Category Archives: Cisco

Using a Cisco ASA5510 as a home router and DHCP server

Tired of Cheap Residential Linksys and TP-Link Routers?

If you're like me, you've probably noticed that your average off-the-shelf Wi-Fi router from Best Buy costs around $100 and lasts about a year… if you're lucky. Tired of that? Me too. So I decided to use a hardened Cisco ASA5510. These are really solid units, run forever, and they are cheaply found on eBay. You can even run two of them in active/standby failover mode.

The Costs…

So an ASA5510 with the Security Plus license runs about $80 on eBay. This unit has 4 NICs, two of which are licensed to run at 1Gbps; in other words, 1 NIC is your ISP uplink (outside interface) and the other NIC feeds your home's LAN space (inside interface). That still leaves 2 NICs running at 100Mbps which you can operate as additional LAN spaces for security. As a small side note, I have two VoIP ATAs that I run for phone service; these devices tend to be "vulnerable" to remote hacks, so as a precaution my Grandstream ATAs sit on a separate network behind my ASA5510 on NIC3. This security zone is completely isolated from the rest of my network.

What about Wifi?

Clearly an ASA5510 has no Wi-Fi capability, so for that we will use a Cisco SAP2600 access point. These run around $80-$140 on eBay. Again, they are extremely robust and will last forever, and they also have excellent range. I will discuss the configuration of the SAP2600 in a separate article, but it's very straightforward: the SAP2600 is, out of the box, a standalone access point. You simply connect it to your WAN, it grabs an IP via DHCP, then you configure your SSIDs for 2 and 5 GHz. The access point simply forwards DHCP requests through to the ASA.

Initial Configuration of the ASA5510

So we will use Ethernet0/0 as the "outside" uplink to the ISP and Ethernet0/1 as the "inside" LAN. In my case, Ethernet0/1 goes to a switch where I hard-wire some devices as well as my Cisco SAP2600 access point. For this example, I am using Verizon FiOS, which does not have a static IP, so the ISP uplink will be done via DHCP. I will also include an example of how to set up port forwarding to, say, a personal web server.

Most ASAs off eBay will come with ASA software version 8.0, 8.1, or 8.2. For home use, this is fine; don't try to run anything higher. Also, don't bother with the ASDM, it's useless. ASAs were meant to be configured via the command line. I am not going to bother showing a full config dump; rather, when you get console access, do a "write erase" followed by "reload". This will bring up the ASA with the default config. From that default config, below is what you want to configure:

interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute

The above sets our ISP uplink, and assigns the WAN IP via DHCP.

interface Ethernet0/1
nameif inside
security-level 100
ip address

The above sets our inside or LAN interface. In my case, I’m using 192.168.1.X/24 as my LAN space.

access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit tcp any interface outside eq www

This is a sample ACL for opening port 80 access to a personal web server I am running on the LAN with IP

global (outside) 1 interface
nat (inside) 1
nat (voice1) 1

This is required for functionality. The global statement sets our outbound PAT (port address translation). The nat statement tells the ASA that the 192.168.1.X range is what should be NAT'd.

static (inside,outside) interface netmask
access-group outside in interface outside

This is related to our web server example. The access-group statement binds the ACL to the outside interface. The static translation effectively completes the port forward: it tells the ASA to "connect" the WAN IP of the outside interface (which we get via DHCP from the ISP) to the private LAN IP of my web server, which is

telnet inside
dhcpd dns
dhcpd ping_timeout 750
dhcpd address inside
dhcpd enable inside

This last piece enables telnet access to the ASA from the LAN. This is also where we configure the LAN's DHCP server. In this case I have allocated the range through .199, and I also set my resolving DNS servers, which the DHCP process will hand out to the clients.

Lastly, secure your ASA by setting the proper passwords:

enable password CLEAR-TXT-PASSWD

Filtering outbound BGP announcements in Cisco IOS

We previously looked at a sample BGP setup for a Cisco 6500 series router. What if you have multiple BGP peers and want to restrict which prefixes or IP blocks you announce to which peers? Simple: we can use the prefix-list command.

What you announce to each BGP peer will affect the traffic that comes in. So sometimes filtering what you announce can help shape your inbound traffic usage, or it can be used to limit one of your peers to very little traffic so you have a backdoor option during a high-load event or DDoS.
Let's look at a sample BGP config:

router bgp 17500
bgp log-neighbor-changes
neighbor remote-as 1000
neighbor ebgp-multihop 5
neighbor update-source GigabitEthernet5/8
neighbor remote-as 2000
neighbor ebgp-multihop 5
neighbor update-source GigabitEthernet4/8
address-family ipv4
neighbor activate
neighbor next-hop-self
neighbor send-community
neighbor soft-reconfiguration inbound
neighbor prefix-list PeerA-out out
neighbor filter-list 1 in
neighbor filter-list 15 out
neighbor activate
neighbor next-hop-self
neighbor send-community
neighbor soft-reconfiguration inbound
neighbor prefix-list PeerB-out out
neighbor filter-list 1 in
neighbor filter-list 15 out

My ASN is 17500 and I have two BGP uplinks, one to AS 1000 (we’ll call this Peer A) and one to AS 2000 (we’ll call this Peer B). I am announcing the following prefixes:

As you can see, for each peer, I have included a statement with

    prefix-list “LIST-NAME” out

This statement restricts what my ASN will announce OUT to my peers. Let's say I want to BGP announce all three prefixes to Peer A, but I only want to announce to Peer B. This is what those respective prefix-lists will look like:

ip prefix-list PeerA-out seq 1 permit
ip prefix-list PeerA-out seq 2 permit
ip prefix-list PeerA-out seq 3 permit
ip prefix-list PeerA-out seq 100 deny
ip prefix-list PeerB-out seq 1 permit
ip prefix-list PeerB-out seq 100 deny

That's all there is to it.

Configuring SSL VPN on Cisco ASA

Starting a few years ago, Cisco began to phase out support for their long-standing VPN Client software, which used IPsec. Basically, they didn't make a 64-bit version to run on Windows 7 and 8, so unless you use XP, it's very hard to use the old Cisco VPN client software. The replacement is AnyConnect, which can be launched via the web. AnyConnect does not use IPsec for the VPN tunnel; it uses SSL. The downside is that it requires additional licensing: most ASAs only come with 1 SSL VPN user license and 10 IPsec.
Here is how you configure a typical ASA (running IOS 8.3) to use WebVPN and AnyConnect.
1. The outside or public WAN IP of the ASA is
2. The inside or local access range is
3. The VPN IP pool that we will create is
Here is the complete config with some comments.
Create and apply a nonat access list:
ASA(config)# access-list nonat extended permit ip
ASA(config)# nat (inside) 0 access-list nonat

Define a split tunnel access list:

ASA(config)# access-list splitvpn standard permit

Define the Group Policy for the WebVPN:

ASA(config)# group-policy SSLVPN_POLICY internal
ASA(config)# group-policy SSLVPN_POLICY attributes
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitvpn
ASA(config-group-webvpn)# split-dns value
ASA(config-group-webvpn)# dns-server value X.X.X.X

In the above case, would be your local DNS search suffix. The X.X.X.X would be the IP of your local DNS server if you use one; if not, you can leave it out or insert a public DNS server IP like
Define a DHCP pool for the clients to use:
ASA(config)# ip local pool vpnpool mask
Define a local user to use for the VPN:
ASA(config)# username johndoe password ABC123 privilege 0
ASA(config)# username johndoe attributes
ASA(config-username)# vpn-group-policy SSLVPN_POLICY

Enable WebVPN:
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
ASA(config-webvpn)# svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
ASA(config-webvpn)# svc enable

The above location/filename of the AnyConnect software may vary; to verify, just type the "dir" command from the main prompt to see a file listing with the exact filenames and versions.
Define the tunnel group:
ASA(config)# tunnel-group SSLVPN_TUNNEL type remote-access
ASA(config)# tunnel-group SSLVPN_TUNNEL general-attributes
ASA(config-tunnel-general)# default-group-policy SSLVPN_POLICY
ASA(config-tunnel-general)# address-pool vpnpool

Link the tunnel group to WebVPN:

ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group SSLVPN_TUNNEL webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

Basic Cisco Router Config with BGP Uplink

Do you have your own /24 IP subnet and want to set up a BGP router? This article will give a basic overview of the key components required. The syntax used is for an IOS 12.2 Cisco 6500 series, but it is applicable to a 7600 series, a 7200 series, or even an 1800 or 2800 series router.
1. The /24 subnet we are announcing is
2. The IPv4 WAN Subnet from our upstream BGP provider is
3. Upstream BGP peer’s AS is 1000, and our AS is 17500
So to begin, we assume our BGP uplink is delivered to us via a basic Cat5 handoff. This handoff has a static WAN subnet of – our side of the WAN is and the provider's side of the WAN is . That also means our default GW is
We connect this Cat5 uplink to FastEthernet7/1 on our 6500. Now we need to go into the 6500 series router, configure the WAN link, then do all the BGP configs so we can start using our /24 subnet.
We log in with enable access and go to configuration mode:
Cisco6500# config t
We now set up the WAN link:
Cisco6500(config)# interface FastEthernet7/1
Cisco6500(config-if)# desc BGP Uplink
Cisco6500(config-if)# ip address
Cisco6500(config-if)# no shutdown

We set the default route:
Cisco6500(config)# ip route 250
At this point our router is live and we should be able to ping out to the internet. In order to use our own /24 and AS we need to set up a BGP session with our upstream; let's get started:

Cisco6500(config)# router bgp 17500

The above effectively "creates" the BGP process on our end acting as AS 17500; we now need to configure it. We are inside the router statement, so every command from this point on affects only the BGP config. We have to exit out to return to the main config.
Cisco6500(config-router)# bgp log-neighbor-changes
Cisco6500(config-router)# neighbor remote-as 1000
Cisco6500(config-router)# neighbor ebgp-multihop 5
Cisco6500(config-router)# neighbor password ABC123

Quick recap of the above. We are telling our BGP process about our first neighbor or "peer". The peer address is the WAN-side IP of our upstream; we specify that our peer's AS is 1000; we specify a BGP session password (this is optional, and must be configured to match on the other end); the ebgp-multihop 5 entry is also potentially optional, but I like to add it just in case there are any hops between myself and my peer.
Now we configure the IPv4 portion of the BGP config. In order to do that, we go one more level down in the config by entering the following:

Cisco6500(config-router)# address-family ipv4

This puts you into a sub-config menu, and your prompt will change. From here we can add the IP details of our BGP session:
Cisco6500(config-router-af)# neighbor activate
Cisco6500(config-router-af)# neighbor next-hop-self
Cisco6500(config-router-af)# neighbor send-community
Cisco6500(config-router-af)# neighbor soft-reconfiguration inbound
Cisco6500(config-router-af)# neighbor filter-list 1 in
Cisco6500(config-router-af)# neighbor filter-list 15 out

The first line activates IPv4 on the session. The next three lines are pretty basic and normal. The soft-reconfiguration line is required if you want to be able to do soft resets of the BGP session to grab updates from the other side, or vice versa. The last two lines are tricky, but basically they control what we will allow in and what we allow out from our router. I will describe these filter lists below after we are done with the main BGP config. The following lines finish out our IPv4 portion of the config:

Cisco6500(config-router-af)# no auto-summary
Cisco6500(config-router-af)# no synchronization
Cisco6500(config-router-af)# network mask

The last line here is our IPv4 announcement. Now we exit out of the address-family sub-config, and the bgp router sub-config:
Cisco6500(config-router-af)# exit
Cisco6500(config-router)# exit

This returns us to the main config menu. At this point our BGP session is 95% complete, just a few loose ends to finish up. Mainly, we have to create the in and out filter-list rules for the BGP prefixes we will allow in and out. We add the following:
Cisco6500(config)# ip as-path access-list 1 permit .*
Cisco6500(config)# ip as-path access-list 15 permit ^$
Cisco6500(config)# ip as-path access-list 15 permit ^(17500_)+$

Access list 1 permits everything in, which is what we want. Access list 15 only permits routes whose AS path is empty or consists solely of our AS 17500 to go out, i.e. our own announcement and nothing we learned from the upstream. Last but not least, we need to locally null route our IP announcement:

Cisco6500(config)# ip route Null0 250
Cisco6500(config)# exit
Cisco6500# write mem

At this point our BGP router is live, you can verify with the following command:
Cisco6500# sh ip bgp summary
BGP router identifier, local AS number 17500
BGP table version is 27807253, main routing table version 27807253
187089 network entries using 18895989 bytes of memory
203251 path entries using 9756048 bytes of memory
48641 BGP path attribute entries using 2724008 bytes of memory
39260 BGP AS-PATH entries using 1076272 bytes of memory
58 BGP community entries using 1392 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
61132 BGP filter-list cache entries using 733584 bytes of memory
BGP using 33187293 total bytes of memory
8 received paths for inbound soft reconfiguration
BGP activity 4186733/3980758 prefixes, 6186177/5962957 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4 1000 10948679 267030 27806888 0 0 7w2d 174293

With your BGP router live and running, you can start using your IP space on any interface by simply assigning a subnet of your choosing, for example:
Cisco6500(config)# interface FastEthernet7/2
Cisco6500(config-if)# desc Mail Server
Cisco6500(config-if)# ip address
Cisco6500(config-if)# no shutdown

This creates a subnet on interface 7/2 with acting as the default gateway. Simply connect a server to that port and it will be live with a usable IP in the .2 through .6 range (.7 is reserved for the broadcast).
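The two BGP posts above both rely on outbound filtering: the per-peer prefix-list (PeerA-out / PeerB-out) and as-path access-list 15. As an added example that is not part of either post, here is a small Python model of both filters with IOS matching semantics, run over constructed RFC 5737 prefixes standing in for the three /24s (the seq 100 catch-all is assumed to be `deny 0.0.0.0/0 le 32`, since the page does not preserve it). It also shows why filter-list 15 matters even with no prefix-list applied: a route learned from Peer A is never re-announced.

```python
import ipaddress
import re

# Constructed prefixes (RFC 5737 ranges) standing in for the three /24s the
# posts announce; the posts' own prefixes were not preserved on the page.
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# ip prefix-list PeerA-out / PeerB-out as (seq, action, prefix, ge, le); the
# seq 100 catch-all is assumed to be "deny 0.0.0.0/0 le 32".
PEER_A_OUT = [(1, "permit", "192.0.2.0/24", None, None),
              (2, "permit", "198.51.100.0/24", None, None),
              (3, "permit", "203.0.113.0/24", None, None),
              (100, "deny", "0.0.0.0/0", None, 32)]
PEER_B_OUT = [(1, "permit", "192.0.2.0/24", None, None),
              (100, "deny", "0.0.0.0/0", None, 32)]

# ip as-path access-list 15: only routes originating in AS 17500 may leave.
FILTER_LIST_15 = [r"^$", r"^(17500_)+$"]

def prefix_list_permits(entries, prefix):
    """IOS prefix-list: lowest seq first, first match wins, implicit deny."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry, ge, le in sorted(entries):
        ent = ipaddress.ip_network(entry)
        if ge is None and le is None:
            matched = net == ent  # no ge/le: exact prefix length only
        else:
            low = ent.prefixlen if ge is None else ge
            high = net.max_prefixlen if le is None else le
            matched = net.subnet_of(ent) and low <= net.prefixlen <= high
        if matched:
            return action == "permit"
    return False

def as_path_permits(regexes, as_path):
    """IOS as-path list: '_' matches start, end or a separator; no match = deny."""
    path_str = " ".join(str(asn) for asn in as_path)
    return any(re.search(rx.replace("_", r"(?:^|$|\s)"), path_str) for rx in regexes)

def will_announce(prefix, as_path, prefix_list=None, filter_list=FILTER_LIST_15):
    """Both filters must accept the route; a locally originated route has an
    empty AS path when the outbound filter runs."""
    if prefix_list is not None and not prefix_list_permits(prefix_list, prefix):
        return False
    return as_path_permits(filter_list, as_path)

def announced_to(prefix_list=None):
    routes = [(p, []) for p in OUR_PREFIXES]
    routes.append(("100.64.0.0/10", [1000, 64496]))  # constructed: learned from Peer A
    return [p for p, path in routes if will_announce(p, path, prefix_list)]
```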

Enabling SSH Access on Cisco ASA Appliances

It is very important to access your ASA via SSH and not telnet. Even if you only enable access from your inside interface, this protects against an undetected malware bot on your local network sniffing your clear-text password.
For this example, we are enabling SSH on our inside interface network (
To get started, enter configuration mode:
asa# config t
Make sure you have an enable password set; in this case TEXT is your clear-text enable password:
asa(config)# enable password TEXT
Now we create a local user for SSH login; in this case the username is admin with password ABC123:
asa(config)# aaa authentication ssh console LOCAL
asa(config)# username admin password ABC123 privilege 15
Allow access from our inside network:
asa(config)# ssh inside
And finally, generate an RSA key:
asa(config)# domain-name
asa(config)# crypto key generate rsa modulus 1024

It is important to note that you have to specify a domain name in order to generate a functional RSA key. Also, if you want to enable SSH access from the outside, you would use the following line:
asa(config)# ssh outside
In this case, I am only allowing SSH from a single IP address of for, say, a home office.
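As an added example (not the author's code), the following Python script audits an ASA running-config for the points raised in this post and in the home-router post above: telnet enabled on any interface, SSH from a security-level 0 interface that is not pinned to a single host, ports opened to any source on the outside interface, and a missing enable password. The config excerpt is constructed with placeholder addresses.

```python
import re

# Constructed running-config excerpt modelled on the home-router post above;
# the addresses are RFC 1918 / RFC 5737 placeholders, not the author's.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list outside extended permit tcp any interface outside eq www
access-list outside extended permit tcp any interface outside eq 3389
access-group outside in interface outside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
enable password CLEAR-TXT-PASSWD
"""

def interface_levels(config):
    """Map each nameif to its security-level from the indented interface blocks."""
    levels, block = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            block = {}
        elif block is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            block[key] = value
            if "nameif" in block and "security-level" in block:
                levels[block["nameif"]] = int(block["security-level"])
    return levels

def audit(config):
    """Findings a defender should review: cleartext management, wide-open
    management from a security-level 0 interface, exposed ports, no enable password."""
    findings, levels = [], interface_levels(config)
    for m in re.finditer(r"^telnet \S+ \S+ (\S+)$", config, re.M):
        findings.append(f"telnet (cleartext) enabled on {m.group(1)}; use ssh instead")
    for m in re.finditer(r"^ssh \S+ (\S+) (\S+)$", config, re.M):
        if levels.get(m.group(2)) == 0 and m.group(1) != "255.255.255.255":
            findings.append(f"ssh on {m.group(2)} not limited to a single host")
    for m in re.finditer(r"^access-list (\S+) extended permit (\w+) any interface outside eq (\S+)$", config, re.M):
        findings.append(f"acl {m.group(1)}: {m.group(3)}/{m.group(2)} open to any source")
    if not re.search(r"^enable password \S+", config, re.M):
        findings.append("no enable password set")
    return findings
```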