
How to connect to an ASA 5505

I have attached my new ASA 5505 to my computer with the network cable as described in section 5. I have verified that Firefox 3 has both Java and Javascript enabled. When I enter https://192.168.1.1 it times out with no connection.

I have attempted to access it by connecting it to our LAN, then browsing it from various computers, both Linux and Windows. It always times out.

I have pressed and held the Reset button and tried again. No change.

The front and rear lights appear to indicate a proper connection, complete with activity.

Can you give me a hint as to what I have done wrong or should do differently or in addition?

Accepted Solutions

I'm glad to help! Congratulations! :-)

Thanks!

John

HTH, John *** Please rate all useful posts ***


John Blakley
VIP Alumni

I'm not sure what the default address is, but your ASA should have come with a rollover cable. (It's a light blue, flat cable with an RJ45 connection on one end and a serial (DB9) connection on the other.)

I would connect this directly to the ASA on the console port. Open hyperterminal up on your PC, and select the appropriate com port.

The settings for Hyperterminal connection should be:

Baud Rate: 9600

Data Bits: 8

Stop Bits: 1

Parity: None

Flow Control: I leave default.

After you click connect, you can hit enter a few times to get data on the screen. Once in, check your ip addresses in there by doing a:

show ip address inside

Once you have your IP address, you should be able to get into it. Also, make sure that your LAN is addressed on the same subnet as the ASA or you'll have to put a workstation in the 192.168.1.0/24 subnet.

--John

HTH, John *** Please rate all useful posts ***

Thank you. I'll do that now.

I suspect you provided some part of the answer, because my lan is not on the 1 subnet. That should not have stopped the direct connection, but it should stop the LAN attempt. Maybe with the rollover cable and hyperterminal I can change my Cisco subnet to match the LAN.

At CISCOASA> I entered "show ip address inside"

I got CISCOASA> ERROR: % Invalid input detected at "^" marker.

The marker points to the p in ip.

?

Type:

Ciscoasa> en

Hit enter...it may ask you for a password, if so, try Cisco and hit enter.

If that gets you in, type:

CISCOASA# sh ip address inside

HTH, John *** Please rate all useful posts ***

Thank you for the fast response.

It did ask for a password. It rejected Cisco.

Any idea what else it could be? I'll check through my booklet.

cisco would be the only other one, or just try to hit enter.

HTH, John *** Please rate all useful posts ***

Thank you. It was

I tried case variations and got locked out after 3 tries. My book says only to see my command line interface guide, and I can't find one in the box.

It showed me the IP, and it is indeed 192.168.1.1. How can I change that?

To do that, enter the following:

ASA# sh ip address inside

Find the Interface that the 192.168.1.1 address is assigned to. I think it'll be VLAN2, but I'm not sure.

After you find that out, type:

ASA# conf t

ASA(config)# int vlan2 (or whatever interface it's on)

ASA(config-if)# ip address

So it would be like:

ip address 5.5.5.5 255.255.255.0

Don't use the above address, it's only for an example.

ASA(config-if)# exit

ASA(config)# exit

ASA# wr <-- this saves it.

Please rate if helpful. :-)

--John

HTH, John *** Please rate all useful posts ***

I do want to thank you for being so patient and thorough, complete with examples.

I was sure it was Vlan1, and it kept saying it conflicted with Vlan2. So I changed it to Vlan2 and it took it. I made it 192.168.10.11 to put it on our subnet, and to avoid conflict with our yet to be removed Checkpoint firewall ending in 1.

Next I tried accessing 192.168.10.11. It timed out.

I can hit any other ip on this subnet, but not this new Cisco firewall. Do you think it has to end in a 1?

OK, here's what the book says.

Cisco adaptive security appliances are shipped with a factory-default configuration that enables quick startup. The ASA 5505 comes preconfigured with

* Two Vlans: VLAN1 and VLAN2

* VLAN 1 has the following properties:

- Named "inside"

- Allocated switch ports Ethernet 0/1 through Ethernet 0/7

- Security level 100

- IP address of 192.168.1.1 255.255.255.0

* VLAN2 has the following properties:

- Named "outside"

- Allocated switch port Ethernet 0/0

- Security level of 0

- Configured to obtain its IP address using DHCP

This is why I thought it would be VLan1. Also, with Vlan2 getting its ip from dhcp, it might get it from the Checkpoint firewall.

Also, with it connected to our subnet, it might start supplying IPs with its own dhcp server :O

What do you think?

You're right in the fact that the private address is on VLAN1.

Oh, did you type http://192.168.1.1 or https://192.168.1.1?

Try with https. You won't be able to ping the interface unless you issue the command management-access inside.

--John

HTH, John *** Please rate all useful posts ***

Hmm, no it doesn't need to. Can you post your config here? To do that, you need to record the sh run to a text file in hyperterminal.

You'll go to Transfer/Capture Text, give it a name, and it will start to record.

Then at the ASA# prompt type show run and hit spacebar all the way until you get back to the ASA# again. Then you click Transfer/Capture Text/Stop

From the sound of it, it doesn't sound like the ASA is configured for any public access yet, so you should just be able to post the config here without modifying it. Just double check there are no public addresses in the config for your security.

--John

HTH, John *** Please rate all useful posts ***

Here's the link copied from my browser:

https://192.168.10.11/

And here is the run shown:

show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.11 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tft

Well, a couple of things:

Is your workstation that you're trying to connect to the ASA with on the 192.168.1.0 network, or is it on the 192.168.10.0 network? If it's on the latter, you should connect your workstation to the back of the ASA and put your workstation statically on the 192.168.1.0 network. This will get you into it.

If you are trying to connect to it from the 192.168.10.0 network, you'll have to issue:

ASA# config t

ASA(config)# http 192.168.10.0 255.255.255.0 outside

See if that works. You won't be able to ping 192.168.1.1 from the 192.168.10.0 side. ASA doesn't support pinging the opposite side of the device (from outside interface to inside). You can either ping the outside or inside, or through the device to another host on the inside from the outside.

John

HTH, John *** Please rate all useful posts ***
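
The `http` access rule discussed in the last reply, as an added example that is not part of the original thread: a small Python check that reads the interface and `http` lines of a running-config like the one posted and reports which interface address a given client is permitted to open HTTPS/ASDM on. The function names `parse_asa` and `asdm_targets` are hypothetical, the sample is constructed from the posted config, and only the `http` permit list is evaluated, not routing or cabling.

```python
import ipaddress

# Constructed sample: the management-relevant lines of the "show run" posted above.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.10.11 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

def parse_asa(config):
    """Return (http_server_enabled, {nameif: interface address}, [(network, nameif)])."""
    enabled, ifaces, rules, nameif = False, {}, [], None
    for raw in config.splitlines():
        tok = raw.split()                      # tolerates lost indentation
        if not tok or tok[0] in ("!", ":"):
            continue
        if tok[0] == "interface":
            nameif = None                      # a new interface block starts
        elif tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            try:
                ifaces[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            except ValueError:
                pass                           # e.g. a DHCP-assigned interface
        elif tok[:3] == ["http", "server", "enable"]:
            enabled = True
        elif tok[0] == "http" and len(tok) == 4:
            rules.append((ipaddress.ip_network(f"{tok[1]}/{tok[2]}"), tok[3]))
    return enabled, ifaces, rules

def asdm_targets(config, client_ip):
    """Interface addresses on which this client is permitted to open HTTPS/ASDM."""
    enabled, ifaces, rules = parse_asa(config)
    if not enabled:
        return []
    client = ipaddress.ip_address(client_ip)
    return sorted({str(ifaces[name].ip) for net, name in rules
                   if client in net and name in ifaces})

if __name__ == "__main__":
    for ip in ("192.168.1.5", "192.168.10.50"):
        print(ip, "->", asdm_targets(SAMPLE_CONFIG, ip) or "no http rule matches")
```

With the posted config a 192.168.10.0/24 client matches no `http` rule, which is consistent with the timeout at https://192.168.10.11/. Since a rule on `outside` opens the management interface to the whole network it names, keep that range as narrow as the admin workstations need.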