Thursday, October 4, 2018

Cisco ASA 5506W-X Basic Configuration

After upgrading the image on my Cisco ASA 5506W-X in a previous post, it's time to do some basic configuration. Starting in ASA 9.7, the default deployment was changed slightly to mimic the plug-and-play behavior of an ASA 5505. This is probably due to demand from SOHO users who want to deploy an ASA 5506-X without an additional Layer 2 switch.

The default configuration and behavior are the following:
  • The GigabitEthernet1/1 interface is used as the outside (ISP-facing) port.
  • You'll need to patch a direct cable between the GigabitEthernet 1/2 and Management 1/1 ports in order to manage the FirePOWER module. You shouldn't configure any Layer 3 IP address on the Management 1/1 interface.
  • You can configure the FirePOWER module with an IP address from the inside subnet (i.e. 192.168.1.2/24).
  • The GigabitEthernet 1/3 - 1/8 interfaces can be used to connect end devices (router, server, PC, etc.), which are "bridged" to the BVI (inside) interface. This is similar to the ASA 5505 Switch Virtual Interface (SVI).
  • There's an internal GigabitEthernet 1/9 (wifi) port which is used to manage the integrated Cisco Aironet 702i.
  • Traffic from inside (higher security level 100) to outside (lower security level 0) is allowed.
  • Traffic from wifi to inside (using the same-security-traffic permit inter-interface command) and from wifi to outside is allowed.

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: <ENTER>

ciscoasa(config)# hostname ASA5506W-X
ASA5506W-X(config)# domain-name ?

configure mode commands/options:
  WORD  Domain names must begin and end with a digit/letter, only letters,
        digits, and hyphen are allowed as internal characters, labels are
        separated by a dot. A maximum of 63 characters is allowed.

ASA5506W-X(config)# domain-name lab.com
ASA5506W-X(config)# enable ?

configure mode commands/options:
  password  Configure password for the enable command

ASA5506W-X(config)# enable password ?

configure mode commands/options:
  WORD  Enter a password for the privilege level.  The length must be between 3
        and 127 characters.
  <cr>

ASA5506W-X(config)# enable password cisco       // NOT IDEAL IN PRODUCTION
ASA5506W-X(config)# passwd ?

configure mode commands/options:
  WORD  A password of up to 32 alphanumeric characters

ASA5506W-X(config)# passwd cisco    // TELNET PASSWORD (IF TELNET IS CONFIGURED)
ASA5506W-X(config)# username ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the user. A minimum of 3 characters is
                  required. A maximum of 64 characters is allowed.

ASA5506W-X(config)# username admin ?

configure mode commands/options:
  attributes  Enter the attributes sub-command mode for the specified user
  nopassword  Indicates that this user has the blank string ("") as the
              password
  password    The password for this user
  privilege   Enter the privilege level for this user
  <cr>

ASA5506W-X(config)# username admin password ?

configure mode commands/options:
  WORD  Enter a password for the user. The length must be between 3 and 127
        characters and must comply with the configured password policy.

ASA5506W-X(config)# username admin password cisco ?

configure mode commands/options:
  attributes    Enter the attributes sub-command mode for the specified user
  encrypted     Indicates the <password> entered is encrypted
  mschap        The password will be converted to unicode and hashed using MD4.
                 User entries must be created this way if they are to be
                authenticated using MSCHAPv1 or MSCHAPv2
  nt-encrypted  Indicates the <password> entered has been converted to unicode
                and hashed using MD4, and can be used for MS-CHAP.
  pbkdf2        Indicates that the <password> entered has been salted and
                hashed using the pbkdf2 key derivation algorithm
  privilege     Enter the privilege level for this user
  <cr>

ASA5506W-X(config)# username admin password cisco privilege ?

configure mode commands/options:
  <0-15>  The privilege level for this user

ASA5506W-X(config)# username admin password cisco privilege 15
ASA5506W-X(config)# crypto key generate rsa modulus 2048    // CONFIGURE HOSTNAME AND DOMAIN NAME FIRST
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA5506W-X(config)# boot system disk0:/asa982-38-lfbff-k8.SPA
ASA5506W-X(config)# asdm image disk0:/asdm-792-152.bin
ASA5506W-X(config)# 
ASA5506W-X(config)# interface g1/1
ASA5506W-X(config-if)# description ### ISP WAN ###
ASA5506W-X(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA5506W-X(config-if)# ip address ?

interface mode commands/options:
  Hostname or A.B.C.D  Firewall's network interface address
  dhcp                 Keyword to use DHCP to poll for information. Enables the
                       DHCP client feature on the specified interface
  pppoe                Keyword to use PPPoE to poll for information. Enables
                       the PPPoE client feature on the specified interface

ASA5506W-X(config-if)# ip address dhcp ?

interface mode commands/options:
  setroute  Keyword to set the default route using the default gateway
            parameter the DHCP server returns
  <cr>

ASA5506W-X(config-if)# ip address dhcp setroute     // IF CONNECTING TO A CABLE MODEM OR ISP ROUTER
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface ?

configure mode commands/options:
  BVI              Bridge-Group Virtual Interface
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Management       Management interface
  Port-channel     Ethernet Channel of interfaces
  Redundant        Redundant Interface
  Tunnel           Tunnel interface
  vni              VNI Interface
  <cr>

ASA5506W-X(config)# interface bvi ?

configure mode commands/options:
  <1-250>  BVI interface number

ASA5506W-X(config)# interface bvi 1     // DEFAULT GATEWAY FOR GIG PORTS 1/2 - 1/8
ASA5506W-X(config-if)# description ### WIRED LAN GW ###
ASA5506W-X(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA5506W-X(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/2
ASA5506W-X(config-if)# description ### DIRECT CABLE MGMT 1/1 - FP IP: 192.168.1.2 ###
ASA5506W-X(config-if)# ?

Interface configuration commands:
  authentication   authentication subcommands
  bfd              BFD interface configuration commands
  bridge-group     Specify the bridge group that this interface is a part of
  channel-group    Etherchannel/port bundling configuration
  cts              Configure interface specific CTS settings
  ddns             Configure dynamic DNS
  default          Set a command to its defaults
  delay            Specify interface throughput delay
  description      Interface specific description
  dhcp             Configure parameters for DHCP client
  dhcprelay        Configure DHCP Relay Agent
  duplex           Configure duplex operation
  exit             Exit from interface configuration mode
  flowcontrol      Configure flowcontrol operation
  hello-interval   Configures EIGRP-IPv4 hello interval
  help             Description of the interactive help system
  help             Interactive help for interface subcommands
  hold-time        Configures EIGRP-IPv4 hold time
  igmp             IGMP interface commands
  ip               Configure the ip address
  ipv6             IPv6 interface subcommands
  isis             IS-IS commands
  lacp             LACP interface subcommands
  mac-address      Assign MAC address to interface
  management-only  Dedicate an interface to management. Block thru traffic
  mfib             Interface Specific MFIB Control
  multicast        Configure multicast routing
  nameif           Assign name to interface
  no               Negate a command or set its defaults
  nve-only         Dedicate an interface to source-interface of a NVE. Block
                   thru traffic
  ospf             OSPF interface commands
  pim              PIM interface commands
  policy-route     Enable policy based routing
  pppoe            Configure parameters for PPPoE client
  rip              Router Information Protocol
  security-level   Specify the security level of this interface after this
                   keyword, Eg: 0, 100 etc. The relative security level between
                   two interfaces determines the way the Adaptive Security
                   Algorithm is applied. A lower security_level interface is
                   outside relative to a higher level interface and equivalent
                   interfaces are outside to each other
  shutdown         Shutdown the selected interface
  speed            Configure speed operation
  split-horizon    Configures EIGRP-IPv4 split-horizon
  summary-address  Configures EIGRP-IPv4 summary-address
  zone-member      Associate interface to a zone

ASA5506W-X(config-if)# bridge-group ?

interface mode commands/options:
  <1-250>  Group number of this interface

ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-1
INFO: Security level for "inside-1" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/3
ASA5506W-X(config-if)# description ### VM/ASDM PC: 192.168.1.100 ###
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-2
INFO: Security level for "inside-2" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/4
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-3
INFO: Security level for "inside-3" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/5
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-4
INFO: Security level for "inside-4" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/6
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-5
INFO: Security level for "inside-5" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/7
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-6
INFO: Security level for "inside-6" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/8
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-7
INFO: Security level for "inside-7" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# no shutdown
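
An added example (Python, not part of the original post): it replays a pasted configuration session and reports plaintext passwords that are default-style or short, plus bridge-group member ports left without a nameif or at a security level different from their BVI. The sample transcript, the deny-list, the 8-character minimum and the function names are constructed assumptions.

```python
import re

# Matches any config-mode prompt, e.g. "ASA5506W-X(config-if)# nameif inside-1"
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*(.*)$")
WEAK = {"cisco", "admin", "password"}        # assumed deny-list of default-style passwords
MIN_LEN = 8                                  # assumed local policy, not an ASA default
HASHED = {"encrypted", "pbkdf2", "nt-encrypted"}  # keywords marking a pre-hashed value

# Constructed session in the style of the one above (not the author's exact input).
SAMPLE = """\
ASA5506W-X(config)# enable password cisco       // NOT IDEAL IN PRODUCTION
ASA5506W-X(config)# passwd cisco
ASA5506W-X(config)# username admin password cisco privilege 15
ASA5506W-X(config)# username ops password ?
ASA5506W-X(config)# interface bvi 1
ASA5506W-X(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA5506W-X(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5506W-X(config-if)# interface g1/2
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-1
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# interface g1/3
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# nameif inside-2
ASA5506W-X(config-if)# interface g1/4
ASA5506W-X(config-if)# bridge-group 1
ASA5506W-X(config-if)# security-level 100
"""

def commands(transcript):
    """Yield each typed command as a word list; skip output, comments and '?' help."""
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue                          # INFO lines, help text, blank lines
        cmd = re.split(r"\s+//", m.group(1))[0].strip()
        if cmd and not cmd.endswith("?"):
            yield cmd.split()

def weak(words, idx):
    """True when words[idx] is a plaintext password on the deny-list or too short."""
    if len(words) <= idx or HASHED & set(words[idx + 1:]):
        return False
    return words[idx].lower() in WEAK or len(words[idx]) < MIN_LEN

def audit(transcript):
    findings, ifaces, cur = [], {}, None
    for w in commands(transcript):
        if w[0] == "interface" and len(w) > 1:
            cur = "".join(w[1:]).lower()      # "bvi 1" -> "bvi1"
            ifaces.setdefault(cur, {"group": None, "nameif": None, "level": None})
        elif w[:2] == ["enable", "password"] and weak(w, 2):
            findings.append(("weak-password", "enable"))
        elif w[0] == "passwd" and weak(w, 1):
            findings.append(("weak-password", "passwd"))
        elif w[0] == "username" and len(w) > 3 and w[2] == "password" and weak(w, 3):
            findings.append(("weak-password", "username " + w[1]))
        elif cur and w[0] == "bridge-group" and len(w) > 1:
            ifaces[cur]["group"] = w[1]
        elif cur and w[0] == "nameif" and len(w) > 1:
            ifaces[cur]["nameif"] = w[1]
            if ifaces[cur]["level"] is None:
                # Modelled on the INFO lines: "inside" defaults to 100, other names to 0.
                ifaces[cur]["level"] = 100 if w[1] == "inside" else 0
        elif cur and w[0] == "security-level" and len(w) > 1:
            ifaces[cur]["level"] = int(w[1])
    for name, i in ifaces.items():
        if i["group"] is None:
            continue                          # not a bridge-group member
        bvi_level = ifaces.get("bvi" + i["group"], {}).get("level")
        if bvi_level is None:
            bvi_level = 100                   # assumption: BVI is the inside gateway
        if i["nameif"] is None:
            findings.append(("no-nameif", name))
        elif i["level"] != bvi_level:
            findings.append(("level-mismatch", name))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
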


The Cisco Quick Start Guide will ask you to HTTP to 192.168.10.2, but I got timed out. The ASA show arp output shows it's on 192.168.10.10 instead. You'll also need to initialize the built-in AP using the hw-module module wlan recover configuration command.


ASA5506W-X# show arp     
        inside 192.168.1.10 8cec.4be6.a3c4 0
        wifi 192.168.10.10 f078.163d.f100 190      // HTTP TO AP GUI 192.168.10.10


I manually set my laptop to 192.168.1.10/24 and connected it to the ASA G1/3 port.


Type the default login: cisco / Cisco
 


ASA5506W-X(config-if)# hw-module ?

exec mode commands/options:
  module  Act on a module

ASA5506W-X(config-if)# hw-module module ?

exec mode commands/options:
Available module ID(s):
  wlan  Module ID
ASA5506W-X(config-if)# hw-module module wlan ?

exec mode commands/options:
  recover  Configure recovery of this module
  reset    Reset the module

ASA5506W-X(config-if)# hw-module module wlan recover ?

exec mode commands/options:
  configuration  Initiate configuration recovery of this module
  image          Perform image recovery on this module

ASA5506W-X(config-if)# hw-module module wlan recover configuration    // TO INITIALIZE THE INTERNAL AP; WIFI LED BLINKED AMBER FOR A FEW SECONDS, THEN STABLE GREEN
WARNING: Entering this command will suspend the ASA console as long as the module recovery process is in progress.
Do you want to proceed [confirm]?

Configuration recovery is now complete.
You can now session into the module console to issue any further commands.
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# interface g1/9
ASA5506W-X(config-if)# description ### INTERNAL AP: 192.168.10.2 ###
ASA5506W-X(config-if)# nameif wifi
INFO: Security level for "wifi" set to 0 by default.
ASA5506W-X(config-if)# security-level 100
ASA5506W-X(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5506W-X(config-if)# no shutdown
ASA5506W-X(config-if)#
ASA5506W-X(config-if)# same-security-traffic permit inter-interface     // FOR inside AND wifi INTERFACE TO COMMUNICATE DIRECTLY
ASA5506W-X(config)#
ASA5506W-X(config)# dhcpd ?

configure mode commands/options:
  address       Configure the IP pool address range after this keyword
  auto_config   Enable auto configuration from client
  dns           Configure the IP addresses of the DNS servers after this
                keyword
  domain        Configure DNS domain name after this keyword
  enable        Enable the DHCP server
  lease         Configure the DHCPD lease length after this keyword
  option        Configure options to pass to DHCP clients after this keyword
  ping_timeout  Configure ping timeout value after this keyword
  update        Configure dynamic updates
  wins          Configure the IP addresses of the NETBIOS servers after this
                keyword
ASA5506W-X(config)# dhcpd address ?

configure mode commands/options:
  WORD  IP address[es], <ip1>[-<ip2>]
ASA5506W-X(config)# dhcpd address 192.168.1.10-192.168.1.50 ?

configure mode commands/options:
Available interfaces on which to enable the DHCP server:
  inside    Name of interface BVI1
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# dhcpd address 192.168.1.10-192.168.1.50 inside     // DHCP FOR inside
ASA5506W-X(config)# dhcpd dns ?

configure mode commands/options:
  Hostname or A.B.C.D  IP address of server 1
ASA5506W-X(config)# dhcpd dns 8.8.8.8 ?

configure mode commands/options:
  Hostname or A.B.C.D  IP address of server 2
  interface            Specify interface to which action will apply to
  <cr>
ASA5506W-X(config)# dhcpd dns 8.8.8.8 4.2.2.2 ?

configure mode commands/options:
  interface  Specify interface to which action will apply to
  <cr>
ASA5506W-X(config)# dhcpd dns 8.8.8.8 4.2.2.2 interface inside
ASA5506W-X(config)# dhcpd domain ?

configure mode commands/options:
  WORD  DNS domain name
  <cr>
ASA5506W-X(config)# dhcpd domain lab.com ?

configure mode commands/options:
  interface  Specify interface to which action will apply to
  <cr>
ASA5506W-X(config)# dhcpd domain lab.com interface ?

configure mode commands/options:
Available interfaces on which to apply this keyword:
  inside    Name of interface BVI1
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# dhcpd domain lab.com interface inside
ASA5506W-X(config)# dhcpd enable inside
ASA5506W-X(config)#
ASA5506W-X(config)# dhcpd address 192.168.10.10-192.168.10.50 wifi     // DHCP FOR wifi
ASA5506W-X(config)# dhcpd dns 8.8.8.8 4.2.2.2 interface wifi
ASA5506W-X(config)# dhcpd domain lab.com interface wifi
ASA5506W-X(config)# dhcpd enable wifi
ASA5506W-X(config)#
ASA5506W-X(config)# object ?

configure mode commands/options:
  network  Specifies a host, subnet or range IP addresses
  service  Specifies a protocol/port
ASA5506W-X(config)# object network ?

configure mode commands/options:
  WORD < 129 char  Specifies object ID
ASA5506W-X(config)# object network obj_inside-1
ASA5506W-X(config-network-object)# ?

  attribute    Enter this keyword to specify an attribute
  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet
ASA5506W-X(config-network-object)# subnet ?

network-object mode commands/options:
  A.B.C.D             Enter an IPV4 network address
  X:X:X:X::X/<0-128>  Enter an IPv6 prefix
ASA5506W-X(config-network-object)# subnet 192.168.1.0 ?

network-object mode commands/options:
  A.B.C.D  Enter an IPv4 network mask
ASA5506W-X(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)# nat ?

network-object mode commands/options:
  (        Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
           <real_if_name> is the prenat interface and <mapped_if_name> is the
           postnat interface
  dynamic  Specify NAT type as dynamic
  static   Specify NAT type as static

configure mode commands/options:
  (               Open parenthesis for (<internal_if_name>,<external_if_name>)
                  pair where <internal_if_name> is the Internal or prenat
                  interface and <external_if_name> is the External or postnat
                  interface
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ASA5506W-X(config-network-object)# nat (?

network-object mode commands/options:
Current available interface(s):
           
  any       Global address space
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9

configure mode commands/options:
Current available interface(s):
           
  any       Global address space
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config-network-object)# nat (inside-1,?

network-object mode commands/options:
Current available interface(s):
           
  any       Global address space
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9

configure mode commands/options:
Current available interface(s):
           
  any       Global address space
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config-network-object)# nat (inside-1,outside) ?

network-object mode commands/options:
  dynamic  Specify NAT type as dynamic
  static   Specify NAT type as static

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ASA5506W-X(config-network-object)# nat (inside-1,outside) dynamic ?

network-object mode commands/options:
  A.B.C.D             Mapped IP address
  WORD                Mapped network object/object-group name
  X:X:X:X::X/<0-128>  Enter an IPv6 prefix
  interface           Use interface address as mapped IP
  pat-pool            Specify object or object-group name for mapped source pat
                      pool
ASA5506W-X(config-network-object)# nat (inside-1,outside) dynamic interface ?

network-object mode commands/options:
  dns   Use the created xlate to rewrite DNS record
  ipv6  Use IPv6 address(es) as mapped IP(s)
  <cr>
ASA5506W-X(config-network-object)# nat (inside-1,outside) dynamic interface   // CONFIGURE PAT FOR EACH inside INTERFACE
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-2
ASA5506W-X(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (inside-2,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-3
ASA5506W-X(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (inside-3,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-4
ASA5506W-X(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (inside-4,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-5
ASA5506W-X(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (inside-5,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-6
ASA5506W-X(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (inside-6,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_inside-7
ASA5506W-X(config-network-object)#  subnet 192.168.1.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (inside-7,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# object network obj_any_wifi
ASA5506W-X(config-network-object)#  subnet 192.168.10.0 255.255.255.0
ASA5506W-X(config-network-object)#  nat (wifi,outside) dynamic interface
ASA5506W-X(config-network-object)#
ASA5506W-X(config-network-object)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ASA5506W-X(config-network-object)# access-list OUTSIDE_IN ?

configure mode commands/options:
  deny       Specify packets to reject
  ethertype  Configure access policy for non IP traffic through the system when
             configured in transparent mode
  extended   Configure access policy for IP traffic through the system
  line       Use this to specify line number at which ACE should be entered
  permit     Specify packets to forward
  remark     Specify a comment (remark) for the access-list after this keyword
  rename     rename an existing access-list
  standard   Use this to configure policy having destination host or network
             only
  webtype    Use this to configure WebVPN related policy
ASA5506W-X(config-network-object)# access-list OUTSIDE_IN remark ?

configure mode commands/options:
  LINE < 101 char  Comment for the access-list
ASA5506W-X(config-network-object)# access-list OUTSIDE_IN remark ALLOW ICMP AND TRACEROUTE
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any time-exceeded
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any unreachable
ASA5506W-X(config)#
ASA5506W-X(config)# access-group OUTSIDE_IN in interface outside
ASA5506W-X(config)#
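
ASA access lists are evaluated first-match, and a list only takes effect once access-group binds it to an interface. The Python below is an added example, not part of the original session: it reports lists that are defined but never bound (typically a near-identical name typed once) and entries that can never match because an earlier, broader entry already covers them. The sample lines are constructed and audit_acls is a hypothetical helper name.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*(.*)$")

# Constructed lines in the style of the session above.
SAMPLE = """\
ASA5506W-X(config)# access-list OUTSIDE-IN remark ALLOW ICMP AND TRACEROUTE
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any time-exceeded
ASA5506W-X(config)# access-list OUTSIDE_IN extended permit icmp any any unreachable
ASA5506W-X(config)# access-list OUTSIDE_IN extended deny ip any any ?
ASA5506W-X(config)# access-group OUTSIDE_IN in interface outside
"""

def parse(transcript):
    """Return ({acl_name: [ace word lists]}, {acl_name: interface}) from typed commands."""
    acls, bound = {}, {}
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue                              # command output, blank lines
        w = re.split(r"\s+//", m.group(1))[0].split()
        if not w or w[-1].endswith("?"):
            continue                              # empty prompt or '?' help query
        if w[0] == "access-list" and len(w) > 2:
            aces = acls.setdefault(w[1], [])      # a remark alone still creates the list
            body = w[2:]
            if body[0] == "remark":
                continue
            if body[0] == "extended":
                body = body[1:]
            aces.append(body)                     # e.g. ["permit", "icmp", "any", "any"]
        elif w[0] == "access-group" and len(w) >= 5 and w[3] == "interface":
            bound[w[1]] = w[4]
    return acls, bound

def audit_acls(transcript):
    acls, bound = parse(transcript)
    findings, canon = [], {}
    # Names that differ only by case or '-' versus '_' are almost always one intended list.
    for name in acls:
        key = name.lower().replace("-", "_")
        if key in canon:
            findings.append(("similar-name", canon[key], name))
        else:
            canon[key] = name
    for name, aces in acls.items():
        if name not in bound:
            findings.append(("unbound", name))
        for i, ace in enumerate(aces):
            for earlier in aces[:i]:
                # Same protocol/source/destination with extra trailing qualifiers is
                # narrower than the earlier entry, so first-match never reaches it.
                if ace[1:len(earlier)] == earlier[1:]:
                    findings.append(("shadowed", name, " ".join(ace)))
                    break
    return findings

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE):
        print(finding)
```
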
ASA5506W-X(config)# policy-map global_policy
ASA5506W-X(config-pmap)#  class inspection_default
ASA5506W-X(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
  ctiqbe          
  dcerpc          
  diameter        
  dns             
  esmtp           
  ftp             
  gtp             
  h323            
  http            
  icmp            
  ils             
  im              
  ip-options      
  ipsec-pass-thru 
  ipv6            
  lisp            
  m3ua            
  mgcp            
  mmp             
  netbios         
  pptp            
  rsh             
  rtsp            
  scansafe        
  sctp            
  sip             
  skinny          
  snmp            
  sqlnet          
  stun            
  sunrpc          
  tftp            
  vxlan           
  waas            
  xdmcp           
ASA5506W-X(config-pmap-c)# inspect icmp        // ALLOW STATEFUL OUTBOUND ICMP/PING INSPECTION FROM inside TO outside
ASA5506W-X(config-pmap-c)# inspect icmp error
ASA5506W-X(config-pmap-c)#
ASA5506W-X(config-pmap-c)# aaa ?

configure mode commands/options:
  accounting      Configure user accounting parameters
  authentication  Configure user authentication parameters
  authorization   Configure user authorization parameters
  local           AAA Local method options
  mac-exempt      Configure MAC Exempt parameters
  proxy-limit     Configure number of concurrent proxy connections allowed per
                  user
ASA5506W-X(config-pmap-c)# aaa authentication ?

configure mode commands/options:
  enable              Enable
  exclude             Exclude the service, local and foreign network which
                      needs to be authenticated, authorized, and accounted
  http                HTTP
  include             Include the service, local and foreign network which
                      needs to be authenticated, authorized, and accounted
  listener            Configure an HTTP or HTTPS authentication listener
  login-history       Configure login history reporting for administrators
  match               Specify this keyword to configure an ACL to match
  secure-http-client  Specify this keyword to ensure HTTP client authentication
                      is secured (over SSL)
  serial              Serial
  ssh                 SSH
  telnet              Telnet
ASA5506W-X(config-pmap-c)# aaa authentication http ?

configure mode commands/options:
  console  Specify this keyword to identify a server group for administrative
           authentication
ASA5506W-X(config-pmap-c)# aaa authentication http console ?

configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol 'local'
  WORD   Name of RADIUS or TACACS+ aaa-server group for administrative
         authentication
ASA5506W-X(config-pmap-c)# aaa authentication http console LOCAL     // USE LOCAL admin FOR ASDM
ASA5506W-X(config)# aaa authentication ssh console LOCAL     // USE LOCAL admin FOR SSH
ASA5506W-X(config)# aaa authentication serial console LOCAL     // USE LOCAL admin FOR CONSOLE CABLE ACCESS
ASA5506W-X(config)#
ASA5506W-X(config)# banner ?

configure mode commands/options:
  asdm   Display a post login banner (ASDM only)
  exec   Display a banner whenever an EXEC process in initiated
  login  Display a banner before the username and password login prompts
  motd   Display a message-of-the-day banner
ASA5506W-X(config)# banner login ?

configure mode commands/options:
  LINE  A line of message to be displayed, it will be added to the end of an
        existing banner. The token $(domain) and $(hostname) will be replaced
        with the domain name and host name
  <cr>
ASA5506W-X(config)# banner login ### ASA 5506W-X LAB ###
ASA5506W-X(config)#
ASA5506W-X(config)# http ?         

configure mode commands/options:
  Hostname or A.B.C.D                     The IP address of the host and/or
                                          network authorized to access the HTTP
                                          server
  Hostname/<0-128> or X:X:X:X::X/<0-128>  IPv6 address/prefix authorized to
                                          access the HTTP server
  authentication-certificate              Request a certificate from the HTTPS
                                          client when a management connection
                                          is being established
  redirect                                Redirect HTTP connections to the
                                          security gateway to use HTTPS
  server                                  Enable the http server required to
                                          run Device Manager
  username-from-certificate               The DN of the HTTP client certificate
                                          used as username for authorization
                                          and/or authentication
ASA5506W-X(config)# http server ?

configure mode commands/options:
  enable           Enable the http server required to run Device Manager
  idle-timeout     Idle timeout in minutes (single routed mode only in case of
                   ASDM)
  session-timeout  Session timeout in minutes (single routed mode only)
ASA5506W-X(config)# http server enable
ASA5506W-X(config)# http ?

configure mode commands/options:
  Hostname or A.B.C.D                     The IP address of the host and/or
                                          network authorized to access the HTTP
                                          server
  Hostname/<0-128> or X:X:X:X::X/<0-128>  IPv6 address/prefix authorized to
                                          access the HTTP server
  authentication-certificate              Request a certificate from the HTTPS
                                          client when a management connection
                                          is being established
  redirect                                Redirect HTTP connections to the
                                          security gateway to use HTTPS
  server                                  Enable the http server required to
                                          run Device Manager
  username-from-certificate               The DN of the HTTP client certificate
                                          used as username for authorization
                                          and/or authentication
ASA5506W-X(config)# http 192.168.1.0 ?

configure mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 ?

configure mode commands/options:
Current available interface(s):
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-1      // ALLOW ASDM FROM inside
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-2
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-3
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-4
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-5
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-6
ASA5506W-X(config)# http 192.168.1.0 255.255.255.0 inside-7
ASA5506W-X(config)# http 192.168.10.0 255.255.255.0 wifi     // ALLOW ASDM FROM wifi CLIENTS
ASA5506W-X(config)# ssh ?          

configure mode commands/options:
  Hostname or A.B.C.D                     The IP address of the host and/or
                                          network authorized to login to the
                                          system
  Hostname/<0-128> or X:X:X:X::X/<0-128>  IPv6 address/prefix authorized to
                                          login to the system
  cipher                                  Specify ssh cipher parameters
  key-exchange                            Configure the Diffie-Hellman key
                                          exchange group to use for SSH
  pubkey-chain                            SSH host public keys
  scopy                                   Secure Copy mode
  stricthostkeycheck                      SSH strict host key check
  timeout                                 Configure ssh idle timeout
  version                                 Specify protocol version to be
                                          supported

exec mode commands/options:
  disconnect  Specify SSH session id to be disconnected after this keyword
ASA5506W-X(config)# ssh 192.168.1.0 ?

configure mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 ?

configure mode commands/options:
Current available interface(s):
  inside-1  Name of interface GigabitEthernet1/2
  inside-2  Name of interface GigabitEthernet1/3
  inside-3  Name of interface GigabitEthernet1/4
  inside-4  Name of interface GigabitEthernet1/5
  inside-5  Name of interface GigabitEthernet1/6
  inside-6  Name of interface GigabitEthernet1/7
  inside-7  Name of interface GigabitEthernet1/8
  outside   Name of interface GigabitEthernet1/1
  wifi      Name of interface GigabitEthernet1/9
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-1     // ALLOW SSH ACCESS TO ASA
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-2
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-3
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-4
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-5
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-6
ASA5506W-X(config)# ssh 192.168.1.0 255.255.255.0 inside-7
ASA5506W-X(config)# ssh 192.168.10.0 255.255.255.0 wifi
ASA5506W-X(config)# end

ASA5506W-X# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Virtual0                   127.1.0.1       YES unset  up                    up 
GigabitEthernet1/1         unassigned      YES DHCP   down                  down
GigabitEthernet1/2         192.168.1.1     YES unset  down                  down
GigabitEthernet1/3         192.168.1.1     YES unset  down                  down
GigabitEthernet1/4         192.168.1.1     YES unset  down                  down
GigabitEthernet1/5         192.168.1.1     YES unset  down                  down
GigabitEthernet1/6         192.168.1.1     YES unset  down                  down
GigabitEthernet1/7         192.168.1.1     YES unset  down                  down
GigabitEthernet1/8         192.168.1.1     YES unset  down                  down
GigabitEthernet1/9         192.168.10.1    YES manual up                    up 
Internal-Control1/1        127.0.1.1       YES unset  up                    up 
Internal-Data1/1           unassigned      YES unset  down                  down
Internal-Data1/2           unassigned      YES unset  up                    up 
Internal-Data1/3           unassigned      YES unset  up                    up 
Internal-Data1/4           169.254.1.1     YES unset  up                    up 
Management1/1              unassigned      YES unset  administratively down down
BVI1                       192.168.1.1     YES manual up                    up 

ASA5506W-X# show nameif
Interface                Name                     Security
GigabitEthernet1/1       outside                    0
GigabitEthernet1/2       inside-1                 100
GigabitEthernet1/3       inside-2                 100
GigabitEthernet1/4       inside-3                 100
GigabitEthernet1/5       inside-4                 100
GigabitEthernet1/6       inside-5                 100
GigabitEthernet1/7       inside-6                 100
GigabitEthernet1/8       inside-7                 100
GigabitEthernet1/9       wifi                     100
BVI1                     inside                   100

ASA5506W-X# more system:running-config
: Saved

:
: Serial Number: JAD200800US
: Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 20:04:10.279 UTC Sat Aug 25 2018
!
ASA Version 9.8(2)38
!
hostname ASA5506W-X
domain-name lab.com
enable password $sha512$5000$J2KrgQkeNeU2GsBrTH9GpA==$vaclWslt/ICaR68qIltgvA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet1/1
 description ### ISP WAN ###
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description ### DIRECT CABLE TO MGMT 1/1 - FP IP: 192.168.1.2 ###
 bridge-group 1
 nameif inside-1
 security-level 100
!
interface GigabitEthernet1/3
 description ### VM/ASDM PC: 192.168.1.100 ###
 bridge-group 1
 nameif inside-2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside-3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside-4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside-5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside-6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside-7
 security-level 100
!
interface GigabitEthernet1/9
 description ### INTERNAL AP: 192.168.10.2 ###
 nameif wifi
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Management1/1
 management-only
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface BVI1
 description ### WIRED LAN GW ###
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
banner login ### ASA 5506W-X LAB ###
boot system disk0:/asa982-38-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
 domain-name lab.com
same-security-traffic permit inter-interface
object network obj_inside-1
 subnet 192.168.1.0 255.255.255.0
object network obj_inside-2
 subnet 192.168.1.0 255.255.255.0
object network obj_inside-3
 subnet 192.168.1.0 255.255.255.0
object network obj_inside-4
 subnet 192.168.1.0 255.255.255.0
object network obj_inside-5
 subnet 192.168.1.0 255.255.255.0
object network obj_inside-6
 subnet 192.168.1.0 255.255.255.0
object network obj_inside-7
 subnet 192.168.1.0 255.255.255.0
object network obj_any_wifi
 subnet 192.168.10.0 255.255.255.0
access-list OUTSIDE-IN remark ALLOW ICMP AND TRACEROUTE
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside-1 1500
mtu inside-2 1500
mtu inside-3 1500
mtu inside-4 1500
mtu inside-5 1500
mtu inside-6 1500
mtu inside-7 1500
mtu wifi 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_inside-1
 nat (inside-1,outside) dynamic interface
object network obj_inside-2
 nat (inside-2,outside) dynamic interface
object network obj_inside-3
 nat (inside-3,outside) dynamic interface
object network obj_inside-4
 nat (inside-4,outside) dynamic interface
object network obj_inside-5
 nat (inside-5,outside) dynamic interface
object network obj_inside-6
 nat (inside-6,outside) dynamic interface
object network obj_inside-7
 nat (inside-7,outside) dynamic interface
object network obj_any_wifi
 nat (wifi,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside-1
http 192.168.1.0 255.255.255.0 inside-2
http 192.168.1.0 255.255.255.0 inside-3
http 192.168.1.0 255.255.255.0 inside-4
http 192.168.1.0 255.255.255.0 inside-5
http 192.168.1.0 255.255.255.0 inside-6
http 192.168.1.0 255.255.255.0 inside-7
http 192.168.10.0 255.255.255.0 wifi
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside-1
ssh 192.168.1.0 255.255.255.0 inside-2
ssh 192.168.1.0 255.255.255.0 inside-3
ssh 192.168.1.0 255.255.255.0 inside-4
ssh 192.168.1.0 255.255.255.0 inside-5
ssh 192.168.1.0 255.255.255.0 inside-6
ssh 192.168.1.0 255.255.255.0 inside-7
ssh 192.168.10.0 255.255.255.0 wifi
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain lab.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.50 wifi
dhcpd dns 8.8.8.8 4.2.2.2 interface wifi
dhcpd domain lab.com interface wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$gVaa8zHedgEDR5ydCt1JjA==$G2xWFA2NeQMf+q+EIHz+XA== pbkdf2 privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!            
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e689f8e4ab02668c431c64e49e76d90a
: end
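
The following is an added example, not part of the original post or of Cisco's tooling: a small Python audit of the management-plane and ACL lines from the running-config above. The trusted-interface set, the check names and the shadowing heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt copied from the running-config above: management-plane and ACL lines.
RUNNING_CONFIG = """\
access-list OUTSIDE-IN remark ALLOW ICMP AND TRACEROUTE
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
http server enable
http 192.168.1.0 255.255.255.0 inside-1
http 192.168.10.0 255.255.255.0 wifi
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside-1
ssh 192.168.10.0 255.255.255.0 wifi
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
"""

# Assumption of this example: only the wired bridge-group members count as
# management networks. Adjust to local policy.
TRUSTED_MGMT_IFACES = {f"inside-{n}" for n in range(1, 8)}

MGMT_RE = re.compile(r"^(http|ssh|telnet) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (remark|extended) (.+)$")
KEX_RE = re.compile(r"^ssh key-exchange group (\S+)$")


def audit(config):
    """Return (check_id, subject, message) tuples for weak settings."""
    findings = []
    entries = defaultdict(list)   # ACL name -> extended entries, in order
    remarks = defaultdict(list)   # ACL name -> remark lines

    for raw in config.splitlines():
        line = raw.strip()
        if (m := MGMT_RE.match(line)):
            proto, _net, _mask, iface = m.groups()
            if proto == "telnet":
                findings.append(("MGMT-TELNET", line, "cleartext management protocol"))
            if iface not in TRUSTED_MGMT_IFACES:
                findings.append(("MGMT-IFACE", line,
                                 f"{proto} management reachable from '{iface}'"))
        elif (m := KEX_RE.match(line)):
            if m.group(1) == "dh-group1-sha1":
                findings.append(("SSH-KEX", line,
                                 "1024-bit DH group with SHA-1; prefer dh-group14-sha1 or stronger"))
        elif line == "console timeout 0":
            findings.append(("CONSOLE-TIMEOUT", line, "console session never idles out"))
        elif (m := ACL_RE.match(line)):
            name, kind, rest = m.groups()
            (remarks if kind == "remark" else entries)[name].append(rest)

    # Heuristic: ACLs are first-match, so an entry that only appends qualifiers
    # to an earlier entry with the same action can never be the one that matches.
    for name, rules in entries.items():
        for i, later in enumerate(rules):
            for earlier in rules[:i]:
                if later.startswith(earlier + " "):
                    findings.append(("ACL-SHADOW", f"{name}: {later}",
                                     f"redundant after earlier '{earlier}'"))
                    break

    # A remark filed under a name with no rules usually means a typo in the ACL
    # name (here OUTSIDE-IN with a hyphen vs. OUTSIDE_IN with an underscore).
    for name in remarks:
        if name not in entries:
            findings.append(("ACL-REMARK-ONLY", name, "remark under an ACL with no entries"))
    return findings


if __name__ == "__main__":
    for check, subject, message in audit(RUNNING_CONFIG):
        print(f"[{check}] {subject} -> {message}")
```
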



To modify the built-in AP settings, browse over HTTP to the AP management IP 192.168.10.10 (I got this IP by default) and log in with the default login: cisco / Cisco



To change the AP management IP, go under Home > Easy Setup > Network Configuration.


Click Static IP and type the new IP address (192.168.10.2 in this case).


To configure a wireless SSID, go under Radio Configuration > Radio 5GHz > type the SSID name > click Enable VLAN ID: type "1" > under Universal Admin Mode: choose Disable > under Security: choose WPA2-PSK > type the Pre-Shared Key > click Apply.

The Pre-Shared Key uses hexadecimal characters: A-F (case insensitive) and 0-9.


To enable the 5 GHz radio, go under Summary > Radio1-802.11N (I chose to run in 5 GHz) > Settings tab > Enable Radio > Enable.


Click Save Configuration in the top right corner to save the configuration to NVRAM.


You can modify the Local User List under Security > Admin Access. You can remove the default cisco login from here. I tried configuring admin / cisco, but it didn't take the small "c" for the password, probably due to the password complexity policy.

The SSID settings can be modified under Security > SSID Manager.



You can view the associated wifi users using the ASA show arp command.

ASA5506W-X# show arp          
        inside 192.168.1.10 8cec.4be6.a3c4 17
        outside 222.165.104.1 0017.108e.ec1f 0
        wifi 192.168.10.14 b072.bf5a.10cb 12
        wifi 192.168.10.11 ac1f.7451.d91f 13
        wifi 192.168.10.13 3010.e466.ce5a 15
        wifi 192.168.10.15 b853.acc9.9644 20
        wifi 192.168.10.12 703e.ac93.ef1a 37
        wifi 192.168.10.2 f078.163d.f100 2034
        wifi 192.168.10.10 f078.163d.f100 3688


The ASA 5506W-X gig port 1/1 connects to my cable modem and it received a public IP address via DHCP from the ISP.

ASA5506W-X# show interface g1/1   
Interface GigabitEthernet1/1 "outside", is up, line protocol is up
  Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: ### ISP WAN ###
        MAC address 0078.884b.bf63, MTU 1500
        IP address 222.165.108.160, subnet mask 255.255.248.0
        551915 packets input, 294680883 bytes, 0 no buffer
        Received 344987 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        42217 packets output, 10437234 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (954/891)
        output queue (blocks free curr/low): hardware (1023/1012)
  Traffic Statistics for "outside":
        551826 packets input, 284732216 bytes
        42217 packets output, 9660520 bytes
        338 packets dropped
      1 minute input rate 507 pkts/sec,  362042 bytes/sec
      1 minute output rate 57 pkts/sec,  6625 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 521 pkts/sec,  386945 bytes/sec
      5 minute output rate 46 pkts/sec,  21843 bytes/sec
      5 minute drop rate, 0 pkts/sec

ASA5506W-X# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Virtual0                   127.1.0.1       YES unset  up                    up 
GigabitEthernet1/1         222.165.108.160 YES DHCP   up                    up 
GigabitEthernet1/2         192.168.1.1     YES unset  down                  down
GigabitEthernet1/3         192.168.1.1     YES unset  down                  down
GigabitEthernet1/4         192.168.1.1     YES unset  down                  down
GigabitEthernet1/5         192.168.1.1     YES unset  down                  down
GigabitEthernet1/6         192.168.1.1     YES unset  down                  down
GigabitEthernet1/7         192.168.1.1     YES unset  down                  down
GigabitEthernet1/8         192.168.1.1     YES unset  down                  down
GigabitEthernet1/9         192.168.10.1    YES manual up                    up 
Internal-Control1/1        127.0.1.1       YES unset  up                    up 
Internal-Data1/1           unassigned      YES unset  down                  down
Internal-Data1/2           unassigned      YES unset  up                    up 
Internal-Data1/3           unassigned      YES unset  up                    up 
Internal-Data1/4           169.254.1.1     YES unset  up                    up 
Management1/1              unassigned      YES unset  administratively down down
BVI1                       192.168.1.1     YES manual up                    up 

ASA5506W-X# show nat

Auto NAT Policies (Section 2)
1 (inside-1) to (outside) source dynamic obj_inside-1 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside-2) to (outside) source dynamic obj_inside-2 interface
    translate_hits = 0, untranslate_hits = 0
3 (inside-3) to (outside) source dynamic obj_inside-3 interface
    translate_hits = 2420, untranslate_hits = 55      // NAT TRANSLATIONS FROM WIRED PC CONNECTED TO GIG 1/3
4 (inside-4) to (outside) source dynamic obj_inside-4 interface
    translate_hits = 0, untranslate_hits = 0
5 (inside-5) to (outside) source dynamic obj_inside-5 interface
    translate_hits = 0, untranslate_hits = 0
6 (inside-6) to (outside) source dynamic obj_inside-6 interface
    translate_hits = 0, untranslate_hits = 0
7 (inside-7) to (outside) source dynamic obj_inside-7 interface
    translate_hits = 0, untranslate_hits = 0
8 (wifi) to (outside) source dynamic obj_any_wifi interface
    translate_hits = 1524, untranslate_hits = 308      // NAT TRANSLATIONS FROM WIFI CLIENTS


ASA5506W-X# show xlate
217 in use, 929 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

UDP PAT from wifi:192.168.10.13/51901 to outside:222.165.108.160/51901 flags ri idle 0:00:48 timeout 0:00:30
UDP PAT from wifi:192.168.10.13/60458 to outside:222.165.108.160/60458 flags ri idle 0:00:48 timeout 0:00:30
UDP PAT from wifi:192.168.10.13/51885 to outside:222.165.108.160/51885 flags ri idle 0:00:50 timeout 0:00:30
UDP PAT from wifi:192.168.10.13/52118 to outside:222.165.108.160/52118 flags ri idle 0:00:50 timeout 0:00:30
TCP PAT from wifi:192.168.10.13/49166 to outside:222.165.108.160/49166 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.13/49163 to outside:222.165.108.160/49163 flags ri idle 0:07:22 timeout 0:00:30
TCP PAT from wifi:192.168.10.13/49162 to outside:222.165.108.160/49162 flags ri idle 0:07:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49386 to outside:222.165.108.160/49386 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/53201 to outside:222.165.108.160/53201 flags ri idle 0:00:21 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49385 to outside:222.165.108.160/49385 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49384 to outside:222.165.108.160/49384 flags ri idle 0:00:22 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49383 to outside:222.165.108.160/49383 flags ri idle 0:00:28 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49382 to outside:222.165.108.160/49382 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49381 to outside:222.165.108.160/49381 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49380 to outside:222.165.108.160/49380 flags ri idle 0:00:55 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/61486 to outside:222.165.108.160/61486 flags ri idle 0:01:19 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/49637 to outside:222.165.108.160/49637 flags ri idle 0:01:19 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/58541 to outside:222.165.108.160/58541 flags ri idle 0:01:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57508 to outside:222.165.108.160/57508 flags ri idle 0:01:21 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/56241 to outside:222.165.108.160/56241 flags ri idle 0:01:53 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/57234 to outside:222.165.108.160/57234 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57506 to outside:222.165.108.160/57506 flags ri idle 0:03:09 timeout 0:00:30
UDP PAT from wifi:192.168.10.15/53091 to outside:222.165.108.160/53091 flags ri idle 0:03:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57505 to outside:222.165.108.160/57505 flags ri idle 0:03:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/49374 to outside:222.165.108.160/49374 flags ri idle 0:03:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.15/57503 to outside:222.165.108.160/57503 flags ri idle 0:03:25 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50012 to outside:222.165.108.160/50012 flags ri idle 0:00:33 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/55080 to outside:222.165.108.160/55080 flags ri idle 0:00:40 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/39050 to outside:222.165.108.160/39050 flags ri idle 0:00:50 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/39049 to outside:222.165.108.160/39049 flags ri idle 0:00:51 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42389 to outside:222.165.108.160/42389 flags ri idle 0:00:54 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41097 to outside:222.165.108.160/41097 flags ri idle 0:01:02 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54947 to outside:222.165.108.160/54947 flags ri idle 0:01:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54946 to outside:222.165.108.160/54946 flags ri idle 0:01:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42295 to outside:222.165.108.160/42295 flags ri idle 0:01:10 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42294 to outside:222.165.108.160/42294 flags ri idle 0:01:10 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50001 to outside:222.165.108.160/50001 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37526 to outside:222.165.108.160/37526 flags ri idle 0:01:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/35704 to outside:222.165.108.160/35704 flags ri idle 0:01:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41900 to outside:222.165.108.160/41900 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42932 to outside:222.165.108.160/42932 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/34785 to outside:222.165.108.160/34785 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37521 to outside:222.165.108.160/37521 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/43526 to outside:222.165.108.160/43526 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/36228 to outside:222.165.108.160/36228 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/42174 to outside:222.165.108.160/42174 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49991 to outside:222.165.108.160/49991 flags ri idle 0:01:43 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/43584 to outside:222.165.108.160/43584 flags ri idle 0:01:48 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/40526 to outside:222.165.108.160/40526 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/53684 to outside:222.165.108.160/53684 flags ri idle 0:01:55 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33488 to outside:222.165.108.160/33488 flags ri idle 0:01:56 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33486 to outside:222.165.108.160/33486 flags ri idle 0:01:56 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56170 to outside:222.165.108.160/56170 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56168 to outside:222.165.108.160/56168 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56167 to outside:222.165.108.160/56167 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56165 to outside:222.165.108.160/56165 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49361 to outside:222.165.108.160/49361 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49360 to outside:222.165.108.160/49360 flags ri idle 0:01:59 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/36471 to outside:222.165.108.160/36471 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/35677 to outside:222.165.108.160/35677 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/59676 to outside:222.165.108.160/59676 flags ri idle 0:02:01 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/47372 to outside:222.165.108.160/47372 flags ri idle 0:02:06 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41264 to outside:222.165.108.160/41264 flags ri idle 0:02:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50955 to outside:222.165.108.160/50955 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50954 to outside:222.165.108.160/50954 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50953 to outside:222.165.108.160/50953 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50952 to outside:222.165.108.160/50952 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50951 to outside:222.165.108.160/50951 flags ri idle 0:02:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50950 to outside:222.165.108.160/50950 flags ri idle 0:02:09 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/53764 to outside:222.165.108.160/53764 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/45523 to outside:222.165.108.160/45523 flags ri idle 0:02:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/58053 to outside:222.165.108.160/58053 flags ri idle 0:02:15 timeout 0:00:30
UDP PAT from wifi:192.168.10.14/33824 to outside:222.165.108.160/33824 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41040 to outside:222.165.108.160/41040 flags ri idle 0:02:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56928 to outside:222.165.108.160/56928 flags ri idle 0:02:45 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/58287 to outside:222.165.108.160/58287 flags ri idle 0:02:53 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54885 to outside:222.165.108.160/54885 flags ri idle 0:03:04 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49308 to outside:222.165.108.160/49308 flags ri idle 0:00:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54883 to outside:222.165.108.160/54883 flags ri idle 0:03:07 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49306 to outside:222.165.108.160/49306 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41841 to outside:222.165.108.160/41841 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48893 to outside:222.165.108.160/48893 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54879 to outside:222.165.108.160/54879 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56383 to outside:222.165.108.160/56383 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/43244 to outside:222.165.108.160/43244 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/34264 to outside:222.165.108.160/34264 flags ri idle 0:03:23 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/34262 to outside:222.165.108.160/34262 flags ri idle 0:03:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37775 to outside:222.165.108.160/37775 flags ri idle 0:03:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/51453 to outside:222.165.108.160/51453 flags ri idle 0:03:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37652 to outside:222.165.108.160/37652 flags ri idle 0:03:31 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54868 to outside:222.165.108.160/54868 flags ri idle 0:03:31 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49520 to outside:222.165.108.160/49520 flags ri idle 0:03:36 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33788 to outside:222.165.108.160/33788 flags ri idle 0:03:36 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49602 to outside:222.165.108.160/49602 flags ri idle 0:03:37 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48628 to outside:222.165.108.160/48628 flags ri idle 0:04:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48626 to outside:222.165.108.160/48626 flags ri idle 0:04:12 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37733 to outside:222.165.108.160/37733 flags ri idle 0:04:22 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/50239 to outside:222.165.108.160/50239 flags ri idle 0:04:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/41151 to outside:222.165.108.160/41151 flags ri idle 0:04:55 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37384 to outside:222.165.108.160/37384 flags ri idle 0:05:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/37381 to outside:222.165.108.160/37381 flags ri idle 0:05:27 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54758 to outside:222.165.108.160/54758 flags ri idle 0:05:28 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/54757 to outside:222.165.108.160/54757 flags ri idle 0:05:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/49371 to outside:222.165.108.160/49371 flags ri idle 0:05:52 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/55868 to outside:222.165.108.160/55868 flags ri idle 0:06:23 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57545 to outside:222.165.108.160/57545 flags ri idle 0:06:25 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57731 to outside:222.165.108.160/57731 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57730 to outside:222.165.108.160/57730 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/48866 to outside:222.165.108.160/48866 flags ri idle 0:06:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/38453 to outside:222.165.108.160/38453 flags ri idle 0:06:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/56285 to outside:222.165.108.160/56285 flags ri idle 0:06:29 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/33673 to outside:222.165.108.160/33673 flags ri idle 0:06:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/51186 to outside:222.165.108.160/51186 flags ri idle 0:06:43 timeout 0:00:30
TCP PAT from wifi:192.168.10.14/57614 to outside:222.165.108.160/57614 flags ri idle 0:06:54 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50974 to outside:222.165.108.160/50974 flags ri idle 0:02:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50973 to outside:222.165.108.160/50973 flags ri idle 0:02:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50970 to outside:222.165.108.160/50970 flags ri idle 0:02:59 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50968 to outside:222.165.108.160/50968 flags ri idle 0:03:11 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50962 to outside:222.165.108.160/50962 flags ri idle 0:03:15 timeout 0:00:30
UDP PAT from wifi:192.168.10.12/51905 to outside:222.165.108.160/51905 flags ri idle 0:00:14 timeout 0:00:30
UDP PAT from wifi:192.168.10.12/61651 to outside:222.165.108.160/61651 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50960 to outside:222.165.108.160/50960 flags ri idle 0:03:41 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50959 to outside:222.165.108.160/50959 flags ri idle 0:03:42 timeout 0:00:30
UDP PAT from wifi:192.168.10.12/52583 to outside:222.165.108.160/52583 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50924 to outside:222.165.108.160/50924 flags ri idle 0:15:52 timeout 0:00:30
TCP PAT from wifi:192.168.10.12/50913 to outside:222.165.108.160/50913 flags ri idle 0:16:03 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64131 to outside:222.165.108.160/64131 flags ri idle 0:00:08 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64129 to outside:222.165.108.160/64129 flags ri idle 0:00:08 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64128 to outside:222.165.108.160/64128 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52851 to outside:222.165.108.160/52851 flags ri idle 0:00:11 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52850 to outside:222.165.108.160/52850 flags ri idle 0:00:11 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52849 to outside:222.165.108.160/52849 flags ri idle 0:00:13 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64127 to outside:222.165.108.160/64127 flags ri idle 0:00:13 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52848 to outside:222.165.108.160/52848 flags ri idle 0:00:16 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/55114 to outside:222.165.108.160/55114 flags ri idle 0:00:33 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/51688 to outside:222.165.108.160/51688 flags ri idle 0:00:39 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/55476 to outside:222.165.108.160/55476 flags ri idle 0:00:39 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52846 to outside:222.165.108.160/52846 flags ri idle 0:00:40 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64220 to outside:222.165.108.160/64220 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/53442 to outside:222.165.108.160/53442 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52845 to outside:222.165.108.160/52845 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52844 to outside:222.165.108.160/52844 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/61257 to outside:222.165.108.160/61257 flags ri idle 0:00:41 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/60167 to outside:222.165.108.160/60167 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52843 to outside:222.165.108.160/52843 flags ri idle 0:00:47 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52842 to outside:222.165.108.160/52842 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/54607 to outside:222.165.108.160/54607 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/54089 to outside:222.165.108.160/54089 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50801 to outside:222.165.108.160/50801 flags ri idle 0:00:47 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/56979 to outside:222.165.108.160/56979 flags ri idle 0:00:58 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/57436 to outside:222.165.108.160/57436 flags ri idle 0:01:03 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58865 to outside:222.165.108.160/58865 flags ri idle 0:01:03 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/51621 to outside:222.165.108.160/51621 flags ri idle 0:01:03 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52830 to outside:222.165.108.160/52830 flags ri idle 0:01:07 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52828 to outside:222.165.108.160/52828 flags ri idle 0:01:07 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/52324 to outside:222.165.108.160/52324 flags ri idle 0:01:22 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52811 to outside:222.165.108.160/52811 flags ri idle 0:00:21 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/52320 to outside:222.165.108.160/52320 flags ri idle 0:01:23 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52769 to outside:222.165.108.160/52769 flags ri idle 0:01:40 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52768 to outside:222.165.108.160/52768 flags ri idle 0:01:40 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58263 to outside:222.165.108.160/58263 flags ri idle 0:01:40 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52719 to outside:222.165.108.160/52719 flags ri idle 0:01:56 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/64830 to outside:222.165.108.160/64830 flags ri idle 0:01:57 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52718 to outside:222.165.108.160/52718 flags ri idle 0:01:59 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52717 to outside:222.165.108.160/52717 flags ri idle 0:02:00 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/55231 to outside:222.165.108.160/55231 flags ri idle 0:02:01 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50729 to outside:222.165.108.160/50729 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/63674 to outside:222.165.108.160/63674 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52711 to outside:222.165.108.160/52711 flags ri idle 0:02:07 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/62438 to outside:222.165.108.160/62438 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/62692 to outside:222.165.108.160/62692 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50524 to outside:222.165.108.160/50524 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52710 to outside:222.165.108.160/52710 flags ri idle 0:02:07 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/53448 to outside:222.165.108.160/53448 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50484 to outside:222.165.108.160/50484 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/50483 to outside:222.165.108.160/50483 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/57592 to outside:222.165.108.160/57592 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/53063 to outside:222.165.108.160/53063 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52690 to outside:222.165.108.160/52690 flags ri idle 0:02:12 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/61983 to outside:222.165.108.160/61983 flags ri idle 0:00:10 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52689 to outside:222.165.108.160/52689 flags ri idle 0:02:15 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/52908 to outside:222.165.108.160/52908 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52688 to outside:222.165.108.160/52688 flags ri idle 0:02:15 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/60321 to outside:222.165.108.160/60321 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52685 to outside:222.165.108.160/52685 flags ri idle 0:00:15 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/54235 to outside:222.165.108.160/54235 flags ri idle 0:00:18 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58810 to outside:222.165.108.160/58810 flags ri idle 0:00:18 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52682 to outside:222.165.108.160/52682 flags ri idle 0:02:20 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/56007 to outside:222.165.108.160/56007 flags ri idle 0:00:19 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/63291 to outside:222.165.108.160/63291 flags ri idle 0:00:23 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52656 to outside:222.165.108.160/52656 flags ri idle 0:00:30 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/58715 to outside:222.165.108.160/58715 flags ri idle 0:00:23 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/59462 to outside:222.165.108.160/59462 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52578 to outside:222.165.108.160/52578 flags ri idle 0:04:23 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/49156 to outside:222.165.108.160/49156 flags ri idle 0:05:00 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52479 to outside:222.165.108.160/52479 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52478 to outside:222.165.108.160/52478 flags ri idle 0:05:03 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52420 to outside:222.165.108.160/52420 flags ri idle 0:05:20 timeout 0:00:30
UDP PAT from inside-3:192.168.1.10/4500 to outside:222.165.108.160/4500 flags ri idle 0:05:31 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52241 to outside:222.165.108.160/52241 flags ri idle 0:05:33 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52238 to outside:222.165.108.160/52238 flags ri idle 0:05:33 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52239 to outside:222.165.108.160/52239 flags ri idle 0:05:33 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52233 to outside:222.165.108.160/52233 flags ri idle 0:05:34 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52231 to outside:222.165.108.160/52231 flags ri idle 0:05:34 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52227 to outside:222.165.108.160/52227 flags ri idle 0:05:34 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52007 to outside:222.165.108.160/52007 flags ri idle 0:18:30 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/52005 to outside:222.165.108.160/52005 flags ri idle 0:18:32 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51986 to outside:222.165.108.160/51986 flags ri idle 0:18:35 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51907 to outside:222.165.108.160/51907 flags ri idle 0:20:51 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51671 to outside:222.165.108.160/51671 flags ri idle 0:25:00 timeout 0:00:30
TCP PAT from inside-3:192.168.1.10/51278 to outside:222.165.108.160/51278 flags ri idle 0:27:31 timeout 0:00:30


I connected to the SSID on my iPhone and browsed to the AP management GUI over HTTP.



The ASA was able to capture my iPhone's Internet session.


ASA5506W-X# show xlate | inc 192.168.10.11
UDP PAT from wifi:192.168.10.11/57796 to outside:222.165.108.160/57796 flags ri idle 0:00:14 timeout 0:00:30
UDP PAT from wifi:192.168.10.11/57035 to outside:222.165.108.160/57035 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62247 to outside:222.165.108.160/62247 flags ri idle 0:00:15 timeout 0:00:30
UDP PAT from wifi:192.168.10.11/60123 to outside:222.165.108.160/60123 flags ri idle 0:00:15 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62246 to outside:222.165.108.160/62246 flags ri idle 0:00:19 timeout 0:00:30
UDP PAT from wifi:192.168.10.11/62221 to outside:222.165.108.160/62221 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62245 to outside:222.165.108.160/62245 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62244 to outside:222.165.108.160/62244 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62243 to outside:222.165.108.160/62243 flags ri idle 0:03:52 timeout 0:00:30

ASA5506W-X# show conn | inc 192.168.10.11
TCP outside  40.100.29.226:443 wifi  192.168.10.11:62243, idle 0:03:55, bytes 5246, flags UIO
TCP outside  125.252.217.78:443 wifi  192.168.10.11:62246, idle 0:00:22, bytes 7591, flags UIO
TCP outside  17.167.194.230:443 wifi  192.168.10.11:62244, idle 0:00:23, bytes 1836, flags UIO
TCP outside  17.242.28.90:5223 wifi  192.168.10.11:62247, idle 0:00:18, bytes 7069, flags UIO
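As an added example (not part of the original post), the sketch below joins the `show conn` lines to the `show xlate` lines by protocol, interface and local address/port, which shows which PAT entries still back a live connection and which are only waiting to time out. The input is a subset of the output lines above; the function names are this example's own.

```python
import re

# Subset of the 'show xlate' / 'show conn' lines shown above for 192.168.10.11.
XLATE = """\
UDP PAT from wifi:192.168.10.11/57796 to outside:222.165.108.160/57796 flags ri idle 0:00:14 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62247 to outside:222.165.108.160/62247 flags ri idle 0:00:15 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62246 to outside:222.165.108.160/62246 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62245 to outside:222.165.108.160/62245 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62244 to outside:222.165.108.160/62244 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from wifi:192.168.10.11/62243 to outside:222.165.108.160/62243 flags ri idle 0:03:52 timeout 0:00:30
"""
CONN = """\
TCP outside  40.100.29.226:443 wifi  192.168.10.11:62243, idle 0:03:55, bytes 5246, flags UIO
TCP outside  125.252.217.78:443 wifi  192.168.10.11:62246, idle 0:00:22, bytes 7591, flags UIO
TCP outside  17.167.194.230:443 wifi  192.168.10.11:62244, idle 0:00:23, bytes 1836, flags UIO
TCP outside  17.242.28.90:5223 wifi  192.168.10.11:62247, idle 0:00:18, bytes 7069, flags UIO
"""

XLATE_RE = re.compile(
    r"^(TCP|UDP) PAT from (\S+?):([\d.]+)/(\d+) to (\S+?):([\d.]+)/(\d+) ")
CONN_RE = re.compile(
    r"^(TCP|UDP) (\S+)\s+([\d.]+):(\d+) (\S+)\s+([\d.]+):(\d+), "
    r"idle [\d:]+, bytes (\d+), flags (\S+)")

def parse_xlate(text):
    """Map (proto, real ifc, real ip, real port) -> (mapped ip, mapped port)."""
    table = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            proto, ifc, ip, port, _, mip, mport = m.groups()
            table[(proto, ifc, ip, int(port))] = (mip, int(mport))
    return table

def correlate(xlate_text, conn_text):
    """Join connections to PAT entries; return (flows, xlates with no conn)."""
    xl = parse_xlate(xlate_text)
    flows, used = [], set()
    for line in conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto, _, rip, rport, ifc, lip, lport, nbytes, flags = m.groups()
        key = (proto, ifc, lip, int(lport))
        used.add(key)
        flows.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                      "mapped": xl.get(key), "bytes": int(nbytes), "flags": flags})
    orphans = sorted(k for k in xl if k not in used)  # PAT entry, no connection
    return flows, orphans

if __name__ == "__main__":
    flows, orphans = correlate(XLATE, CONN)
    for f in flows:
        print(f)
    print("xlate without conn:", orphans)
```
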


Below is the configuration template that I used for my ASA 5506W-X. I'll be upgrading and configuring the ASA FirePOWER module next.


hostname ASA5506W-X
domain-name lab.com
enable password cisco
passwd cisco
username admin password cisco privilege 15

crypto key generate rsa modulus 2048

boot system disk0:/asa982-38-lfbff-k8.SPA
asdm image disk0:/asdm-792-152.bin


interface GigabitEthernet1/1
 description ### ISP WAN ###
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown

interface BVI1
 description ### WIRED LAN GW ###
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet1/2
 description ### DIRECT CABLE MGMT 1/1 - FP IP: 192.168.1.2 ###
 bridge-group 1
 nameif inside-1
 security-level 100
 no shutdown

interface GigabitEthernet1/3
 description ### VM/ASDM PC: 192.168.1.100 ###
 bridge-group 1
 nameif inside-2
 security-level 100
 no shutdown

interface GigabitEthernet1/4
 bridge-group 1
 nameif inside-3
 security-level 100
 no shutdown

interface GigabitEthernet1/5
 bridge-group 1
 nameif inside-4
 security-level 100
 no shutdown

interface GigabitEthernet1/6
 bridge-group 1
 nameif inside-5
 security-level 100
 no shutdown

interface GigabitEthernet1/7
 bridge-group 1
 nameif inside-6
 security-level 100

interface GigabitEthernet1/8
 bridge-group 1
 nameif inside-7
 security-level 100
 no shutdown


hw-module module wlan recover configuration   

interface GigabitEthernet1/9
 description ### INTERNAL AP IP: 192.168.10.2 ###
 nameif wifi
 security-level 100
 ip address 192.168.10.1 255.255.255.0

same-security-traffic permit inter-interface


dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain lab.com interface inside
dhcpd enable inside

dhcpd address 192.168.10.10-192.168.10.50 wifi
dhcpd dns 8.8.8.8 4.2.2.2 interface wifi
dhcpd domain lab.com interface wifi
dhcpd enable wifi


object network obj_inside-1
 subnet 192.168.1.0 255.255.255.0
 nat (inside-1,outside) dynamic interface

object network obj_inside-2
 subnet 192.168.1.0 255.255.255.0
 nat (inside-2,outside) dynamic interface

object network obj_inside-3
 subnet 192.168.1.0 255.255.255.0
 nat (inside-3,outside) dynamic interface

object network obj_inside-4
 subnet 192.168.1.0 255.255.255.0
 nat (inside-4,outside) dynamic interface

object network obj_inside-5
 subnet 192.168.1.0 255.255.255.0
 nat (inside-5,outside) dynamic interface

object network obj_inside-6
 subnet 192.168.1.0 255.255.255.0
 nat (inside-6,outside) dynamic interface

object network obj_inside-7
 subnet 192.168.1.0 255.255.255.0
 nat (inside-7,outside) dynamic interface

object network obj_any_wifi
 subnet 192.168.10.0 255.255.255.0
 nat (wifi,outside) dynamic interface


access-list OUTSIDE_IN remark ALLOW ICMP AND TRACEROUTE
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

access-group OUTSIDE_IN in interface outside

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error


aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL

banner login ### ASA 5506W-X LAB ###


http server enable
http 192.168.1.0 255.255.255.0 inside-1
http 192.168.1.0 255.255.255.0 inside-2
http 192.168.1.0 255.255.255.0 inside-3
http 192.168.1.0 255.255.255.0 inside-4
http 192.168.1.0 255.255.255.0 inside-5
http 192.168.1.0 255.255.255.0 inside-6
http 192.168.1.0 255.255.255.0 inside-7
http 192.168.10.0 255.255.255.0 wifi

ssh 192.168.1.0 255.255.255.0 inside-1
ssh 192.168.1.0 255.255.255.0 inside-2
ssh 192.168.1.0 255.255.255.0 inside-3
ssh 192.168.1.0 255.255.255.0 inside-4
ssh 192.168.1.0 255.255.255.0 inside-5
ssh 192.168.1.0 255.255.255.0 inside-6
ssh 192.168.1.0 255.255.255.0 inside-7
ssh 192.168.10.0 255.255.255.0 wifi

write memory
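A template like this is worth linting before it is pasted into a device. The script below is an added example, not part of the original post: it cross-checks every interface name referenced by `nat`, `http`, `ssh` and `access-group` against the defined `nameif` values, and flags clear-text credentials that match a well-known default and management access permitted from a non-wired interface. The denylist, the "manage only from inside" policy and the excerpt (constructed, with one deliberately mistyped nameif) are assumptions of the example.

```python
import re

WEAK = {"cisco", "admin", "password"}  # assumption: sample denylist of defaults
MGMT_OK = re.compile(r"inside")        # assumption: manage only from the wired LAN
CRED = re.compile(r"(?:enable password|passwd|username \S+ password) (\S+)")
NAT = re.compile(r"nat \((\S+?),(\S+?)\)")
IPV4 = re.compile(r"\d+(\.\d+){3}$")

# Constructed excerpt modelled on the template above, with one mistyped nameif.
TEMPLATE = """\
enable password cisco
username admin password cisco privilege 15
interface GigabitEthernet1/1
 nameif outside
interface GigabitEthernet1/7
 nameif inside0-6
interface GigabitEthernet1/9
 nameif wifi
object network obj_inside-6
 nat (inside-6,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
http server enable
http 192.168.1.0 255.255.255.0 inside-6
ssh 192.168.10.0 255.255.255.0 wifi
"""

def audit(config):
    """Return sorted (check, detail) findings for an ASA config template."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = {l.split()[1] for l in lines if l.startswith("nameif ")}
    findings = set()
    for l in lines:
        w, refs = l.split(), []
        cred, nat = CRED.match(l), NAT.match(l)
        # Credentials typed in clear text that match a well-known default.
        if cred and cred.group(1).lower() in WEAK:
            findings.add(("weak-password", l))
        if nat:
            refs = list(nat.groups())
        elif w[0] in ("http", "ssh") and len(w) == 4 and IPV4.match(w[1]):
            refs = [w[3]]
            # Management plane reachable from an interface outside the policy.
            if w[3] in defined and not MGMT_OK.match(w[3]):
                findings.add(("mgmt-exposure", l))
        elif w[0] == "access-group" and len(w) == 5:
            refs = [w[-1]]
        # Any referenced name that no interface defines is a typo or leftover.
        for name in refs:
            if name not in defined:
                findings.add(("undefined-nameif", f"{name} in '{l}'"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(TEMPLATE):
        print(f"{check}: {detail}")
```
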
