My Cybersecurity Journal: Cisco ASA 5506W-X Basic Configuration

After upgrading the image on my Cisco ASA 5506W-X in a previous post, it's time to do some basic configuration. The deployment starting in ASA 9.7 was slightly changed in order to mimic the plug-and-play behavior of an ASA 5505. This is probably due to demands from SOHO users to deploy an ASA5506-X without an additional Layer 2 switch.

The default configuration and behavior are the following:

The GigabitEthernet1/1 interface is used for the outside or the ISP facing port

You'll need to patch a direct cable between GigabitEthernet 1/2 and Management 1/1 ports in order to manage the FirePOWER module. You shouldn't configure any Layer 3 IP address on the Management 1/1 interface.

You can configure the FirePOWER module with an IP address from the inside subnet (i.e. 192.168.1.2/24)

The GigabitEthernet 1/3 - 1/8 interfaces can be used to connect end devices (router, server, PC, etc.) which are "bridged" to the BVI (inside) interface. This is similar to the ASA 5505 Switch Virtual Interface (SVI).

There's an internal GigabitEthernet 1/9 (wifi) port which is used to manage the integrated Cisco Aironet 702i.

The inside (higher security level 100) to outside (low security level 0) traffic flow is allowed

The wifi to inside (using the same-security-traffic permit inter-interface command) and wifi to outside traffic are allowed

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: <ENTER>

ciscoasa(config)# hostname ASA5506W-X
ASA5506W-X(config)# domain-name ?

configure mode commands/options:
WORD Domain names must begin and end with a digit/letter, only letters,
        digits, and hyphen are allowed as internal characters, labels are
        separated by a dot. A maximum of 63 characters is allowed.

ASA5506W-X(config)# domain-name lab.com
ASA5506W-X(config)# enable ?

configure mode commands/options:
password Configure password for the enable command

ASA5506W-X(config)# enable password ?

configure mode commands/options:
WORD Enter a password for the privilege level. The length must be between 3
        and 127 characters.
<cr>

ASA5506W-X(config)# enable password cisco       // NOT IDEAL IN PRODUCTION
ASA5506W-X(config)# passwd ?

configure mode commands/options:
WORD A password of up to 32 alphanumeric characters

ASA5506W-X(config)# passwd cisco    // TELNET PASSWORD (IF TELNET IS CONFIGURED)
ASA5506W-X(config)# username ?

configure mode commands/options:
WORD < 65 char Enter the name of the user. A minimum of 3 characters is
                  required. A maximum of 64 characters is allowed.

ASA5506W-X(config)# username admin ?

configure mode commands/options:
attributes Enter the attributes sub-command mode for the specified user
nopassword Indicates that this user has the blank string ("") as the
              password
password    The password for this user
privilege   Enter the privilege level for this user
<cr>

ASA5506W-X(config)# username admin password ?

configure mode commands/options:
WORD Enter a password for the user. The length must be between 3 and 127
        characters and must comply with the configured password policy.

ASA5506W-X(config)# username admin password cisco ?

configure mode commands/options:
attributes    Enter the attributes sub-command mode for the specified user
encrypted     Indicates the <password> entered is encrypted
mschap        The password will be converted to unicode and hashed using MD4.
                 User entries must be created this way if they are to be
                authenticated using MSCHAPv1 or MSCHAPv2
nt-encrypted Indicates the <password> entered has been converted to unicode
                and hashed using MD4, and can be used for MS-CHAP.
pbkdf2        Indicates that the <password> entered has been salted and
                hashed using the pbkdf2 key derivation algorithm
privilege     Enter the privilege level for this user
<cr>

ASA5506W-X(config)# username admin password cisco privilege ?

configure mode commands/options:
<0-15> The privilege level for this user

ASA5506W-X(config)# username admin password cisco privilege 15
ASA5506W-X(config)# crypto key generate rsa modulus 2048    // CONFIGURE HOSTNAME AND DOMAIN NAME FIRST
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA5506W-X(config)# boot system disk0:/asa982-38-lfbff-k8.SPA
ASA5506W-X(config)# asdm image disk0:/asdm-792-152.bin
ASA5506W-X(config)#
ASA5506W-X(config)# interface g1/1
ASA5506W-X(config-if)# description ### ISP WAN ###
ASA5506W-X(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA5506W-X(config-if)# ip address ?

interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp                 Keyword to use DHCP to poll for information. Enables the
                       DHCP client feature on the specified interface
pppoe                Keyword to use PPPoE to poll for information. Enables
                       the PPPoE client feature on the specified interface

ASA5506W-X(config-if)# ip address dhcp ?

interface mode commands/options:
setroute Keyword to set the default route using the default gateway
            parameter the DHCP server returns
<cr>

ASA5506W-X(config-if)# ip address dhcp setroute     // IF CONNECTING TO A CABLE MODEM OR ISP ROUTER
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface ?

configure mode commands/options:
BVI              Bridge-Group Virtual Interface
GigabitEthernet GigabitEthernet IEEE 802.3z
Management       Management interface
Port-channel     Ethernet Channel of interfaces
Redundant        Redundant Interface
Tunnel           Tunnel interface
vni              VNI Interface
<cr>

ASA5506W-X(config)# interface bvi ?

configure mode commands/options:
<1-250> BVI interface number

ASA5506W-X(config)# interface bvi 1     // DEFAULT GATEWAY FOR GIG PORTS 1/2 - 1/8
ASA5506W-X(config-if)# description ### WIRED LAN GW ###
ASA5506W-X(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA5506W-X(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/2
ASA5506W-X(config-if)# description ### DIRECT CABLE MGMT 1/1 - FP IP: 192.168.1.2 ###
ASA5506W-X(config-if)# ?

Interface configuration commands:
authentication   authentication subcommands
bfd              BFD interface configuration commands
bridge-group     Specify the bridge group that this interface is a part of
channel-group    Etherchannel/port bundling configuration
cts              Configure interface specific CTS settings
ddns             Configure dynamic DNS
default          Set a command to its defaults
delay            Specify interface throughput delay
description      Interface specific description
dhcp             Configure parameters for DHCP client
dhcprelay        Configure DHCP Relay Agent
duplex           Configure duplex operation
exit             Exit from interface configuration mode
flowcontrol      Configure flowcontrol operation
hello-interval   Configures EIGRP-IPv4 hello interval
help             Description of the interactive help system
help             Interactive help for interface subcommands
hold-time        Configures EIGRP-IPv4 hold time
igmp             IGMP interface commands
ip               Configure the ip address
ipv6             IPv6 interface subcommands
isis             IS-IS commands
lacp             LACP interface subcommands
mac-address      Assign MAC address to interface
management-only Dedicate an interface to management. Block thru traffic
mfib             Interface Specific MFIB Control
multicast        Configure multicast routing
nameif           Assign name to interface
no               Negate a command or set its defaults
nve-only         Dedicate an interface to source-interface of a NVE. Block
                   thru traffic
ospf             OSPF interface commands
pim              PIM interface commands
policy-route     Enable policy based routing
pppoe            Configure parameters for PPPoE client
rip              Router Information Protocol
security-level   Specify the security level of this interface after this
                   keyword, Eg: 0, 100 etc. The relative security level between
                   two interfaces determines the way the Adaptive Security
                   Algorithm is applied. A lower security_level interface is
                   outside relative to a higher level interface and equivalent
                   interfaces are outside to each other
shutdown         Shutdown the selected interface
speed            Configure speed operation
split-horizon    Configures EIGRP-IPv4 split-horizon
summary-address Configures EIGRP-IPv4 summary-address
zone-member      Associate interface to a zone

ASA5506W-X(config-if)# bridge-group ?

interface mode commands/options:
<1-250> Group number of this interface

ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-1
INFO: Security level for "inside-1" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/3
ASA5506W-X(config-if)# description ### VM/ASDM PC: 192.168.1.100 ###
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-2
INFO: Security level for "inside-2" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/4
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-3
INFO: Security level for "inside-3" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/5
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-4
INFO: Security level for "inside-4" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/6
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-5
INFO: Security level for "inside-5" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/7
ASA5506W-X(config-if)# bridge-group 1
INFO: Security level for "inside-6" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/8
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-7
INFO: Security level for "inside-7" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown

The Cisco Quick Start Guide will ask you to HTTP to 192.168.10.2 but I got timed out. The ASA show arp output shows it's on 192.168.10.10 instead. You'll also need to initialize the built-in AP using the hw-module module wlan recover configuration command

ASA5506W-X# show arp
        inside 192.168.1.10 8cec.4be6.a3c4 0
        wifi 192.168.10.10 f078.163d.f100 190      // HTTP TO AP GUI 192.168.10.10

I manually set my laptop to 192.168.1.10/24 connected to the ASA G1/3 port.

Type the default login: cisco / Cisco

ASA5506W-X(config-if)# hw-module ?

exec mode commands/options:
module Act on a module

ASA5506W-X(config-if)# hw-module module ?

exec mode commands/options:
Available module ID(s):
wlan Module ID
ASA5506W-X(config-if)# hw-module module wlan ?

exec mode commands/options:
recover Configure recovery of this module
reset    Reset the module

ASA5506W-X(config-if)# hw-module module wlan recover ?

exec mode commands/options:
configuration Initiate configuration recovery of this module
image          Perform image recovery on this module

ASA5506W-X(config-if)# hw-module module wlan recover configuration    // TO INITIALIZE THE INTERNAL AP; WIFI LED BLINKED AMBER FOR FEW SECONDS THEN STABLE GREEN
WARNING: Entering this command will suspend the ASA console as long as the module recovery process is in progress.
Do you want to proceed [confirm]?

Configuration recovery is now complete.
You can now session into the module console to issue any further commands.
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/9
ASA5506W-X(config-if)#description ### INTERNAL AP: 192.168.10.2 ###
ASA5506W-X(config-if)# nameif wifi
INFO: Security level for "wifi" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# same-security-traffic permit inter-interface     // FOR inside AND wifi INTERFACE TO COMMUNICATE DIRECTLY
ASA5506W-X(config)#
ASA5506W-X(config)# dhcpd ?

configure mode commands/options:
address       Configure the IP pool address range after this keyword
auto_config   Enable auto configuration from client
dns           Configure the IP addresses of the DNS servers after this
                keyword
domain        Configure DNS domain name after this keyword
enable        Enable the DHCP server
lease         Configure the DHCPD lease length after this keyword
option        Configure options to pass to DHCP clients after this keyword
ping_timeout Configure ping timeout value after this keyword
update        Configure dynamic updates
wins          Configure the IP addresses of the NETBIOS servers after this
                keyword
ASA5506W-X(config)# dhcpd address ?

configure mode commands/options:
WORD IP address[es], <ip1>[-<ip2>]
ASA5506W-X(config)# dhcpd address 192.168.1.10-192.168.1.50 ?

configure mode commands/options:
Available interfaces on which to enable the DHCP server:
inside    Name of interface BVI1
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# dhcpd address 192.168.1.10-192.168.1.50 inside     // DHCP FOR inside
ASA5506W-X(config)# dhcpd dns ?

configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
ASA5506W-X(config)# dhcpd dns 8.8.8.8 ?

configure mode commands/options:
Hostname or A.B.C.D IP address of server 2
interface            Specify interface to which action will apply to
<cr>
ASA5506W-X(config)# dhcpd dns 8.8.8.8 4.2.2.2 ?

configure mode commands/options:
interface Specify interface to which action will apply to
<cr>
ASA5506W-X(config)# dhcpd dns 8.8.8.8 4.2.2.2 interface inside
ASA5506W-X(config)# dhcpd domain ?

configure mode commands/options:
WORD DNS domain name
<cr>
ASA5506W-X(config)# dhcpd domain lab.com ?

configure mode commands/options:
interface Specify interface to which action will apply to
<cr>
ASA5506W-X(config)# dhcpd domain lab.com interface ?

configure mode commands/options:
Available interfaces on which to apply this keyword:
inside    Name of interface BVI1
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# dhcpd domain lab.com interface inside
ASA5506W-X(config)# dhcpd enable inside
ASA5506W-X(config)#
ASA5506W-X(config)# dhcpd address 192.168.10.10-192.168.10.50 wifi     // DHCP FOR wifi
ASA5506W-X(config)# dhcpd dns 8.8.8.8 4.2.2.2 interface wifi
ASA5506W-X(config)# dhcpd domain lab.com interface wifi
ASA5506W-X(config)# dhcpd enable wifi
ASA5506W-X(config)#
ASA5506W-X(config)# object ?

configure mode commands/options:
network Specifies a host, subnet or range IP addresses
service Specifies a protocol/port
ASA5506W-X(config)# object network ?

configure mode commands/options:
WORD < 129 char Specifies object ID
ASA5506W-X(config)# object network obj_inside-1
ASA5506W-X(config-network-object)# ?

attribute    Enter this keyword to specify an attribute
description Specify description text
fqdn         Enter this keyword to specify an FQDN
help         Help for network object configuration commands
host         Enter this keyword to specify a single host object
nat          Enable NAT on a singleton object
no           Remove an object or description from object
range        Enter this keyword to specify a range
subnet       Enter this keyword to specify a subnet
ASA5506W-X(config-network-object)# subnet ?

network-object mode commands/options:
A.B.C.D             Enter an IPV4 network address
X:X:X:X::X/<0-128> Enter an IPv6 prefix
ASA5506W-X(config-network-object)# subnet 192.168.1.0 ?

network-object mode commands/options:
A.B.C.D Enter an IPv4 network mask
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat ?

network-object mode commands/options:
(        Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
           <real_if_name> is the prenat interface and <mapped_if_name> is the
           postnat interface
dynamic Specify NAT type as dynamic
static   Specify NAT type as static

configure mode commands/options:
(               Open parenthesis for (<internal_if_name>,<external_if_name>)
                  pair where <internal_if_name> is the Internal or prenat
                  interface and <external_if_name> is the External or postnat
                  interface
<1-2147483647> Position of NAT rule within before auto section
after-auto      Insert NAT rule after auto section
source          Source NAT parameters
ASA5506W-X(config-network-object)# nat (?

network-object mode commands/options:
Current available interface(s):

any       Global address space
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9

configure mode commands/options:
Current available interface(s):

any       Global address space
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config-network-object)# nat (inside-1,?

network-object mode commands/options:
Current available interface(s):

any       Global address space
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9

configure mode commands/options:
Current available interface(s):

any       Global address space
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config-network-object)# nat (inside-1,outside) ?

network-object mode commands/options:
dynamic Specify NAT type as dynamic
static   Specify NAT type as static

configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto      Insert NAT rule after auto section
source          Source NAT parameters
ASA5506W-X(config-network-object)# nat (inside-1,outside) dynamic ?

network-object mode commands/options:
A.B.C.D             Mapped IP address
WORD                Mapped network object/object-group name
X:X:X:X::X/<0-128> Enter an IPv6 prefix
interface           Use interface address as mapped IP
pat-pool            Specify object or object-group name for mapped source pat
                      pool
ASA5506W-X(config-network-object)# nat (inside-1,outside) dynamic interface ?

network-object mode commands/options:
dns   Use the created xlate to rewrite DNS record
ipv6 Use IPv6 address(es) as mapped IP(s)
<cr>
ASA5506W-X(config-network-object)# nat (inside-1,outside) dynamic interface   // CONFIGURE PAT FOR EACH inside INTERFACE
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-2
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (inside-2,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-3
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (inside-3,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-4
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (inside-4,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-5
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (inside-5,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-6
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (inside-6,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-7
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (inside-7,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_any_wifi
ASA5506W-X(config-network-object)# subnet 192.168.10.0 255.255.255.0
ASA5506W-X(config-network-object)# nat (wifi,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# access-list ?

configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ASA5506W-X(config-network-object)# access-list OUTSIDE-IN ?

configure mode commands/options:
deny       Specify packets to reject
ethertype Configure access policy for non IP traffic through the system when
             configured in transparent mode
extended   Configure access policy for IP traffic through the system
line       Use this to specify line number at which ACE should be entered
permit     Specify packets to forward
remark     Specify a comment (remark) for the access-list after this keyword
rename     rename an existing access-list
standard   Use this to configure policy having destination host or network
             only
webtype    Use this to configure WebVPN related policy
ASA5506W-X(config-network-object)# access-list OUTSIDE-IN remark ?

configure mode commands/options:
LINE < 101 char Comment for the access-list
ASA5506W-X(config-network-object)# access-list OUTSIDE-IN remark ALLOW ICMP AND TRACEROUTE
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any time-exceeded
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any unreachable
ASA5506W-X(config)#
ASA5506W-X(config)# access-group OUTSIDE_IN in interface outside
ASA5506W-X(config)#
ASA5506W-X(config)# policy-map global_policy
ASA5506W-X(config-pmap)# class inspection_default
ASA5506W-X(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
ctiqbe
dcerpc
diameter
dns
esmtp
ftp
gtp
h323
http
icmp
ils
im
ip-options
ipsec-pass-thru
ipv6
lisp
m3ua
mgcp
mmp
netbios
pptp
rsh
rtsp
scansafe
sctp
sip
skinny
snmp
sqlnet
stun
sunrpc
tftp
vxlan
waas
xdmcp
ASA5506W-X(config-pmap-c)# inspect icmp        // ALLOW STATEFUL OUTBOUND ICMP/PING INSPECTION FROM inside TO outside
ASA5506W-X(config-pmap-c)# inspect icmp error
ASA5506W-X(config-pmap-c)#
ASA5506W-X(config-pmap-c)# aaa ?

configure mode commands/options:
accounting      Configure user accounting parameters
authentication Configure user authentication parameters
authorization   Configure user authorization parameters
local           AAA Local method options
mac-exempt      Configure MAC Exempt parameters
proxy-limit     Configure number of concurrent proxy connections allowed per
                  user
ASA5506W-X(config-pmap-c)# aaa authentication ?

configure mode commands/options:
enable              Enable
exclude             Exclude the service, local and foreign network which
                      needs to be authenticated, authorized, and accounted
http                HTTP
include             Include the service, local and foreign network which
                      needs to be authenticated, authorized, and accounted
listener            Configure an HTTP or HTTPS authentication listener
login-history       Configure login history reporting for administrators
match               Specify this keyword to configure an ACL to match
secure-http-client Specify this keyword to ensure HTTP client authentication
                      is secured (over SSL)
serial              Serial
ssh                 SSH
telnet              Telnet
ASA5506W-X(config-pmap-c)# aaa authentication http ?

configure mode commands/options:
console Specify this keyword to identify a server group for administrative
           authentication
ASA5506W-X(config-pmap-c)# aaa authentication http console ?

configure mode commands/options:
LOCAL Predefined server tag for AAA protocol 'local'
WORD   Name of RADIUS or TACACS+ aaa-server group for administrative
         authentication
ASA5506W-X(config-pmap-c)# aaa authentication http console LOCAL     // USE LOCAL admin FOR ASDM
ASA5506W-X(config)# aaa authentication ssh console LOCAL     // USE LOCAL admin FOR SSH
ASA5506W-X(config)# aaa authentication serial console LOCAL     // USE LOCAL admin FOR CONSOLE CABLE ACCESS
ASA5506W-X(config)#
ASA5506W-X(config)# banner ?

configure mode commands/options:
asdm   Display a post login banner (ASDM only)
exec   Display a banner whenever an EXEC process in initiated
login Display a banner before the username and password login prompts
motd   Display a message-of-the-day banner
ASA5506W-X(config)# banner login ?

configure mode commands/options:
LINE A line of message to be displayed, it will be added to the end of an
        existing banner. The token $(domain) and $(hostname) will be replaced
        with the domain name and host name
<cr>
ASA5506W-X(config)# banner login ### ASA 5506W-X LAB ###
ASA5506W-X(config)#
ASA5506W-X(config)# http ?

configure mode commands/options:
Hostname or A.B.C.D                     The IP address of the host and/or
                                          network authorized to access the HTTP
                                          server
Hostname/<0-128> or X:X:X:X::X/<0-128> IPv6 address/prefix authorized to
                                          access the HTTP server
authentication-certificate              Request a certificate from the HTTPS
                                          client when a management connection
                                          is being established
redirect                                Redirect HTTP connections to the
                                          security gateway to use HTTPS
server                                  Enable the http server required to
                                          run Device Manager
username-from-certificate               The DN of the HTTP client certificate
                                          used as username for authorization
                                          and/or authentication
ASA5506W-X(config)# http server ?

configure mode commands/options:
enable           Enable the http server required to run Device Manager
idle-timeout     Idle timeout in minutes (single routed mode only in case of
                   ASDM)
session-timeout Session timeout in minutes (single routed mode only)
ASA5506W-X(config)# http server enable
ASA5506W-X(config)# http ?

configure mode commands/options:
Hostname or A.B.C.D                     The IP address of the host and/or
                                          network authorized to access the HTTP
                                          server
Hostname/<0-128> or X:X:X:X::X/<0-128> IPv6 address/prefix authorized to
                                          access the HTTP server
authentication-certificate              Request a certificate from the HTTPS
                                          client when a management connection
                                          is being established
redirect                                Redirect HTTP connections to the
                                          security gateway to use HTTPS
server                                  Enable the http server required to
                                          run Device Manager
username-from-certificate               The DN of the HTTP client certificate
                                          used as username for authorization
                                          and/or authentication
ASA5506W-X(config)# http 192.168.1.0 ?

configure mode commands/options:
A.B.C.D The IP netmask to apply to the IP address
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 ?

configure mode commands/options:
Current available interface(s):
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-1      // ALLOW ASDM FROM inside
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-2
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-3
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-4
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-5
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-6
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-7
ASA5506W-X(config)# http 192.168.10.0 255.255.255.0 wifi     // ALOW ASDM FROM wifi CLIENTS
ASA5506W-X(config)# ssh ?

configure mode commands/options:
Hostname or A.B.C.D                     The IP address of the host and/or
                                          network authorized to login to the
                                          system
Hostname/<0-128> or X:X:X:X::X/<0-128> IPv6 address/prefix authorized to
                                          login to the system
cipher                                  Specify ssh cipher parameters
key-exchange                            Configure the Diffie-Hellman key
                                          exchange group to use for SSH
pubkey-chain                            SSH host public keys
scopy                                   Secure Copy mode
stricthostkeycheck                      SSH strict host key check
timeout                                 Configure ssh idle timeout
version                                 Specify protocol version to be
                                          supported

exec mode commands/options:
disconnect Specify SSH session id to be disconnected after this keyword
ASA5506W-X(config)# ssh 192.168.1.0 ?

configure mode commands/options:
A.B.C.D The IP netmask to apply to the IP address
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 ?

configure mode commands/options:
Current available interface(s):
inside-1 Name of interface GigabitEthernet1/2
inside-2 Name of interface GigabitEthernet1/3
inside-3 Name of interface GigabitEthernet1/4
inside-4 Name of interface GigabitEthernet1/5
inside-5 Name of interface GigabitEthernet1/6
inside-6 Name of interface GigabitEthernet1/7
inside-7 Name of interface GigabitEthernet1/8
outside   Name of interface GigabitEthernet1/1
wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-1     ALLOW SSH ACCESS TO ASA
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-2
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-3
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-4
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-5
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-6
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-7
ASA5506W-X(config)# ssh 192.168.10.0 255.255.255.0 wifi
ASA5506W-X(config)# end

ASA5506W-X# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Virtual0                   127.1.0.1       YES unset up                    up
GigabitEthernet1/1         unassigned      YES DHCP   down                  down
GigabitEthernet1/2         192.168.1.1     YES unset down                  down
GigabitEthernet1/3         192.168.1.1     YES unset down                  down
GigabitEthernet1/4         192.168.1.1     YES unset down                  down
GigabitEthernet1/5         192.168.1.1     YES unset down                  down
GigabitEthernet1/6         192.168.1.1     YES unset down                  down
GigabitEthernet1/7         192.168.1.1     YES unset down                  down
GigabitEthernet1/8         192.168.1.1     YES unset down                  down
GigabitEthernet1/9         192.168.10.1    YES manual up                    up
Internal-Control1/1        127.0.1.1       YES unset up                    up
Internal-Data1/1           unassigned      YES unset down                  down
Internal-Data1/2           unassigned      YES unset up                    up
Internal-Data1/3           unassigned      YES unset up                    up
Internal-Data1/4           169.254.1.1     YES unset up                    up
Management1/1              unassigned      YES unset administratively down down
BVI1                       192.168.1.1     YES manual up                    up

ASA5506W-X# show nameif
Interface                Name                     Security
GigabitEthernet1/1       outside                    0
GigabitEthernet1/2       inside-1                 100
GigabitEthernet1/3       inside-2                 100
GigabitEthernet1/4       inside-3                 100
GigabitEthernet1/5       inside-4                 100
GigabitEthernet1/6       inside-5                 100
GigabitEthernet1/7       inside-6                 100
GigabitEthernet1/8       inside-7                 100
GigabitEthernet1/9       wifi                     100
BVI1                     inside                   100

ASA5506W-X# more system:running-config
: Saved

:
: Serial Number: JAD200800US
: Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 20:04:10.279 UTC Sat Aug 25 2018
!
ASA Version 9.8(2)38
!
hostname ASA5506W-X
domain-name lab.com
enable password $sha512$5000$J2KrgQkeNeU2GsBrTH9GpA==$vaclWslt/ICaR68qIltgvA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet1/1
description ### ISP WAN ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
description ### DIRECT CABLE TO MGMT 1/1 - FP IP: 192.168.1.2 ###
bridge-group 1
nameif inside-1
security-level 100
!
interface GigabitEthernet1/3
description ### VM/ASDM PC: 192.168.1.100 ###
bridge-group 1
nameif inside-2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside-3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside-4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside-5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside-6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside-7
security-level 100
!
interface GigabitEthernet1/9
description ### INTERNAL AP: 192.168.10.2 ###
nameif wifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
interface BVI1
description ### WIRED LAN GW ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
banner login ### ASA 5506W-X LAB ###
boot system disk0:/asa982-38-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name lab.com
same-security-traffic permit inter-interface
object network obj_inside-1
subnet 192.168.1.0 255.255.255.0
object network obj_inside-2
subnet 192.168.1.0 255.255.255.0
object network obj_inside-3
subnet 192.168.1.0 255.255.255.0
object network obj_inside-4
subnet 192.168.1.0 255.255.255.0
object network obj_inside-5
subnet 192.168.1.0 255.255.255.0
object network obj_inside-6
subnet 192.168.1.0 255.255.255.0
object network obj_inside-7
subnet 192.168.1.0 255.255.255.0
object network obj_any_wifi
subnet 192.168.10.0 255.255.255.0
access-list OUTSIDE-IN remark ALLOW ICMP AND TRACEROUTE
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside-1 1500
mtu inside-2 1500
mtu inside-3 1500
mtu inside-4 1500
mtu inside-5 1500
mtu inside-6 1500
mtu inside-7 1500
mtu wifi 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_inside-1
nat (inside-1,outside) dynamic interface
object network obj_inside-2
nat (inside-2,outside) dynamic interface
object network obj_inside-3
nat (inside-3,outside) dynamic interface
object network obj_inside-4
nat (inside-4,outside) dynamic interface
object network obj_inside-5
nat (inside-5,outside) dynamic interface
object network obj_inside-6
nat (inside-6,outside) dynamic interface
object network obj_inside-7
nat (inside-7,outside) dynamic interface
object network obj_any_wifi
nat (wifi,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside-1
http 192.168.1.0 255.255.255.0 inside-2
http 192.168.1.0 255.255.255.0 inside-3
http 192.168.1.0 255.255.255.0 inside-4
http 192.168.1.0 255.255.255.0 inside-5
http 192.168.1.0 255.255.255.0 inside-6
http 192.168.1.0 255.255.255.0 inside-7
http 192.168.10.0 255.255.255.0 wifi
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside-1
ssh 192.168.1.0 255.255.255.0 inside-2
ssh 192.168.1.0 255.255.255.0 inside-3
ssh 192.168.1.0 255.255.255.0 inside-4
ssh 192.168.1.0 255.255.255.0 inside-5
ssh 192.168.1.0 255.255.255.0 inside-6
ssh 192.168.1.0 255.255.255.0 inside-7
ssh 192.168.10.0 255.255.255.0 wifi
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain lab.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.50 wifi
dhcpd dns 8.8.8.8 4.2.2.2 interface wifi
dhcpd domain lab.com interface wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$gVaa8zHedgEDR5ydCt1JjA==$G2xWFA2NeQMf+q+EIHz+XA== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e689f8e4ab02668c431c64e49e76d90a
: end

To modify the built-in AP settings, HTTP to the AP management IP 192.168.10.10 (I got this IP by default) using the default login: cisco / Cisco

You can change the AP management IP, go under Home > Easy Setup > Network Configuration.

Click Static IP and type the new IP address (192.168.10.2 in this case).

To configure a wireless SSID, go under Radio Configuration > Radio 5GHz > type the SSID name > click Enable VLAN ID: type "1" > under Universal Admin Mode: choose Disable > under Security: choose WPA2-PSK > type the Pre-Shared Key > click Apply.

The Pre-Shared Key uses hexadecimal characters: A-F (case insensitive) and 0-9.

To enable the 5GHz , go under Summary > Radio1-802.11N (I chose to run in 5 GHz) > Settings tab > Enable Radio > Enable.

Click Save Configuration on the top right corner to save configuration in NVRAM.

You can modify the Local User List under Security > Admin Access. You can remove the default cisco login from here. I tried configuring admin / cisco but it didn't take the small "c" for the password probably due to the password complexity policy.

The SSID settings can be modified under Security > SSID Manager.

You can view the associated wifi users using the ASA show arp command.

ASA5506W-X# show arp
        inside 192.168.1.10 8cec.4be6.a3c4 17
        outside 222.165.104.1 0017.108e.ec1f 0
        wifi 192.168.10.14 b072.bf5a.10cb 12
        wifi 192.168.10.11 ac1f.7451.d91f 13
        wifi 192.168.10.13 3010.e466.ce5a 15
        wifi 192.168.10.15 b853.acc9.9644 20
        wifi 192.168.10.12 703e.ac93.ef1a 37
        wifi 192.168.10.2 f078.163d.f100 2034
        wifi 192.168.10.10 f078.163d.f100 3688

The ASA 5506W-X gig port 1/1 connects to my cable modem and it received a public IP address via DHCP from the ISP.

ASA5506W-X# show interface g1/1
Interface GigabitEthernet1/1 "outside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: ### ISP WAN ###
        MAC address 0078.884b.bf63, MTU 1500
        IP address 222.165.108.160, subnet mask 255.255.248.0
        551915 packets input, 294680883 bytes, 0 no buffer
        Received 344987 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        42217 packets output, 10437234 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (954/891)
        output queue (blocks free curr/low): hardware (1023/1012)
Traffic Statistics for "outside":
        551826 packets input, 284732216 bytes
        42217 packets output, 9660520 bytes
        338 packets dropped
      1 minute input rate 507 pkts/sec, 362042 bytes/sec
      1 minute output rate 57 pkts/sec, 6625 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 521 pkts/sec, 386945 bytes/sec
      5 minute output rate 46 pkts/sec, 21843 bytes/sec
      5 minute drop rate, 0 pkts/sec

ASA5506W-X# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Virtual0                   127.1.0.1       YES unset up                    up
GigabitEthernet1/1         222.165.108.160 YES DHCP   up                    up
GigabitEthernet1/2         192.168.1.1     YES unset down                  down
GigabitEthernet1/3         192.168.1.1     YES unset down                  down
GigabitEthernet1/4         192.168.1.1     YES unset down                  down
GigabitEthernet1/5         192.168.1.1     YES unset down                  down
GigabitEthernet1/6         192.168.1.1     YES unset down                  down
GigabitEthernet1/7         192.168.1.1     YES unset down                  down
GigabitEthernet1/8         192.168.1.1     YES unset down                  down
GigabitEthernet1/9         192.168.10.1    YES manual up                    up
Internal-Control1/1        127.0.1.1       YES unset up                    up
Internal-Data1/1           unassigned      YES unset down                  down
Internal-Data1/2           unassigned      YES unset up                    up
Internal-Data1/3           unassigned      YES unset up                    up
Internal-Data1/4           169.254.1.1     YES unset up                    up
Management1/1              unassigned      YES unset administratively down down
BVI1                       192.168.1.1     YES manual up                    up

ASA5506W-X# show nat

Auto NAT Policies (Section 2)
1 (inside-1) to (outside) source dynamic obj_inside-1 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside-2) to (outside) source dynamic obj_inside-2 interface
    translate_hits = 0, untranslate_hits = 0
3 (inside-3) to (outside) source dynamic obj_inside-3 interface
    translate_hits = 2420, untranslate_hits = 55      // NAT TRANSLATIONS FROM WIRED PC CONNECTED TO GIG 1/3
4 (inside-4) to (outside) source dynamic obj_inside-4 interface
    translate_hits = 0, untranslate_hits = 0
5 (inside-5) to (outside) source dynamic obj_inside-5 interface
    translate_hits = 0, untranslate_hits = 0
6 (inside-6) to (outside) source dynamic obj_inside-6 interface
    translate_hits = 0, untranslate_hits = 0
7 (inside-7) to (outside) source dynamic obj_inside-7 interface
    translate_hits = 0, untranslate_hits = 0
8 (wifi) to (outside) source dynamic obj_any_wifi interface
    translate_hits = 1524, untranslate_hits = 308      // NAT TRANSLATIONS FROM WIFI CLIENTS

ASA5506W-X# show xlate
217 in use, 929 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

UDP PAT from wifi:192.168.10.13/51901 to outside:222.165.108.160/51901 flags ri idle 0:00:48 timeout 0:00:30
UDP PAT from wifi:192.168.10.13/60458 to outside:222.165.108.160/60458 flags ri idle 0:00:48 timeout 0:00:30
UDP PAT from wifi:192.168.10.13/51885 to outside:222.165.108.160/51885 flags ri idle 0:00:50 timeout 0:00:30
UDP PAT from wifi:192.168.10.13/52118 to outside:222.165.108.160/52118 flags ri idle 0:00:50 timeout 0:00:30
TCP PAT from wifi:192.168.10.13/49166 to outside:222.165.108.160/49166 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.13/49163 to outside:222.165.108.160/49163 flags ri idle 0:07:22 timeout 0:00:30
TCP PAT from wifi:192.168.10.13/49162 to outside:222.165.108.160/49162 flags ri idle 0:07:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49386 to outside:222.165.108.160/49386 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/53201 to outside:222.165.108.160/53201 flags ri idle 0:00:21 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49385 to outside:222.165.108.160/49385 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49384 to outside:222.165.108.160/49384 flags ri idle 0:00:22 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49383 to outside:222.165.108.160/49383 flags ri idle 0:00:28 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49382 to outside:222.165.108.160/49382 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49381 to outside:222.165.108.160/49381 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49380 to outside:222.165.108.160/49380 flags ri idle 0:00:55 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/61486 to outside:222.165.108.160/61486 flags ri idle 0:01:19 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/49637 to outside:222.165.108.160/49637 flags ri idle 0:01:19 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/58541 to outside:222.165.108.160/58541 flags ri idle 0:01:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57508 to outside:222.165.108.160/57508 flags ri idle 0:01:21 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/56241 to outside:222.165.108.160/56241 flags ri idle 0:01:53 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/57234 to outside:222.165.108.160/57234 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57506 to outside:222.165.108.160/57506 flags ri idle 0:03:09 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/53091 to outside:222.165.108.160/53091 flags ri idle 0:03:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57505 to outside:222.165.108.160/57505 flags ri idle 0:03:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49374 to outside:222.165.108.160/49374 flags ri idle 0:03:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57503 to outside:222.165.108.160/57503 flags ri idle 0:03:25 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50012 to outside:222.165.108.160/50012 flags ri idle 0:00:33 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/55080 to outside:222.165.108.160/55080 flags ri idle 0:00:40 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/39050 to outside:222.165.108.160/39050 flags ri idle 0:00:50 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/39049 to outside:222.165.108.160/39049 flags ri idle 0:00:51 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42389 to outside:222.165.108.160/42389 flags ri idle 0:00:54 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41097 to outside:222.165.108.160/41097 flags ri idle 0:01:02 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54947 to outside:222.165.108.160/54947 flags ri idle 0:01:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54946 to outside:222.165.108.160/54946 flags ri idle 0:01:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42295 to outside:222.165.108.160/42295 flags ri idle 0:01:10 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42294 to outside:222.165.108.160/42294 flags ri idle 0:01:10 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50001 to outside:222.165.108.160/50001 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37526 to outside:222.165.108.160/37526 flags ri idle 0:01:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/35704 to outside:222.165.108.160/35704 flags ri idle 0:01:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41900 to outside:222.165.108.160/41900 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42932 to outside:222.165.108.160/42932 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/34785 to outside:222.165.108.160/34785 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37521 to outside:222.165.108.160/37521 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/43526 to outside:222.165.108.160/43526 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/36228 to outside:222.165.108.160/36228 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42174 to outside:222.165.108.160/42174 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49991 to outside:222.165.108.160/49991 flags ri idle 0:01:43 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/43584 to outside:222.165.108.160/43584 flags ri idle 0:01:48 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/40526 to outside:222.165.108.160/40526 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/53684 to outside:222.165.108.160/53684 flags ri idle 0:01:55 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33488 to outside:222.165.108.160/33488 flags ri idle 0:01:56 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33486 to outside:222.165.108.160/33486 flags ri idle 0:01:56 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56170 to outside:222.165.108.160/56170 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56168 to outside:222.165.108.160/56168 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56167 to outside:222.165.108.160/56167 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56165 to outside:222.165.108.160/56165 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49361 to outside:222.165.108.160/49361 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49360 to outside:222.165.108.160/49360 flags ri idle 0:01:59 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/36471 to outside:222.165.108.160/36471 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/35677 to outside:222.165.108.160/35677 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/59676 to outside:222.165.108.160/59676 flags ri idle 0:02:01 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/47372 to outside:222.165.108.160/47372 flags ri idle 0:02:06 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41264 to outside:222.165.108.160/41264 flags ri idle 0:02:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50955 to outside:222.165.108.160/50955 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50954 to outside:222.165.108.160/50954 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50953 to outside:222.165.108.160/50953 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50952 to outside:222.165.108.160/50952 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50951 to outside:222.165.108.160/50951 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50950 to outside:222.165.108.160/50950 flags ri idle 0:02:09 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/53764 to outside:222.165.108.160/53764 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/45523 to outside:222.165.108.160/45523 flags ri idle 0:02:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/58053 to outside:222.165.108.160/58053 flags ri idle 0:02:15 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/33824 to outside:222.165.108.160/33824 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41040 to outside:222.165.108.160/41040 flags ri idle 0:02:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56928 to outside:222.165.108.160/56928 flags ri idle 0:02:45 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/58287 to outside:222.165.108.160/58287 flags ri idle 0:02:53 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54885 to outside:222.165.108.160/54885 flags ri idle 0:03:04 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49308 to outside:222.165.108.160/49308 flags ri idle 0:00:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54883 to outside:222.165.108.160/54883 flags ri idle 0:03:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49306 to outside:222.165.108.160/49306 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41841 to outside:222.165.108.160/41841 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48893 to outside:222.165.108.160/48893 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54879 to outside:222.165.108.160/54879 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56383 to outside:222.165.108.160/56383 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/43244 to outside:222.165.108.160/43244 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/34264 to outside:222.165.108.160/34264 flags ri idle 0:03:23 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/34262 to outside:222.165.108.160/34262 flags ri idle 0:03:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37775 to outside:222.165.108.160/37775 flags ri idle 0:03:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/51453 to outside:222.165.108.160/51453 flags ri idle 0:03:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37652 to outside:222.165.108.160/37652 flags ri idle 0:03:31 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54868 to outside:222.165.108.160/54868 flags ri idle 0:03:31 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49520 to outside:222.165.108.160/49520 flags ri idle 0:03:36 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33788 to outside:222.165.108.160/33788 flags ri idle 0:03:36 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49602 to outside:222.165.108.160/49602 flags ri idle 0:03:37 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48628 to outside:222.165.108.160/48628 flags ri idle 0:04:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48626 to outside:222.165.108.160/48626 flags ri idle 0:04:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37733 to outside:222.165.108.160/37733 flags ri idle 0:04:22 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50239 to outside:222.165.108.160/50239 flags ri idle 0:04:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41151 to outside:222.165.108.160/41151 flags ri idle 0:04:55 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37384 to outside:222.165.108.160/37384 flags ri idle 0:05:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37381 to outside:222.165.108.160/37381 flags ri idle 0:05:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54758 to outside:222.165.108.160/54758 flags ri idle 0:05:28 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54757 to outside:222.165.108.160/54757 flags ri idle 0:05:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49371 to outside:222.165.108.160/49371 flags ri idle 0:05:52 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/55868 to outside:222.165.108.160/55868 flags ri idle 0:06:23 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57545 to outside:222.165.108.160/57545 flags ri idle 0:06:25 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57731 to outside:222.165.108.160/57731 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57730 to outside:222.165.108.160/57730 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48866 to outside:222.165.108.160/48866 flags ri idle 0:06:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/38453 to outside:222.165.108.160/38453 flags ri idle 0:06:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56285 to outside:222.165.108.160/56285 flags ri idle 0:06:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33673 to outside:222.165.108.160/33673 flags ri idle 0:06:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/51186 to outside:222.165.108.160/51186 flags ri idle 0:06:43 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57614 to outside:222.165.108.160/57614 flags ri idle 0:06:54 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50974 to outside:222.165.108.160/50974 flags ri idle 0:02:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50973 to outside:222.165.108.160/50973 flags ri idle 0:02:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50970 to outside:222.165.108.160/50970 flags ri idle 0:02:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50968 to outside:222.165.108.160/50968 flags ri idle 0:03:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50962 to outside:222.165.108.160/50962 flags ri idle 0:03:15 timeout 0:00:30
UDP PAT from wifi:192.168.10.12/51905 to outside:222.165.108.160/51905 flags ri idle 0:00:14 timeout 0:00:30
UDP PAT from wifi:192.168.10.12/61651 to outside:222.165.108.160/61651 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50960 to outside:222.165.108.160/50960 flags ri idle 0:03:41 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50959 to outside:222.165.108.160/50959 flags ri idle 0:03:42 timeout 0:00:30
UDP PAT from wifi:192.168.10.12/52583 to outside:222.165.108.160/52583 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50924 to outside:222.165.108.160/50924 flags ri idle 0:15:52 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50913 to outside:222.165.108.160/50913 flags ri idle 0:16:03 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64131 to outside:222.165.108.160/64131 flags ri idle 0:00:08 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64129 to outside:222.165.108.160/64129 flags ri idle 0:00:08 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64128 to outside:222.165.108.160/64128 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52851 to outside:222.165.108.160/52851 flags ri idle 0:00:11 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52850 to outside:222.165.108.160/52850 flags ri idle 0:00:11 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52849 to outside:222.165.108.160/52849 flags ri idle 0:00:13 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64127 to outside:222.165.108.160/64127 flags ri idle 0:00:13 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52848 to outside:222.165.108.160/52848 flags ri idle 0:00:16 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/55114 to outside:222.165.108.160/55114 flags ri idle 0:00:33 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/51688 to outside:222.165.108.160/51688 flags ri idle 0:00:39 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/55476 to outside:222.165.108.160/55476 flags ri idle 0:00:39 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52846 to outside:222.165.108.160/52846 flags ri idle 0:00:40 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64220 to outside:222.165.108.160/64220 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/53442 to outside:222.165.108.160/53442 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52845 to outside:222.165.108.160/52845 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52844 to outside:222.165.108.160/52844 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/61257 to outside:222.165.108.160/61257 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/60167 to outside:222.165.108.160/60167 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52843 to outside:222.165.108.160/52843 flags ri idle 0:00:47 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52842 to outside:222.165.108.160/52842 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/54607 to outside:222.165.108.160/54607 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/54089 to outside:222.165.108.160/54089 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50801 to outside:222.165.108.160/50801 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/56979 to outside:222.165.108.160/56979 flags ri idle 0:00:58 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/57436 to outside:222.165.108.160/57436 flags ri idle 0:01:03 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58865 to outside:222.165.108.160/58865 flags ri idle 0:01:03 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/51621 to outside:222.165.108.160/51621 flags ri idle 0:01:03 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52830 to outside:222.165.108.160/52830 flags ri idle 0:01:07 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52828 to outside:222.165.108.160/52828 flags ri idle 0:01:07 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/52324 to outside:222.165.108.160/52324 flags ri idle 0:01:22 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52811 to outside:222.165.108.160/52811 flags ri idle 0:00:21 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/52320 to outside:222.165.108.160/52320 flags ri idle 0:01:23 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52769 to outside:222.165.108.160/52769 flags ri idle 0:01:40 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52768 to outside:222.165.108.160/52768 flags ri idle 0:01:40 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58263 to outside:222.165.108.160/58263 flags ri idle 0:01:40 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52719 to outside:222.165.108.160/52719 flags ri idle 0:01:56 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64830 to outside:222.165.108.160/64830 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52718 to outside:222.165.108.160/52718 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52717 to outside:222.165.108.160/52717 flags ri idle 0:02:00 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/55231 to outside:222.165.108.160/55231 flags ri idle 0:02:01 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50729 to outside:222.165.108.160/50729 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/63674 to outside:222.165.108.160/63674 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52711 to outside:222.165.108.160/52711 flags ri idle 0:02:07 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/62438 to outside:222.165.108.160/62438 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/62692 to outside:222.165.108.160/62692 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50524 to outside:222.165.108.160/50524 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52710 to outside:222.165.108.160/52710 flags ri idle 0:02:07 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/53448 to outside:222.165.108.160/53448 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50484 to outside:222.165.108.160/50484 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50483 to outside:222.165.108.160/50483 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/57592 to outside:222.165.108.160/57592 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/53063 to outside:222.165.108.160/53063 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52690 to outside:222.165.108.160/52690 flags ri idle 0:02:12 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/61983 to outside:222.165.108.160/61983 flags ri idle 0:00:10 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52689 to outside:222.165.108.160/52689 flags ri idle 0:02:15 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/52908 to outside:222.165.108.160/52908 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52688 to outside:222.165.108.160/52688 flags ri idle 0:02:15 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/60321 to outside:222.165.108.160/60321 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52685 to outside:222.165.108.160/52685 flags ri idle 0:00:15 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/54235 to outside:222.165.108.160/54235 flags ri idle 0:00:18 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58810 to outside:222.165.108.160/58810 flags ri idle 0:00:18 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52682 to outside:222.165.108.160/52682 flags ri idle 0:02:20 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/56007 to outside:222.165.108.160/56007 flags ri idle 0:00:19 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/63291 to outside:222.165.108.160/63291 flags ri idle 0:00:23 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52656 to outside:222.165.108.160/52656 flags ri idle 0:00:30 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58715 to outside:222.165.108.160/58715 flags ri idle 0:00:23 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/59462 to outside:222.165.108.160/59462 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52578 to outside:222.165.108.160/52578 flags ri idle 0:04:23 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/49156 to outside:222.165.108.160/49156 flags ri idle 0:05:00 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52479 to outside:222.165.108.160/52479 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52478 to outside:222.165.108.160/52478 flags ri idle 0:05:03 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52420 to outside:222.165.108.160/52420 flags ri idle 0:05:20 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/4500 to outside:222.165.108.160/4500 flags ri idle 0:05:31 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52241 to outside:222.165.108.160/52241 flags ri idle 0:05:33 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52238 to outside:222.165.108.160/52238 flags ri idle 0:05:33 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52239 to outside:222.165.108.160/52239 flags ri idle 0:05:33 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52233 to outside:222.165.108.160/52233 flags ri idle 0:05:34 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52231 to outside:222.165.108.160/52231 flags ri idle 0:05:34 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52227 to outside:222.165.108.160/52227 flags ri idle 0:05:34 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52007 to outside:222.165.108.160/52007 flags ri idle 0:18:30 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52005 to outside:222.165.108.160/52005 flags ri idle 0:18:32 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51986 to outside:222.165.108.160/51986 flags ri idle 0:18:35 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51907 to outside:222.165.108.160/51907 flags ri idle 0:20:51 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51671 to outside:222.165.108.160/51671 flags ri idle 0:25:00 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51278 to outside:222.165.108.160/51278 flags ri idle 0:27:31 timeout 0:00:30

I connected to the SSID on my iPhone and HTTP to the AP management GUI.

The ASA was able to capture my iPhone's Internet session.

ASA5506W-X# show xlate | inc 192.168.10.11

UDP PAT from wifi:192.168.10.11/57796 to outside:222.165.108.160/57796 flags ri idle 0:00:14 timeout 0:00:30
UDP PAT from wifi:192.168.10.11/57035 to outside:222.165.108.160/57035 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62247 to outside:222.165.108.160/62247 flags ri idle 0:00:15 timeout 0:00:30
UDP PAT from wifi:192.168.10.11/60123 to outside:222.165.108.160/60123 flags ri idle 0:00:15 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62246 to outside:222.165.108.160/62246 flags ri idle 0:00:19 timeout 0:00:30
UDP PAT from wifi:192.168.10.11/62221 to outside:222.165.108.160/62221 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62245 to outside:222.165.108.160/62245 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62244 to outside:222.165.108.160/62244 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62243 to outside:222.165.108.160/62243 flags ri idle 0:03:52 timeout 0:00:30

ASA5506W-X# show conn | inc 192.168.10.11
TCP outside 40.100.29.226:443 wifi 192.168.10.11:62243, idle 0:03:55, bytes 5246, flags UIO
TCP outside 125.252.217.78:443 wifi 192.168.10.11:62246, idle 0:00:22, bytes 7591, flags UIO
TCP outside 17.167.194.230:443 wifi 192.168.10.11:62244, idle 0:00:23, bytes 1836, flags UIO
TCP outside 17.242.28.90:5223 wifi 192.168.10.11:62247, idle 0:00:18, bytes 7069, flags UIO

Below is the configuration template that I used for my ASA 5506W-X. I'll be upgrading and configure the ASA FirePOWER module next.

hostname ASA5506W-X

domain-name lab.com
enable password cisco
passwd cisco
username admin password cisco privilege 15

crypto key generate rsa modulus 2048

boot system disk0:/asa982-38-lfbff-k8.SPA
asdm image disk0:/asdm-792-152.bin

interface GigabitEthernet1/1
description ### ISP WAN ###
nameif outside
security-level 0
ip address dhcp setroute
no shutdown

interface BVI1
description ### WIRED LAN GW ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet1/2
description ### DIRECT CABLE MGMT 1/1 - FP IP: 192.168.1.2 ###
bridge-group 1
nameif inside-1
security-level 100
no shutdown

interface GigabitEthernet1/3
description ### VM/ASDM PC: 192.168.1.100 ###
bridge-group 1
nameif inside-2
security-level 100
no shutdown

interface GigabitEthernet1/4
bridge-group 1
nameif inside-3
security-level 100
no shutdown

interface GigabitEthernet1/5
bridge-group 1
nameif inside-4
security-level 100
no shutdown

interface GigabitEthernet1/6
bridge-group 1
nameif inside-5
security-level 100
no shutdown

interface GigabitEthernet1/7
bridge-group 1
nameif inside0-6
security-level 100

interface GigabitEthernet1/8
bridge-group 1
nameif inside-7
security-level 100
no shutdown

hw-module module wlan recover configuration

interface GigabitEthernet1/9
description ### INTERNAL AP IP: 192.168.10.2 ###
nameif wifi
security-level 100
ip address 192.168.10.1 255.255.255.0

same-security-traffic permit inter-interface

dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain lab.com interface inside
dhcpd enable inside

dhcpd address 192.168.10.10-192.168.10.50 wifi
dhcpd dns 8.8.8.8 4.2.2.2 interface wifi
dhcpd domain lab.com interface wifi
dhcpd enable wifi

object network obj_inside-1
subnet 192.168.1.0 255.255.255.0
nat (inside-1,outside) dynamic interface

object network obj_inside-2
subnet 192.168.1.0 255.255.255.0
nat (inside-2,outside) dynamic interface

object network obj_inside-3
subnet 192.168.1.0 255.255.255.0
nat (inside-3,outside) dynamic interface

object network obj_inside-4
subnet 192.168.1.0 255.255.255.0
nat (inside-4,outside) dynamic interface

object network obj_inside-5
subnet 192.168.1.0 255.255.255.0
nat (inside-5,outside) dynamic interface

object network obj_inside-6
subnet 192.168.1.0 255.255.255.0
nat (inside-6,outside) dynamic interface

object network obj_inside-7
subnet 192.168.1.0 255.255.255.0
nat (inside-7,outside) dynamic interface

object network obj_any_wifi
subnet 192.168.10.0 255.255.255.0
nat (wifi,outside) dynamic interface

access-list OUTSIDE_IN remark ALLOW ICMP AND TRACEROUTE
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

access-group OUTSIDE_IN in interface outside

policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL

banner login ### ASA 5506W-X LAB ###

http server enable
http 192.168.1.0 255.255.255.0 inside-1
http 192.168.1.0 255.255.255.0 inside-2
http 192.168.1.0 255.255.255.0 inside-3
http 192.168.1.0 255.255.255.0 inside-4
http 192.168.1.0 255.255.255.0 inside-5
http 192.168.1.0 255.255.255.0 inside-6
http 192.168.1.0 255.255.255.0 inside-7
http 192.168.10.0 255.255.255.0 wifi

ssh 192.168.1.0 255.255.255.0 inside-1
ssh 192.168.1.0 255.255.255.0 inside-2
ssh 192.168.1.0 255.255.255.0 inside-3
ssh 192.168.1.0 255.255.255.0 inside-4
ssh 192.168.1.0 255.255.255.0 inside-5
ssh 192.168.1.0 255.255.255.0 inside-6
ssh 192.168.1.0 255.255.255.0 inside-7
ssh 192.168.10.0 255.255.255.0 wifi

write memory

My Cybersecurity Journal

Thursday, October 4, 2018

Cisco ASA 5506W-X Basic Configuration

No comments:

Post a Comment