Tuesday 11 August 2015

Cisco ASA's Part 2: Enabling the HTTP Server and Configuring Interfaces

If you are not doing Cisco as your full time job, the chances are you get rusty around the exact commands that are required to perform even the easiest tasks. Luckily with Cisco ASA's you have the option to manage the device using a graphical user interface, known as the Adaptive Security Device Manager (or ASDM). Although the ASDM is a great tool, it does have it's down falls, the biggest one being that it's developed in Java.
If your ASA does not currently have any operating system you may need to boot the ASA into ROMMON mode, which can be done by breaking the boot sequence using the ESC key when the firewall is booting.
You will also need a TFTP Server, http://tftpd32.jounin.net/tftpd32_download.html
When you get your ASDM and ASA images onto the devices flash you can statically set them as the primary images to set a file called asdm.bin for example as the primary use the command asdm image flash:/asdm.bin and use show asdm image to ensure it has set properly.
Configure the logical VLAN 1 interface;

interface vlan 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

Enable the HTTP server for ASDM access;

http server enable
http 192.168.1.0 255.255.255.0 inside

Copy the running config to the startup config;
wr mem

Now cable your laptop or computer onto the same physical Layer 2 broadcast domain as the ASA, you will have to manually configure the network interface card with an IP and Subnet Mask on the same logical network as the ASA.
Open a browser and attempt to connect to the ASA's VLAN  1 interface IP via HTTPS. Install the ASDM Launcher, you require valid credentials before it will allow you to download it from here.

By default blank username and password will successfully log you into the ASA.

From the Home screen click, Configuration.

Click Interfaces from under Device Setup, and then click on the Switch Ports tab.

The physical interfaces you are going to use should be Enabled. Clicking Enable SwitchPort is the equivalent of issuing the no shutdown command at the CLI.

Click on the Interfaces tab, and then click Add. Select the physical interface from the Switch Ports list and use the Add button to move it into the Selected Switch Ports list.
Name the Interface, this is the internet facing WAN port so I have named it outside. The Security Level should be the lowest out of all your networks for the internet facing NIC's.


Depending on your ISP, select Obtain Address via DHCP for the WAN IP config, ensure the Obtain default route using DHCP option is selected.