Tired of Cheap Residential Linksys and TP-Link Routers?
If you're like me, you've probably noticed that your average off-the-shelf wifi router from Best Buy costs around $100 and lasts about a year… if you're lucky. Tired of that? Me too. So I decided to use a hardened Cisco ASA5510. These are really solid units, run forever, and they are cheaply found on eBay. You can even run two of them in active/standby failover mode.
So an ASA5510 with the Security Plus license runs about $80 on eBay. This unit has 4 NICs, two of which are licensed to run at 1Gbps; in other words, 1 NIC is your ISP uplink (outside interface) and the other NIC feeds your home's LAN space (inside interface). That still leaves 2 NICs running at 100Mbps which you can operate as additional LAN spaces for security. As a small side note, I have two VOIP ATAs that I run for phone service. These devices tend to be "vulnerable" to remote hacks, so as a precaution, my Grandstream ATAs sit on a separate network behind my ASA5510 on NIC3. This security zone is completely isolated from the rest of my network.
What about Wifi?
Clearly an ASA5510 has no Wifi capability, so for that we will use a Cisco SAP2600 access point. These run around $80-$140 on eBay. Again, they are extremely robust and will last forever, and they also have excellent range. I will discuss the configuration of the SAP2600 in a separate article, but it's very straightforward as the SAP2600 is out-of-the-box a standalone access point: you simply connect it to your WAN, it grabs an IP via DHCP, then you configure your SSIDs for 2 and 5 GHz. The access point simply forwards DHCP requests through to the ASA.
Initial Configuration of the ASA5510
So we will use Ethernet0/0 as the "outside" uplink to the ISP and Ethernet0/1 as the "inside" LAN. In my case, Ethernet0/1 goes to a switch where I hard-wire some devices as well as my Cisco SAP2600 access point. For this example, I am using Verizon FiOS, which does not have a static IP, so the ISP uplink will be done via DHCP. I will also include an example of how to set up a port forward to, say, a personal web server.
Most ASAs off eBay will come with ASA software version 8.0, 8.1, or 8.2. For home use, this is fine; don't try to run anything higher (the nat, global and static commands below use the pre-8.3 syntax and will not be accepted as-is on 8.3 or later, where NAT was rewritten). Also, don't bother with the ASDM, it's useless. ASAs were meant to be configured via command line. I am not going to bother showing a full config dump; rather, when you get console access, do a "write erase" followed by "reload". This will bring up the ASA with the default config. From that default config, below is what you want to configure:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
The above configures Ethernet0/0 as our ISP uplink, names it "outside" with the lowest security level, and assigns the WAN IP via DHCP; setroute installs the default route the ISP hands out together with the address.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
The above configures Ethernet0/1 as our inside or LAN interface, named "inside" with the highest security level. In my case, I'm using 192.168.1.X/24 as my LAN space.
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit tcp any interface outside eq www
This is a sample ACL for opening port 80 access to a personal web server I am running on the LAN with IP 192.168.1.250. The ICMP lines let ping and traceroute replies reach the outside interface; the first of them already covers the three more specific ones that follow. The last line is the one that admits web traffic, and it matches the outside interface's own address because that is what the static translation below maps to the server.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (voice1) 1 192.168.5.0 255.255.255.0
This is required for functionality. The global statement sets our outbound PAT (port address translation) to the address of the outside interface. The first nat statement tells the ASA that the 192.168.1.X range is what should be NAT'd; the second does the same for the 192.168.5.X range on the isolated VoIP interface (named voice1 on my unit, the NIC3 zone mentioned earlier). If you don't have that third interface configured, omit the voice1 line.
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
access-group outside in interface outside
This is related to our web server example. The access-group statement binds the ACL inbound on the outside interface. The static translation is the port forward itself: it tells the ASA to "connect" TCP port 80 (www) on the WAN IP of the outside interface (which we get via DHCP from the ISP) to port 80 on the private LAN IP of my web server, 192.168.1.250. Limiting the static to that one protocol and port means only web traffic can ever reach the server through this mapping; a static without a protocol and port would map every port of the server to the WAN address and leave the ACL as the only thing keeping the rest closed.
telnet 0.0.0.0 0.0.0.0 inside
dhcpd dns 126.96.36.199 188.8.131.52
dhcpd ping_timeout 750
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd enable inside
This last piece enables telnet access to the ASA from the LAN. This is also where we configure the LAN's DHCP server. In this case I have allocated the range 192.168.1.100 through .199, and I also set my resolving DNS servers, which the DHCP process will hand out to the clients. Note that telnet is cleartext and the 0.0.0.0 0.0.0.0 form accepts connections from any source address arriving on the inside interface; you can tighten it to your LAN subnet with telnet 192.168.1.0 255.255.255.0 inside, or use ssh in its place.
Lastly, secure your ASA by setting the proper passwords. enable password protects privileged (enable) mode, and passwd is the login password the telnet prompt asks for; replace CLEAR-TXT-PASSWD with your own values:
enable password CLEAR-TXT-PASSWD
passwd CLEAR-TXT-PASSWD
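Once the config above is in place, it is worth checking what it actually exposes before plugging in the ISP uplink. The script below is an added example, not part of the article and not a Cisco tool: it parses the pre-8.3 style config text used in this post, intersects the ACL bound on the outside interface with the static translations that map the outside address to LAN hosts, and flags loose management settings (telnet from any source, telnet without a passwd line, telnet with no ssh alternative). The SAMPLE_CONFIG string is constructed here from the article's values; the PORT_NAMES table is a small hand-picked subset of the service names the ASA accepts, and the audit knows only the commands shown in this post.

```python
"""Offline audit of a pre-8.3 Cisco ASA configuration (added example)."""

# Constructed sample in the article's 8.2-style syntax (port-specific static).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit tcp any interface outside eq www
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
access-group outside in interface outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd enable inside
passwd CLEAR-TXT-PASSWD
enable password CLEAR-TXT-PASSWD
"""

# Hand-picked subset of service names the ASA accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
              "smtp": 25, "domain": 53, "ftp": 21}


def port_number(tok):
    """Map a port token (name or number) to an int; None if unknown."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def parse_static(line):
    """Decode both forms of the pre-8.3 'static' command.

    Host-wide:     static (inside,outside) interface 192.168.1.250 netmask ...
    Port-specific: static (inside,outside) tcp interface www 192.168.1.250 www netmask ...
    """
    t = line.split()
    mapped_if = t[1].strip("()").split(",")[1]
    if t[2] in ("tcp", "udp"):
        return {"mapped_if": mapped_if, "proto": t[2], "global": t[3],
                "port": port_number(t[4]), "real": t[5]}
    return {"mapped_if": mapped_if, "proto": "any", "global": t[2],
            "port": None, "real": t[3]}


def parse_config(text):
    """Collect the lines that decide external exposure and management access."""
    cfg = {"acl": {}, "static": [], "telnet": [], "ssh": [],
           "access_group": {}, "passwd": False}
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "access-list" and "extended" in t:
            cfg["acl"].setdefault(t[1], []).append(t)
        elif t[0] == "static":
            cfg["static"].append(parse_static(raw))
        elif t[0] in ("telnet", "ssh") and len(t) == 4 and t[1][0].isdigit():
            cfg[t[0]].append((t[1], t[2], t[3]))   # (address, mask, interface)
        elif t[0] == "access-group":             # access-group NAME in interface IFACE
            cfg["access_group"][t[4]] = t[1]
        elif t[0] == "passwd":
            cfg["passwd"] = True
    return cfg


def exposed_services(cfg):
    """Intersect 'permit <proto> any ...' entries of the ACL bound inbound on
    outside with statics that map the outside interface address to a LAN host."""
    acl_name = cfg["access_group"].get("outside")
    exposed = []
    for t in cfg["acl"].get(acl_name, []):
        if t[3] != "permit" or t[5] != "any":
            continue                             # only from-anywhere permits matter here
        proto = t[4]
        port = port_number(t[t.index("eq") + 1]) if "eq" in t else None
        for s in cfg["static"]:
            if s["mapped_if"] != "outside" or s["global"] != "interface":
                continue
            proto_ok = proto == "ip" or s["proto"] in ("any", proto)
            port_ok = None in (s["port"], port) or s["port"] == port
            if proto_ok and port_ok:
                exposed.append((proto, port if port is not None else s["port"], s["real"]))
    return exposed


def audit(text):
    """Return human-readable findings for a config text."""
    cfg = parse_config(text)
    findings = []
    for _addr, mask, iface in cfg["telnet"]:
        if mask == "0.0.0.0":
            findings.append(f"telnet: any source allowed on {iface}; restrict to the LAN subnet")
    if cfg["telnet"] and not cfg["passwd"]:
        findings.append("telnet: no 'passwd' line, so login uses the factory default")
    if cfg["telnet"] and not cfg["ssh"]:
        findings.append("management: telnet only (cleartext); prefer ssh")
    for s in cfg["static"]:
        if s["port"] is None:
            findings.append(f"static: every port of {s['real']} is mapped to the "
                            f"{s['mapped_if']} address; the ACL is the only filter")
    for proto, port, real in exposed_services(cfg):
        findings.append(f"exposed: {proto}/{port} from any -> {real}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it on a copy of your running config (show running-config pasted into a file) and read the "exposed:" lines as the list of things the Internet can reach; with the port-specific static from this post that list is a single tcp/80 entry, while a host-wide static turns every inbound permit into a forwarded service and shows up as a "static:" finding.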