Crash Course: Cisco ASA 5505 Setup with QoS

I embarked on securing my home network while providing reliable VPN access. I had limited experience with Cisco’s IOS in the past so I was willing to make an attempt at taming an ASA (Adaptive Security Appliance) 5505. Of course my budget was limited so I opted for the base license (10 hosts). This is a limit I still do not quite understand. Some say its defined by ARP entries or XLAT’s. Honestly, I decided not to test the water.

I setup my network in a rather unique way. I kept my existing Airport Extreme with its current subnet and simply placed the entire router in a NAT on my ASA. This way my ASA will only ever see one host. This has some disadvantages but only in the configuration. For this example I will define the networks as (substitute yours in):

ASA Inside-Network = 10.1.0.0/24
ASA VPN-Network = 10.2.0.0/24
Airport Network = 10.3.0.0/24

It is important to note if this is your first time playing with an ASA it would be wise to attach the blue serial cable. It personally gave me the confidence to do anything I wanted without worrying about lossing the connection. I also setup my ASA completely via the CLI. I am no expert by any means, in fact I believe Cisco is currently emphasizing the ASDM however I just felt more comfortable in CLI. I do use the ASDM however I make it show me the commands before it sends them. This is for two reasons, one to teach me and two to prevent accidents.

I personally can attest to the vast amount of information on the internet about the ASA. This post is to help bring everything together into one place. I do not plan on explaining anything already available online. The configuration was done on ASA 9.0(2) but should work with anything 8.3 or higher (since the new NAT rules). These commands are expected to be issued on a factory default ASA.

The first thing you will need to do with your ASA is setup the basics (replacing the all-caps words):

hostname HOSTNAME
enable password PASSWORD

username USERNAME password PASSWORD privilege 15
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 

http server enable
http 10.1.0.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.255.0 inside

ssh version 2
ssh timeout 5
console timeout 5
management-access inside

clock timezone CST -6
clock summer-time CDT recurring

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 name-server 8.8.8.8

ntp server 169.229.70.95 source outside prefer

Configure your VLAN addresses and setup DHCP server:

interface Vlan1
 ip address 10.1.0.1 255.255.255.0

dhcpd address 10.1.0.30-10.1.0.50 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd option 3 ip 10.1.0.1 interface inside
dhcpd enable inside

Example of opening a port through the firewall (you of course also have to forward it through the Airport):

object network SSH-Server
 host 10.1.0.2

access-list outside_access_in extended permit tcp any object SSH-Server eq ssh

object network SSH-Server
 nat (inside,outside) static interface service tcp ssh ssh

access-group outside_access_in in interface outside

Note: The host is the Airport’s WAN IP. The address located on the subnet between the ASA and Router. This is because the Airport is performing NAT.

For the VPN portion of the configuration, I personally used the VPN wizard from the ASDM and it worked fine. Using OS X and iOS primarily, I chose to use IPSec. During the configuration I chose to do split tunneling which only redirects local traffic through the VPN and leaves the internet traffic through the client’s connection.

After you configure your VPN you might want to allow it to access the inside network:

object network inside-network
 subnet 10.1.0.0 255.255.255.0

object network vpn-network
 subnet 10.2.0.0 255.255.255.192

nat (inside,outside) source static inside-network inside-network destination static vpn-network vpn-network no-proxy-arp route-lookup

Block pings from hitting your outside interface with this:

icmp deny any outside

Enable scanning threat detection:

threat-detection scanning-threat shun except ip-address 10.1.0.0 255.255.255.0

To setup QoS first perform some speed tests at various times to gauge your actual bandwidth. You will also need to plan which traffic you wish to prioritize. We can only control what leaves our ASA. What comes in from your ISP has already traveled to its final destination and forcing the ASA to shape this traffic would be a waste. The argument says TCP will naturally kick in due to drop packets on the sender’s end and throttle down his send. I think it could have some advantages in paper however I have no real world evidence to support or refute anything nor do I plan on shaping the downstream traffic.

Here is a basic example of traffic shaping your outside interface’s upstream and prioritizing VoIP over IAX2:

class-map VoIP
 match port udp eq 4569

policy-map PriorityPol
 class VoIP
  priority

policy-map OutPol
 class class-default
  shape average 1800000
  service-policy PriorityPol

service-policy OutPol interface outside

Note: The numbers used were calculated based on a 2Mbit upload.

To setup SNMP use the following (fill in the community, location and contact):

snmp-server host inside 10.2.0.2 poll community public version 2c
snmp-server location Home
snmp-server contact [email protected]
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

To enable logging with email alerts perform the following:

logging from-address [email protected]
logging recipient-address [email protected] level critical
smtp-server 10.1.0.3

logging enable
asdm history enable
logging asdm informational
logging buffer-size 16384
logging timestamp

logging list email-notification level errors
logging list email-notification level notifications class auth
logging list email-notification level notifications class config
logging list email-notification level notifications class session
logging list email-notification message 109033
logging list email-notification message 109034
logging list email-notification message 315004
logging list email-notification message 315011
logging list email-notification message 605004
logging list email-notification message 710002
logging list email-notification message 111001
logging list email-notification message 111004
logging list email-notification message 113005
logging list email-notification message 113012
logging list email-notification message 113015
logging list email-notification message 611101
logging list email-notification message 611102
logging list email-notification message 102001
logging list email-notification message 199001
logging list email-notification message 199009
logging list email-notification message 502103
logging list email-notification message 111008
logging list email-notification message 613003
logging list email-notification message 603108
logging list email-notification message 719019
logging list email-notification message 719020
logging list email-notification message 719022
logging list email-notification message 719023
logging list email-notification message 111010

logging device-id ipaddress outside
logging monitor email-notification
logging buffered email-notification
logging mail email-notification
logging class auth mail warnings 
logging class config mail warnings 
logging class session mail warnings 
logging class vpdn mail warnings 

WCCP was something I quickly became a fan of and decided to jump right in. I am now running a dedicated Squid3 proxy VM that not only caches but also strips ads. By using the ASA’s feature and location I was able to transparently proxy the entire homes port 80 traffic. I decided not to touch SSL caching. The key to a proxy in THIS environment is the subnet. The proxy MUST be in the inside vlan subnet of the ASA (ex. 10.1.0.3).

After setting up a working squid3 simply add these settings to your ASA:

access-list wccp_redirect extended permit tcp object inside-network any eq www 

wccp web-cache redirect-list wccp_redirect
wccp interface inside web-cache redirect in

If this still looks puzzling then you are probably missing the GRE tunnel needed. This is a great resource here: Cisco ASA and Squid with WCCP2.

1 thought on “Crash Course: Cisco ASA 5505 Setup with QoS”

  1. Hey I am so grateful I found your weblog, I really found you by error, while I was searching on Yahoo for something else, Anyhow I am here now and would just like to say thanks for
    a tremendous post and a all round exciting blog (I also love
    the theme/design), I don’t have time to browse it all
    at the moment but I have saved it and also included your RSS
    feeds, so when I have time I will be back to read much more, Please do keep up
    the excellent b.

Leave a Reply

Your email address will not be published. Required fields are marked *