Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
593
Views
0
Helpful
9
Replies

Cisco 5525X Firewall and Cisco 2960 Switch

Go to solution
ATS75
Level 1
Level 1

‎08-04-2024 01:12 PM

I just purchased a Cisco 5525X (without firepower) and a Cisco 2960 switch and a Xfinity router. I am planning to work on these devices as a hands on lab environment to gain experience with Cisco equipment. Yes, I have an Associates degree in Computer Science but our instructors only dealt with basic router/switch configurations. Additionally when it came to firewalls we only went over what it is used for. I currently attend Medcertify ($4500 course) and in a Cyber-security course with lab simulations, but none of these simulations have hands on labs or extensive concepts on firewalls. I am wondering why is this the case?? In short I am wondering if someone can instruct me on how to configure these devices for a home lab/network to keep my home network secure? Or is there any courses or resources that would be helpful. I am good at following directions as well.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-16-2024 02:38 AM

Hello @ATS75 ,

you have bought an ASA 5525 X without firepower service module.

A starting point is the following:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html?dtid=osscdc000283

https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

! configuration guides are the reference for configuring your firewall. A show version will tell you what version is running on the box.

You can also try to go to Security > Network Security and look for documents there.

https://community.cisco.com/t5/network-security/bd-p/discussions-network-security

Very important this one because NAT operations are central on this type of firewall.

https://community.cisco.com/t5/security-knowledge-base/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

 

And likely the Cisco Learning Network can be a good place to start.

https://learningnetwork.cisco.com/s/next-generation-firewall-training-videos

>> but none of these simulations have hands on labs or extensive concepts on firewalls. I am wondering why is this the case?

I don't know the details of Medcertify . It depends on what are the learning goals.

Be also aware that it is difficult for example to make a vendor  neutral training on firewalls as implementation and configuration of them is quite different from vendor to vendor and even within a single vendor between different families there are differences.

The ASA 5525X is a stateful Firewall, but it is not Zone Based,  it uses security levels on interfaces a value between 0 and 100.

The outside interface has security level 0 (untrusted) and the internal inside interface have security level 100 ( totally trusted).

By default an ASA will allow connections starting from a more trusted interface to a less trusted interface.

By default an ASA will use NAT unless configured to not use it ( also called identity NAT)

Be also aware that ASA is not considered a NGFW unless the Firepower module is present.

So you can make some labs with it but the learning curve is not small.

Hope to help

Giuseppe

 

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-16-2024 02:38 AM

Hello @ATS75 ,

you have bought an ASA 5525 X without firepower service module.

A starting point is the following:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html?dtid=osscdc000283

https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

! configuration guides are the reference for configuring your firewall. A show version will tell you what version is running on the box.

You can also try to go to Security > Network Security and look for documents there.

https://community.cisco.com/t5/network-security/bd-p/discussions-network-security

Very important this one because NAT operations are central on this type of firewall.

https://community.cisco.com/t5/security-knowledge-base/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

 

And likely the Cisco Learning Network can be a good place to start.

https://learningnetwork.cisco.com/s/next-generation-firewall-training-videos

>> but none of these simulations have hands on labs or extensive concepts on firewalls. I am wondering why is this the case?

I don't know the details of Medcertify . It depends on what are the learning goals.

Be also aware that it is difficult for example to make a vendor  neutral training on firewalls as implementation and configuration of them is quite different from vendor to vendor and even within a single vendor between different families there are differences.

The ASA 5525X is a stateful Firewall, but it is not Zone Based,  it uses security levels on interfaces a value between 0 and 100.

The outside interface has security level 0 (untrusted) and the internal inside interface have security level 100 ( totally trusted).

By default an ASA will allow connections starting from a more trusted interface to a less trusted interface.

By default an ASA will use NAT unless configured to not use it ( also called identity NAT)

Be also aware that ASA is not considered a NGFW unless the Firepower module is present.

So you can make some labs with it but the learning curve is not small.

Hope to help

Giuseppe

 

 

0 Helpful

Go to solution
ATS75
Level 1
Level 1
In response to Giuseppe Larosa

‎08-27-2024 05:31 AM

This solution looks like it should work but on my particular device I cannot even get commands to work like they should. First of all the putty prompt show rommon instead of ciscoasa. Every command from (en, enable, config t, configure terminal, etc..) shows as a invalid command. Also this is a used unit purchased from ebay and I am now worried that maybe the device is faulty.

Every YouTube video about Cisco devices (enable, config t, etc....) are universal commands and should work. So can I get some advice and what should I do if I cant get the initial basic commands to work on the unit? Also the device does not have a SSD but the seller said it still should function as a firewall in his Ebay post.

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ATS75

‎08-27-2024 07:29 AM

Hello @ATS75 ,

if the device is stucked in ROMMON it means it was not able to load a full OS image.

this is why the usual commands cannot be used.

You need to fix the booting issue first.

You can log the error messages that appear in the console connection put them in a text file and attach the file in a post to get better help.

Hope to help

Giuseppe

 

0 Helpful

Go to solution
ATS75
Level 1
Level 1
In response to Giuseppe Larosa

‎08-27-2024 10:18 AM

My instructor stated that the reason I cannot enter any commands is that the Firewall obviously does not have a IOS available. The seller sold the device without the SSD and did not mention it didnt have an IOS/image file so I can actually configure the firewall. He said I need a download of the image file for the 5525X. Is this correct? He said afterwards then you can store the image file on a TFTP server for the firewall can use. Is this your solution as well or do you agree with this?

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ATS75

‎08-27-2024 12:02 PM

Hello @ATS75 ,

the ASA should have an internal flash that may have enough free space for the OS image.

From a legal point of view , as far as I know the seller has not the right to pass your the OS image software with the device.

However, in most cases I think devices are sold as is with their current OS image still present on the system.

Booting from a TFTP server  may be possible for an ASA and it can be acceptable for lab usage for learning and training.

>> He said I need a download of the image file for the 5525X

You would need a service contract tied to the serial number of your device to be entitled to download a suitable OS image from Cisco site.

For learning purposes there can be unofficial sites to try to get the image from.

Hope to help

Giuseppe

 

0 Helpful

Go to solution
ATS75
Level 1
Level 1
In response to Giuseppe Larosa

‎08-28-2024 05:38 AM

Are there any commands to check to see if the IOS is stored in flash like you suggested. Main goal is to get the IOS booted up so I can enter commands.

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ATS75

‎08-28-2024 09:39 AM

Hello @ATS75 ,

read the following document that provides a way to use ROMMON to load an OS image using a TFTP

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/admin_trouble.html#83416

to see the contents of the flash try to use

dir flash:

or

dir disk0:

or

dir disk1:

post the output of dir flash:

Hope to help

Giuseppe

 

0 Helpful

Go to solution
ATS75
Level 1
Level 1
In response to Giuseppe Larosa

‎09-03-2024 06:00 AM

Here is some additional outputs as well as when I entered the commands you recommended. I think the seller did not sell me a functional firewall or withheld important info that someone should be aware of before buying. I cannot afford any licensing accounts with Cisco just to create a lab to learn. Hopefully I can find a way to get it up an operable soon. Thx again for trying to help I appreciate it.

Preview file
219 KB
Preview file
248 KB
Preview file
231 KB
Preview file
175 KB
0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ATS75

‎09-03-2024 06:09 AM

Hello @ATS75 ,

try to use the help command at the rommon prompt. 

I also suggest you to collect log files as text files and to attach them as txt files.

I couldn't find a rommon config guide for ASA so I suggested you something that may work on routers.

Hope to help

Giuseppe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card