Quick basic configuration of a Cisco ASA firewall for custom IP address and ASDM access

Here are a few quick commands to wipe a Cisco ASA series firewall, resetting it to factory defaults, and then enabling the device for an IP address on your own subnet rather than the default 192.168.1.0/24, as well as setting up ASDM and telnet and ssh access. This gives you a very basic configuration from which you can access the device. First connect to the device via the console port and run the following commands to wipe the device:

ciscoasa> enable

ciscoasa# conf t

ciscoasa(config)# configure factory-default

Once the device has loaded the default configuration, disable DHCP on the inside interface to prevent the device dishing out IP addresses. This may not be relevant in your environment but in ours DHCP is provided elsewhere:

ciscoasa(config)# no dhcpd enable inside

ciscoasa(config)# no dhcpd address 192.168.1.5-192.168.1.254 inside

Set the ip address for the inside LAN on interface vlan1 if this is the vlan you are using for the inside network:

ciscoasa(config)# int vlan1

ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0

ciscoasa(config-if)# exit

Enable the http server, and allow access from the inside subnet

ciscoasa(config)# http server enable

ciscoasa(config)# http 10.0.0.0 255.255.255.0 inside

Configure the local AAA authentication database and create a new user account to log in to ASDM with:

ciscoasa(config)# aaa authentication http console LOCAL

ciscoasa(config)# username oasysadmin password Pa55word

Enable telnet and/or ssh on the inside interface if required:

ciscoasa(config)# telnet 10.0.0.0 255.255.255.0 inside

ciscoasa(config)# ssh 10.0.0.0 255.255.255.0 inside

ciscoasa(config)# aaa authentication ssh console LOCAL

Set the enable password

ciscoasa(config)# enable password Pa55word

Save the configuration and reload

ciscoasa(config)# write mem

ciscoasa(config)# exit

ciscoasa# reload

Enabling root SSH access on an ESX host over the network

This post explains how to enable root SSH access on an VMware ESX host over the network, when you don’t have physical access to the server console. Root SSH access is disabled by default. Before enabling root SSH access please assess any security implications of this action in your environment.

Firstly, use the vSphere client to access the host directly. i.e. connect directly to the IP address or hostname of the host rather than logging in to vCenter. Log in using the root account. Once logged in highlight the ESX host in the left pane of the screen, and then click on the local users and groups tab in the right hand pane of the screen, as shown below:

local users and groups

Right click anywhere in the list of users and choose ‘Add’. Enter the details for your new user account as shown below, making sure that you tick the ‘Grant shell access to this user’ check box. You will also need to specify a password of more than 8 characters:

Add a local user to an ESX host

You can use an SSH client like Putty to connect to your ESX host. You may find that when you initally try to connect to the ESX host via SSH that you are still unable to connect and recieve an ‘Access Denied’ message. If this is the case, you need to give Administrator access to the host to your newly created user. In the vSphere client click on the ‘Permissions’ tab, in the right hand pane of the screen as shown here:

ESX host permissions

Right click in the list of users and choose ‘Add Permission’. Select the user you created and assign Administrator permissions, as shown:

Add local user permissions

Now you should find you can use your SSH client client to successfully log in to the ESX host. Once you are logged in using this user account you can use the su command to elevate your privileges to the root user.

Logging in using SSH

Now you have root access edit the /etc/ssh/sshd_config file by issuing the following command:

nano /etc/ssh/sshd_config

Find the line in the file which says:

PermitRootLogin no

and change it to:

PermitRootLogin yes

Press Ctrl-O, and then press Enter to save the file, and then press Ctrl-X to exit the file. Restart the sshd service by issuing the following command:

/etc/init.d/sshd restart

Quit your SSH session and start a new one , this time logging in as the root user. Root SSH access is now enabled.

Log in as root

You may want to delete the user account (in this example ‘testuser’) you created earlier at this stage, as it is no longer required.

References:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=8375637

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1024235