VLANs and the ASA 5505 [FIREWALL]

From my understanding, the 5505 has Ethernet 0/0 set to VLAN 2 (outside) and the rest of the ports set to VLAN 1. However, in the official cert guide (page 19) it reads "By default, all eight ports are connected to the same VLAN on the switch, allowing connected devices to communicate with each other at Layer 2 directly."
However, here on the official Cisco documentation, it reads
The default factory configuration for the ASA 5505 adaptive security appliance configures the following:
• An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
• An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.
Cisco Security Appliance Command Line Configuration Guide, Version 7.2 - Getting Started [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems
Any ideas on how to approach this? What is the correct answer if this was posed as a question?
Working on MS-ISA at Western Governor's University
Comments
Vask3n:
I guess the real question would be what is considered default: The way it comes straight from Cisco or the way it is every time it is "write erased"?
When I configure ASAs that have come factory fresh, there is a config on it. Vlan 1 has 192.168.x.x if I remember correctly and vlan 2 is set for DHCP with E0/0 belonging to Vlan 2 and the rest Vlan 1.
After a write erase, though, it's pretty bare and all interfaces are in Vlan 1.
Actually, out of curiosity I just powered on a 5505 that we got straight from Cisco new in box to verify, and this is the show run:
ciscoasa# sh startup-config
No Configuration
ciscoasa# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
After typing configure factory-default, this is the output:
ciscoasa(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.
Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: global (outside) 1 interface
INFO: outside interface address added to PAT pool
Executing command: nat (inside) 1 0 0
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#
Result:
The factory default for Cisco is:
e0/0 vlan 2 - outside
e0/1 - 7 vlan 1 - inside
interface vlan 1 ip address 192.168.1.1 255.255.255.0
But after a write erase and reload those defaults do not apply.
Hopefully this helps answer your question.
Out of the box configuration: All interfaces are shut down and VLAN 1 exists.
Wiping the configuration with write-erase: VLAN 1 and 2 exist on Ethernet 0/1 and 0/0 respectively.
My point was illustrating what Cisco considers factory default, which is basically having a basic config preloaded; that is a huge security risk if the engineer chooses to keep that config. It's like everyone knows all unused ports in a switch are always in vlan 1 unless moved to an unused vlan. At my place we consider it factory default if when you boot up it prompts:
Pre-configure Firewall now through interactive prompts [yes]?
Bottom line: don't assume anything is default; always check the show run before configuring the device. If there is a default config, make sure you erase it and start fresh before configuring.
Out of the box, it comes ready to plug and play, so to speak. It has the firewall pre-configured to allow all traffic from inside to outside, but only established traffic back in. E0/0 is configured on I believe VLAN 2, "outside" security zone, and as a DHCP client. The rest of the ports are on I believe VLAN 1, "inside" security zone, IP address 192.168.1.1/24, and DHCP server pre-enabled. NAT overload (PAT) is configured for all traffic originating from "inside" going to "outside". It is configured to allow ASDM (GUI) access from the "inside". Basically, you could take it right out of the box, plug some PCs into it, hook E0/0 to a cable/DSL modem and surf the web right away.
If you write erase, all of this configuration would be wiped and everything would presumably be set back to a single VLAN. You would also lose the ability to configure it using ASDM until the appropriate commands are added using the Console port. There is a command (also in ASDM) that should reset it to the factory default settings described above.
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
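The advice in the thread boils down to "check the show run before you trust any default". As an added example (not code from the thread or from Cisco), the script below audits an ASA 5505 running-config text the way a reviewer would: it maps each Ethernet switchport to its access VLAN, records which VLAN interfaces have a nameif and address, and flags the lines the configure factory-default output above executes (HTTP/ASDM server, DHCP server on inside, PAT via the outside interface, the nat (inside) 1 rule). The two sample configs are constructed here, modelled on the two states Vask3n captured (post-factory-default and post-write-erase); the assumption that a switchport with no switchport access vlan line sits in VLAN 1 follows the thread's observation that after a write erase all ports are in Vlan 1.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: what "show run" looks like after configure factory-default
# (modelled on the commands executed in the thread; not captured from a device).
FACTORY_DEFAULT_CONFIG = "\n".join(
    ["ASA Version 8.2(5)", "!", "hostname ciscoasa", "!",
     "interface Ethernet0/0", " switchport access vlan 2", "!"]
    + [line for n in range(1, 8) for line in (f"interface Ethernet0/{n}", "!")]
    + ["interface Vlan1", " nameif inside", " security-level 100",
       " ip address 192.168.1.1 255.255.255.0", "!",
       "interface Vlan2", " nameif outside", " security-level 0",
       " ip address dhcp setroute", "!",
       "global (outside) 1 interface", "nat (inside) 1 0.0.0.0 0.0.0.0",
       "http server enable", "http 192.168.1.0 255.255.255.0 inside",
       "dhcpd address 192.168.1.5-192.168.1.36 inside", "dhcpd enable inside"]
)

# Constructed sample: the bare state after write erase / reload (all ports shut,
# only Vlan1 present with no nameif or address).
WRITE_ERASE_CONFIG = "\n".join(
    ["ASA Version 8.2(5)", "!", "hostname ciscoasa", "!"]
    + [line for n in range(8)
       for line in (f"interface Ethernet0/{n}", " shutdown", "!")]
    + ["interface Vlan1", " no nameif", " no security-level", " no ip address", "!"]
)

# Global lines that the factory-default procedure in the thread adds. The
# descriptions are ours; the command prefixes are the ones shown in the output.
FACTORY_MARKERS = {
    "http server enable": "HTTPS/ASDM management server enabled",
    "dhcpd enable inside": "DHCP server enabled on the inside interface",
    "global (outside) 1 interface": "PAT pool using the outside interface address",
    "nat (inside) 1": "all inside traffic translated (nat (inside) 1 0 0)",
}


def parse_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Return {interface name: settings} for every 'interface ...' block.

    A block starts at 'interface <name>' and ends at the next '!' line. Leading
    whitespace is ignored so this also copes with config pasted without the
    one-space indentation the ASA prints (as in the thread's captures).
    """
    interfaces: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        start = re.match(r"interface (\S+)$", line)
        if start:
            current = start.group(1)
            interfaces[current] = {"shutdown": False}
            continue
        if current is None:
            continue
        if line == "shutdown":
            interfaces[current]["shutdown"] = True
        vlan = re.match(r"switchport access vlan (\d+)$", line)
        if vlan:
            interfaces[current]["vlan"] = int(vlan.group(1))
        nameif = re.match(r"nameif (\S+)$", line)  # 'no nameif' does not match
        if nameif:
            interfaces[current]["nameif"] = nameif.group(1)
        ip = re.match(r"ip address (.+)$", line)  # 'no ip address' does not match
        if ip:
            interfaces[current]["ip"] = ip.group(1)
    return interfaces


def audit_config(config: str) -> Dict[str, object]:
    """Summarise VLAN membership and factory-default indicators in a config."""
    interfaces = parse_interfaces(config)
    ports = {n: c for n, c in interfaces.items() if n.startswith("Ethernet")}
    vlan_ifaces = {n: c for n, c in interfaces.items() if n.startswith("Vlan")}

    members: Dict[int, List[str]] = {}
    for name, cfg in ports.items():
        # Assumption (consistent with the thread): a switchport with no explicit
        # 'switchport access vlan' line is in VLAN 1.
        members.setdefault(int(cfg.get("vlan", 1)), []).append(name)

    lines = [l.strip() for l in config.splitlines()]
    markers = [desc for prefix, desc in FACTORY_MARKERS.items()
               if any(l.startswith(prefix) for l in lines)]

    return {
        "vlan_members": members,
        "vlan_names": {n: c.get("nameif") for n, c in vlan_ifaces.items()},
        "shutdown_ports": sorted(n for n, c in ports.items() if c["shutdown"]),
        "factory_markers": markers,
        # Every factory marker present and E0/0 alone on VLAN 2: the preloaded
        # config is still in place and should be reviewed or erased first.
        "looks_factory_default": len(markers) == len(FACTORY_MARKERS)
        and members.get(2) == ["Ethernet0/0"],
    }


if __name__ == "__main__":
    for label, cfg in (("factory-default", FACTORY_DEFAULT_CONFIG),
                       ("write-erase", WRITE_ERASE_CONFIG)):
        print(label, audit_config(cfg))
```

Run the file directly to see both reports; in practice, feed it the text of show running-config saved from the console. A result with looks_factory_default set is exactly the situation the thread warns about: the device is passing traffic inside-to-outside with PAT, serving DHCP and exposing ASDM before anyone has reviewed the policy.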