Cisco ASA Configuration Fun

August 15, 2012 by Christopher Silvertooth

As part of the myriad of things I deal with, configuring and maintaining a couple of Cisco ASA 5520’s is one of them.  After doing a major network migration from hosted network equipment to in-house equipment I ran into a few issues.  I did have some serious help from a real Cisco engineer, thank you Kevin, so I can’t say this was all my expertise but some of it was.

As it turns out I learned quite a few things.  Below is a bulleted list.

1.  Don’t leave old ASA boot files on the ASA after a successful upgrade.  If you happen to have a bad ASA or your ASA decides to reboot it may decide to boot off the old one.  In my case it went from 8.4(3) back to 8.0.  This of course screwed up the configs and Cisco changed syntax on some of the commands somewhere in between 8.2 and 8.4.  So do yourself a favor and delete the old boot roms and also specifically state your boot image:

cisco-asa> enable
cisco-asa# conf t
cisco-asa(config)# boot system disk0:/asa843-k8.bin

2.  Never have your VPN DHCP pool in the same subnet as your NAT range.  I suppose with some crazy rules you might be able to get this to work but it is a ton easier to just use a different IP range.  e.g.  10.1.5.x is your NAT range and 10.1.6.x is your VPN Pool.
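As an added example (not from the post), here is a small Python checker that reads an ASA running-config excerpt and flags the two mistakes from tips 1 and 2: more than one (or no) "boot system" line, and a VPN address pool that overlaps a subnet carrying an object NAT rule. It assumes the 8.3+ object NAT syntax ("object network" block with a "nat (inside,outside) dynamic interface" line) and runs over a constructed sample config that deliberately contains both problems.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt (not from the post) showing both
# mistakes the post warns about: a stale boot image and a VPN pool in the NAT range.
SAMPLE_CONFIG = """\
boot system disk0:/asa843-k8.bin
boot system disk0:/asa804-k8.bin
ip local pool VPN_POOL 10.1.5.200-10.1.5.250 mask 255.255.255.0
ip local pool GOOD_POOL 10.1.6.10-10.1.6.100 mask 255.255.255.0
object network INSIDE_NET
 subnet 10.1.5.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

def check_boot_images(config):
    """Tip 1: exactly one 'boot system' line should name the current image."""
    images = re.findall(r"^boot system (\S+)", config, re.M)
    if not images:
        return ["no 'boot system' statement: image selection is left to the ASA"]
    if len(images) > 1:
        return [f"extra boot images after {images[0]}: {', '.join(images[1:])}"]
    return []

def nat_subnets(config):
    """Subnets of every 'object network' block that carries an object NAT rule."""
    objects, current = [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            objects.append(current := {"subnet": None, "nat": False})
        elif current is not None and line.startswith(" "):
            if m := re.match(r"\s+subnet (\S+) (\S+)$", line):
                current["subnet"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            elif line.strip().startswith("nat "):
                current["nat"] = True
        else:
            current = None  # any other top-level line ends the object block
    return [o["subnet"] for o in objects if o["nat"] and o["subnet"]]

def check_vpn_pools(config):
    """Tip 2: a VPN address pool must not overlap a NAT'ed inside subnet."""
    nets, findings = nat_subnets(config), []
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pool = list(ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last)))
        for net in nets:
            if any(p.overlaps(net) for p in pool):
                findings.append(f"VPN pool {name} ({first}-{last}) overlaps NAT subnet {net}")
    return findings
```

Run check_boot_images and check_vpn_pools over the output of "show running-config"; GOOD_POOL in the sample is on 10.1.6.x and is not reported, VPN_POOL on 10.1.5.x is.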

3.  As a novice of ASA programming I enjoy/must use the ASDM interface.  I know using a GUI is not great, trust me as a command line virtuoso on OS X, but since I have no clue what I am doing some times I use it to move about and learn the features on the ASA.  So here is a quick set of commands to turn on the ASDM.

  • Make sure you have the VPN-3DES-AES license.  To get that go here.
  • Make sure SSL is turned on by typing the following into the terminal:
cisco-asa> enable
cisco-asa# conf t
cisco-asa(config)# ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Next you need to enable the http server. To enable this and open access to your private network do the following:

cisco-asa> enable
cisco-asa# conf t
cisco-asa(config)# http server enable
cisco-asa(config)# http <network> <mask> inside

Where <network> <mask> is your internal network and “inside” is the name of the interface that connects to your internal network.

Lastly you need to make sure that you have the ASDM image loaded onto your ASA.  I won’t get into the particulars of that because it is a pain in the ass and needs its own article.  Suffice to say, make sure you run the following command and substitute the correct ASDM image for your version of the ASA operating system.

cisco-asa(config)# asdm image disk0:/asdm-647.bin

This gets you close to full ASDM goodness.  This configuration should allow you to connect to and download the ASDM client.  This will not allow you to access ASDM while connected via VPN.  That requires the following command while in configure mode.

cisco-asa(config)# management-access inside

4.  I also wanted to get SSH working so that I have flexibility for management.  I ran into a few problems where my RSA key got hosed and SSH wouldn’t connect but for a second.  So if you get this error (SSH2_MSG_KEXDH_REPLY) when connecting via ssh this might be helpful.

cisco-asa> enable
cisco-asa# conf t
cisco-asa(config)# crypto key zeroize rsa noconfirm

This last command deletes all the RSA keys. Make sure you aren’t using them elsewhere or you may have undesired results. The next command will rebuild the RSA key.

cisco-asa(config)# crypto key generate rsa noconfirm

Now you have an RSA key. It is time to enable ssh for the desired network.

cisco-asa(config)# ssh scopy enable
cisco-asa(config)# ssh <network> <mask> inside

Where <network> <mask> is the network you will connect via SSH from and “inside” is the name of the interface for that network.

cisco-asa(config)# ssh timeout 60

This last bit just sets the timeout for good measure.

Once you have all the above completed you should have all the backend services ready for you to access. You will need to create a user in the ASA that has the appropriate level of permissions so that you can connect and manage your ASA.

And lastly, make sure you plug the physical connections into correctly functioning ports.  There is nothing worse than spending hours mucking with your ASA to find out you plugged your inside interface into a stack port (thank you Cisco/Linksys for making an ethernet port stop working when you light up a stack port).  The whole time you insist that you’re missing some configuration option only to find out that you screwed up the physical wiring, but I digress.
