image disk0:/asdm-603.bin
Note: ASDM gave me the 'error 404 /admin/index.html not found' grief for asdm-603.bin, so I tried VPN(config)# asdm image disk0:/asdm-524.bin instead and was able to get the right page to load.

Setup DHCPD for "inside"

VPN(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
VPN(config)# dhcpd enable inside

Setup SSH

VPN(config)# crypto key generate rsa modulus 2048
Keypair generation process begin. Please wait...
VPN(config)# ssh 10.0.1.0 255.255.255.0 inside
VPN(config)# aaa authentication ssh console LOCAL

"aaa authentication ssh console LOCAL" checks SSH logins against the local user database, so at least one "username" entry must exist or every login fails (see Troubleshooting below). Like the HTTP server, SSH is only allowed from the inside network, never from the outside interface.
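The whole procedure above pulled together as one hardened configuration, in running-config form. This is an added example, not the original post's config. It assumes a local admin account named admin with a placeholder password, that the xDSL router hands the ASA a default gateway and DNS servers over DHCP, and that the booted ASA image is the 7.2(4) one matching asdm-524.bin.

```text
! Added example, not the post's running config. Placeholders: admin / ChangeMe!
hostname VPN
enable password ChangeMe!
!
! Outside: VLAN 20, address AND default route from the xDSL router's lease.
! Without "setroute" the ASA takes the lease but installs no default route.
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Inside: VLAN 10, a non-default VLAN so nothing lands in VLAN 1 by accident.
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
! Only Ethernet0/0 faces the xDSL router; 0/1 through 0/7 are inside.
interface Ethernet0/0
 switchport access vlan 20
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 10
interface Ethernet0/3
 switchport access vlan 10
interface Ethernet0/4
 switchport access vlan 10
interface Ethernet0/5
 switchport access vlan 10
interface Ethernet0/6
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 10
!
! Inside DHCP pool; auto_config copies DNS/WINS from the outside lease to clients.
dhcpd address 10.0.1.101-10.0.1.110 inside
dhcpd auto_config outside
dhcpd enable inside
!
! One 2048-bit RSA key serves both SSH and HTTPS/ASDM (run once; not stored in config).
crypto key generate rsa modulus 2048
!
! Management only from the inside network; never "http/ssh 0.0.0.0 0.0.0.0 outside".
username admin password ChangeMe! privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh version 2
ssh timeout 10
ssh 10.0.1.0 255.255.255.0 inside
http server enable
http 10.0.1.0 255.255.255.0 inside
! Must match the booted ASA image (show version): 5.2(4) for asa724, 6.0(3) for asa803.
asdm image disk0:/asdm-524.bin
write memory
```

The two management lines are the ones worth re-checking after any later edit: "show run http" and "show run ssh" should only ever list the inside network.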

Troubleshooting

Error: Unable to negotiate with 10.0.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Why: the ASA only offers diffie-hellman-group1-sha1 (a 1024-bit MODP group with SHA-1), which OpenSSH has disabled by default since 7.0, so client and server share no key exchange method.

Fix (temporary):

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]

This re-enables the weak exchange for that one command only; don't add it to ssh_config globally, where it would apply to every host.
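If the workaround has to outlive one command, scope it to the ASA alone rather than the whole client. The script below is an added example, not part of the original post: it parses the OpenSSH error text above (a constructed copy is embedded), picks out which of the server's offered methods are legacy ones, and emits a Host stanza for ~/.ssh/config that re-enables only that method for only that host. The LEGACY_KEX list and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): scope "+diffie-hellman-group1-sha1"
# to the one ASA instead of weakening every SSH session from this client.

# Constructed copy of the OpenSSH client error the post hits. "Their offer" is the
# key-exchange list the ASA's SSH server advertised.
SAMPLE_ERR='Unable to negotiate with 10.0.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'

# Key-exchange methods OpenSSH has left out of its defaults since 7.0 (group1 is a
# 1024-bit group; both use SHA-1). Space-separated so POSIX sh can loop over it.
LEGACY_KEX='diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1'

# Host the client was talking to, taken from "with <host> port <n>:".
peer_host() {
    printf '%s\n' "$1" | sed -n 's/.*with \([^ ]*\) port [0-9]*:.*/\1/p'
}

# Comma-separated list the server offered.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p'
}

# Offered methods that are in LEGACY_KEX, i.e. the ones a "+..." override would
# have to re-enable. One per line; exit status 1 if none of the offer is recognised.
legacy_offered() {
    found=1
    for kex in $(offered_kex "$1" | tr ',' ' '); do
        for legacy in $LEGACY_KEX; do
            if [ "$kex" = "$legacy" ]; then
                printf '%s\n' "$kex"
                found=0
            fi
        done
    done
    return $found
}

# ssh_config stanza enabling the legacy method for this host only; the rest of
# ~/.ssh/config keeps the stock defaults.
ssh_config_stanza() {
    host=$1
    kex=$2
    printf 'Host %s\n    KexAlgorithms +%s\n' "$host" "$kex"
}

# Usage: feed the real error text and append the printed stanza to ~/.ssh/config.
host=$(peer_host "$SAMPLE_ERR")
kex=$(legacy_offered "$SAMPLE_ERR" | head -n 1)
if [ -n "$kex" ]; then
    ssh_config_stanza "$host" "$kex"
else
    echo "server offered no legacy kex we recognise; read 'Their offer' by hand" >&2
fi
```

Once the ASA is replaced or upgraded to software that speaks a modern exchange, delete the stanza; a leftover "+diffie-hellman-group1-sha1" is exactly the kind of silent downgrade the OpenSSH default was meant to stop.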

Error: (debug logs on ASA) user authen method is 'no AAA', aaa server group ID = 0 SSH2 0: authentication failed for username

Why: no AAA method is configured for SSH on the ASA, so the login is never checked against the local user database. The fix below also needs at least one local "username" entry to check against.

Fix:

VPN(config)# aaa authentication ssh console LOCAL
