VLANs and the ASA 5505 [FIREWALL]

Vask3n (Member, Posts: 517)
From my understanding, the 5505 has Ethernet 0/0 set to VLAN 2 (outside) and the rest of the ports set to VLAN 1. However, in the official cert guide (page 19) it reads "By default, all eight ports are connected to the same VLAN on the switch, allowing connected devices to communicate with each other at Layer 2 directly."

However, here on the official Cisco documentation, it reads

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

•An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

•An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.


Cisco Security Appliance Command Line Configuration Guide, Version 7.2 - Getting Started  [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems

Any ideas on how to approach this? What is the correct answer if this was posed as a question?
Working on MS-ISA at Western Governor's University

Comments

  • Legacy User (Unregistered / Not Logged In, Posts: 0)
    Well, from what I know, a factory-reset unit has every port on the default VLAN 1 until you designate the ports to a VLAN. If I'm not mistaken, some units, not specific to the ASA, usually have a default IP address which is used when trying to do a software recovery in ROMMON mode.
  • elderkai (Member, Posts: 279)
    Wiping the config is different from how it comes from Cisco.

    Vask3n:

    I guess the real question would be what is considered default: The way it comes straight from Cisco or the way it is every time it is "write erased"?

    When I configure ASAs that have come factory fresh, there is a config on it. VLAN 1 has 192.168.x.x if I remember correctly, and VLAN 2 is set for DHCP, with E0/0 belonging to VLAN 2 and the rest VLAN 1.

    After a write erase, though, it's pretty bare and all interfaces are in VLAN 1.
  • Vask3n (Member, Posts: 517)
    Thanks for your help on this. I guess the consensus is that there are two "defaults": the configuration that the ASA comes with and the configuration that gets applied when you do configure factory-default.
    Working on MS-ISA at Western Governor's University
  • Legacy User (Unregistered / Not Logged In, Posts: 0)
    @elderkai good write-up. I was thinking of after a write erase, which is the first thing I always do before I begin any configurations.
  • Legacy User (Unregistered / Not Logged In, Posts: 0)
    Well, actually, as elderkai mentioned, issuing the command configure factory-default or getting a unit fresh from Cisco should in theory be the same thing and have the same default configs. The comment I made was after issuing a write erase and reload. In that situation everything is set to VLAN 1 and the trusted/untrusted VLANs still need to be configured.

    Actually, out of curiosity, I just powered on a 5505 that we got straight from Cisco, new in box, to verify, and this is the show run:

    ciscoasa# sh startup-config
    No Configuration
    ciscoasa# sh running-config
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    shutdown
    !
    interface Ethernet0/1
    shutdown
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    interface Vlan1
    no nameif
    no security-level
    no ip address
    !


    After typing the configure factory-default this is the output:

    ciscoasa(config)# configure factory-default


    WARNING: The boot system configuration will be cleared.
    The first image found in disk0:/ will be used to boot the
    system on the next reload.
    Verify there is a valid image on disk0:/ or the system will
    not boot.


    Begin to apply factory-default configuration:
    Clear all configuration
    Executing command: interface Ethernet 0/0
    Executing command: switchport access vlan 2
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/1
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/2
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/3
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/4
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/5
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/6
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/7
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface vlan2
    Executing command: nameif outside
    INFO: Security level for "outside" set to 0 by default.
    Executing command: no shutdown
    Executing command: ip address dhcp setroute
    Executing command: exit
    Executing command: interface vlan1
    Executing command: nameif inside
    INFO: Security level for "inside" set to 100 by default.
    Executing command: ip address 192.168.1.1 255.255.255.0
    Executing command: security-level 100
    Executing command: allow-ssc-mgmt
    ERROR: SSC card is not available
    Executing command: no shutdown
    Executing command: exit
    Executing command: global (outside) 1 interface
    INFO: outside interface address added to PAT pool
    Executing command: nat (inside) 1 0 0
    Executing command: http server enable
    Executing command: http 192.168.1.0 255.255.255.0 inside
    Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
    Executing command: dhcpd auto_config outside
    Executing command: dhcpd enable inside
    Executing command: logging asdm informational
    Factory-default configuration is completed
    ciscoasa(config)#


    Result:

    the factory default for Cisco is:

    e0/0 vlan 2 - outside
    e0/1 - 7 vlan 1 - inside
    interface vlan 1 ip address 192.168.1.1 255.255.255.0

    but after a write erase and reload those defaults do not apply.


    Hopefully this helps answer your question.
  • Vask3n (Member, Posts: 517)
    So, to confirm:

    Out of the box configuration: All interfaces are shut down and VLAN 1 exists.
    Wiping the configuration with write-erase: VLAN 1 and 2 exist on Ethernet 0/1 and 0/0 respectively.
    Working on MS-ISA at Western Governor's University
  • Legacy User (Unregistered / Not Logged In, Posts: 0)
    No, my friend, you misunderstood. Out-of-box config can vary. The batch I got came wiped out already. Elderkai's units had a default config. I think that really depends on where it ships from. Issuing the command write erase and reload removes all configs, so all interfaces are placed into the default VLAN 1. Think of when you are working on a new switch: all interfaces are in VLAN 1.

    My point was illustrating what Cisco considers factory default, which is basically having a basic config preloaded, which is a huge security risk if the engineer chooses to keep that config. It's like how everyone knows all unused ports in a switch are always in VLAN 1 unless moved to an unused VLAN. At my place we consider it factory default if, when you boot up, it prompts:

    Pre-configure Firewall now through interactive prompts [yes]?

    Bottom line: don't assume anything is default; always check the show run before configuring the device. If there is a default config, make sure you erase it and start fresh before configuring.
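    As an added example (not code from the thread or from Cisco), the following Python script does what the two posts above describe by hand: it reads an ASA 5505 running-config like the one pasted earlier, recovers the port-to-VLAN mapping (a switchport with no `switchport access vlan` line sits in VLAN 1, as the thread notes), and flags the leftover factory-default settings that make keeping the preloaded config a risk. The two config texts are constructed here from the `configure factory-default` command trace and from the bare post-write-erase config in the post; the enable-password hash is the one in the posted output, which is the widely documented hash of an empty enable password. Function names and finding strings are this example's own.

```python
import re

# Constructed sample: the running-config a 5505 holds after `configure
# factory-default`, reassembled from the command trace posted in the thread.
FACTORY_DEFAULT_CONFIG = (
    "ASA Version 8.2(5)\n!\nhostname ciscoasa\n"
    "enable password 8Ry2YjIyt7RRXU24 encrypted\n"
    "passwd 2KFQnbNIdI.2KYOU encrypted\nnames\n!\n"
    "interface Ethernet0/0\n switchport access vlan 2\n!\n"
    + "".join(f"interface Ethernet0/{i}\n switchport access vlan 1\n!\n"
              for i in range(1, 8))
    + "interface Vlan1\n nameif inside\n security-level 100\n"
    " ip address 192.168.1.1 255.255.255.0\n!\n"
    "interface Vlan2\n nameif outside\n security-level 0\n"
    " ip address dhcp setroute\n!\n"
    "global (outside) 1 interface\nnat (inside) 1 0 0\nhttp server enable\n"
    "http 192.168.1.0 255.255.255.0 inside\n"
    "dhcpd address 192.168.1.5-192.168.1.36 inside\ndhcpd auto_config outside\n"
    "dhcpd enable inside\nlogging asdm informational\n"
)

# Constructed sample: the bare config the post shows after write erase + reload
# (every switchport shut down, only Vlan1 present with no nameif/address).
WRITE_ERASE_CONFIG = (
    "ASA Version 8.2(5)\n!\nhostname ciscoasa\n"
    "enable password 8Ry2YjIyt7RRXU24 encrypted\n"
    "passwd 2KFQnbNIdI.2KYOU encrypted\nnames\n!\n"
    + "".join(f"interface Ethernet0/{i}\n shutdown\n!\n" for i in range(8))
    + "interface Vlan1\n no nameif\n no security-level\n no ip address\n!\n"
)

# Hash that appears in the posted output; widely documented as the hash of an
# empty enable password on the ASA (assumption stated in the lead-in).
KNOWN_BLANK_ENABLE_HASH = "8Ry2YjIyt7RRXU24"

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$", re.IGNORECASE)


def parse_asa_config(text):
    """Split a running-config into {interface_name: [sub-commands]} and global lines.

    ASA separates blocks with a bare '!', so indentation is not relied upon
    (forum pastes often lose it). Lines starting with ':' are banner comments."""
    interfaces, global_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        if line.startswith("!"):
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1).lower()
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return interfaces, global_lines


def port_vlan_map(interfaces):
    """Map each Ethernet switchport to (vlan, enabled). No access-vlan line => VLAN 1."""
    result = {}
    for name, lines in interfaces.items():
        if not name.startswith("ethernet"):
            continue
        vlan = 1
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                vlan = int(m.group(1))
        result[name] = (vlan, "shutdown" not in lines)
    return result


def vlan_interfaces(interfaces):
    """Extract nameif / security-level / ip address from each VlanN interface."""
    result = {}
    for name, lines in interfaces.items():
        if not name.startswith("vlan"):
            continue
        info = {"nameif": None, "security_level": None, "ip": None}
        for line in lines:
            if line.startswith("nameif "):
                info["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                info["security_level"] = int(line.split()[1])
            elif line.startswith("ip address "):
                info["ip"] = line[len("ip address "):]
        result[name] = info
    return result


def audit_factory_defaults(text):
    """Return the factory-default leftovers a reviewer would want removed."""
    interfaces, global_lines = parse_asa_config(text)
    findings = []
    for name, info in vlan_interfaces(interfaces).items():
        if info["ip"] == "192.168.1.1 255.255.255.0":
            findings.append(f"{name}: factory-default inside address 192.168.1.1/24")
    for line in global_lines:
        if line == "http server enable":
            findings.append("ASDM/HTTP server enabled")
        elif line == "dhcpd enable inside":
            findings.append("DHCP server enabled on inside")
        elif line.startswith("enable password ") and KNOWN_BLANK_ENABLE_HASH in line:
            findings.append("enable password is the factory hash (blank enable password)")
    ports = port_vlan_map(interfaces)
    if ports and {v for v, up in ports.values() if up} == {1}:
        findings.append("all enabled switch ports are in VLAN 1 (single flat segment)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("factory-default", FACTORY_DEFAULT_CONFIG),
                       ("write erase", WRITE_ERASE_CONFIG)):
        print(label, port_vlan_map(parse_asa_config(cfg)[0]))
        print(label, audit_factory_defaults(cfg))
```

    Run against a real `show running-config` capture, the audit distinguishes the two "defaults" the thread argues about: the preloaded config trips four findings (default inside address, ASDM enabled, DHCP server on inside, blank enable password), while the post-write-erase config trips only the blank enable password, because every switchport is shut down and no VLAN carries an address yet.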
  • theodoxa (Member, Posts: 1,340)
    Vask3n wrote:
    So, to confirm:

    Out of the box configuration: All interfaces are shut down and VLAN 1 exists.
    Wiping the configuration with write-erase: VLAN 1 and 2 exist on Ethernet 0/1 and 0/0 respectively.

    Out of the box, it comes ready to plug and play, so to speak. It has the firewall pre-configured to allow all traffic from inside to outside, but only established traffic back in. E0/0 is configured on, I believe, VLAN 2, the "outside" security zone, and as a DHCP client. The rest of the ports are on, I believe, VLAN 1, the "inside" security zone, IP address 192.168.1.1/24, with the DHCP server pre-enabled. NAT overload (PAT) is configured for all traffic originating from "inside" going to "outside". It is configured to allow ASDM (GUI) access from the "inside". Basically, you could take it right out of the box, plug some PCs into it, hook E0/0 to a cable/DSL modem and surf the web right away.

    If you write erase, all of this configuration would be wiped and everything would presumably be set back to a single VLAN. You would also lose the ability to configure it using ASDM until the appropriate commands are added using the Console port. There is a command (also in ASDM) that should reset it to the factory default settings described above.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]