Configure cisco asa 5505
Since 192.168.1.240 is a Class C address, the ASA automatically assigns a 24-bit mask of 255.255.255.0. The ASA can assign a default mask based on the class of the IP address. (Notice that I didn't explicitly assign a subnet mask to the BVI's IP address. Now, you'll configure the management IP address through the Bridge Virtual Interface (BVI):Ĭiscoasa(config-if)# ip address 192.168.1.240 If you choose to give the VLAN interfaces different names than inside and outside, you will have to manually assign a security-level of 100 to the inside interface and 0 to the outside interface.) (Notice that the ASA automatically assigns security levels based on the names inside and outside. INFO: Security level for "inside" set to 100 by default. INFO: Security level for "outside" set to 0 by default. Next, assign physical interfaces to VLANs using the switchport access command and enable the physical interfaces with the no shutdown command:Ĭiscoasa(config-if)# switchport access vlan 2Ĭiscoasa(config-if)# interface Ethernet 0/1Ĭiscoasa(config-if)# switchport access vlan 1Īfter configuring the physical interfaces, you must configure the VLAN interfaces by giving them names and assigning them to the same bridge-group: In configuration mode, execute the command firewall transparent: This command will obliterate the existing configuration. Before executing this command, ensure that you have a good backup of the existing configuration. You must first enable transparent mode on the firewall. It’s not that hard to configure and setup, the catch is you’ll need a L2 switch if you don’t have a Sec+ license.Here is the configuration on an ASA 5505 (it will be similar for other models in the ASA family):
Additionally with the Sec+ we could use the built-in POE on the ASA 5505 models to power the AP. This would allow it to carry both VLANs over the same cable.
#Configure cisco asa 5505 license#
If we had a Sec+ license on the ASA we could take the switch out of the picture and tag the port on the ASA as a trunk. Each cable is carrying traffic for a specific VLAN between the two devices. We are essentially doing the work of a trunk port with physical cabling. Then simply plug the other end of those cables into the ASA in the corresponding port per your VLAN configuration. One in the port you configured for VLAN 3 and the other into the port you configured for your production VLAN.
#Configure cisco asa 5505 Patch#
Then plug two more patch cables into the switch. Plug a patch cable between the AP and the port you tagged as a trunk on the switch. Switch(config-if)# switchport access vlan Switch(config-if)# switchport access vlan 3Ĭonfigure a port on the switch for the Production VLAN Switch(config-if)# switchport trunk allowed vlan, 3Ĭonfigure a port on the switch for the Guest VLAN By production I mean it has NAT/PAT setup correctly and is a functioning firewall.ĪSA(config-if)# no forward interface Vlan1Ĭreate a new DHCP scope for the guests and apply it to the VLANĮnable outbound access by adding to the NATĬonfigure the Managed switch you are using to connect the AP and the ASAĬonfigure a port on the switch for the AP A Cisco ASA that’s in production and has the 3rd interface available. So we need to use a managed switch and plug the AP into a trunk port (So it can see more than 1 VLAN) and then tag two access ports on the switch which connect to two corresponding access ports on the ASA one in each VLAN. A Layer 2 switch that can do trunking (I used a 2940) The non-Sec+ 5505’s don’t have the ability to trunk. A Cisco AP that can host dual SSID’s and is configured to do so (I used a 1230AG)
#Configure cisco asa 5505 free#
Text in blue are variable names I made up, feel free to change them Insert your relevant information between Just keep in mind that you’ll probably have to deal with some unhappy users who can’t get to their power point stored on the server from time to time.
Now that you have that VLAN you can tag it on some other access ports in your conference room for guests to use. Also, this doesn’t have to be just for wireless. This makes it pretty useful as an interface for the guest network. That is it can’t be a real DMZ and connect back to you internal network as well. The thing about the base license ASA’s is that the DMZ can only go one way. The Prod network can get everywhere and the Guest network can only get out to the internet. That is to have an AP (Cisco!) that can host dual SSIDs. Probably one of the larger items I have been getting config requests for is wireless configuration, specifically Guest and Production wireless SSID’s.