Setting up a CISCO ASA 5505 VLAN & VPN

Set up a basic two-VLAN layout (inside, outside) so my ASA can sit in the middle (MITM) between an xDSL router and the internal network of desktops. Also try to follow security best practice for CISCO networking devices, i.e. don't use the default VLAN, plus a few other basic things I know.

ASDM

note: wanted to set this up as most CISCO documentation relies on this guy to make config easier.. but f##k me, just getting java and browsers to figure it the f##k out was f##king tedious! and then trying to get these EOL application images from the CISCO download site requires a customer contract. sure, maybe it's out of date and you guys don't want to be responsible for it, i'd just be happy to get a copy of the software anyway and sign a waiver. long story short, CISCO outside of being a corp customer w/ an account = waste of time.

hostname(config)# crypto key generate rsa modulus 1024 # generate crypto keys for HTTPS
hostname(config)# write mem
hostname(config)# http server enable # turn http server on
hostname(config)# http 10.0.1.0 255.255.255.0 inside # all 10.0.1.x users can hit it from the inside.

VLAN 10 (inside) & 20 (outside)

VPN# conf t

VPN(config)# interface vlan 10
VPN(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
VPN(config-if)# ip address 10.0.1.1 255.255.255.0
VPN(config-if)# no shut

VPN(config-if)# interface vlan 20
VPN(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
VPN(config-if)# ip address dhcp
VPN(config-if)# no shut

SWITCHPORT ACCESS VLAN all interfaces

move et0/0 to the outside VLAN (20), and the rest of the interfaces (et0/1 to et0/7) to the inside VLAN (10)

VPN(config)# int et0/0
VPN(config-if)# switchport access vlan 20 # outside VLAN, as described above
VPN(config-if)# int et0/1
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/2
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/3
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/4
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/5
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/6
VPN(config-if)# switchport access vlan 10
VPN(config-if)# int et0/7
VPN(config-if)# switchport access vlan 10

HTTP server ASDM module DHCPD

VPN(config)# http server enable

# option 1 - anyone from anywhere (including the internet-facing "outside" interface) can hit the ASDM
VPN(config)# http 0.0.0.0 0.0.0.0 outside
VPN(config)# http 0.0.0.0 0.0.0.0 inside

# option 2 - only people from the "inside" network can hit ASDM
VPN(config)# http 10.0.1.0 255.255.255.0 inside

make sure your ASDM image actually exists on flash and is referenced in the config

VPN# sh flash
Initializing disk0: cache, please wait.......Done.
-#- --length-- -----date/time------ path
  6 8515584    Feb 21 2009 13:12:28 asa724-k8.bin
  7 4181246    Feb 21 2009 13:12:50 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Feb 21 2009 13:13:06 sslclient-win-1.1.0.154.pkg
  9 6514852    Feb 21 2009 13:13:54 asdm-524.bin
 12 0          Aug 10 2010 23:39:42 crypto_archive
 13 393696     Aug 10 2010 23:39:42 crypto_archive/crypto_arch_1.bin
 14 14635008   Apr 13 2009 13:07:34 asa803-k8.bin
 15 6851212    Apr 13 2009 13:08:28 asdm-603.bin

VPN(config)# asdm image disk0:/asdm-603.bin

note: asdm gave me the ‘error 404 /admin/index.html not found’ grief for asdm-603.bin, so i tried VPN(config)# asdm image disk0:/asdm-524.bin instead and was able to get the right page to load

setup DHCPD for “inside”

VPN(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
VPN(config)# dhcpd enable inside

setup SSH

VPN(config)# crypto key generate rsa modulus 2048
Keypair generation process begin. Please wait...

VPN(config)# ssh 10.0.1.0 255.255.255.0 inside

VPN(config)# aaa authentication ssh console LOCAL

Troubleshooting:

Error: Unable to negotiate with 10.0.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Why: the ASA only offers the diffie-hellman-group1-sha1 key exchange, which the SSH client no longer accepts by default

Fix (temporary):

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <user>@10.0.1.1

Error: (debug logs on ASA) user authen method is ‘no AAA’, aaa server group ID = 0 SSH2 0: authentication failed for username

Why: no AAA setup on ASA

Fix:

VPN(config)# aaa authentication ssh console LOCAL
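As an added example (not part of the original notes), the check below audits a pasted set of ASA setup commands for the pitfalls covered on this page: the ASDM "option 1" exposure on the outside interface, SSH allowed without the `aaa authentication ssh console LOCAL` line that caused the 'no AAA' login failure, use of the default VLAN, and the 1024-bit RSA key from the ASDM section. The sample configs and the `audit_asa_config` function are constructed for this example and assume the command formats shown above.

```python
import re

# Constructed sample: the commands from this page, deliberately using "option 1"
# (ASDM reachable from anywhere) and the 1024-bit RSA key from the ASDM section.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 ip address 10.0.1.1 255.255.255.0
interface Vlan20
 nameif outside
 ip address dhcp
crypto key generate rsa modulus 1024
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
ssh 10.0.1.0 255.255.255.0 inside
"""

# The same commands with "option 2", a 2048-bit key and AAA for SSH, i.e. the fixes above.
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace("modulus 1024", "modulus 2048")
    .replace("http 0.0.0.0 0.0.0.0 outside\nhttp 0.0.0.0 0.0.0.0 inside",
             "http 10.0.1.0 255.255.255.0 inside")
    + "aaa authentication ssh console LOCAL\n")

# "http <ip> <mask> <ifname>" and "ssh <ip> <mask> <ifname>" lines (IPv4 only).
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
MGMT_RE = re.compile(rf"^(http|ssh)\s+{IPV4}\s+{IPV4}\s+(\S+)\s*$", re.M)

def audit_asa_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 1. ASDM (HTTPS) or SSH management reachable on "outside" or from any source address.
    for proto, addr, mask, ifname in MGMT_RE.findall(config):
        if ifname == "outside":
            findings.append(f"{proto} management allowed on outside interface from {addr} {mask}")
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"{proto} management open to any source on {ifname}")
    # 2. SSH allowed but no AAA method: the 'no AAA' login failure from the troubleshooting section.
    if re.search(r"^ssh\s+\d", config, re.M) and "aaa authentication ssh console" not in config:
        findings.append("ssh enabled without 'aaa authentication ssh console LOCAL'")
    # 3. Default VLAN 1 still configured (this page moves everything onto VLAN 10 and 20).
    if re.search(r"^interface vlan\s?1\s*$", config, re.M | re.I):
        findings.append("default VLAN 1 is in use")
    # 4. RSA key for HTTPS/SSH shorter than 2048 bits (the ASDM section generated 1024).
    m = re.search(r"^crypto key generate rsa modulus (\d+)", config, re.M)
    if m and int(m.group(1)) < 2048:
        findings.append(f"RSA modulus {m.group(1)} is below 2048 bits")
    return findings
```

Running it on the real box means pasting the output of `show running-config` (plus the key-generation command you typed) into `config`; the hardened sample returns no findings.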
