Monthly Archives: December 2018

Using a Cisco ASA5510 as a home router and DHCP server

Tired of Cheap Residential Linksys and TP-Link Routers?

If you're like me, you've probably noticed that your average off-the-shelf wifi router from Best Buy costs around $100 and lasts about a year… if you're lucky. Tired of that? Me too. So I decided to use a hardened Cisco ASA5510. These are really solid units, run forever, and they are cheaply found on eBay. You can even run two of them in active/standby failover mode.

The Costs…

So an ASA5510 with the Security Plus license runs about $80 on eBay. This unit has 4 NICs, two of which are licensed to run at 1Gbps; in other words, 1 NIC is your ISP uplink (outside interface) and the other NIC feeds your home's LAN space (inside interface). That still leaves 2 NICs running at 100Mbps which you can operate as additional, separate LAN spaces for security. As a small side note, I have two VoIP ATAs that I run for phone service. These devices tend to be "vulnerable" to remote hacks, so as a precaution, my Grandstream ATAs sit on a separate network behind my ASA5510 on NIC3. This security zone is completely isolated from the rest of my network.

What about Wifi?

Clearly an ASA5510 has no Wifi capability, so for that we will use a Cisco SAP2600 access point. These run around $80-$140 on eBay. Again, they are extremely robust, will last forever, and have excellent range. I will discuss the configuration of the SAP2600 in a separate article, but it's very straightforward: the SAP2600 is a standalone access point out of the box. You simply connect it to your WAN, it grabs an IP via DHCP, then you configure your SSIDs for 2 and 5 GHz. The access point simply forwards DHCP requests through to the ASA.

Initial Configuration of the ASA5510

So we will use Ethernet0/0 as the "outside" uplink to the ISP and Ethernet0/1 as the "inside" LAN. In my case, Ethernet0/1 goes to a switch where I hard-wire some devices as well as my Cisco SAP2600 access point. For this example, I am using Verizon FiOS, which does not provide a static IP, so the ISP uplink will be configured via DHCP. I will also include an example of how to set up a port forward to, say, a personal web server.

Most ASAs off eBay will come with ASA software version 8.0, 8.1, or 8.2. For home use, this is fine; don't try to run anything higher. Also, don't bother with the ASDM, it's useless. ASAs were meant to be configured via the command line. I am not going to bother showing a full config dump; rather, when you get console access, do a "write erase" followed by "reload". This will bring up the ASA with the default config. From that default config, below is what you want to configure:

interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute

The above sets our ISP uplink, and assigns the WAN IP via DHCP.

interface Ethernet0/1
nameif inside
security-level 100
ip address

The above sets our inside or LAN interface. In my case, I’m using 192.168.1.X/24 as my LAN space.

access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit tcp any interface outside eq www

This is a sample ACL for opening port 80 access to a personal web server I am running on the LAN with IP

global (outside) 1 interface
nat (inside) 1
nat (voice1) 1

This is required for functionality. The global statement sets our outbound PAT or proxy address translation. The nat statement tells the ASA that the 192.168.1.X range is what should be NAT’d.

static (inside,outside) interface netmask
access-group outside in interface outside

This is related to our web server example. The access-group statement binds the ACL to the outside interface. The static translation effectively creates the port forward: it tells the ASA to "connect" the WAN IP of the outside interface (which we get via DHCP from the ISP) to the private LAN IP of my web server, which is

telnet inside
dhcpd dns
dhcpd ping_timeout 750
dhcpd address inside
dhcpd enable inside

This last piece enables telnet access to the ASA from the LAN. This is also where we configure the LAN's DHCP server. In this case I have allocated the range through .199, and I also set my resolving DNS servers, which the DHCP process will hand out to the clients.

Lastly, secure your ASA by setting the proper passwords:

enable password CLEAR-TXT-PASSWD
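The isolated voice zone described above (the Grandstream ATAs on NIC3, referenced by the "nat (voice1) 1" line) has no interface or access list shown. As an added example, not the author's config, this is how that zone could be defined in ASA 8.2 syntax; Ethernet0/2, the 192.168.2.0/24 range, the security level and the DHCP pool are assumed values.

```text
! Third NIC as the isolated voice zone (assumed: Ethernet0/2, 192.168.2.0/24)
interface Ethernet0/2
 nameif voice1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! ATAs may reach the Internet but never the inside LAN. The explicit deny
! means the isolation does not depend on security-level ordering alone.
! inside -> voice1 (100 -> 50) stays allowed by default, so the ATA web
! interfaces remain reachable from the LAN for administration.
access-list voice1_in extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list voice1_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group voice1_in in interface voice1
!
! PAT the voice range behind the outside interface, same pool 1 as inside
nat (voice1) 1 192.168.2.0 255.255.255.0
!
! Hand out addresses on voice1 too (pool is an assumed value)
dhcpd address 192.168.2.100-192.168.2.120 voice1
dhcpd enable voice1
```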

Securing WordPress – Foolproof Method

Are you tired of your WordPress site being hacked?

I have a simple and effective solution. The biggest reason WordPress gets hacked is the very insecure file permissions that exist on the backend server, plus the many bugs within wp-admin that can be exploited. These permissions and exploits make it easy to upload content, install plugins, brute-force the login and so on. But if you're like me, once your WordPress environment is set up, it doesn't really change after that. All I do is upload images and write posts. So I wrote a simple set of lockdown scripts which I execute from the command line.

The lockdown script does a few things:

1. It removes wp-login.php from the base web root
2. It removes the entire wp-admin directory
3. It resets the permissions on wp-content/uploads

The unlock script effectively does the reverse.

So when I need to make changes or write an article, I SSH into my server and run the unlock script. When I am all done, I run the lockdown script. Here is the raw code for those scripts, in Perl:

A few details. My web server runs as the "www" user, so that's why I chown the uploads directory to www. My web root is /usr/local/www/apache24/data and the resources directory is my WordPress base URL, i.e. The script runs as the root user and stores the temp files in /root.
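The three lockdown steps and their reverse, written out as an added example in POSIX shell (this is not the author's Perl code). The web root, stash directory and web user are parameters or assumptions; the author's values are /usr/local/www/apache24/data, /root and "www", and the WordPress tree the demo builds is a constructed stand-in.

```sh
#!/bin/sh
# Added example, not the author's Perl scripts: the lock/unlock cycle from the
# post as shell functions. Web root, stash and web user are assumptions.
set -eu
WEB_USER=${WEB_USER:-www}   # owner of uploads while unlocked (author uses "www")

# Build a throwaway tree with just the pieces the scripts touch
# (constructed sample, not a real site).
make_demo_root() {
    mkdir -p "$1/wp-admin/includes" "$1/wp-content/uploads/2018/12"
    echo '<?php // stand-in for wp-login.php' > "$1/wp-login.php"
    echo '<?php // stand-in for wp-admin/index.php' > "$1/wp-admin/index.php"
    echo 'jpeg-bytes' > "$1/wp-content/uploads/2018/12/photo.jpg"
}
# Lockdown: move wp-login.php and the whole wp-admin tree out of the web root
# (into the stash, /root for the author) so neither is reachable over HTTP,
# then make uploads read-only, since nothing changes while locked.
wp_lock() {
    webroot=$1; stash=$2
    mkdir -p "$stash"
    if [ -f "$webroot/wp-login.php" ]; then mv "$webroot/wp-login.php" "$stash/"; fi
    if [ -d "$webroot/wp-admin" ]; then mv "$webroot/wp-admin" "$stash/"; fi
    find "$webroot/wp-content/uploads" -type d -exec chmod 555 {} +
    find "$webroot/wp-content/uploads" -type f -exec chmod 444 {} +
}
# Unlock: put both back and hand uploads to the web server user again so
# media can be added. chown needs root and an existing user, else it is skipped.
wp_unlock() {
    webroot=$1; stash=$2
    if [ -f "$stash/wp-login.php" ]; then mv "$stash/wp-login.php" "$webroot/"; fi
    if [ -d "$stash/wp-admin" ]; then mv "$stash/wp-admin" "$webroot/"; fi
    find "$webroot/wp-content/uploads" -type d -exec chmod 755 {} +
    find "$webroot/wp-content/uploads" -type f -exec chmod 644 {} +
    if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1; then
        chown -R "$WEB_USER" "$webroot/wp-content/uploads"
    fi
}
# Report which state the site is in; useful before starting an edit session.
wp_state() {
    if [ -e "$1/wp-login.php" ] || [ -e "$1/wp-admin" ]; then echo unlocked
    else echo locked; fi
}

# Demo run in a temp dir: lock, show state, unlock, show state.
demo=$(mktemp -d)
make_demo_root "$demo/www"
wp_lock "$demo/www" "$demo/stash";   wp_state "$demo/www"    # locked
wp_unlock "$demo/www" "$demo/stash"; wp_state "$demo/www"    # unlocked
rm -rf "$demo"
```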