I have had my ASA 5505 running for few months now on Virgin Media FTTN (Fibre To The Neighbourhood / Node) connection and thought I’d share my config. When initial configuration was done on ASA it was a royal pain to be honest, moving from ZyXEL ZyWALL 5 device was challenging since Cisco like to do things differently and ASA is no exception. Here’s what I’m currently running software wise:
ASA software version 8.4.3 and ASDM 6.4.7 – both seem fairly stable so far.
You can safely ignore any defined objects, access lists etc. in the config below as you’d need to re-create them based on what’s required by you.
Continue reading →
So I finally managed to replace my aging ZyXeL ZyWALL 5 firewall with ASA 5505 from Cisco. VirginMedia (again, finally!) doubled my speed from 50 to 100Mbps downsteam and ZeXeL just couldn’t cope. In fact my download, when still having 50Mb/s, was around 30Mb/s anyway due to CPU being maxed out. Amount of LAN to WAN traffic (and vice versa) was simply too much for 266MHz Intel IXP422 CPU.
Anyway my ASA has been with me for some time and I didn’t actually do anything with it until last week. Here is my post from June, 10th 2012 talking about upgrading CF card and RAM. It really has been that long!
I started configuring the device and I have most of my stuff already done apart from one thing that became apparent today – my WAN IP is responding to pings! Not good. Quick command to get it fixed:
icmp deny any outside
Now the command above will deny pings on the OUTSIDE (untrusted) interface. In reality you just knocked off any pings that ASA will allow even on the internal interfaces – to fix this you have to allow ICMP as a protocol in default global policy map. Once done ICMP will be allowed back in (from OUTSIDE to INSIDE) because ASA will “know” about the connection that was made in the first place.
Commands (assuming default policy/inspections name):
Here’s an interesting error:
The above comes up when trying to install Cisco VPN Client 5.0.07.0410 on Windows XP SP3 (so far). I didn’t have this issue on Windows 7 SP1.
To get rid of the error message download Fix.mst file and run the .msi against it:
START /WAIT MSIEXEC.EXE /I vpnclient_setup.msi TRANSFORMS=Fix.mst /QUIET
Continue reading →
Some very generous people at work decided to offer me (for free!) Cisco ASA 5505 security appliance. Great isn’t it? Great indeed given ASAs are top class firewall devices.
Appliance itself has unlimited number of users (other options made by Cisco are 10 and 50 users based on internal to external VLAN connections) and its running security plus licensing model. Needless to say that’s about £500 worth of money!
So moving to the ASA itself – model I have shipped with 512MB of RAM and 128MB CF card. Both of them modules can be upgraded to incorporate e-pen (RAM) and more space for historical data i.e. logs (CF card).
I just happen to have spare Integral IN1T1GNSKCX 1GB DD1 PC3200 (400 MHz) stick which, to my surprise, worked straight away! ASA didn’t have any issues detecting the new memory and booted up absolutely fine. There are lots of modules that won’t work full stop and quick search using your favourite search engine reveals that some people had tried 2-3 different sticks with no luck whatsoever. In my case completely random module worked first time. Awesome.
2GB compact flash card has been ordered from eBay and should turn up any day now so I will let you guys know how that goes. 2GB is the maximum that ASA can take, anything above will be most likely seen as 0MB so no point trying (it’s a limitation of FAT16 and cluster size not the ASA itself though). Card I have ordered is made by SanDisk and the exact model reads as ‘Ultra II 2GB 15MB/s’. USB CF card reader is also required so you can copy ASA firmware, ASDM and license file from old card to the new one.
So, for now, my ASA looks like this:
Continue reading →