Cisco ASA 5500-X Series Next-Generation Firewalls

Cisco ASA 5585-X Quick Start Guide

  • Viewing Options

  • PDF (931.8 KB)
  • Feedback
Quick Start Guide

Table Of Contents

Cisco ASA 5585-X

Verifying the Package Contents

Powering On the ASA

Connecting Interface Cables and Verifying Connectivity

Launching ASDM

Running the Startup Wizard

(Optional) Allowing Access to Public Servers Behind the ASA

(Optional) Running VPN Wizards

(Optional) Running Other Wizards in ASDM

Advanced Configuration

Quick Start Guide

Cisco ASA 5585-X

Regulatory Compliance and Safety Information

Read the safety warnings in the Regulatory Compliance and Safety Information (RCSI), and follow proper safety procedures when performing the steps in this guide. See for links to the RCSI and other documents.

Revised: May 10, 2013, 78-19542-03

1 Verifying the Package Contents

Verify the contents of the packing box to ensure that you have received all items necessary to install your ASA.


ASA 5585-X Chassis


1 Yellow Ethernet Cable


Power Cable (US Shown)1


Blue Console Cable PC Terminal Adapter


Cable Management Brackets


4 Cable Management Bracket Screws


Rack-Mount Bracket Kit


Documentation and Software CD


Ground Lug Kit


1 The ASA 5585-X with SSP-10, SSP-20, or SSP-40 ships with one power supply module installed and one power cable. The ASA 5585-X with SSP-60, ships with two power supply modules installed and two power cables.

2 Powering On the ASA

Step 1 Attach the power cable to the back of the ASA. If you have redundant power supplies, you must connect both power cables to the back of the chassis.


Power Supply Module (PS0)


Power Supply Module (PS1)

Step 2 Connect the power cables to the electrical outlets.

Step 3 Power on the ASA. If you have redundant power supplies, you must power on both modules.

Step 4 Check the Power LED on the front of the ASA; the AC ON indicator should be green, the FAN ON indicator should be green, and the OUT OK indicator should be off.

3 Connecting Interface Cables and Verifying Connectivity

The ASA 5585-X comes with a core SSP that is installed in slot 0. The content of the other slot (slot 1) varies depending on how you ordered your ASA. For software compatibility information and guidelines for modules and SSPs, see Cisco ASA Compatibility.

Step 1 Connect a management PC to the core SSP Management 0/0 interface for use with the Adaptive Security Device Manager (ASDM).You can connect the PC directly with an Ethernet cable, or connect the PC and the ASA to the same management network. Make sure the PC is configured to obtain an IP address using DHCP.

The SSP has 2 management interfaces (Management 0/0 and Management 0/1); however, only Management 0/0 is configured for use.

If you want to use the CLI, connect your PC to the console port, and see the CLI configuration guide for more information.

Step 2 Connect your networks to the appropriate interfaces. If you are using the fiber interfaces, you need an SFP+ module for 10-Gigabit Ethernet (a license may be required) or an SFP module for Gigabit Ethernet. (SFP or SFP+ modules are not included.)

The interfaces available depend on your model. See the Hardware Installation Guide for more information.


(Optional) Slot 1 module, multiple types available. See Step 4.


Slot 0 SSP


SSP Management 0/0 interface (RJ-45)


Step 3 Check the LINK/ACT indicators to verify interface connectivity.

Step 4 (Optional) Depending on the type of module you installed in slot 1, your cabling needs will vary.

For example, if you install a second SSP in slot 1, you must manage each SSP separately: repeat Step 1 through Step 3. For an IPS SSP, all non-management interfaces belong to the ASA while the management interfaces belong to the IPS SSP.

4 Launching ASDM

The ASA ships with a default configuration that enables ASDM connectivity to the Management 0/0 interface. Using ASDM, you can use wizards to configure basic and advanced features. ASDM is a graphical user interface that allows you to manage the ASA from any location by using a web browser.

See the ASDM release notes on for the requirements to run ASDM.

Step 1 On the PC connected to the ASA, launch a web browser.

Step 2 In the Address field, enter the following URL: The Cisco ASDM web page appears.

Step 3 Click Run Startup Wizard.

Step 4 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.

Step 5 Leave the username and password fields empty, and click OK. The main ASDM window appears and the Startup Wizard opens.

5 Running the Startup Wizard

Run the Startup Wizard to modify the default configuration so that you can customize the security policy to suit your deployment. Using the startup wizard, you can set the following:


Domain name

Administrative passwords


IP addresses

Static routes

DHCP server

Network address translation rules

and more...

Step 1 If the wizard is not already running, in the main ASDM window, choose Wizards > Startup Wizard.

Step 2 Follow the instructions in the Startup Wizard to configure your ASA.

Step 3 While running the wizard, you can accept the default settings or change them as required. (For information about any wizard field, click Help.)

6 (Optional) Allowing Access to Public Servers Behind the ASA

The Public Server pane automatically configures the security policy to make an inside server accessible from the Internet. As a business owner, you might have internal network services, such as a web and FTP server, that need to be available to an outside user. You can place these services on a separate network behind the ASA, called a demilitarized zone (DMZ). By placing the public servers on the DMZ, any attacks launched against the public servers do not affect your inside networks.

Step 1 In the main ASDM window, choose Configuration > Firewall > Public Servers. The Public Server pane appears.

Step 2 Click Add, then enter the public server settings in the Add Public Server dialog box. (For information about any field, click Help.)

Step 3 Click OK. The server appears in the list.

Step 4 Click Apply to submit the configuration to the ASA.

7 (Optional) Running VPN Wizards

You can configure VPN using the following wizards:

Site-to-Site VPN Wizard—Creates an IPsec site-to-site tunnel between two ASAs.

AnyConnect VPN Wizard—Configures SSL VPN remote access for the Cisco AnyConnect VPN client. AnyConnect provides secure SSL connections to the ASA for remote users with full VPN tunneling to corporate resources. The ASA policy can be configured to download the AnyConnect client to remote users when they initially connect via a browser. With AnyConnect 3.0 and later, the client can run either the SSL or IPsec IKEv2 VPN protocol.

Clientless SSL VPN Wizard—Configures clientless SSL VPN remote access for a browser. Clientless, browser-based SSL VPN lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser. After authentication, users access a portal page and can access specific, supported internal resources. The network administrator provides access to resources by users on a group basis. ACLs can be applied to restrict or allow access to specific corporate resources.

IPsec (IKEv1) Remote Access VPN Wizard—Configures IPsec VPN remote access for the Cisco IPsec client.

Step 1 In the main ASDM window, choose Wizards > VPN Wizards, then choose one of the following:

Site-to-Site VPN Wizard

AnyConnect VPN Wizard

Clientless VPN Wizard

IPsec (IKEv1) Remote Access VPN Wizard

Step 2 Follow the wizard instructions. (For information about any wizard field, click Help.)

8 (Optional) Running Other Wizards in ASDM

You can optionally run the following additional wizards in ASDM:

High Availability and Scalability Wizard

Configure Active/Active or Active/Standby failover, VPN cluster load balancing, or ASA clustering.

Unified Communications Wizard

Configure a proxy on the ASA for remote access or business-to-business communications. (Special licenses may apply. See the CLI configuration guide for information about ASA licensing.)

Packet Capture Wizard

Configure and run packet capture. The wizard will run one packet capture on each of the ingress and egress interfaces. After capturing packets, you can save the packet captures to your PC for examination and replay in the packet analyzer.

9 Advanced Configuration

To continue configuring your ASA, see the documents available for your software version at: