ASA Basic Configuration

I have an ASA 5506 running in my lab and I wanted to establish the basic configuration for it first before I jump into the TrustSec configuration. This post isn't much of a deep dive but more informational in the event someone is building a lab similar to mine.

Jumping into it, I'm going to start with the basic interface, IP, domain name and NAT configuration:

ssh version 2
hostname ASA-5506X

interface GigabitEthernet1/1
nameif inside
ip address
no shutdown

interface GigabitEthernet1/2
nameif outside
ip address
no shutdown

route outside 0 0

interface Management1/1
no shutdown

object network obj_any
subnet 0 0
nat (any,outside) dynamic interface

management-access inside
http server enable
http 0 0 inside
ssh 0 0 inside
ssh timeout 60
username admin password networknode privilege 15
enable password
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
logging asdm informational
fixup protocol icmp   <- This is more for my labbing and not really a necessity
asdm image disk0:image

Two things to keep in mind before copying this: "ssh 0 0 inside" and "http 0 0 inside" accept management connections from any source address behind the inside interface, and the local admin password is printed in cleartext here, so change it and, outside a lab, limit the management sources to an admin subnet. The SSH server on an ASA also needs an RSA key pair (crypto key generate rsa), which this listing does not show; without it SSH connections are refused.

router eigrp 1
passive-interface outside
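As an added example (not part of the original post), here is the management-access portion of that configuration tightened the way I would run it on anything other than a throwaway lab box. The 10.0.100.0/24 admin subnet and the lab.example domain name are assumptions; substitute your own.

```text
! Added example, not from the post. The admin subnet 10.0.100.0/24 and
! the domain name lab.example are assumed values for illustration.
hostname ASA-5506X
domain-name lab.example
! The SSH server refuses connections until the ASA has an RSA key pair;
! key generation requires hostname and domain-name to be set first.
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
! Only the admin subnet may reach SSH and ASDM, instead of "0 0" (any source).
ssh 10.0.100.0 255.255.255.0 inside
ssh timeout 10
http server enable
http 10.0.100.0 255.255.255.0 inside
! Authenticate against the local database and drop users into their
! configured privilege level without a shared enable password.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL auto-enable
username admin password <choose-your-own> privilege 15
```

After applying it, "show ssh" confirms the version and timeout, and "show run ssh" and "show run http" confirm that the only permitted sources are the admin subnet.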

Since I have the Firepower module on this ASA, I'll go ahead and give that an IP address:

session sfr console
<login with the default username/password of admin/Admin123>
configure network ipv4 manual
configure manager add networknode

The "configure manager add" command also takes a registration key; the same key has to be entered when the sensor is added in the management center, or registration will fail.

In the Layer 3 switch, I'll go ahead and configure the EIGRP process:

router eigrp 1
passive-interface default
no passive-interface vlan 100

(Yes, I'm not being very neat with my routing - it's a lab.)

Next I'm going to swing over to ASDM to make it easier for anyone following along to set up some basic settings. Browse to the inside interface's address over HTTPS and the ASDM landing page should come up:

Install the ASDM Launcher and run it.

Configure a basic remote access VPN using the wizard. To start, go to Wizards > VPN Wizards > AnyConnect VPN Wizard and click Next:

Give the connection profile a name and set it up on the outside interface:

On the next page, check only the SSL box and leave the device certificate unset. With no device certificate the ASA presents its self-signed certificate, so AnyConnect will warn about an untrusted server; that is fine for a lab but not for production:

On the next screen, add a client image, which you can download from the Cisco support page. Upload the appropriate package and click Next.

The next page is the authentication method; it defaults to the LOCAL user database, so click Next for now:

On the next page, pick an address pool that does not overlap an existing subnet or DHCP scope. In this lab, I have my switch using so I'm going to use to assign to VPN clients:

Fill in the DNS server and domain name and click Next:

Check the box to exempt VPN traffic from NAT and click Next:

Click Next through the client deployment page and then Finish.

Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies and open the group policy the wizard just created. In the Edit Internal Group Policy window, expand Advanced and highlight Split Tunneling. Uncheck Inherit next to Policy and choose Tunnel Network List Below. Uncheck Inherit next to Network List and then click Manage.

You'll need to create an ACL (a standard ACL works) that permits all of the internal subnets. After doing so, click OK and make sure that ACL is selected as the Network List:

Click OK and Apply the configuration.

Open AnyConnect and connect to the outside interface address. Once connected, only the subnets in that ACL are sent through the tunnel, and you should be able to reach hosts on them.
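For anyone who would rather do this from the CLI, here is the equivalent of what the wizard plus the split-tunnel edit produce, written as an added example rather than the wizard's literal output. The pool, inside subnet, DNS server, profile and policy names, and the image filename are all assumptions; substitute your own.

```text
! Added example, not the wizard's output. Every name and address below
! is an assumed value: VPN_POOL, INSIDE_NETS, SPLIT_TUNNEL, GP_ANYCONNECT_LAB,
! ANYCONNECT_LAB, 10.0.200.0/24, 10.0.0.0/16, 10.0.100.53, the image file.
ip local pool VPN_POOL 10.0.200.10-10.0.200.100 mask 255.255.255.0
object network VPN_POOL
 subnet 10.0.200.0 255.255.255.0
object network INSIDE_NETS
 subnet 10.0.0.0 255.255.0.0
! Split tunnel: only these destinations go through the tunnel.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.0.0
! NAT exemption (what the "NAT Exempt" checkbox adds). This is twice NAT,
! evaluated before the obj_any object NAT, so inside-to-VPN traffic is not
! PATed to the outside address and can return to the client.
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GP_ANYCONNECT_LAB internal
group-policy GP_ANYCONNECT_LAB attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 10.0.100.53
tunnel-group ANYCONNECT_LAB type remote-access
tunnel-group ANYCONNECT_LAB general-attributes
 address-pool VPN_POOL
 default-group-policy GP_ANYCONNECT_LAB
tunnel-group ANYCONNECT_LAB webvpn-attributes
 group-alias ANYCONNECT_LAB enable
! A VPN-only local user; service-type keeps it from logging in to management.
username vpnuser password <choose-your-own>
username vpnuser attributes
 service-type remote-access
```

Two checks are worth running afterwards: "show run nat" should list the exemption rule above the "obj_any" dynamic rule, and once a client is connected "show vpn-sessiondb anyconnect" shows the assigned pool address and the group policy in effect.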