50.0 Configuration
If you consider yourself a novice to networking or Cisco equipment, you may prefer to use the GUI (Graphical User Interface), SDM, or whatever web configuration tool is already available on the Cisco device. Keep in mind, however, that the Cisco web interface frequently has bugs and is somewhat unreliable, it may not be installed (or may have been removed) on a given device, and it only exposes basic features. The most direct and reliable way to configure Cisco equipment is always the CLI (Command Line Interface). For novices, configuring Cisco equipment from the CLI for the first time can be overwhelming. No worries! Check out the forum FAQ. There are topics on how to revive SDM when it is not working, as well as a very basic introduction to the CLI:

»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI
»Cisco Forum FAQ »My SDM/CRWS (web configuration mode) doesn't work. How do I revive it?

Explore all topics in the FAQ. In no time, you should have your Cisco equipment up and running.

Network Device Configuration Management

In a network with multiple network devices (several routers, switches, and firewalls), there are alternatives for how to configure them. The traditional way is to log into each device and configure it individually. When you have to configure many devices with the same exact command lines, it is often preferable to log in once and push the configuration to all of them at the same time, which saves time and minimizes human error. Where there is a need to push identical command lines to multiple network devices, a centralized configuration manager is the preferred tool.
In some organizations (typically large ones), using such software is mandatory as part of the standard implementation procedure. What the configuration manager does is essentially what you would do by hand: log into each network device, enter the command lines, and save the configuration. The advantages are that it removes tedious, repetitive manual configuration of many devices, implements commands faster, and reduces the chance of a human mistyping a command.

A centralized configuration manager can also back up the current configuration of every network device to a server automatically. When the software has never backed up a particular device, it treats that device as newly implemented and stores its configuration as a new device. Once it has backed up a device at least once, it compares the current configuration with the stored copy. If the two are identical line by line and word by word (verbatim), the software assumes no configuration change is in place and does not back up the current configuration. If the current configuration is not identical to the stored one, the software assumes a change is in place, backs up the current configuration, and time-stamps it so that the date on which the different configuration was detected is recorded. This compare-and-back-up process can run automatically or be started manually. For automatic operation you set a schedule (every day, every Tuesday, and so on).
You can also run the process outside the preset schedule by manually choosing the time and the device. The point of storing network device configurations is to keep track of what configuration changes have been made on a specific device since it was put in place. From an operational perspective, it is much simpler to reverse a configuration change that does not behave as expected. From a configuration management perspective, it is easier to track on what date a change was made on a specific device, and by whom. Depending on its features, a centralized configuration manager may also be able to check whether device configurations comply with a standard or contain command lines that present a network security risk. Some products only work with devices from a specific vendor; others support devices from a wide range of vendors.

There are many centralized configuration managers available. Some organizations use Kiwi CatTools, which is light, simple to use, and affordable. There are also solutions from SolarWinds, Cisco, HP, and free UNIX-based open source tools. Check out the following thread for more info.

»Network Config Management
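The compare-and-back-up loop and the compliance scan described above, as an added example written for this FAQ page (it is not code from the FAQ or from any of the products named). It implements the verbatim comparison with one practical refinement: the header lines IOS rewrites on every fetch ("! Last configuration change ...") are ignored, or every run would look like a change. The device name, timestamps and the two sample configurations are constructed for the demo; the risky-line rules are a small illustrative set.

```python
"""Added example (hypothetical, not from the FAQ or any vendor product):
the compare-and-back-up loop a centralized configuration manager runs, plus
a small compliance scan over the copy it just stored. Sample configs below
are constructed for the demo."""
from __future__ import annotations
import re

# Header lines IOS rewrites on every fetch. They carry no configuration, so a
# verbatim compare must skip them or every run would look like a change.
VOLATILE = re.compile(
    r"^(! Last configuration change|! NVRAM config last updated|"
    r"Building configuration|Current configuration|ntp clock-period)"
)


def normalize(config: str) -> str:
    """Drop volatile and blank lines; everything else is kept verbatim."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    return "\n".join(ln for ln in lines if ln and not VOLATILE.match(ln))


def changed(stored: str | None, current: str) -> bool:
    """Line-by-line, word-by-word comparison, as the FAQ describes."""
    return stored is None or normalize(stored) != normalize(current)


def archive(store: dict[str, list[tuple[str, str]]], device: str,
            current: str, timestamp: str) -> bool:
    """store maps device -> [(timestamp, config), ...]. First sight of a
    device is stored as new; later fetches are stored only when they differ.
    Returns True when a new copy was recorded."""
    history = store.setdefault(device, [])
    latest = history[-1][1] if history else None
    if not changed(latest, current):
        return False
    history.append((timestamp, current))
    return True


# Top-level lines that present a security risk on their own (illustrative set).
RULES = [
    (re.compile(r"^no service password-encryption$"), "passwords stored in clear text"),
    (re.compile(r"^ip http server$"), "cleartext HTTP management enabled"),
    (re.compile(r"^snmp-server community (public|private)\b"), "default SNMP community string"),
    (re.compile(r"^enable password "), "enable password instead of enable secret"),
]


def audit(config: str) -> list[str]:
    """Return findings for risky lines; vty checks need the enclosing 'line vty' section."""
    findings: list[str] = []
    section: str | None = None
    saw_transport = False

    def close_section() -> None:
        if section and section.startswith("line vty") and not saw_transport:
            findings.append(f"{section}: no 'transport input' restriction (telnet allowed by default)")

    for line in normalize(config).splitlines():
        if not line.startswith(" "):          # new top-level command or section header
            close_section()
            section, saw_transport = line, False
            findings.extend(f"{line}: {msg}" for rx, msg in RULES if rx.match(line))
            continue
        cmd = line.strip()
        if section and section.startswith("line vty"):
            if cmd == "no login":
                findings.append(f"{section}: no authentication on virtual terminal lines")
            elif cmd == "exec-timeout 0 0":
                findings.append(f"{section}: idle sessions never time out")
            elif cmd.startswith("transport input"):
                saw_transport = True
                if {"telnet", "all"} & set(cmd.split()[2:]):
                    findings.append(f"{section}: cleartext telnet permitted")
    close_section()
    return findings


# Constructed sample: what 'show running-config' returned on three days. Only
# the volatile header differs between DAY1 and DAY1_AGAIN; DAY2 is a real change.
DAY1 = """\
! Last configuration change at 10:01:12 UTC Mon Jan 7 2013
version 12.2
service password-encryption
hostname Router
enable secret 5 $1$EXAMPLE$notarealhash
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
!
no ip http server
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
end
"""
DAY1_AGAIN = DAY1.replace("10:01:12 UTC Mon Jan 7", "09:30:00 UTC Tue Jan 8")
DAY2 = (DAY1.replace("no ip http server", "ip http server\nsnmp-server community public RO")
            .replace(" exec-timeout 10 0", " exec-timeout 0 0")
            .replace(" transport input ssh", " transport input telnet ssh"))


def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Three scheduled runs against one device; returns the archive."""
    store: dict[str, list[tuple[str, str]]] = {}
    for stamp, cfg in (("2013-01-07T10:05", DAY1), ("2013-01-08T10:05", DAY1_AGAIN),
                       ("2013-01-09T10:05", DAY2)):
        if archive(store, "router1", cfg, stamp):
            print(f"{stamp}: stored new copy, findings: {audit(cfg)}")
        else:
            print(f"{stamp}: unchanged, nothing stored")
    return store


if __name__ == "__main__":
    run_demo()
```

The second run is ignored because only the timestamp header changed; the third run is archived and the audit flags the HTTP server, the default SNMP community, the never-expiring vty timeout and the telnet transport that appeared in it.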
by aryoba

Quoting Cisco: "Cisco SDM supports a wide range of Cisco IOS Software releases and is available free of charge on Cisco router models from Cisco 830 Series to Cisco 7301. It ships preinstalled on all new Cisco 850 Series, Cisco 870 Series, Cisco 1800 Series, Cisco 2800 Series, and Cisco 3800 Series integrated services routers. Network and security administrators and channel partners can use Cisco SDM for faster and easier deployment of Cisco routers for integrated services such as dynamic routing, WAN access, WLAN, firewall, VPN, SSL VPN, IPS, and QoS."

More details are available from Cisco here: Cisco Router and Security Device Manager

Following are the GUIs for other Cisco gear:

ASA/PIX Firewall: Cisco Adaptive Security Device Manager Version 5.2; Cisco Adaptive Security Device Manager Release Notes

The router SDM software can be downloaded (without a SMARTnet contract) from here: Cisco Security Device Manager Software Download

Some Discussions
»Best way to restrict commands to a user.. menu or TACACS?
by Phraxos

»Cisco Forum FAQ »Things to expect when setup network for home or small business

Physical Connection

When it is time to configure your network router, there are basic steps you need to do regardless of the equipment brand or model. One of them is figuring out which port is the router's WAN port and which is its LAN port. Once all the proper cables are connected, you then configure the router software. In terms of plugging in cables, some Cisco equipment, including Cisco routers, is not that clear about which port is WAN and which is LAN. To find out which ports are which on your Cisco router, the following preliminary hardware setup links should give you an idea. Specifically for Cisco router configuration, you need to plug the correct cable into the router's WAN, LAN, and CONSOLE ports.

Cisco 800 series router: Install and Upgrade Guides
Cisco 1700 series router: Install and Upgrade Guides
Cisco 2500 series router: Cisco 2500 Series Overview; Overview of the Cisco 2500 Series Access Server; Overview of the Cisco 2517 and Cisco 2519; Cisco 2500 Multiport Installation and Configuration Guide - Router Overview; Overview of the Cisco 2524 and Cisco 2525
Cisco 2600 and 2600XM series routers: Install and Upgrade Guides

Basic Cisco Router Configuration

Next is the software setup. Here you configure the router with the proper IP connection scheme (DNS, IP subnets, etc.) to make the WAN/LAN connection work. There are alternatives for configuring the router. Some people prefer the web-based feature (i.e. SDM) since it "seems" easier to use. Keep in mind that SDM is not available on every router, and even where it is, some features can only be configured outside SDM. The most straight-forward way to configure the router is the CLI (Command Line Interface). With the CLI you can configure the equipment any way you like, from basic configuration to the most advanced.
You need the following items to be able to use the CLI:

* Cisco console cable kit (cable and adapters)
* PC or laptop running Windows with HyperTerminal installed (or any operating system with terminal emulator software installed)

Do you have a Cisco console kit? If not, you can get one at your local computer shop or buy one on ebay. Basically what you need is an RS-232 cable with a DB-9 or DB-25 connector on one end (depending on your computer's serial port) to go to the computer's serial port, and an RJ-45 connector on the other end to go to the router's CONSOLE port. If your computer has no serial port and only USB, you may need a DB9-USB or DB25-USB adapter.

Note: It is preferable to use a DB-9 or DB-25 serial port for the console rather than USB. In some cases a DB9-USB or DB25-USB adapter does not work, depending on the adapter model or its settings.

When you have the CONSOLE cable and physical access to the CONSOLE port, this is the first step you need to know.

Accessing the CONSOLE port: Connecting a Terminal or PC to the Console Port

Note: This FAQ assumes the router's CONSOLE port baud rate and settings are at their defaults (9600 baud, 8 data bits, no parity, 1 stop bit, no flow control), meaning you can actually read the output coming out of the CONSOLE port. If the display is unreadable or stops being readable, the CONSOLE port settings may have been altered. Check out the following FAQ to set them back to default.

»Cisco Forum FAQ »Unreadable output from Cisco Router Console

Some discussions
»[HELP] Some 1841 questions

If everything works, you should get a prompt like this:

    Router>

This means you are now in the CLI and the router is ready to receive commands. Enter the following command as a start:

    Router>enable

You may be asked for a password. If so, just enter it.
When the router is brand new or at factory default, pressing ENTER should get you into enable (privileged) mode, which shows a prompt like this:

    Router#

Note: If pressing ENTER does not get you into enable mode and you don't know the password, you need to do password recovery. There's a FAQ in this forum on how to do it.

»Cisco Forum FAQ »Password Recovery Procedures - proper BREAK key sending

Notice that once you pass the password question the prompt changes from > to #. The # prompt means you are in enable (privileged) mode. In privileged mode you can check the router configuration with the following command:

    Router#show running-config

Keep in mind that the output you see may not exactly match the following. The output varies; it depends on your router model and on the features that are activated or used. In general, though, it should look something like this:

    !
    version 12.2
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    ip subnet-zero
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface Ethernet1
     no ip address
     shutdown
    !
    ip classless
    no ip http server
    no cdp run
    !
    line con 0
     exec-timeout 120 0
     stopbits 1
    line vty 0 4
     exec-timeout 0 0
     login local
     length 0
    !
    scheduler max-task-time 5000
    end

Two things in this default are worth knowing: service password-encryption only obfuscates passwords in the configuration (the so-called type 7 encoding, which is trivially reversible), so use enable secret rather than enable password; and exec-timeout 0 0 on the vty lines means a remote session never times out.

As mentioned, you need to configure the router with the proper IP connection scheme (DNS, IP subnets, etc.). To do that, enter global configuration mode with the following command:

    Router#configure terminal

You should then see this prompt:

    Router(config)#

That prompt indicates you are in configuration mode. For the illustration, let us say that interface Ethernet1 is the WAN port and interface Ethernet0 is the LAN port.
You then enter the WAN IP subnet under interface Ethernet1 and the LAN IP subnet under interface Ethernet0. Let us say the IP subnets are the following:

WAN:
  Subnet: 23.42.53.0/24 (the 23.42.53.0 network with subnet mask 255.255.255.0)
  IP address: 23.42.53.24
  Default Gateway: 23.42.53.1
  DNS: 23.42.52.1

LAN:
  Subnet: 10.10.10.0/24 (the 10.10.10.0 network with subnet mask 255.255.255.0)
  IP address: 10.10.10.1

To configure this, the general idea is:

1. To make sure the router works as expected, set a few basics such as enabling IP routing and keeping the manufacturer's suggested settings
2. Enter interface configuration mode
3. Type in the interface IP address and subnet mask
4. Issue the "no shutdown" command to bring up the interface
5. Exit interface configuration mode back to global configuration mode
6. In global configuration mode, enter the default gateway
7. Save the configuration

Here is the walkthrough. Since you are configuring a router and expect it to do IP routing, the following command makes sure the router is in routing mode:

    Router(config)#ip routing

This command makes sure the router keeps all settings as advised by the manufacturer (Cisco, of course):

    Router(config)#config-register 0x2102

Side Note: Check out this FAQ for more info on the default config register value
»Cisco Forum FAQ »Config Register Value - router lost configuration

The WAN interface:

    Router(config)#interface Ethernet1
    Router(config-if)#description Outside World
    Router(config-if)#ip address 23.42.53.24 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#

The LAN interface:

    Router(config)#interface Ethernet0
    Router(config-if)#description Internal LAN
    Router(config-if)#ip address 10.10.10.1 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#

To configure the default gateway:

    Router(config)#ip route 0.0.0.0 0.0.0.0 23.42.53.1

Keep in mind that this illustration assumes a static WAN IP address in an Ethernet environment. When this does not match your situation, go to the FAQ subsection and find the most suitable environment (PPP, DHCP, etc.).

No further configuration step should be necessary. You then exit configuration mode and save the changes:

    Router(config)#end
    Router#copy running-config startup-config

As for the DNS info, you need to put it on your LAN machines. You can do that either statically or automatically. Statically usually means you give the LAN machines static IP addresses; automatically usually means you give them dynamic IP addresses. Keep in mind that the LAN machine configuration steps vary and depend heavily on the operating system (Windows, Mac, Linux). In general, whether you give the LAN machines static or dynamic addresses, you go to the machine's configuration settings and do it from there.

Note: This FAQ is written to introduce the CLI to novices.
This FAQ is not intended as a complete guide to setting up a router to connect to the Internet in a specific WAN/LAN environment, or to setting up a used router that already has a saved configuration file in place. If you are trying to connect the router with the rest of your network or to other network devices, carefully review how you want the network to look and how each device (modem, routers, switches, firewalls) interacts and communicates with the others. When the router will connect to the Internet through an ISP via cable modem, DSL, or T1/E1, go to the other FAQ subsections and find the most suitable environment (PPP, DHCP, static, etc.). If you are not sure how the router should connect to the ISP, consult the ISP: your ISP is the most knowledgeable source on its own connection to customers. The following FAQ gives a better idea of how to review and discuss technical requirements with ISP support.

»Cisco Forum FAQ »Things to expect when setup network for home or small business

Some FAQ links for router configuration in specific WAN/LAN environments
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco Router-Firewall Combo
Various Sample Network Design with Routers, Switches, and Firewalls

For further descriptions of Cisco IOS commands, check out the following
»Cisco Forum FAQ »Basic Cisco Commands and Descriptions
»Cisco Forum FAQ »Basic Configuration of Cisco devices

Guide to ISP consultation in finding out how to connect to the ISP
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

Still confused? If you are still confused after reviewing all the links and descriptions above, post a question by creating a new thread in the Cisco forum, following this guide.
»Cisco Forum FAQ »How do I post in the forum?
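The router walkthrough above, as an added example written for this page (not code from the FAQ): a short Python script that sanity-checks the WAN/LAN plan with the standard ipaddress module before anything is typed into the router, produces the global-configuration lines in the order the walkthrough gives them, and reads the "Configuration register is ..." line of show version for a value that would make the router boot without its saved configuration (the 0x2142 left behind by the password recovery procedure the FAQ links to). The addresses are the FAQ's illustration values; the show version text is constructed.

```python
"""Added example (hypothetical, not from the FAQ): check the WAN/LAN plan with
the ipaddress module before typing it in, produce the IOS lines of the
walkthrough in order, and read 'show version' for a config register that
would make the router boot without its saved configuration. The addresses are
the FAQ's illustration values; the 'show version' text is constructed."""
from __future__ import annotations
import ipaddress
import re


def validate_plan(wan_ip: str, wan_mask: str, gateway: str,
                  lan_ip: str, lan_mask: str) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    wan = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}")   # dotted masks are accepted
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    for name, iface in (("WAN", wan), ("LAN", lan)):
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or broadcast address of {net}")
    if gw not in wan.network:
        problems.append(f"default gateway {gw} is not inside the WAN subnet {wan.network}")
    elif gw == wan.ip:
        problems.append("default gateway is the router's own WAN address")
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} and LAN {lan.network} overlap")
    return problems


def ios_config(wan_ip: str, wan_mask: str, gateway: str, lan_ip: str, lan_mask: str,
               wan_if: str = "Ethernet1", lan_if: str = "Ethernet0") -> list[str]:
    """The global-configuration lines of the walkthrough, in the order it gives them."""
    problems = validate_plan(wan_ip, wan_mask, gateway, lan_ip, lan_mask)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "ip routing",
        "config-register 0x2102",
        f"interface {wan_if}",
        " description Outside World",
        f" ip address {wan_ip} {wan_mask}",
        " no shutdown",
        f"interface {lan_if}",
        " description Internal LAN",
        f" ip address {lan_ip} {lan_mask}",
        " no shutdown",
        f"ip route 0.0.0.0 0.0.0.0 {gateway}",
    ]


# Last line of 'show version'; the parenthesised part appears only when the
# register was changed and the router has not been reloaded since.
REGISTER = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)
IGNORE_NVRAM = 0x0040   # bit 6: boot without reading startup-config (0x2142 after password recovery)


def config_register_check(show_version: str) -> tuple[bool, str]:
    """Return (ok, detail). ok is False when the register in effect at the next
    reload would skip NVRAM, i.e. the router would come up unconfigured."""
    m = REGISTER.search(show_version)
    if not m:
        return False, "no 'Configuration register is' line in show version output"
    effective = m.group(2) or m.group(1)
    if int(effective, 16) & IGNORE_NVRAM:
        return False, f"register {effective} at next reload ignores startup-config; set config-register 0x2102 and save"
    return True, f"register {effective} at next reload"


# Constructed 'show version' tail: register fixed after a password recovery,
# router not yet reloaded.
SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    print("\n".join(ios_config("23.42.53.24", "255.255.255.0", "23.42.53.1",
                               "10.10.10.1", "255.255.255.0")))
    print(config_register_check(SHOW_VERSION))
```

Feeding the FAQ's DNS address (23.42.52.1) in as the gateway, a common slip, is caught before the route is typed: the gateway must be on the WAN subnet for the default route to be usable.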
superb explanation (2013-01-11 09:41:29)

by aryoba

by nozero

Cisco Broadband Operating System (CBOS) Sample Configuration
Setting up Cisco 675 for Qwest.net in PPP mode with a Dynamic IP

by ender78

»Cisco Forum FAQ »Router runs VoIP, Bit Torrent, Online Gaming; DynDNS - QoS Sample Configuration

Tips and Discussions
»Cisco and DDNS not working, please help.
»[Config] No-IP dynDNS Configuration
»dynamic-to-dynamic IPSec VPN
»[HELP] help! 831 ddns with zoneedit
»[Config] CISCO 837 K9 DynDNS - DDNS (Dynamic Host Upgrade)
»[Config] 871 IP Inspect Blocking DDNS Updates
»[HELP] DDNS
»manually change or manage dns servers on rvs4000
by aryoba

»Cisco Forum FAQ »Things to expect when setup network for home or small business

Physical Connection

When it is time to configure your network firewall, there are basic steps you need to do regardless of the equipment brand or model. One of them is figuring out which port is the PIX Firewall or ASA WAN port and which is its LAN port. Once all the proper cables are connected, you then configure the PIX Firewall or ASA software. In terms of plugging in cables, some Cisco equipment, including the Cisco PIX Firewall and ASA, is not that clear about which port is WAN and which is LAN. To find out which ports are which on your Cisco PIX Firewall or ASA, the following preliminary hardware setup links should give you an idea. Specifically for Cisco PIX Firewall and ASA configuration, you need to plug the correct cable into the WAN, LAN, and CONSOLE ports.

Cisco PIX Firewall Hardware Installation Guide
Cisco ASA 5500 Series Hardware Installation Guide

Basic Cisco PIX Firewall/ASA Configuration

Next is the software setup. Here you configure the PIX Firewall or ASA with the proper IP connection scheme (DNS, IP subnets, etc.) to make the WAN/LAN connection work. There are alternatives for configuring the PIX Firewall and ASA. Some people prefer the web-based feature (PDM on PIX 6.x, ASDM on 7.0 and later) since it "seems" easier to use. Keep in mind that the web interface is not available on every PIX Firewall or ASA, and even where it is, some features can only be configured outside it. The most straight-forward way to configure the PIX Firewall and ASA is the CLI (Command Line Interface). With the CLI you can configure the equipment any way you like, from basic configuration to the most advanced. You need the following items to be able to use the CLI:
* Cisco console cable kit (cable and adapters)
* PC or laptop running Windows with HyperTerminal installed (or any operating system with terminal emulator software installed)

Do you have a Cisco console kit? If not, you can get one at your local computer shop or buy one on ebay. Basically what you need is an RS-232 cable with a DB-9 or DB-25 connector on one end (depending on your computer's serial port) to go to the computer's serial port, and an RJ-45 connector on the other end to go to the PIX Firewall or ASA CONSOLE port. If your computer has no serial port and only USB, you may need a DB9-USB or DB25-USB adapter.

Note: It is preferable to use a DB-9 or DB-25 serial port for the console rather than USB. In some cases a DB9-USB or DB25-USB adapter does not work, depending on the adapter model or its settings.

When you have the CONSOLE cable and physical access to the CONSOLE port, this is the first step you need to know.

Accessing the CONSOLE port:
Cisco PIX Firewall 501
Cisco PIX Firewall 506/506E
Cisco PIX Firewall 515/515E
Cisco ASA 5500

If everything works, you should get a prompt like this:

    pixfirewall>

This means you are now in the CLI and the PIX Firewall or ASA is ready to receive commands. Enter the following command as a start:

    pixfirewall>enable

You may be asked for a password. If so, just enter it. When the PIX Firewall or ASA is brand new or at factory default, pressing ENTER should get you into enable (privileged) mode, which shows a prompt like this:

    pixfirewall#

If pressing ENTER does not get you into enable mode and you don't know the password, you need to do password recovery. There's a FAQ in this forum on how to do it.
»Cisco Forum FAQ »Password Recovery Procedures - proper BREAK key sending

Notice that once you pass the password question the prompt changes from > to #. The # prompt means you are in enable (privileged) mode. In privileged mode you can check the PIX Firewall or ASA configuration with the following command:

    pixfirewall#write terminal

If the PIX or ASA is running OS version 6.x, 7.x, or later, you can also issue the following command, which gives the same output:

    pixfirewall#show running-config

Keep in mind that the output you see may not exactly match the following. The output varies; it depends on your PIX or ASA model and on the features that are activated or used. In general, though, it should look something like this:

    PIX Version 6.3(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    pager lines 24
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    logging buffered debugging
    no logging trap
    no logging history
    logging facility 20
    logging queue 512
    interface ethernet0 shutdown
    interface ethernet1 shutdown
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.165.200.226 255.255.255.224
    ip address inside 10.1.1.1 255.255.255.0
    no failover
    arp timeout 14400
    global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    isakmp identity hostname
    telnet timeout 5
    terminal width 80
    Cryptochecksum:adffa2c4ed9043ce3e54e959acacd8d8
    : end

The enable password and passwd hashes shown are the factory defaults from Cisco's documentation, and snmp-server community public is the well-known default community string; set your own passwords and change or remove that community before the device goes on a network.

The configuration above is what you see when your PIX Firewall is running OS version 6.3. If your PIX Firewall or ASA is running OS version 7.0 or later, the equivalent configuration looks like this:

    hostname asa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
     no nameif
     no security-level
     shutdown
    !
    interface Ethernet0/1
     no nameif
     no security-level
     shutdown
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    logging enable
    logging console notifications
    logging buffered warnings
    logging asdm notifications
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context

On a PIX Firewall running OS version 6.x, by default interface Ethernet0 is the WAN port (called the outside interface) and interface Ethernet1 is the LAN port (called the inside interface). Also by default, the outside security level is 0 (zero) and the inside security level is 100. You can see all of this in the nameif commands.

On an ASA or PIX Firewall running OS version 7.0 or later, no interface has a default role or security level, unlike OS version 6.x. You therefore need to pick one interface as the outside (WAN) interface and one as the inside (LAN) interface, as a minimum. With OS version 7.0 or later, any interface can be the WAN or the LAN port; for instance, Ethernet0/0 could be inside (LAN) and Ethernet0/1 outside (WAN). Whichever interface you choose, the outside security level is still 0 (zero) and the inside security level is still 100. You will see this once you name a specific interface outside or inside.

As the configurations above show, a PIX Firewall running OS version 6.3 has a configuration similar to an ASA or PIX Firewall running OS version 7.0 or later. There are small differences here and there, but the general concept is the same. To help you further, there will be specific command lines for PIX Firewall running OS version 6.3 and specific command lines for ASA or PIX Firewall running OS version 7.0 or later. When no version is specified, the command lines apply to OS version 6.3 and later (including, of course, 7.0 or later). Let's move on.

As mentioned, you need to configure the PIX Firewall with the proper IP connection scheme (DNS, IP subnets, etc.).
To do that, enter configuration mode with the following command:

    pixfirewall#configure terminal

You should then see this prompt:

    pixfirewall(config)#

The (config)# prompt indicates you are in configuration mode. Let us say the following are the IP subnets you need to put into the PIX Firewall or ASA:

WAN:
  Subnet: 23.42.53.0/24 (the 23.42.53.0 network with subnet mask 255.255.255.0)
  IP address: 23.42.53.24
  Default Gateway: 23.42.53.1
  DNS: 23.42.52.1

LAN:
  Subnet: 10.10.10.0/24 (the 10.10.10.0 network with subnet mask 255.255.255.0)
  IP address: 10.10.10.1 (the default gateway for the LAN machines sitting behind the PIX or ASA)

To configure this, the general idea is:

1. Enter configuration mode (which you already have)
2. Type in the interface IP address and subnet mask
3. Issue the speed and duplex setting command to bring up the interfaces. For this illustration, all interfaces are set to auto-negotiation
4. Enter the default gateway command
5. Specify the LAN subnet that needs WAN access via NAT or PAT
6. Specify the WAN IP address as the NAT/PAT address of the LAN subnet
7. Activate the NAT/PAT address
8. Save the configuration

Note that to access the WAN or the Internet, the LAN subnet is NAT/PAT-ed to the WAN IP address. In the typical Internet gateway setup, where the PIX Firewall or ASA WAN port connects to an Internet modem/router and the LAN port to the internal switch, this NAT/PAT mechanism is almost always required. It is possible to run without NAT/PAT on the PIX/ASA, depending on how your network is set up. For the sake of illustration, this FAQ assumes NAT/PAT on the PIX/ASA is required.
Side Note: If you are not comfortable with the NAT/PAT concept, check out the following FAQ
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Here is the walkthrough.

The interface IP address and subnet mask configuration

The WAN interface:

PIX Firewall running OS version 6.3 (the interface command sets auto-negotiation and also enables the interface)

    pixfirewall(config)#ip address outside 23.42.53.24 255.255.255.0
    pixfirewall(config)#interface ethernet0 auto

PIX Firewall/ASA running OS version 7.0 or later

    asa(config)#interface Ethernet0/0
    asa(config-if)#nameif outside
    asa(config-if)#duplex auto
    asa(config-if)#speed auto
    asa(config-if)#ip address 23.42.53.24 255.255.255.0
    asa(config-if)#no shutdown

Note that on an ASA or PIX Firewall running OS version 7.0 or later, the security level of the interface named outside is automatically set to 0 (zero).

The LAN interface:

PIX Firewall running OS version 6.3

    pixfirewall(config)#ip address inside 10.10.10.1 255.255.255.0
    pixfirewall(config)#interface ethernet1 auto

PIX Firewall/ASA running OS version 7.0 or later

    asa(config)#interface Ethernet0/1
    asa(config-if)#nameif inside
    asa(config-if)#duplex auto
    asa(config-if)#speed auto
    asa(config-if)#ip address 10.10.10.1 255.255.255.0
    asa(config-if)#no shutdown

Note that on an ASA or PIX Firewall running OS version 7.0 or later, the security level of the interface named inside is automatically set to 100 (one hundred).

On the ASA 5505 you have to use Layer-3 VLAN interfaces to assign IP addresses, since its physical Ethernet ports are switch ports and cannot take an IP address directly. In that case, one way of assigning IP addresses is:

1. Pick ASA 5505 Port 1 as the WAN port and Port 2 as the LAN port
2. Make Ports 1 and 2 Layer-2 access ports
3. Make Port 1 a member of VLAN 10 and, similarly, Port 2 a member of VLAN 11
4. Create Layer-3 VLAN 10 and VLAN 11 interfaces
5. Name the VLAN 10 interface outside (WAN) and the VLAN 11 interface inside (LAN)
6. Assign the appropriate IP addresses under the VLAN 10 and VLAN 11 interfaces

Illustration (the no shutdown on each switch port is needed when the port is administratively down):

    asa(config)#interface Ethernet0/1
    asa(config-if)#switchport access vlan 10
    asa(config-if)#no shutdown
    asa(config-if)#interface Ethernet0/2
    asa(config-if)#switchport access vlan 11
    asa(config-if)#no shutdown
    asa(config-if)#interface VLAN10
    asa(config-if)#description WAN
    asa(config-if)#nameif outside
    asa(config-if)#ip address 23.42.53.24 255.255.255.0
    asa(config-if)#interface VLAN11
    asa(config-if)#description LAN
    asa(config-if)#nameif inside
    asa(config-if)#ip address 10.10.10.1 255.255.255.0

To configure the default gateway:

    pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 23.42.53.1

To permit a specific LAN subnet (i.e. 10.10.10.0/24) to have WAN access, issue the following command:

    pixfirewall(config)#nat (inside) 1 10.10.10.0 255.255.255.0 0 0

To permit all LAN subnets to have WAN access, issue the following command instead:

    pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

To specify the WAN address the LAN subnet is NAT/PAT-ed to, you can likewise give a specific IP address, a range of IP addresses, or the WAN interface IP address itself. Let's say for the illustration you want to use the WAN interface IP address itself. The command is then:

    pixfirewall(config)#global (outside) 1 interface

Note the 1 parameter on both the nat and the global command. When doing NAT/PAT, this parameter must match on both commands: if the nat command uses 3, the global command must use 3 as well. In other words, a NAT/PAT process is defined by a pair of nat and global commands with the same id.

Note: this nat/global pairing applies to PIX 6.3 through ASA 8.2. ASA 8.3 and later replaced it with object-based NAT, so the two commands above do not exist there.

To activate the NAT/PAT address (or, to be exact, to reset all current NAT/PAT translations), issue the following command:

    pixfirewall(config)#clear xlate

Keep in mind that this illustration assumes a static WAN IP address in an Ethernet environment.
When this does not match your situation, please go to the FAQ subsection and find the most suitable environment (PPP, DHCP, etc.).

There should be no further necessary step in configuring the PIX Firewall. You then need to exit the configuration mode and save the changes, by doing the following.
pixfirewall(config)#exit
pixfirewall#write memory

You can also issue the following command to save the changes if the PIX or ASA is running OS 6.x, 7.x, or later.
pixfirewall#copy running-config startup-config

As to the DNS info, you need to inject it into your LAN machines. You can do it either statically or automatically. When you do it statically, it usually means that you configure the LAN machines to have a static IP address. When you do it automatically, it usually means that you configure the LAN machines to have a dynamic IP address. Keep in mind that the LAN machine configuration step varies; it highly depends on the operating system (i.e. Windows, Mac, or Linux). In general, when you configure the LAN machines to have either a static or a dynamic IP address, go to the machine's configuration mode and do it from there.

To explore more features and commands, check out the following FAQ
»Cisco Forum FAQ »Understanding PIX Firewall/ASA

Note: This FAQ is written with the purpose of introducing CLI to novices. This FAQ is not intended as a complete guideline on how to set up an ASA/PIX Firewall to connect to the Internet in a specific WAN/LAN environment, or on how to set up a used ASA/PIX Firewall with a saved configuration file already in place. If you are trying to connect the ASA/PIX Firewall with the rest of your network or trying to connect the ASA/PIX Firewall with other network devices, please carefully review how you would like the network to look and how each network device (such as modem, routers, switches, and firewalls) interacts and inter-communicates.
When the ASA/PIX Firewall is going to connect to the Internet provided by an ISP via cable modem, DSL, or T1/E1, please go to the other FAQ subsections and find the most suitable environment (PPP, DHCP, static, etc.). If you are not sure how the ASA/PIX Firewall should connect to the ISP, please consult with the ISP, since your ISP is the most knowledgeable source concerning their own connection to the customers. You can check out the following FAQ to get a better idea of how to review and discuss technical requirements with ISP support.
»Cisco Forum FAQ »Things to expect when setup network for home or small business

Some FAQ links of firewall configuration in specific WAN/LAN environments
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco Router-Firewall Combo
Various Sample Network Design with Routers, Switches, and Firewalls
Guide to ISP consultation in finding out how to connect to the ISP
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

For further info on command descriptions, check out the following
Cisco PIX Firewall Command Reference, Version 6.3
Cisco Security Appliance Command Reference, Version 7.0
Cisco Security Appliance Command Reference, Version 8.0
Cisco link Configuring ASA and PIX Security Appliances

Still confused?
When you find yourself still confused after reviewing all the above links and descriptions, post a question by creating a new thread on the Cisco forum following this guide.
»Cisco Forum FAQ »How do I post in the forum?
Thanks for your very clear simple guide to configuring a Cisco PIX/ASA.
Need to add that one needs to change the config on the inside interface of the gateway router :-)
2010-12-10 08:30:20 by aryoba

»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI

Note: This FAQ is intended for those who have some comfort with working around the CLI (Command Line Interface), through either remote access such as telnet or ssh, or through the console or AUX port. If you have never worked with the CLI before, then it is highly recommended to check out the prerequisite reading above as an introduction.

Router
Cisco Router Configuration Tutorial
Switches
Config Generator
by aryoba

The Riverbed Steelhead WAN accelerator is deployed in a WAN environment when traffic across the WAN network (i.e. MPLS, Frame Relay) needs to be optimized, hence creating so-called "WAN acceleration". With a "standard" WAN network consisting of WAN routers and LAN switches, the Riverbed Steelhead is typically placed inline between the WAN routers and the LAN switches. Following is an illustration.
In some cases, this WAN network consists of a site-to-site IPSec VPN tunnel where an ASA/PIX Firewall is used as the IPSec VPN termination. In the case of a site-to-site IPSec VPN tunnel with the ASA/PIX Firewall as the IPSec VPN termination, the Riverbed Steelhead is placed between the ASA/PIX Firewall and the LAN switches instead of between the routers and the switches. Following is an illustration.
Riverbed Steelhead Mechanism

The Riverbed Steelhead optimizes the TCP SYN and SYN-ACK transaction between sites in order to achieve the so-called WAN optimization. By default, TCP option 76 is only carried in the SYN and SYN-ACK packets of each TCP connection. This is used for autodiscovery. In addition, the Riverbed Steelhead uses TCP option 78, which is carried in every TCP segment of a connection. This is necessary to allow the Steelheads to distinguish full-transparency packets. Note that the above 76 and 78 option numbers are the default values, and that they can be changed through the Steelhead configuration.

Check out the following official Riverbed links for more info (PDF files).
Riverbed Steelhead Technical Overview
Riverbed Steelhead Guide

Sample Configuration

Since the ASA/PIX Firewall is by default a security device, there must be specific configuration in place to permit TCP option 76 and TCP option 78, as they are used by the Riverbed Steelhead to be operational, should the Steelhead be in place between the ASA/PIX Firewall and the LAN switches. Following is a sample configuration using ASA/PIX Firewall version 7.0 or above.

access-list Riverbed_TCP_Option_76 extended permit tcp any any log
access-list Riverbed_TCP_Option_78 extended permit tcp any any log
tcp-map Riverbed_TCP_Option_76_Tmap
 tcp-options range 76 76 allow
tcp-map Riverbed_TCP_Option_78_Tmap
 tcp-options range 78 78 allow
class-map Riverbed_TCP_Option_76_Cmap
 match access-list Riverbed_TCP_Option_76
class-map Riverbed_TCP_Option_78_Cmap
 match access-list Riverbed_TCP_Option_78
policy-map global_policy
 class Riverbed_TCP_Option_76_Cmap
  set connection advanced-options Riverbed_TCP_Option_76_Tmap
 class Riverbed_TCP_Option_78_Cmap
  set connection advanced-options Riverbed_TCP_Option_78_Tmap

In many organizations, the Riverbed Steelhead is configured to use TCP option 76 for both the autodiscovery and the full-transparency packets. When this is the case, the following is the sample configuration using ASA/PIX Firewall version 7.0 or above.

access-list Riverbed_TCP_Option_76 extended permit tcp any any log
tcp-map Riverbed_TCP_Option_76_Tmap
 tcp-options range 76 76 allow
class-map Riverbed_TCP_Option_76_Cmap
 match access-list Riverbed_TCP_Option_76
policy-map global_policy
 class Riverbed_TCP_Option_76_Cmap
  set connection advanced-options Riverbed_TCP_Option_76_Tmap
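To see what the tcp-map above actually acts on, it helps to walk the option TLVs of a TCP header the way the firewall does. The following is an added example, not part of the FAQ and not Riverbed or Cisco code: it parses TCP header options, reads "tcp-options range L U action" lines from a tcp-map, and reports the action the modelled policy takes on each option kind. The set of option kinds assumed to pass without a tcp-map (EOL, NOP, MSS, window scale, SACK-permitted, timestamp) is an assumption of this model, and the SYN option bytes are constructed by hand.

```python
import re
import struct
# Added TCP option walker for the tcp-map policy above (not from the FAQ, not Riverbed/Cisco
# code). It parses TCP option TLVs and applies "tcp-options range L U action" rules to them.
TCP_MAP_RE = re.compile(r"^\s*tcp-options range (\d+) (\d+) (allow|clear|drop)\s*$", re.M)
# Assumed to pass without a tcp-map: EOL, NOP, MSS, window scale, SACK-permitted, timestamp.
# Anything else is modelled as cleared unless a range rule says otherwise (assumption).
DEFAULT_ALLOWED = {0, 1, 2, 3, 4, 8}

def parse_tcp_options(options):
    """Yield (kind, data) per option; raise ValueError on a malformed length field."""
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == 0:                      # End of Option List: nothing follows
            yield kind, b""
            return
        if kind == 1:                      # NOP: one byte, no length field
            yield kind, b""
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option {kind} truncated before its length byte")
        length = options[i + 1]
        if length < 2 or i + length > n:   # bad length: never trust it for slicing
            raise ValueError(f"option {kind} has invalid length {length}")
        yield kind, options[i + 2:i + length]
        i += length

def parse_tcp_map(text):
    """Return {(lower, upper): action} from tcp-map 'tcp-options range' lines."""
    return {(int(lo), int(hi)): act for lo, hi, act in TCP_MAP_RE.findall(text)}

def classify(options, tcp_map):
    """Map each option kind present to the action the modelled policy takes on it."""
    verdict = {}
    for kind, _ in parse_tcp_options(options):
        action = "allow" if kind in DEFAULT_ALLOWED else "clear"
        for (lo, hi), act in tcp_map.items():
            if lo <= kind <= hi:
                action = act
        verdict[kind] = action
    return verdict

# Constructed SYN options: MSS 1460, SACK-permitted, NOP, window scale 7, then an
# option 76 (8 bytes) and an option 78 (4 bytes) carrying dummy data.
SAMPLE_SYN_OPTIONS = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2, 1, 3, 3, 7])
                      + bytes([76, 8]) + b"\x00" * 6 + bytes([78, 4, 0, 0]))
RIVERBED_TCP_MAP = "tcp-options range 76 76 allow\ntcp-options range 78 78 allow\n"
```

Running classify(SAMPLE_SYN_OPTIONS, {}) shows options 76 and 78 being cleared, while classify with parse_tcp_map(RIVERBED_TCP_MAP) shows both passing through.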
by aryoba

1. LAN machines are within the same subnet under a router, using the same router as DHCP server

Assumptions
* The LAN subnet is 192.168.1.0/24
* There are no local DNS servers within the LAN, so the external ISP-managed DNS servers 4.2.2.5, 4.2.2.6 and 4.2.2.66 are used
* The router Ethernet0 interface that connects to the LAN is used as default gateway for all LAN machines, so the Ethernet0 interface IP address is set as the default router (default gateway in DHCP terminology)
* You reserve the IP address range 192.168.1.1 to 192.168.1.30 for statically-assigned hosts within the LAN, where 192.168.1.1 is the router and 192.168.1.2 to 192.168.1.30 are the servers or any other network devices

ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.5 4.2.2.6 4.2.2.66
!
interface Ethernet0
 description Facing my LAN
 ip address 192.168.1.1 255.255.255.0

2. LAN machines are within the same subnet under an ASA/PIX Firewall, using the same firewall as DHCP server

Assumptions
* The LAN subnet is 10.0.0.0/24
* There are no local DNS servers within the LAN, so the external ISP-managed DNS servers 68.87.64.196 and 68.87.66.196 are used
* The ASA/PIX Firewall inside interface that connects to the LAN is used as default gateway for all LAN machines, so the inside interface IP address, 10.0.0.1, is set as the default gateway for all LAN DHCP client machines
* You reserve the IP address range 10.0.0.1 to 10.0.0.29 for statically-assigned hosts within the LAN, where 10.0.0.1 is the ASA/PIX Firewall and 10.0.0.2 to 10.0.0.29 are the servers or any other network devices
* DHCP-assigned IP addresses expire in 3600 seconds (1 hour). Typically the ASA/PIX Firewall assigns the same IP address to the same LAN machine (with the same MAC address), although it is possible for the LAN machine in question to receive a different IP address once the LAN machine's MAC address has expired off the MAC address table.

ip address inside 10.0.0.1 255.255.255.0
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside

3. LAN machines are within different subnets and VLANs under a Layer-3 Switch, using a Windows 2003 server as dedicated DHCP server
»Single DHCP for multiple Vlans Design
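Both scenarios above rely on the DHCP scope never handing out the gateway address or one of the statically reserved hosts. The following is an added example, not part of the FAQ, that works out the addresses each device can actually lease, for the IOS form (pool network minus excluded-address ranges) and for the ASA form (the explicit dhcpd address range), and flags a scope that overlaps the gateway or the static block. The sample configuration text is constructed from the two scenarios above; the IOS parser handles only the two-address form of ip dhcp excluded-address.

```python
import re
from ipaddress import ip_address, ip_network

# Added scope check for the two DHCP snippets above (not from the FAQ). It derives the
# leasable range each device would use and flags overlap with the gateway or static hosts.

def ios_scope(cfg):
    """(first, last, subnet, gateway) for one IOS pool with two-address excluded ranges."""
    net_m = re.search(r"^\s*network (\S+) (\S+)", cfg, re.M)
    subnet = ip_network(f"{net_m.group(1)}/{net_m.group(2)}", strict=False)
    gateway = ip_address(re.search(r"^\s*default-router (\S+)", cfg, re.M).group(1))
    excluded = set()
    for lo, hi in re.findall(r"^ip dhcp excluded-address (\S+) (\S+)", cfg, re.M):
        excluded.update(range(int(ip_address(lo)), int(ip_address(hi)) + 1))
    leasable = [h for h in subnet.hosts() if int(h) not in excluded]
    return leasable[0], leasable[-1], subnet, gateway

def asa_scope(cfg):
    """(first, last, subnet, gateway) from 'ip address inside' and 'dhcpd address' lines."""
    ip_m = re.search(r"^ip address inside (\S+) (\S+)", cfg, re.M)
    gateway = ip_address(ip_m.group(1))
    subnet = ip_network(f"{ip_m.group(1)}/{ip_m.group(2)}", strict=False)
    lo, hi = re.search(r"^dhcpd address (\S+)-(\S+) inside", cfg, re.M).groups()
    return ip_address(lo), ip_address(hi), subnet, gateway

def check_scope(first, last, subnet, gateway, static_last):
    """Findings (strings) for a scope; static_last is the highest statically reserved host."""
    static_last = ip_address(static_last)
    findings = []
    if first not in subnet or last not in subnet or first > last:
        findings.append("lease range is not a valid range inside the LAN subnet")
    if first <= gateway <= last:
        findings.append("gateway address can be leased to a client")
    if first <= static_last:
        findings.append("lease range overlaps the statically assigned hosts")
    return findings

# Sample input constructed from the FAQ's two scenarios.
IOS_CFG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp pool insideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
"""
ASA_CFG = """\
ip address inside 10.0.0.1 255.255.255.0
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd enable inside
"""
```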
by aryoba

The assumption here is that there is one router acting as Internet gateway and one switch connecting the router and all LAN machines such as PCs, printers, and servers.
Sample Configuration

1. Internet Router

Assuming your Internet router receives its IP address automatically from your ISP using a modem through DHCP, then the following is one possible configuration. When you have a different requirement such as PPPoE or a static IP address, please check out the following FAQ to find the most suitable sample configuration for your Internet router.
Various Internet Gateway Sample Configurations

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
ip subnet-zero
no ip finger
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.5 4.2.2.6 4.2.2.66
!
interface Ethernet0
 description Facing the ISP (the WAN)
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 description Facing my LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 password 7 104308100F1E1C0C
 logging synchronous
 login
 transport input none
line aux 0
 password 7 082C4D4703100B10
 login
line vty 0 4
 password 7 050607062B45400E
 login
!
end

2. Switch

vlan 1,11
!
interface FastEthernet0/1
 description LAN 1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 description LAN 1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 description LAN 1
 switchport access vlan 11
 switchport mode access
!
interface Vlan1
 description VLAN database management only
 shutdown
!
interface Vlan11
 description LAN 1 - Users
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
!

Check out the following FAQ for further illustration
»Cisco Forum FAQ »Should I use Layer-3 switch or router?
Discussion »[HELP] multiple ip address
© 1999-2013 dslreports.com.