Cisco Security Appliance Command Line Configuration Guide, Version 7.1
Getting Started
Downloads: This chapterpdf (PDF - 198.0KB) The complete bookPDF (PDF - 17.86MB) | Feedback

Getting Started

Table Of Contents

Getting Started

Accessing the Command-Line Interface

Setting Transparent or Routed Firewall Mode

Working with the Configuration

Saving Configuration Changes

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline


Getting Started


This chapter describes how to access the command-line interface, configure the firewall mode, and work with the configuration. This chapter includes the following sections:

Accessing the Command-Line Interface

Setting Transparent or Routed Firewall Mode

Working with the Configuration

Accessing the Command-Line Interface

For initial configuration, access the command-line interface directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 33, "Managing System Access." If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See Chapter 3, "Enabling Multiple Context Mode," for more information about multiple context mode.


Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration). On the ASA 5500 series adaptive security appliance, the interface to which you connect with ASDM is Management 0/0. For the PIX 500 series security appliance, the interface to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, follow the steps in this section to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command.


To access the command-line interface, perform the following steps:


Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

See the hardware guide that came with your security appliance for more information about the console cable.

Step 2 Press the Enter key to see the following prompt:

hostname>

This prompt indicates that you are in user EXEC mode.

Step 3 To access privileged EXEC mode, enter the following command:

hostname> enable

The following prompt appears:

Password:

Step 4 Enter the enable password at the prompt.

By default, the password is blank, and you can press the Enter key to continue. See the "Changing the Enable Password" section on page 7-1 to change the enable password.

The prompt changes to:

hostname#

To exit privileged mode, enter the disable, exit, or quit command.

Step 5 To access global configuration mode, enter the following command:

hostname# configure terminal

The prompt changes to the following:

hostname(config)#

To exit global configuration mode, enter the exit, quit, or end command.


Setting Transparent or Routed Firewall Mode

You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode.

For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.

When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.

If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.

To set the mode to transparent, enter the following command in the system execution space:

hostname(config)# firewall transparent

This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.

To set the mode to routed, enter the following command in the system execution space:

hostname(config)# no firewall transparent

Working with the Configuration

This section describes how to work with the configuration. The security appliance loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal Flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 34, "Managing Software, Licenses, and Configurations.")

When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.

The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter 3, "Enabling Multiple Context Mode."

This section includes the following topics:

Saving Configuration Changes

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Saving Configuration Changes

To save your running configuration to the startup configuration, enter the following command:

hostname# write memory

For multiple context mode, you must enter this command within each context. Context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.


Note The copy running-config startup-config command is equivalent to the write memory command.


Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of these options:

To merge the startup configuration with the running configuration, enter the following command:

hostname(config)# copy startup-config running-config

To load the startup configuration and discard the running configuration, restart the security appliance by entering the following command:

hostname# reload

Alternatively, you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot:

hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config

Viewing the Configuration

The following commands let you view the running and startup configurations.

To view the running configuration, enter the following command:

hostname# show running-config

To view the running configuration of a specific command, enter the following command:

hostname# show running-config command

To view the startup configuration, enter the following command:

hostname# show startup-config

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.

To clear all the configuration for a specified command, enter the following command:

hostname(config)# clear configure configurationcommand [level2configurationcommand]

This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand.

For example, to clear the configuration for all aaa commands, enter the following command:

hostname(config)# clear configure aaa

To clear the configuration for only aaa authentication commands, enter the following command:

hostname(config)# clear configure aaa authentication

To disable the specific parameters or options of a command, enter the following command:

hostname(config)# no configurationcommand [level2configurationcommand] qualifier

In this case, you use the no command to remove the specific configuration identified by qualifier.

For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows:

hostname(config)# no nat (inside) 1

To erase the startup configuration, enter the following command:

hostname(config)# write erase

To erase the running configuration, enter the following command:

hostname(config)# clear configure all


Note In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running.


Creating Text Configuration Files Offline

This guide describes how to use the CLI to configure the security appliance; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 34, "Managing Software, Licenses, and Configurations," for information on downloading the configuration file to the security appliance.

In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is "hostname(config)#":

hostname(config)# context a

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:

context a

For additional information about formatting the file, see Appendix C, "Using the Command-Line Interface."