VLANs and the ASA 5505 [FIREWALL]

Vask3nVask3n Posts: 517Member
in CCNP Security
From my understanding, the 5505 has Ethernet 0/0 set to VLAN 2(outside) and the rest of the ports set to VLAN 1. However, in the official cert guide (page 19) it reads "By default, all eight ports are connected ot the same VLAN on the switch, allowing connected devices to communicate with each otehr at Layer 2 directly."

However, here on the official Cisco documentation, it reads

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

•An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

•An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.


Cisco Security Appliance Command Line Configuration Guide, Version 7.2 - Getting Started  [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems

Any ideas on how to approach this? What is the correct answer if this was posed as a question?
Working on MS-ISA at Western Governor's University
· Share on Facebook

Comments

  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Well from what I know a factory reset unit has every port on the default vlan 1 until you designate the ports to a vlan. If I'm not mistaken on some units not specific to the asa usually has a default ip address which is used when trying to do a software recovery in rommon mode.
    · Share on Facebook
  • elderkaielderkai Posts: 279Member
    Wiping the config is different from how it comes from Cisco.

    Vask3n:

    I guess the real question would be what is considered default: The way it comes straight from Cisco or the way it is every time it is "write erased"?

    When I configure ASAs that have came factory fresh, there is a config on it. Vlan 1 has 192.168.x.x if i remember correctly and vlan 2 is set for dhcp with E0/0 belonging to Vlan 2 and the rest Vlan 1.

    After a write erase, though, it's pretty bare and all interfaces are in Vlan 1.
    · Share on Facebook
  • Vask3nVask3n Posts: 517Member
    Thanks for your help on this. I guess the consensus is that there's two "defaults"- the configuration that the ASA comes with and the configuration that gets applied when you do configure factory-default
    Working on MS-ISA at Western Governor's University
    · Share on Facebook
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    @elderkai good write up icon_thumright.gif I was thinking after a write erase which is the first thing I always do before I begin any configurations.
    · Share on Facebook
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Well actually as elderkai mentioned issuing the command configure factory-default or getting a unit fresh from cisco should in theory be same thing and have the same default configs. The comment I made was after issuing a write erase and reload. In that situation everything is set to vlan 1 and the trusted/untrusted vlans still need to configured.

    Actually out of curiosity I just powered on a 5505 that we got straight from cisco new in box to verify and this is the show run:

    ciscoasa# sh startup-config
    No Configuration
    ciscoasa# sh running-config
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    shutdown
    !
    interface Ethernet0/1
    shutdown
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    interface Vlan1
    no nameif
    no security-level
    no ip address
    !


    After typing the configure factory-default this is the output:

    ciscoasa(config)# configure factory-default


    WARNING: The boot system configuration will be cleared.
    The first image found in disk0:/ will be used to boot the
    system on the next reload.
    Verify there is a valid image on disk0:/ or the system will
    not boot.


    Begin to apply factory-default configuration:
    Clear all configuration
    Executing command: interface Ethernet 0/0
    Executing command: switchport access vlan 2
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/1
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/2
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/3
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/4
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/5
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/6
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/7
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface vlan2
    Executing command: nameif outside
    INFO: Security level for "outside" set to 0 by default.
    Executing command: no shutdown
    Executing command: ip address dhcp setroute
    Executing command: exit
    Executing command: interface vlan1
    Executing command: nameif inside
    INFO: Security level for "inside" set to 100 by default.
    Executing command: ip address 192.168.1.1 255.255.255.0
    Executing command: security-level 100
    Executing command: allow-ssc-mgmt
    ERROR: SSC card is not available
    Executing command: no shutdown
    Executing command: exit
    Executing command: global (outside) 1 interface
    INFO: outside interface address added to PAT pool
    Executing command: nat (inside) 1 0 0
    Executing command: http server enable
    Executing command: http 192.168.1.0 255.255.255.0 inside
    Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
    Executing command: dhcpd auto_config outside
    Executing command: dhcpd enable inside
    Executing command: logging asdm informational
    Factory-default configuration is completed
    ciscoasa(config)#


    Result:

    the factory default for cisco is:

    e0/0 vlan 2 -outside
    e0/1 - 7 vlan 1 - inside
    interface vlan 1 ip address 192.168.1.1 255.255.255.0

    but after a write erase and reload those defaults do not apply


    Hopefully this helps answer your question.
    · Share on Facebook
  • Vask3nVask3n Posts: 517Member
    So, to confirm:

    Out of the box configuration: All interfaces are shut down and VLAN 1 exists.
    Wiping the configuration with write-erase: VLAN 1 and 2 exist on Ethernet 0/1 and 0/0 respectively.
    Working on MS-ISA at Western Governor's University
    · Share on Facebook
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    No my friend you misunderstood. Out of box config can vary. The batch I got came wiped out already. Elderkai's units had a default config. I think that really depends where it ships from. Issuing the command write erase and reload removes all configs so all interfaces are placed into default vlan 1. Think of when you are working on a new switch all interfaces are in interface vlan 1.

    My point was illustrating what Cisco considers as factory default. Which is basically having a basic config preloaded which is a huge security risk if the engineer chooses to keep that config. Its like everyone knows all unused ports in a switch are always in vlan 1 unless moved to an unused vlan. At my place we consider it factory default if when you boot up it prompts:

    Pre-configure Firewall now through interactive prompts [yes]?

    Bottom line don't assume anything is default always check the show run before configuring the device. If there is a default config make sure you erase it and start fresh before configuring.
    · Share on Facebook
  • theodoxatheodoxa Posts: 1,340Member
    Vask3n wrote: »
    So, to confirm:

    Out of the box configuration: All interfaces are shut down and VLAN 1 exists.
    Wiping the configuration with write-erase: VLAN 1 and 2 exist on Ethernet 0/1 and 0/0 respectively.

    Out of the Box, it comes ready to plug and play so to speak. It has a the firewall pre-configured to allow all traffic from inside to outside, but only established traffic back in. E0/0 is configured on I believe VLAN 2, "outside" security zone, and as a DHCP Client. The rest of the ports are on I believe VLAN 1, "inside" security zone, IP Address=192.168.1.1/24, and DHCP Server pre-enabled. NAT Overload (PAT) is configured for all traffic originating from "inside" going to "outside". It is configured to allow ASDM (GUI) access from the "inside". Basically, you could take it right out of the box, plug some PCs into it, hook E0/0 to a Cable/DSL modem and surf the web right away.

    If you write erase, all of this configuration would be wiped and everything would presumably be set back to a single VLAN. You would also lose the ability to configure it using ASDM until the appropriate commands are added using the Console port. There is a command (also in ASDM) that should reset it to the factory default settings described above.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    · Share on Facebook
Sign In or Register to comment.