Cisco Security Appliance Command Line Configuration Guide, Version 7.2
Getting Started
Downloads: This chapterpdf (PDF - 426.0KB) The complete bookPDF (PDF - 13.04MB) | Feedback

Getting Started

Table Of Contents

Getting Started

Getting Started with Your Platform Model

Factory Default Configurations

Restoring the Factory Default Configuration

ASA 5505 Default Configuration

ASA 5510 and Higher Default Configuration

PIX 515/515E Default Configuration

Accessing the Command-Line Interface

Setting Transparent or Routed Firewall Mode

Working with the Configuration

Saving Configuration Changes

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline


Getting Started


This chapter describes how to access the command-line interface, configure the firewall mode, and work with the configuration. This chapter includes the following sections:

Getting Started with Your Platform Model

Factory Default Configurations

Accessing the Command-Line Interface

Setting Transparent or Routed Firewall Mode

Working with the Configuration

Getting Started with Your Platform Model

This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration. For these hardware-based differences, the platforms or models supported are noted directly in each section.

Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive security appliance does not support security contexts. This guide might not list each supported model when discussing a feature. To determine the features that are supported for your model before you start your configuration, see the "Supported Platforms and Feature Licenses" section on page A-1 for a detailed list of the features supported for each model.

Factory Default Configurations

The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.

For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration.

For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately.

The factory default configuration is available only for routed firewall mode and single context mode. See Chapter 3, "Enabling Multiple Context Mode," for more information about multiple context mode. See the "Setting Transparent or Routed Firewall Mode" section for more information about routed and transparent firewall mode.

This section includes the following topics:

Restoring the Factory Default Configuration

ASA 5505 Default Configuration

ASA 5510 and Higher Default Configuration

PIX 515/515E Default Configuration

Restoring the Factory Default Configuration

To restore the factory default configuration, enter the following command:

hostname(config)# configure factory-default [ip_address [mask]]

If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify.

After you restore the factory default configuration, save it to internal Flash memory using the write memory command. The write memory command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared.


Note This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot.


To configure additional settings that are useful for a full configuration, see the setup command.

ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.

The default route is also derived from DHCP.

All inside IP addresses are translated when accessing the outside using interface PAT.

By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.

The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface Ethernet 0/0
   switchport access vlan 2
   no shutdown
interface Ethernet 0/1
   switchport access vlan 1
   no shutdown
interface Ethernet 0/2
   switchport access vlan 1
   no shutdown
interface Ethernet 0/3
   switchport access vlan 1
   no shutdown
interface Ethernet 0/4
   switchport access vlan 1
   no shutdown
interface Ethernet 0/5
   switchport access vlan 1
   no shutdown
interface Ethernet 0/6
   switchport access vlan 1
   no shutdown
interface Ethernet 0/7
   switchport access vlan 1
   no shutdown
interface vlan2
   nameif outside
   no shutdown
   ip address dhcp setroute
interface vlan1
   nameif inside
   ip address 192.168.1.1 255.255.255.0
   security-level 100
   no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

ASA 5510 and Higher Default Configuration

The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:

The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.

The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface management 0/0
   ip address 192.168.1.1 255.255.255.0
   nameif management
   security-level 100
   no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

PIX 515/515E Default Configuration

The default factory configuration for the PIX 515/515E security appliance configures the following:

The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.

The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface ethernet 1
   ip address 192.168.1.1 255.255.255.0
   nameif management
   security-level 100
   no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

Accessing the Command-Line Interface

For initial configuration, access the command-line interface directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 40, "Managing System Access." If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See Chapter 3, "Enabling Multiple Context Mode," for more information about multiple context mode.


Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the "Factory Default Configurations" section.). On the ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, follow the steps in this section to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command.


To access the command-line interface, perform the following steps:


Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

See the hardware guide that came with your security appliance for more information about the console cable.

Step 2 Press the Enter key to see the following prompt:

hostname>

This prompt indicates that you are in user EXEC mode.

Step 3 To access privileged EXEC mode, enter the following command:

hostname> enable

The following prompt appears:

Password:

Step 4 Enter the enable password at the prompt.

By default, the password is blank, and you can press the Enter key to continue. See the "Changing the Enable Password" section on page 8-1 to change the enable password.

The prompt changes to:

hostname#

To exit privileged mode, enter the disable, exit, or quit command.

Step 5 To access global configuration mode, enter the following command:

hostname# configure terminal

The prompt changes to the following:

hostname(config)#

To exit global configuration mode, enter the exit, quit, or end command.


Setting Transparent or Routed Firewall Mode

You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode.

For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.

When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration. See the "Backing Up Configuration Files" section on page 41-8. For multiple context mode, the system configuration is erased. This action removes any contexts from running. If you then re-add a context that has an existing configuration that was created for the wrong mode, the context configuration will not work correctly. Be sure to recreate your context configurations for the correct mode before you re-add them, or add new contexts with new paths for the new configurations.

If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration. See the "Downloading Software or Configuration Files to Flash Memory" section on page 41-3 for information about downloading text files.

To set the mode to transparent, enter the following command in the system execution space:

hostname(config)# firewall transparent

This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.

To set the mode to routed, enter the following command in the system execution space:

hostname(config)# no firewall transparent

Working with the Configuration

This section describes how to work with the configuration. The security appliance loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal Flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 41, "Managing Software, Licenses, and Configurations.")

When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.

The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter 3, "Enabling Multiple Context Mode."

This section includes the following topics:

Saving Configuration Changes

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Saving Configuration Changes

This section describes how to save your configuration, and includes the following topics:

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Saving Configuration Changes in Single Context Mode

To save the running configuration to the startup configuration, enter the following command:

hostname# write memory


Note The copy running-config startup-config command is equivalent to the write memory command.


Saving Configuration Changes in Multiple Context Mode

You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes the following topics:

Saving Each Context and System Separately

Saving All Context Configurations at the Same Time

Saving Each Context and System Separately

To save the system or context configuration, enter the following command within the system or context:

hostname# write memory


Note The copy running-config startup-config command is equivalent to the write memory command.


For multiple context mode, context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.

Saving All Context Configurations at the Same Time

To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:

hostname# write memory all [/noconfirm]

If you do not enter the /noconfirm keyword, you see the following prompt:

Are you sure [Y/N]:

After you enter Y, the security appliance saves the system configuration and each context. Context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.

After the security appliance saves each context, the following message appears:

`Saving context `b' ... ( 1/3 contexts saved ) '

Sometimes, a context is not saved because of an error. See the following information for errors:

For contexts that are not saved because of low memory, the following message appears:

The context 'context a' could not be saved due to Unavailability of resources

For contexts that are not saved because the remote destination is unreachable, the following message appears:

The context 'context a' could not be saved due to non-reachability of destination

For contexts that are not saved because the context is locked, the following message appears:

Unable to save the configuration for the following contexts as these contexts are 
locked.
context `a' , context `x' , context `z' .

A context is only locked if another user is already saving the configuration or in the process of deleting the context.

For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message report is printed at the end of all other messages:

Unable to save the configuration for the following contexts as these contexts have 
read-only config-urls:
context `a' , context `b' , context `c' .

For contexts that are not saved because of bad sectors in the Flash memory, the following message appears:

The context 'context a' could not be saved due to Unknown errors

Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of these options:

To merge the startup configuration with the running configuration, enter the following command:

hostname(config)# copy startup-config running-config

A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.

To load the startup configuration and discard the running configuration, restart the security appliance by entering the following command:

hostname# reload

Alternatively, you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot:

hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config

Viewing the Configuration

The following commands let you view the running and startup configurations.

To view the running configuration, enter the following command:

hostname# show running-config

To view the running configuration of a specific command, enter the following command:

hostname# show running-config command

To view the startup configuration, enter the following command:

hostname# show startup-config

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.

To clear all the configuration for a specified command, enter the following command:

hostname(config)# clear configure configurationcommand [level2configurationcommand]

This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand.

For example, to clear the configuration for all aaa commands, enter the following command:

hostname(config)# clear configure aaa

To clear the configuration for only aaa authentication commands, enter the following command:

hostname(config)# clear configure aaa authentication

To disable the specific parameters or options of a command, enter the following command:

hostname(config)# no configurationcommand [level2configurationcommand] qualifier

In this case, you use the no command to remove the specific configuration identified by qualifier.

For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows:

hostname(config)# no nat (inside) 1

To erase the startup configuration, enter the following command:

hostname(config)# write erase

To erase the running configuration, enter the following command:

hostname(config)# clear configure all


Note In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running.


Creating Text Configuration Files Offline

This guide describes how to use the CLI to configure the security appliance; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, "Managing Software, Licenses, and Configurations," for information on downloading the configuration file to the security appliance.

In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is "hostname(config)#":

hostname(config)# context a

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:

context a

For additional information about formatting the file, see Appendix C, "Using the Command-Line Interface."