
Setting up a Cisco ASA 5505 firewall with a wireless router

This walk-through on setting up a Cisco ASA 5505 firewall with a wireless router focuses on things you might encounter when doing the setup at home.

I've been working on getting a Cisco ASA 5505 firewall set up at home so that eventually I can create a site-to-site VPN between my house and my office. I've written several posts about setting up Cisco 5510s, but this piece focuses on common things you might encounter at home like not having a static IP from your ISP or utilizing your current wireless router. In my case I'm using a NetGear WNDR3700, but I'll go over what you need to do at a high level, which should work with any wireless router.

The firewall setup can seem a little daunting, especially because you will most likely lose your Internet access while you're doing it. Remember there are only four basic things you need to configure to get Internet access.

  1. You should configure the inside and outside interfaces.
  2. You need a default route that tells the ASA where to send traffic bound for networks it doesn't know about, i.e., your ISP's gateway.
  3. You need to configure Port Address Translation (PAT). This is what lets you have a single public IP address from your ISP while several devices on your internal network share it in a many-to-one configuration: the ASA rewrites each outbound connection to the outside address and a unique source port and maps the replies back.
  4. You need access rules (access lists) that permit the traffic your devices generate so they can browse web pages, download from FTP sites, etc. Note that the ASA permits traffic from a higher security level (inside, 100) to a lower one (outside, 0) by default and blocks the reverse, so a factory-default ASA already allows outbound browsing. Explicit rules become necessary once you apply an access list to the inside interface, want to allow inbound connections, or want ping replies to come back (which needs either an outside rule or ICMP inspection).

Initial setup and configuration of interfaces

  1. Connect the network cable from the modem to port 0 (default outside port) on the ASA.
  2. Connect your computer to one of the other ports on the ASA, which should be on the inside network by default. Ports 6 and 7 are Power over Ethernet (PoE) ports; I recommend reserving those ports for any devices that can use PoE.
  3. Open a browser on your computer and go to 192.168.1.1, which is the default address for connecting to the ASA.
  4. Click Run ASDM. (Another option is to click Run Startup Wizard and do this entire configuration in the wizard.)
  5. Log in. There are no passwords configured yet, so leave the username and password blank for now; set an enable password and a local administrative user before you leave the ASA connected to the Internet.
  6. Click Configuration at the top.
  7. Click Device Setup.
  8. Click Interfaces.
  9. Edit the Inside Interface.
  10. Make sure it is enabled.
  11. Specify the internal address you want to use. By default this is 192.168.1.1, which you can leave as is. This means you are using the 192.168.1.0/24 network as your inside network.
  12. Click OK.
  13. Edit the Outside Interface.
  14. Choose DHCP. If you happen to have a fixed IP at home, please use that. Many ISPs require you to have a business account to get a static IP, though.
  15. Make sure the interface is enabled.
  16. Put a check mark next to the option Obtain Default Route Using DHCP. This saves you the step of configuring a static route, and it saves you the hassle of having to change the static route every time your IP changes.
  17. Click OK.
  18. Put a check next to Enable Traffic Between Two Or More Interfaces Which Are Configured With The Same Security Levels and next to Enable Traffic Between Two Or More Hosts Connected To The Same Interface. Neither is required for plain Internet access with one inside and one outside interface, but the second (intra-interface) option is what a VPN hairpin (traffic entering and leaving through the same outside interface) needs, so it is worth enabling now.

Those 18 steps take care of the first two basic things I spoke about before: configuring your interfaces and setting up a default route. Now to configure PAT and the access rules.

Configure PAT

  1. Click Firewall while still under the Configuration tab.
  2. Click NAT Rules.
  3. Click Add.
  4. Click Add Dynamic Rule.
  5. For the original source you can just leave it set at Any (or you can specify the inside network, 192.168.1.0/24).
  6. For the translated address, choose the outside interface. Translating to the interface rather than to a fixed address is what makes this work with a DHCP-assigned public IP: the ASA PATs to whatever address the outside interface currently holds.
  7. Click OK.

Configure access rules

You'll most likely want to allow HTTP/HTTPS traffic through your ASA. If you apply an access list to the inside interface, make sure it permits these, along with any other protocols that might be necessary such as FTP, DNS, ICMP, etc.; anything not listed is dropped once the list is applied. On the outside interface, permit nothing inbound unless you are publishing a service. Use Figure A as a reference for the kind of configuration you may need.

Figure A
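Pulling the four pieces together, here is the CLI equivalent of the ASDM steps above (interfaces, DHCP default route, PAT, access rules), plus the ASA-side DHCP server that the access-point section below relies on. This is an added example, not configuration from the original post. It assumes an ASA 5505 running 8.3 or later (object NAT syntax), the factory VLAN layout (Ethernet0/0 in VLAN 2 as outside, the remaining switch ports in VLAN 1 as inside), an inside DHCP pool of 192.168.1.100-199 chosen so that a statically addressed AP at 192.168.1.15 stays clear of it, and placeholder passwords you must replace. The hostname, object name and access-list name are arbitrary.

```text
! Added example: CLI equivalent of the ASDM steps in the post (not from the original).
! Assumes ASA 5505, software 8.3+, factory VLAN layout (E0/0 = VLAN 2 outside,
! E0/1-E0/7 = VLAN 1 inside). Replace the <...> placeholders before use.
hostname home-asa
!
! --- 1. Interfaces ---
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! --- 2. Default route: "setroute" is ASDM's "Obtain Default Route Using DHCP" ---
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! ASDM step 18. Not needed for plain Internet access; intra-interface is
! what a later VPN hairpin through the outside interface requires.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! --- 3. PAT: every inside host shares the outside interface's (dynamic) address ---
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- 4. Access rules ---
! Outbound inside->outside is already allowed by security level. Applying
! this list makes the intent explicit and limits outbound to the protocols
! the post mentions; anything not listed here is dropped on inside.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! Nothing inbound is permitted on outside. Ping replies get back in through
! stateful ICMP inspection instead of an outside permit rule. FTP inspection
! (on by default) is restated so passive data channels keep working.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!
! DHCP server for the laptops behind the AP (the AP's own DHCP server is off).
! Pool deliberately excludes 192.168.1.15, the AP's static address.
! auto_config passes the DNS servers learned on outside through to clients.
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd auto_config outside
dhcpd enable inside
!
! Management: ASDM over HTTPS from the inside network only, and no more
! blank credentials.
enable password <set-a-strong-password>
username admin password <set-a-strong-password> privilege 15
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
```

Paste this in configuration mode over the console, or via Tools > Command Line Interface in ASDM, then check with `show route` (you should see a default route learned via DHCP), `show xlate` (PAT entries appear once an inside host browses) and `show access-list inside_access_in` (hit counters climb). If you later add services such as SSH, mail, NTP or the VPN, either extend the inside list or remove the `access-group` line and fall back to the default security-level behavior.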

Configure your wireless router to act like an access point

This covers setting up the ASA, but you still want to be able to use your wireless router to connect all your laptops, printers, Rokus, etc. The easiest way (though not the only way) to do this is to configure your wireless router to act just as an access point (AP).

In general, you'll want to disconnect the network cable from the WAN, or outside, port on the AP and leave that port unused, so the router's own NAT and routing are bypassed. Then connect to the management interface of your AP, most likely via a browser while your computer is connected to the AP. Some newer APs have an option to just put a check next to AP Mode and it will do it automatically. However, if you don't have that option, make sure you turn off the AP's DHCP server (the ASA is your DHCP server) and configure the LAN settings to be on the same network as your ASA. Since the router is now a bridge straight onto your inside network, also change its admin password and keep WPA2 enabled on the wireless side.

In my example, you might configure the AP with an IP of 192.168.1.15, a subnet mask of 255.255.255.0, and the default gateway set to the IP address of the ASA (192.168.1.1). Pick an address outside the range the ASA's DHCP server hands out so nothing else is ever leased the same IP. Now connect one of the LAN, or inside, ports on the AP to one of the inside ports on the Cisco ASA (ports 1-7). You may need to reboot the AP, but now you should be able to connect wirelessly, get an address from the ASA, and have Internet access through the firewall.

About

Lauren Malhoit has been in the IT field for over 10 years and has acquired several data center certifications. She's currently a Technology Evangelist for Cisco focusing on ACI and Nexus 9000. She has been writing for a few years for TechRepublic, Te...

7 comments
jerryfahm

If a wireless router was connected behind the ASA on the WAN port and 20 hosts connected to the router, will the ASA only see the one PATed address? Reason being I have the basic license on my ASA 5505.

steveashton

"1) Connect the network cable from the modem to port 0 (default outside port) on the ASA" - Do you not mean router? or do you mean the router has to be in "modem" mode? (if in modem mode, doesn't that disable the routers features like Wi-Fi and the 3 of 4 ports on the switch?)

MikeGinUS

This info is old news...as old as the ASA. Nobody wants an ASA anymore. This is 2012!

HBackus

Sounds like Mitt Romney, criticizing without providing a solution. What would you recommend?

baalpeteor

@netconsultant.servic and all above, if you can't tell by now, @MikeGinUS was trolling. Serious security and IT professionals (including CCIEs) are still using and recommending the ASA line for security, firewalling, IPs, to name a few things. There is nothing better of writing to replace or take the place of an ASA.
